0 votes

Hello!

I have been evaluating the Adaxes product, so far mostly on paper. I wanted to ask for your comment on my proposed design, with the following prerequisites and requirements:

  • Enter co-worker information in a web interface doing some input control to ensure data quality and information consistency
  • Then, I would like an optional approval step if the user have specific business role
  • The AD account provisioning process is nothing special, only the usual username/email address uniqueness checks, setting UPN to the email address and then some group memberships depending on the user role
  • Fire off a script that creates/modifies a user object in Dynamics AX using their "NewAXUser" Powershell cmdlets. AX gets a reference to the AD user (sAMAccountName)
  • Fire off another script or export data for Domino (Lotus Notes) account creation based on the same person data, account names and such (Haven't had time to explore technical options here, but presuming it's possible one way or the other...)

Use the built-in features of Adaxes to delegate control for different admins to control different users based on business unit or geography

Do you see any challenges in my proposed design? Of course we will do testing but to move on to evaluation I would love to get some input on the overall idea feasibility! The organisation is around 1500 users in a single Active Directory.
One challenge I can see is that there would be limited capability to ensure the account was created successfully in the target systems, but that is a general challenge and typically only addressed in way more complex and expensive IAM solutions.
Any input ideas or references to "recipes" related to the concept described here is much appreciated.

Kind regards

by (50 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

First of all, thank you for your interest in Softerra Adaxes!

Your requirements are quite typical and we do nor foresee any considerable issues or challenges with implementing what you need. As to your specific requirements:

Enter co-worker information in a web interface doing some input control to ensure data quality and information consistency

To ensure data integrity and consistency, you can use Adaxes Property Patterns. Property Patterns allow you to specify required properties, define property constraints and formatting rules, as well as specify default values for properties. For more information on using Property patterns, see the AD Data Integrity video. For information on how to perform the most typical tasks, see the following set of tutorials: Simplifying Data Entry.

Then, I would like an optional approval step if the user have specific business role

This is also possible. How is a business role defined in Active Directory? Is there a certain AD attribute used for this purpose? If yes, you can send a new user request for approval only if the attribute is assigned a certain value or values.

The AD account provisioning process is nothing special, only the usual username/email address uniqueness checks, setting UPN to the email address and then some group memberships depending on the user role

As for username/email address uniqueness checks, have a look at the following tutorial: http://www.adaxes.com/tutorials_Simplif ... Script.htm. Example 2 on step 5 of the tutorial shows how to automatically add a digit to the username if it is not unique. You can use the same approach for the email address. Alternatively, instead of generating a unique value, you can cancel the operation, so that users could come up with a unique username / email address themselves.

As for adding group memberships depending on the user role, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... rtment.htm.

Fire off a script that creates/modifies a user object in Dynamics AX using their "NewAXUser" Powershell cmdlets. AX gets a reference to the AD user (sAMAccountName)
Fire off another script or export data for Domino (Lotus Notes) account creation based on the same person data, account names and such (Haven't had time to explore technical options here, but presuming it's possible one way or the other...)

For information on how to automatically run PowerShell scripts after creating a user, see the following tutorial: http://www.adaxes.com/tutorials_Automat ... ngUser.htm. As for the actual scripts, you can use our SDK and Script Repository as source of information and examples. If you find difficulty with your scripts, we will help you.

One challenge I can see is that there would be limited capability to ensure the account was created successfully in the target systems, but that is a general challenge and typically only addressed in way more complex and expensive IAM solutions.

Every operation performed via Adaxes, including running a PowerShell script, is logged. Using scripts, you can update Adaxes logs with your own information, warnings, error messages etc. For example, when using the New-AXUser cmdlet, you can forward any errors returned by the cmdlet to Adaxes log. Then, you can use that information to track any issues in interacting with external systems. For information on how to update logs from a script, see section Updating the Execution Log in the following article: http://www.adaxes.com/sdk/?ServerSideSc ... ecutionLog.

0

Hi, thanks a lot for that initiated and answer!
I'll review it in more detail shortly. :)
Kind regards,
Daniel

Related questions

0 votes
1 answer

It's possible to integrate ADAXES with HR Solution to create user in active directory ?

asked Feb 14, 2020 by babid (20 points)
0 votes
1 answer

Hi all, I have a condition during new user creation - Where the corporate email is entered into the email address field, but a custom drop-down for "Mailbox required?" is No. ... screen, and be able to save the result of this choice to a variable? Thanks all,

asked Oct 24 by dshortall (80 points)
0 votes
1 answer

We try to use ADSI scripting to automate some tasks using Adaxes 2023. One such task is to try to check whether an answer provided by a user to his question is correct or not. ... . But I do not see an easy way to do this using ADSI script and/or interfaces.

asked Oct 22 by gfang (20 points)
0 votes
1 answer

Hi team, I have a few questions about approval flows How can I send approval to individual user (stored in an custom attribute)? How can I do actions based on request is ... -> set accountExpire +6 Months if denied -> do nothing and account will expire

asked Mar 13 by wintec01 (1.5k points)
0 votes
1 answer

Hi all, I wanted to ask community if you are experiencing same behavior: Add a primary group owner to a security group in ADAXES console. Make sure Can update membership using ... list is checked? In my case it is CHECKED for some reason. Thanks all!

asked Dec 13, 2023 by mega128 (20 points)
3,589 questions
3,278 answers
8,303 comments
548,148 users