Adaxes enables users to reset their passwords themselves by answering predefined security questions and submitting a verification code sent via SMS or email. To increase the security of privileged accounts, you can go further and add an approval step to the process. Approval can be requested from the user's manager, fellow employees, administrators, etc.
In this tutorial, you will learn how to create a Business Rule to request an approval for self password reset.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Business Rule.
Enter a name for the new Business Rule and click Next.
To trigger the Business Rule before self-resetting passwords:
Click Add an action and select the Send this operation for approval action.
In the Action Parameters section specify the approvers for the operation.
If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval.
Click the Edit button.
To submit a request for approval from a script, you need to call the SubmitForApproval method of the predefined PowerShell variable $Context. As the first parameter, the method takes an array of distinguished names (DNs) of users or groups that will be designated as approvers.
The following script submits an approval request to a user and members of a group.
$approvers = @(
    "CN=John Smith,CN=Users,DC=example,DC=com",
    "CN=My Group,OU=Groups,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
Click Copy DN. The DN of the selected object will be copied to the clipboard.
You can use value references in the script (e.g. %department%). Value references will be replaced with corresponding property values of the user whose password is reset.
The following example submits an approval request to the members of a group with the name consisting of the name of the user's department plus Managers.
$approvers = @("CN=%department%Managers,CN=Users,DC=example,DC=com")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
The following example submits an approval request to the user's secretary and members of group Admins located in the user's Organizational Unit.
$approvers = @(
    "%secretary%",
    "CN=Admins,%adm-InitiatorParentDN%")
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
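The following script is an added example, not one from the tutorial: it builds the approver list from several criteria, routing the request to the user's manager when one is set, adding a second approver group for accounts whose Job Title marks them as privileged, and falling back to an administrators group when no approver could be determined. It assumes that the %manager% and %title% value references expand to an empty string when the attribute is not set; all group DNs are placeholders.

```powershell
# Added example: build the list of approvers from several criteria before
# calling $Context.SubmitForApproval. Group DNs below are placeholders.
$approvers = @()

# Value reference for the Manager attribute of the user whose password is reset.
# Assumed to expand to an empty string when no manager is set.
$managerDn = "%manager%"
if (-not [string]::IsNullOrWhiteSpace($managerDn)) {
    $approvers += $managerDn
}

# Privileged accounts (Job Title contains "Manager") require a second approver
# in addition to the manager, so a single approver cannot reset such an account alone.
$jobTitle = "%title%"
if ($jobTitle -like "*Manager*") {
    $approvers += "CN=Security Team,OU=Groups,DC=example,DC=com"   # placeholder DN
}

# Fallback: if no manager is set and the account is not privileged, escalate to
# the administrators group located in the user's Organizational Unit.
if ($approvers.Count -eq 0) {
    $approvers += "CN=Admins,%adm-InitiatorParentDN%"
}

# Submit the self password reset operation for approval by the collected approvers.
$Context.SubmitForApproval($approvers, $False, $False, $False, $False)
```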
For information on how to create scripts for Business Rules, Custom Commands, and Scheduled Tasks, see Server-Side Scripting.
To request an approval only if certain conditions are met, right-click the action and select Add Condition.
For example, an approval can be requested only if the user is a member of a specific group or Business Unit, is located in a specific Organizational Unit, or the Job Title property of the user's account contains the word Manager.
When done, click Next.
To define the scope of activity for the Business Rule, click Add.
In the Activity Scope dialog, select the following items:
All Objects - select to execute the Business Rule for all user accounts in all domains managed by Adaxes.
Specific Domain - select to execute the Business Rule for all user accounts within an AD domain.
OU or Container - select to execute the Business Rule for the user accounts located under an Organizational Unit or container.
Group - select to execute the Business Rule for the user accounts that are members of a group.
Business Unit - select to execute the Business Rule for the user accounts that are members of a Business Unit. To select a Business Unit, open the Look in drop-down list and select the Business Units item.
You can exclude specific users, groups, Organizational Units and Business Units from the activity scope of the Business Rule. For example, if you've assigned the Business Rule over all objects in a domain, but do not want it to be executed for members of a certain group, you can exclude the group from the activity scope. To exclude an object, select the Exclude option in the Assignment Options dialog box.
Click the object you want to exclude.
In the Assignment Options dialog, select the Exclude option.
When done, click OK and then click Finish.