Send approval to division manager

Question

Hello Adaxes Team

You have already helped me to send an approval to the manager of a user. https://www.adaxes.com/questions/12406/send-approval-request-to-manager-of-group-member

Can the script be customized to send the approval to an employee's Divisons Manager? All my division managers are members of the business unit "Division Managers" and can be identified that way.

For example, I have the following hierarchy:

• CEO
• |
• DivManager1 (is member of Business Unit "Division Managers")
• |
• Manager1
• |
• Manager2
• |
• Employee1

So when Employee1 is added to a group, DivManager1 should receive the approval request.

thank you and greetings pudong

Comments

Hello Pudong,

Sorry for the confusion, but it is not quite clear how to determine a division manager for a user. Is it a member of the specific group that has the same Division property value as the member being added to a group? If that is not it, please, describe the process of determining the manager in all the possible details with live examples. If post the details here is not convenient, you can send them to us at support@adaxes.com.

---

Hello I have created a business unit in Adaxes called "Division Manager" which contains all AD users that have the function Division Manager.

For example, I want to know the division manager from Paul. To get the Division Manager from Paul, his manager must be checked to see if he belongs to the Business Unit "Divison Manager". If this is not the case, the next higher manager is checked until the correct manager is found (Jeff).

I think in code it should look something like this:

$manager = Get-ADUser "paul" -Properties Manager

while($true)
{
$manager = Get-ADUser $manager.Manager -Properties Manager
if($manager is member of business unit "division manager") {break}
}

send approval to $manager

---

Hello,

Thank you for the provided details. As we understand, first the script should check the manager of the member being added to the group, then manager of the manager and so on until a manager that is a member of the specified business unit is found. Is that correct? If it is, please, specify what should be done in case if somebody in the chain does not have a manager or there is no manager belonging to the business unit found.

---

Yes, that is correct.

If the Division Manager could not be determined, the approval should be assigned to a specific person. In addition, this person should be sent an email with information about the problem (such as "Division Manager not found for %member%. Please check for alternative approver").

Answer 1

Hello Pudong,

Thank you for the confirmation. Below is the script that should do the trick. Same like the previous one, this script should be executed in a business rule triggering Before adding a member to a group. In the script:

• $predefinedAccountDN – Specifies the distinguished name (DN) of the person to submit the request for approval and send email to if no division manager is found. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.
• $subject – Specifies the email notification subject.
• $message – Specifies the email notification text.
• $businessUnitDN – Specifies the distinguished name (DN) of the business unit containing division managers.

$predefinedAccountDN = "CN=John Smith,OU=Users,DC=company,DC=com" # TODO: modify me
$subject = "Division Manager not found for %adm-MemberFullName%." # TODO: modify me
$message = "Division Manager not found for %adm-MemberFullName%. Please check for alternative approver" # TODO: modify me
$businessUnitDN = "CN=My Unit,CN=Business Units,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

function SendMail ($recipientDN, $subject, $message)
{
    # Get recipient email
    $recipient = $Context.BindToObjectByDN($recipientDN)
    try
    {
        $recipientEmail = $recipient.Get("mail")
        $Context.SendMail($recipientEmail, $subject, $message, $NULL)
    }
    catch
    {
        $Context.LogMessage("The specified recipient has no email address. No notification will be sent.", "Warning")
    }
}

function GetApproverDN ($objectDN, $unit, $alreadyProcessedObjects)
{
    if (-not $alreadyProcessedObjects.Add($objectDN))
    {
        return $NULL
    }
    $object = $Context.BindToObjectByDN($objectDN)

    if ($unit.IsMember($object))
    {
        return $objectDN
    }
    else
    {
        # Get manager
        try
        {
            $managerDN = $object.Get("manager")
        }
        catch
        {
            return $NULL
        }
        $objectDN = GetApproverDN $managerDN $unit $alreadyProcessedObjects
    }
    return $objectDN
}

# Bind to the business unit
$unit = $Context.BindToObjectByDN($businessUnitDN)

# Bind to the member
$member = $Context.BindToObject("Adaxes://%member%")

# Check division manager
try
{
    $memberManagerDN = $member.Get("manager")
}
catch
{
    $Context.SubmitForApproval(@($predefinedAccountDN), $False, $False, $False, $False)
    SendMail $predefinedAccountDN $subject $message
}

$alreadyProcessedObjects = New-Object "System.Collections.Generic.HashSet[System.String]"
$approverDN = GetApproverDN $memberManagerDN $unit $alreadyProcessedObjects

# Submit for approval
if ($NULL -ne $approverDN)
{
    $Context.SubmitForApproval(@($approverDN), $False, $False, $False, $False)
}
else
{
    $Context.SubmitForApproval(@($predefinedAccountDN), $False, $False, $False, $False)
    SendMail $predefinedAccountDN $subject $message
}

Comments

Fantastic! I tested the script and it works exactly as requested.

Kudos. Your support is outstanding!

Thanks for the super fast help. Pudong

---

Hello Pudong,

Thank you for the confirmation and for your good words, it is much appreciated! Should you have any questions or need clarifications, do not hesitate to contact our Support Team.