Access On Demand (Schedule Changing Group Membership)

Question

I am trying to create a process where a user can request access to one or more groups via a web form that also prompts for a date/time to be added (custom date attribute) and a number of hours before being removed from the group (custom integer attribute).

I thought I could do this by creating a business rule that would require approval before executing a powershell to set up a scheduled task to add the user to the group and another to remove the user after the specified number of hours. There are great examples of scripts that do parts of this, including setting up a scheduled task.

I created a modify user form to capture the date, duration, and select the groups. It works fine capturing all the information except the group. Using an example script, I am at a point where I can create the scheduled job after approval, but I have not figured out a good way to allow someone to select a group and pass that into the script?

Maybe creating a scheduled task to add membership and a second task to remove after the duration has expired is not the right approach. I am open to ideas and would appreciate the help.

$user = "%distinguishedName%"
$AODStart="%adm-CustomAttributeDate1%"
$AODLength="%adm-CustomAttributeInt1%"
$AODEnd = "%adm-CustomAttributeDate1%,$AODLength"
$group = "??????"
$actiont = %action%

# Scheduled task settings
$containerName = "AOD - Auto Tasks" # Where to create scheduled task
$taskName = "AOD - Start - %username%" # Name Task
$taskDescription = "AOD Start Access" # Description of Task
$deleteTaskAfterExecution = $False # Set to $false for testing and $true for normal use

# Script for action
$scriptDescription = "Start AOD" 

$scriptToExecute = "Add-AdmGroupMember $group $user -ErrorAction SilentlyContinue"

function CheckNameForUnique($taskPath)
{
    try
    {
        $task = $Context.BindToObject($taskPath)
        return $False
    }
    catch
    {
        return $True
    }
}

# Bind to the Scheduled Tasks container
$scheduledTasksPath = $Context.GetWellKnownContainerPath("ScheduledTasks")
$scheduledTasksPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $scheduledTasksPath
$containerPath = $scheduledTasksPathObj.CreateChildPath("CN=$containerName")
$container = $Context.BindToObject($containerPath)

$Context.LogMessage("task | " + $container , "Error")

# If the task name is not unique, generate a unique one
$uniqueName = $taskName
for ($i = 1; $True; $i++)
{
    $taskPath = $containerPath.CreateChildPath("CN=$uniqueName")
    if (CheckNameForUnique $taskPath)
    {
        break
    }
    $uniqueName = "$taskName`_$i"
}

# Create a Scheduled Task
$task = $container.Create("adm-ScheduledTask", "CN=$uniqueName")

$task.ObjectType = "domainDNS"
$task.Description = $taskDescription
$task.Disabled = $False
$task.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_BEFORE"
$task.OperationType = "none"
$task.DeleteTaskAfterExecution = $deleteTaskAfterExecution

$recurrencePattern = $task.GetRecurrencePattern()
$recurrencePattern.RecurrenceType = "ADM_RECURRENCEPATTERNTYPE_ONCE"
$recurrencePattern.PatternStartDateTime = ($AODStart)
$task.SetRecurrencePattern($recurrencePattern)

$task.SetInfo()

# Define actions and conditions

# Create a new set of actions and conditions
$actionsAndConditions = $task.ConditionedActions.Create()
$actionsAndConditions.ConditionsLogicalOperation = "ADM_LOGICALOPERATION_AND"
$actionsAndConditions.SetInfo()

# Add Run PowerShell Script action
$action = $actionsAndConditions.Actions.CreateEx("adm-RunScriptAction")
$action.ExecutionOptions = "ADM_ACTIONEXECUTIONOPTIONS_SYNC"
$scriptAction = $action.GetAction()
$scriptAction.ScriptType = "ADM_SCRIPTTYPE_POWERSHELL"
$scriptAction.ScriptDescription = $scriptDescription
$scriptAction.Script = $scriptToExecute.ToString()
$action.SetAction($scriptAction)
$action.SetInfo()
$actionsAndConditions.Actions.Add($action)

# Add the set to the Scheduled Task
$task.ConditionedActions.Add($actionsAndConditions)

# Set the scope of activity to All Objects
$scopeItem = $task.ActivityScopeItems.Create()
$scopeItem.BaseObject = $NULL
$scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
$scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
$scopeItem.Exclude = $False
$scopeItem.SetInfo()

$task.ActivityScopeItems.Add($scopeItem)

Answer 1

Hello,

Using a Business Rule triggered after updating a user, you won't be able to get the groups a user selected on your custom form. Adding a user to a group means modifying the group, not the user. In such a case, the Distinguished Name (DN) of the user is added to the Member property of the group.

To work around this, on your custom form, instead of the Member Of section, you can add a certain property of the user account that can store multiple DN values. Users will be able to specify the groups they need using that property. There are 2 properties that you can use for this purpose: See Also or Secretary.

Thus, when a user requests access to a group:

1. On your custom form, the user picks a date (custom date/time attribute), number of hours (custom integer attribute) and the groups they need (See Also or Secretary).
2. Using a Business Rule triggered before updating a user, the modification is submitted for approval.
3. If approved, another Business Rule triggered after updating a user updates a certain multi-valued string (text) attribute of the user. It adds 1 line for each group. Each line contains: group DN, date and time when to add the user to the group, date and time when to remove the user.
4. A Scheduled Task run once an hour will check the multi-valued attribute of each user and will add/remove them from the groups based on the information specified in the attribute.

If you are OK with such a solution, we will provide you with detailed instructions on how to achieve it.

Comments

Yes, this sounds like an approach that would be very beneficial. I will send a PM with some additional context for your consideration.