0 votes

Hello Adaxes Team

You have already helped me to send an approval to the manager of a user. https://www.adaxes.com/questions/12406/send-approval-request-to-manager-of-group-member

Can the script be customized to send the approval to an employee's Divisons Manager? All my division managers are members of the business unit "Division Managers" and can be identified that way.

For example, I have the following hierarchy:

  • CEO
  • |
  • DivManager1 (is member of Business Unit "Division Managers")
  • |
  • Manager1
  • |
  • Manager2
  • |
  • Employee1

So when Employee1 is added to a group, DivManager1 should receive the approval request.

thank you and greetings pudong

by (680 points)
0

Hello Pudong,

Sorry for the confusion, but it is not quite clear how to determine a division manager for a user. Is it a member of the specific group that has the same Division property value as the member being added to a group? If that is not it, please, describe the process of determining the manager in all the possible details with live examples. If post the details here is not convenient, you can send them to us at support@adaxes.com.

0

Hello I have created a business unit in Adaxes called "Division Manager" which contains all AD users that have the function Division Manager.

For example, I want to know the division manager from Paul. To get the Division Manager from Paul, his manager must be checked to see if he belongs to the Business Unit "Divison Manager". If this is not the case, the next higher manager is checked until the correct manager is found (Jeff).

image.png

I think in code it should look something like this:

$manager = Get-ADUser "paul" -Properties Manager

while($true)
{
$manager = Get-ADUser $manager.Manager -Properties Manager
if($manager is member of business unit "division manager") {break}
}

send approval to $manager
0

Hello,

Thank you for the provided details. As we understand, first the script should check the manager of the member being added to the group, then manager of the manager and so on until a manager that is a member of the specified business unit is found. Is that correct? If it is, please, specify what should be done in case if somebody in the chain does not have a manager or there is no manager belonging to the business unit found.

0

Yes, that is correct.

If the Division Manager could not be determined, the approval should be assigned to a specific person. In addition, this person should be sent an email with information about the problem (such as "Division Manager not found for %member%. Please check for alternative approver").

1 Answer

0 votes
by (288k points)
selected by
Best answer

Hello Pudong,

Thank you for the confirmation. Below is the script that should do the trick. Same like the previous one, this script should be executed in a business rule triggering Before adding a member to a group. In the script:

  • $predefinedAccountDN – Specifies the distinguished name (DN) of the person to submit the request for approval and send email to if no division manager is found. For information on how to get an object DN, see https://adaxes.com/sdk/HowDoI.GetDnOfObject.
  • $subject – Specifies the email notification subject.
  • $message – Specifies the email notification text.
  • $businessUnitDN – Specifies the distinguished name (DN) of the business unit containing division managers.
$predefinedAccountDN = "CN=John Smith,OU=Users,DC=company,DC=com" # TODO: modify me
$subject = "Division Manager not found for %adm-MemberFullName%." # TODO: modify me
$message = "Division Manager not found for %adm-MemberFullName%. Please check for alternative approver" # TODO: modify me
$businessUnitDN = "CN=My Unit,CN=Business Units,CN=Configuration Objects,CN=Adaxes Configuration,CN=Adaxes" # TODO: modify me

function SendMail ($recipientDN, $subject, $message)
{
    # Get recipient email
    $recipient = $Context.BindToObjectByDN($recipientDN)
    try
    {
        $recipientEmail = $recipient.Get("mail")
        $Context.SendMail($recipientEmail, $subject, $message, $NULL)
    }
    catch
    {
        $Context.LogMessage("The specified recipient has no email address. No notification will be sent.", "Warning")
    }
}

function GetApproverDN ($objectDN, $unit, $alreadyProcessedObjects)
{
    if (-not $alreadyProcessedObjects.Add($objectDN))
    {
        return $NULL
    }
    $object = $Context.BindToObjectByDN($objectDN)

    if ($unit.IsMember($object))
    {
        return $objectDN
    }
    else
    {
        # Get manager
        try
        {
            $managerDN = $object.Get("manager")
        }
        catch
        {
            return $NULL
        }
        $objectDN = GetApproverDN $managerDN $unit $alreadyProcessedObjects
    }
    return $objectDN
}

# Bind to the business unit
$unit = $Context.BindToObjectByDN($businessUnitDN)

# Bind to the member
$member = $Context.BindToObject("Adaxes://%member%")

# Check division manager
try
{
    $memberManagerDN = $member.Get("manager")
}
catch
{
    $Context.SubmitForApproval(@($predefinedAccountDN), $False, $False, $False, $False)
    SendMail $predefinedAccountDN $subject $message
}

$alreadyProcessedObjects = New-Object "System.Collections.Generic.HashSet[System.String]"
$approverDN = GetApproverDN $memberManagerDN $unit $alreadyProcessedObjects

# Submit for approval
if ($NULL -ne $approverDN)
{
    $Context.SubmitForApproval(@($approverDN), $False, $False, $False, $False)
}
else
{
    $Context.SubmitForApproval(@($predefinedAccountDN), $False, $False, $False, $False)
    SendMail $predefinedAccountDN $subject $message
}
0

Fantastic! I tested the script and it works exactly as requested.

Kudos. Your support is outstanding!

Thanks for the super fast help. Pudong

0

Hello Pudong,

Thank you for the confirmation and for your good words, it is much appreciated! Should you have any questions or need clarifications, do not hesitate to contact our Support Team.

Related questions

0 votes
1 answer

Hello I need some help to implement the following task: In a business rule "Before adding a member to a group" an approval should be sent to the manager of the member who will be added to the group. Do you have an example for this? Thanks and greetings Pudong

asked Jun 14, 2022 by pudong (680 points)
0 votes
1 answer

I need a specific user, when requesting another user to join a group, to have an approval sent to the AD management team. I tried to create a "Business Rule", but I'm getting an "Access Denied" error. Any idea what this could be?

asked Aug 20 by fgmello (40 points)
0 votes
0 answers

As the title mentions, I'm trying to figure out a way to have HR apply multiple modifications on a user's account (change of position, title, department, phone, etc...) ... phone number (in the same form), it sends two approval requests. Thanks for your help!

asked Jan 26, 2022 by lw.fa (130 points)
0 votes
1 answer

Adaxes seems to want to use the Manager field to specify who gets approval confirmation emails. What do you do about a user without a manager, such as the CEO? Let's assume they're not tech saavy, and the IT department needs to confirm their requests.

asked Feb 10, 2020 by Liam (20 points)
0 votes
1 answer

Hello, My "Employees" Security Role has the ability to write the 'Picture' property on Self only. Employees are able to edit and delete their own picture, but I ... set up the Business Rule to require manager approval before changing the picture? Thanks, Dan

asked Sep 6, 2012 by Dbradford (170 points)
3,538 questions
3,229 answers
8,222 comments
547,739 users