0 votes

Hi,

I already have a home page action to add a user to a security group but the security group owners want some info on the user requesting access to the group because they don't always know who it is who's asking.
How can I get some sort of "more info" box asking for details before any approval steps?

Thanks.

by (840 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,
It is possible to implement something like that. For this purpose, you need to create a Modify Group action with a customized form. On the form, there will be a field where users can specify a reason why they want to join a group. The reason will be assigned to one of the virtual group properties, for example, CustomAttributeText1. Such virtual properties are not stored in Active Directory, but you can use them as any other properties of AD objects. Also, the action will automatically modify another virtual property, for example, CustomAttributeText2, and set it to the Distinguished Name (DN) of the user who runs the action.

The 2nd property will be used to launch a Business Rule. The Business Rule will add the user who launched the action (specified via CustomAttributeText2) to the group, and also add the reason (specified via CustomAttributeText1) in one operation. Thus, when your Business Rule that requests approval for adding a member to a group triggers, an approver will get an approval request that will contain both the user who wants to join the group and the reason, why.

To implement such a solution:

I. Create home page action

To allow users to specify a reason why they want to join a group, you need to create a Modify Group Home Page Action as follows:

  1. Launch the Web Interface Customization tool.
  2. In the Interface type drop-down list, select the Web Interface you need.
  3. On the General tab, click Configure Home Page Actions.
  4. Click Add.
  5. Select Modify Group. Click Next 3 times.
  6. On the Form Customization page, select Use customized form.
  7. Click Customize Form.
  8. Leave only the General section in the Fields displayed on the form are grouped by the following sections field. To remove unnecessary sections, select it and click Delete.
  9. Select the General section.
  10. In Section fields, remove all fields by selecting each one and clicking Delete.
  11. Click Add.
  12. Select the Show all properties checkbox.
  13. In the Object property field, select CustomAttributeText1. Click OK twice.
  14. In the Predefined Fields section of the Form Customization page, click Add.
  15. In the Property name field, select Show all properties checkbox and CustomAttributeText2.
  16. In the Default value field, specify %adm-InitiatorDN%. Click OK.
  17. Finish creating the home page action and apply the changes.

II. Create Business Rule

To create a Business Rule that will add the user who launched the action to the group and specify the reason in one operation:

  1. Create a new Business Rule.

  2. On the Triggering Operation page, select Group and Before Updating a Group. Click Next.

  3. Now, you need to add an action that adds the user whose DN is specified in CustomAttributeText2 to the group. To do this, you need to add the user's DN to the Member property of the group. Click Add Action.

  4. Select Update the Group.

  5. In the Action Parameters section, click Add.

  6. In the Property to modify drop-down list, select Member.

  7. In the New value field, click Edit.

  8. Activate the Template tab.

  9. Specify %adm-CustomAttributeText2%.

  10. Click OK 2 times.

  11. Now, you also need to add the reason. Click Add once more.

  12. In the Property to modify drop-down list, select CustomAttributeText1.

  13. Select the Update value section.

  14. In the New value field, specify %adm-CustomAttributeText1%.

  15. Click OK 2 times.

  16. Also, you need to clear the custom attributes. To do this, you need to add another action. Click Add action.

  17. Select the Run program or PowerShell script action.

  18. In the Script field enter the following script:

     # Clear custom attributes
     $Context.SetModifiedPropertyValue("adm-CustomAttributeText1", $NULL)
     $Context.SetModifiedPropertyValue("adm-CustomAttributeText2", $NULL)
  19. Specify Short description. Click OK.

  20. As mentioned above, the actions will be triggered only when a DN of a user is specified via CustomAttributeText2. For this purpose, yo need to add a condition. Click Add Condition.

  21. Select the If <property> has changed condition type.

  22. Specify If CustomAttributeText2 has changed.

  23. Finish creating the Business Rule.

III. Specify custom names for attributes

You can specify your own names that will be used to display the virtual attributes for group objects. For information on how to specify a default name for all object types, see Customizing Display Names for AD Properties. To define display names that will be used only for groups, you need to do the following:

  1. Add the specificFriendlyName element to the corresponding XML friendlyNameItem.
  2. Specify group in the objectClass parameter of the specificFriendlyName attribute.
  3. Specify a desired display name as the value of the specificFriendlyName element.

In the following example, attribute CustomAttributeText1 will be displayed as Reason for groups and CustomAttributeText1 for all other object types:

<i class="text-italic"><friendlyNameItem>
    <ldapName>adm-CustomAttributeText1</ldapName>
    <friendlyName>CustomAttributeText1</friendlyName>
    <specificFriendlyName objectClass="<strong class="text-bold">group</strong>">Reason</specificFriendlyName>
  </friendlyNameItem></i>

To apply the changes, restart your IIS and Adaxes service.

Related questions

0 votes
1 answer

We don't think our users read the logs they get after taking actions in the web interface. We'd like to alert a pop up after an action has been taken by a user ... the users with a bunch of emails after every possible action they can take. Any ideas? Thanks!

asked Jun 1, 2020 by spencerp (120 points)
0 votes
1 answer

Is there a way I can change the wording on this pop up? I'd like it to say "...without any assistance from the technology department" Thanks Ryan

asked Apr 4, 2014 by ryan_breneman (920 points)
0 votes
1 answer

I created a Report asking the report to get the Assinged Microsoft Supbsription license assinged to the Users, When the Reports runs it geta few users but time out ... way to increase the time Out oprtion fro Reports that are getting information from Azure?

asked May 16 by George.Holden (60 points)
0 votes
1 answer

I have to do a weekly Inactiviy Report for Accounts that have not logged in for 30 days or more. 1 of the reports is for Internal users BUT there is an Account ... Adaxes and working on the product, and i need to get all my reporting done through Adaxes

asked Nov 14, 2022 by dtorannini (80 points)
0 votes
1 answer

I am testing using MFA and we use Duo. I havn't seen where we can set up push instead of adding having the end users set up another account for Duo.

asked Jan 11 by mightycabal (1.0k points)
3,589 questions
3,278 answers
8,303 comments
548,137 users