0 votes

I have a custom command which requires approval before it starts. How can I get access to the approval message within my custom command?

by (20 points)
0

Hello!

Do we understand correctly that you need to customize email notifications for approval requests? If so, it can only be done system-wide and the modifications will be applied to all approval request notifications. For information on how to customize the notifications, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageApprovalRequests.CustomizeNotificationTemplates.html.

If this is not what you meant, please, provide us with all the possible details regarding the desired behavior. Screenshots and live examples would be much appreciated.

0

approve.PNG

I am talking about this window. How can I get this 'reason' value in my custom command?

0

It would be nice to get the username which approves the request

0

Hello!

The only possibility to get the approval reason and the approver name is by executing a PowerShell script in the Custom Command. The Approval Request will be searched by the target object, initiator and the Custom Command ID, they should match with the corresponding properties of the Custom Command where the script is executed. However if there are several approved requests that were initiated by one user and the target object is the same, there will be no possibility to determine which request is related to the current Custom Command execution.

To suggest a solution, please, provide us with a screenshot of the Custom Command you have and describe the desired workflow in all the possible details.

Additionally, please, specify Adaxes version you are using. For information on how to check the version, have a look at the following help article: https://www.adaxes.com/help/?HowDoI.ManageService.CheckAdaxesServiceVersion.html.

0

The process looks something like that:

  1. User requests access to some application on self-manage portal: fills the username and access level fields (which are parameters in a custom command)
  2. Before processing this custom command, adaxes sends approve request to manager of application
  3. Manager approves request and overrides access level to application from HIGH to LOW in approve field "Reason"
  4. Adaxes checks this "Reason" value before runs custom command and overrides some parameter in the script

Adaxes version is 3.13.18001.0

0

Hello!

Thank you for the provided details. For further troubleshooting, please, post here or send us (support[at]adaxes.com) the script executed in the Custom Command.

> User requests access to some application on self-manage portal: fills the username and access level fields (which are parameters in a custom command)

Please, clarify what object type the Custom Command is configured for. If it is configured for the User object, do we understand correctly that the command will always be executed on the currently signed in user?

> Adaxes checks this "Reason" value before runs custom command and overrides some parameter in the script

Do we understand correctly that the values for the script parameters are taken from the Custom Command parameters?

0

We created a custom command

The custom command has two parameters: username - editbox, access level - editbox

Actions: powershell script (required approve, run as adaxes service account)

```powershell
$username = '%editboxUsername%'
$accesslevel = '%editboxAccessLevel%'
$REASON = '% SOME VALUE WE WANT TO GET %'

if ([string]::IsNullOrEmpty($REASON))
{
    # create user with $accesslevel
}
else
{
    # create user with $REASON
}
```

We placed this custom command in user interface and gave user access to execute this command

1 Answer

0 votes
by (14.9k points)

Hello!

Thank you for clarifying.

To achieve the desired behavior, a Custom Command and a Business Rule triggering After updating an ApprovalRequest can be used. The script that creates user accounts will be executed in the Business Rule, not in the Custom Command. This way the required approval request will be the target object of the rule and there will be no need to search the request. The Custom Command will be configured to save values of the parameters to custom text attributes of the user on which the command is executed and then submit the approval request. If the request is approved, the script in the Business Rule will check whether the approve reason is specified and if it is, overwrite the value of the access level parameter with the value of the approve reason. If the request is denied or canceled, the custom attribute values will be cleared using a PowerShell script.

i. Creating the Custom Command

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Custom Command.
  4. On step 2 of the Create Custom Command wizard, select the User object type.
  5. Click Next.
  6. Click New.
  7. Select Edit box and click Next.
  8. Specify a parameter name and display name (e.g. Username and User name).
  9. Click Next and finish creating the parameter.
  10. Click New again.
  11. Select Edit box and click Next.
  12. Specify a parameter name and display name (e.g. Accesslevel and Access level).
  13. Click Next and finish creating the parameter.
  14. Click Next.
  15. Click Add an action.
  16. Select Update the user.
  17. Click Add.
  18. In the Property to modify drop-down, select the custom text attribute (e.g. CustomAttributeText1) that will be used to store the value of the parameter created on steps 6-9 and used to specify the user name.
  19. In the New value field, specify the value reference containing the name of the parameter created on steps 6-9 with the param- prefix (e.g. %param-Username%).
  20. Click OK.
  21. Click Add again.
  22. In the Property to modify drop-down, select the custom text attribute (e.g. CustomAttributeText2) that will be used to store the value of the parameter created on steps 10-13 and used to specify the access level.
  23. In the New value field, specify the value reference containing the name of the parameter created on steps 10-13 with the param- prefix (e.g. %param-Accesslevel%).
  24. Click OK.
  25. Finally, the configuration of the action should look like the following: image.png
  26. Click OK.
  27. Right-click the created action and then click Add New Action.
  28. Select Send this operation for approval.
  29. Specify the required approvers and click OK.
  30. Click Next and finish creating the Custom Command.
  31. Finally, the command configuration should look like the following: image.png

ii. Creating the Business Rule

  1. Launch Adaxes Administration Console.
  2. In the Console Tree, right-click your service node.
  3. In the context menu, navigate to New and click Business Rule.
  4. On step 2 of the Create Business Rule wizard, select the Show all object types checkbox.
  5. Select the ApprovalRequest object type.
  6. Select After updating a ApprovalRequest.
  7. Click Next.
  8. Click Add an action.
  9. Click OK without selecting any actions.
  10. Right-click the If the operation succeeded condition and then click Edit Condition.
  11. Select If the main operation failed and then click OK.
  12. Right-click the modified condition and then click Add New Condition.
  13. Select If operation <result>.
  14. Select If the main operation suspended.
  15. Click OK.
  16. Right-click the created condition and then click Add New Condition.
  17. Select If PowerShell script returns true.
  18. Paste the below script into the Script field. In the script, the $customCommandId variable specifies the ID of the Custom Command created in section i. For information on how to get the ID, see http://adaxes.com/sdk/HowDoI.GetCustomCommandID.
```powershell
$customCommandId = '{9a55c89f-42b9-4ba6-af6f-67027e5879d0}' # TODO: modify me
$Context.ConditionIsMet = $False

if ($Context.TargetObject.ActionToApprove.CustomCommandID -ne $customCommandId)
{
    $Context.ConditionIsMet = $True
}
```
  19. Specify a description for the script and click OK.
  20. Click the AND logical operator to change it to OR.
  21. Right-click the created condition and then click Add Else If.
  22. In the created Else If block, right-click <no condition> and then click Add Condition.
  23. Select If <property> <relation> <value>.
  24. Select If ApprovalState equals 1.
  25. Right-click Do nothing and then click Add Action.
  26. Select Run a program or PowerShell script.
  27. Modify the below script to meet your needs and then paste it into the Script field. In the script:
    • $usernameAttributeName - Specifies the LDAP name of the custom text attribute you specified in section i on step 18.
    • $accessLevelAttributeName - Specifies the LDAP name of the custom text attribute you specified in section i on step 22.
```powershell
$usernameAttributeName = "adm-CustomAttributeText1" # TODO: modify me
$accessLevelAttributeName = "adm-CustomAttributeText2" # TODO: modify me

# Get the approval request target user
$user = $Context.TargetObject.TargetObject

# Get the custom attribute values
try
{
    $username = $user.Get($usernameAttributeName)
    $accessLevel = $user.Get($accessLevelAttributeName)
}
catch
{
    $Context.LogMessage("Failed to get attribute values", "Error")
    return
}

# Get approve reason
$reason = $Context.TargetObject.ApprovingReason

if (-not ([System.String]::IsNullOrEmpty($reason)))
{
    # Replace access level with approve reason
    $accessLevel = $reason
}

# Provide the rest of your script here.
# The $username variable contains the value of the username specified in the Custom Command parameter.
# The $accessLevel variable contains the value of the access level specified in the Custom Command parameter. If the approve reason is specified, the $accessLevel variable contains the value of the approve reason.

# Clear custom attributes
$user.Put($usernameAttributeName, $NULL)
$user.Put($accessLevelAttributeName, $NULL)
$user.SetInfo()
```
  28. Provide a description for the script and click OK.
  29. Right-click the created action and then click Add Else.
  30. Right-click Do nothing and then click Add Action.
  31. Select Run a program or PowerShell script.
  32. Paste the below script into the Script field. In the script:
    • $usernameAttributeName - Specifies the LDAP name of the custom text attribute you specified in section i on step 18.
    • $accessLevelAttributeName - Specifies the LDAP name of the custom text attribute you specified in section i on step 22.
```powershell
$usernameAttributeName = "adm-CustomAttributeText1" # TODO: modify me
$accessLevelAttributeName = "adm-CustomAttributeText2" # TODO: modify me

# Get the approval request target user
$user = $Context.TargetObject.TargetObject

# Clear custom attributes
$user.Put($usernameAttributeName, $NULL)
$user.Put($accessLevelAttributeName, $NULL)
$user.SetInfo()
```
  33. Specify a description for the script and click OK.
  34. Click Next and finish creating the Business Rule.
  35. Finally, the rule should look like the following: image.png
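
The approved-request script in this answer copies the approver's free-text reason straight into $accessLevel, so any comment typed in the Reason field becomes the access level. One way to validate it first, as an added example that is not part of the original answer and is not Adaxes code; the function name Resolve-AccessLevel and the level names (taken from the HIGH/LOW wording in the question) are assumptions:

```powershell
# Added example, not Adaxes code. The level names are assumptions based on
# the HIGH/LOW wording in the question; replace them with your own set.
$AllowedLevels = @('LOW', 'HIGH')

function Resolve-AccessLevel {
    param(
        [string]$Requested,   # value saved from the Custom Command parameter
        [string]$Reason       # free text typed by the approver, may be empty
    )

    # Normalise both inputs the same way before comparing.
    $requestedNorm = "$Requested".Trim().ToUpperInvariant()
    $reasonNorm    = "$Reason".Trim().ToUpperInvariant()

    if ([string]::IsNullOrEmpty($reasonNorm)) {
        $candidate = $requestedNorm
        $source    = 'Requested'
    }
    else {
        $candidate = $reasonNorm
        $source    = 'ApproverOverride'
    }

    # Fail closed: anything outside the allowlist is rejected, not passed on.
    if ($AllowedLevels -notcontains $candidate) {
        return [pscustomobject]@{
            Ok     = $false
            Level  = $null
            Source = $source
            Error  = "Unrecognised access level from $source"
        }
    }
    return [pscustomobject]@{ Ok = $true; Level = $candidate; Source = $source; Error = $null }
}

# Constructed sample inputs: requested level, approver reason.
$samples = @(
    @('HIGH', ''),                    # approved without a comment
    @('HIGH', ' low '),               # approver overrides the level
    @('HIGH', 'ok, approved for Q3')  # comment that is not a level
)
foreach ($s in $samples) {
    $r = Resolve-AccessLevel -Requested $s[0] -Reason $s[1]
    '{0,-5} | {1,-20} | Ok={2} Level={3} Source={4}' -f $s[0], $s[1], $r.Ok, $r.Level, $r.Source
}
```

In the Business Rule script, the result would take the place of the `$accessLevel = $reason` assignment, with the run stopped and logged when Ok is false.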
