Request approval for user creation

Adaxes enables you to track and control critical tasks, such as user and group management, by adding approval steps to the process. Approval workflows can be configured for any operation – adding and removing members from groups, enabling and disabling user accounts, assigning Microsoft 365 licenses, etc. In this tutorial, you will learn how to request approval for the creation of new user accounts.

For information on how to delegate the permissions to create user accounts, see Grant rights to create users.

To submit user creation for approval, create a business rule triggered before a user account is created.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Business Rule.

  3. Enter a name for the new business rule and click Next.

  4. To trigger the business rule before a user account is created:

    • In the Object Type list, select User.

    • Select Before and then select creating a user.

  5. Click Next.

  6. Click Add an action.

  7. Select Send this operation for approval.

  8. In the Action Parameters section, specify the approvers for the operation.

    • Click Add to select specific users and groups.

    • Select Manager of the requestor to allow the manager of the user who initiated account creation to approve or deny the request. The manager is specified in the Manager property of user accounts.

    • Select Manager of the user to allow the manager of the new user to approve or deny the request. The manager is specified in the Manager property of user accounts.

    • Select Owners of the requestor's OU to allow any owner of the organizational unit where the account of the operation initiator is located to approve or deny the request. For more details about object ownership in Adaxes, see Object owners.

    • Select Owners of the user's OU to allow any owner of the organizational unit where the new user will be created to approve or deny the request. For more details about object ownership in Adaxes, see Object owners.

    • Click OK.

    Adaxes service administrators have the rights to approve or deny any request.

    Using scripts

    If you need to build the list of approvers based on complex criteria, you can use a PowerShell script to submit the operation for approval.

     How
    • In the Add Action dialog, select the Run a program or PowerShell script action.

    • Click Edit.

      Click the button to provide a custom description for the action.

    • To submit a request for approval from a script, call the SubmitForApproval method of the predefined PowerShell variable $Context. As its first parameter, the method takes an array of distinguished names (DNs) of the users or groups that will be designated as approvers.

      The following script submits an approval request to a user and members of a group.

      # Approvers are identified by DN: one user and one group (all members of the group can approve).
      $approvers = @(
              "CN=John Smith,CN=Users,DC=example,DC=com",
              "CN=My Group,OU=Groups,DC=example,DC=com")
      # Submit the current operation (here, the user creation) for approval by the listed approvers.
      $Context.SubmitForApproval($approvers, $false, $false, $false, $false)

       How to get the DN of an object
      • Launch Adaxes Administration console.

      • Right-click the object you need.

      • In the context menu, open the submenu of the Copy item.

      • Click Copy DN. The DN of the selected object will be copied to the clipboard.

      You can use value references in the script (e.g. %department%). Value references will be replaced with corresponding property values of the new user account.

      The following script submits an approval request to the members of a group whose name consists of the new user's department name followed by Managers.

      # %department% is replaced with the Department property of the new user account,
      # e.g. "CN=Sales Managers,CN=Users,DC=example,DC=com" for a user in the Sales department.
      $approvers = @("CN=%department% Managers,CN=Users,DC=example,DC=com")
      $Context.SubmitForApproval($approvers, $false, $false, $false, $false)


      The following script submits an approval request to the user's secretary and members of the Admins group located in the user's organizational unit.

      # %secretary% is replaced with the DN stored in the new user's Secretary property;
      # %adm-ParentDN% is replaced with the DN of the container where the user is being created.
      $approvers = @(
              "%secretary%",
              "CN=Admins,%adm-ParentDN%")
      $Context.SubmitForApproval($approvers, $false, $false, $false, $false)


      For information on how to write scripts for business rules, see Server-side scripting.
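As an added example (not from the Adaxes documentation or product), the following script builds the approver list from criteria that a fixed DN or a value reference cannot express: it uses a department-specific managers group only if that group actually exists, falls back to a default approvers group otherwise, and always adds the initiator's manager. The $Context members other than SubmitForApproval (GetModifiedPropertyValue, BindToObjectByDN, BindToObject, Initiator.UserAdsPath, LogMessage) are assumed from the Adaxes scripting API and are not shown on this page; all DNs are placeholders.

```powershell
# Added example: pick approvers for a "before creating a user" business rule.
# Assumed Adaxes API members (not on this page): $Context.GetModifiedPropertyValue,
# $Context.BindToObjectByDN, $Context.BindToObject, $Context.Initiator.UserAdsPath,
# $Context.LogMessage. All DNs are placeholders for your own directory.
$defaultApproversDN = "CN=Account Approvers,OU=Groups,DC=example,DC=com"  # placeholder
$groupsContainerDN  = "OU=Groups,DC=example,DC=com"                        # placeholder

$approvers = New-Object System.Collections.Generic.List[string]

# 1. Department-specific group, if one exists. In a before-create rule the new
#    account is not in the directory yet, so the value is read from the pending operation.
$department = $Context.GetModifiedPropertyValue("department")
if (-not [string]::IsNullOrEmpty($department)) {
    # Escape DN-special characters so a department such as "R+D, Ops" cannot change
    # the structure of the DN that is built from it.
    $escaped = $department -replace '([\\,+"<>;=])', '\$1'
    $deptGroupDN = "CN=$escaped Managers,$groupsContainerDN"
    try {
        $null = $Context.BindToObjectByDN($deptGroupDN)   # throws if the group does not exist
        $approvers.Add($deptGroupDN)
    }
    catch {
        $Context.LogMessage("Group '$deptGroupDN' not found; using the default approvers.", "Warning")
    }
}

# 2. Fall back to the default approvers group when no department group was added.
if ($approvers.Count -eq 0) {
    $approvers.Add($defaultApproversDN)
}

# 3. Always include the manager of the user who initiated the operation, if one is set.
$initiator = $Context.BindToObject($Context.Initiator.UserAdsPath)
try {
    $managerDN = $initiator.Get("manager")
    if (-not [string]::IsNullOrEmpty($managerDN)) { $approvers.Add($managerDN) }
}
catch {
    # Get() throws when the Manager property is empty; no approver is added in that case.
}

# Submit the pending user creation for approval by the collected approvers.
$Context.SubmitForApproval($approvers.ToArray(), $false, $false, $false, $false)
```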

    Multi-level approval

    Approval workflows can be configured for multiple levels. To request approval from another group of approvers, add another Send operation for approval action to the business rule.

  9. To request approval only if certain conditions are met, right-click the action and then click Add Condition.

    Example 1 – If the initiator is not a member of a specific group

     Step by step
    • Select the If the initiator is a member of <group> condition.

    • In the Condition Parameters section, select is not in the drop-down list and specify the group.

    • Click OK.

    Example 2 – If the Job Title property of the new user's account contains the word Manager

     Step by step
    • Select the If <property> <relation> <value> condition.

    • In the Condition Parameters section, specify Job Title - contains - Manager.

    • Click OK.

  10. Click Next.

  11. On the Activity Scope step, click Add.

    Select from the following items:

    • All Objects – select to request approval when a user account is created in any domain managed by Adaxes.

    • Domain – select to request approval when a user account is created in a specific domain.

    • OU or Container – select to request approval when a user account is created in a specific organizational unit or container.

    You can exclude specific organizational units and domains from the activity scope of the business rule. For example, if you assigned the rule over the whole domain, but do not want it to trigger when a user account is created in a specific organizational unit, you can exclude the organizational unit from the activity scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog.

     Step by step
    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

  12. Click OK and then click Finish.

Approval notifications

When an operation is submitted for approval, approved, denied, or cancelled, Adaxes sends email notifications to the request approvers and initiator. To enable Adaxes to send email messages, you need to configure the outgoing mail settings for your Adaxes service.

Configure outgoing mail settings

  • In Adaxes Administration console, right-click your Adaxes service, and then click Properties in the context menu.

  • Activate the Mail Settings tab and change the SMTP settings.

  • Click Apply.

If you want email notifications to include the links to view and process the approval request as well as links to related directory objects, you need to specify a Web interface for your Adaxes service.

  • In Adaxes Administration console, right-click your Adaxes service, and then click Properties in the context menu.

  • Activate the Web Interface tab and specify the URL of the Web interface you want to use.

  • Click OK.

Email template customization

It is possible to customize templates for approval email notifications.

  • In Adaxes Administration console, expand your Adaxes service.

  • Right-click Approval Requests, and then click Properties in the context menu.

  • Activate the Email Notifications tab and customize the templates.

    To completely disable email notifications when an approval request is submitted, approved, denied, cancelled, or the underlying operation has failed, clear the Enabled checkbox on the corresponding tab.

  • Click OK.

Processing approval requests

To approve, deny, or cancel approval requests, users can use either the Adaxes Web interface or the Administration console.