Hello,
Is it possible to grant members of a business unit permission to run a custom command?
There is no such possibility.
Or, create a task/rule that will add members of a business unit to a security group that can run the command.
Yes, you need to create a Scheduled Task that will add members of a Business Unit to a group and remove users from the group if they are no longer members of the Business Unit. To grant permissions to execute Custom Commands to members of the group, check the following tutorial: http://www.adaxes.com/tutorials_Delegat ... mmands.htm.
To create the Scheduled Task:
1. Launch Adaxes Administration Console.
2. Right-click your Adaxes service node, navigate to New and click Scheduled Task.
3. On step 3 of the Create Scheduled Task wizard select User Object type.
4. Click Add Action, select Add the User to a group and click Select Group.
5. Select a group and click OK twice.
6. Double-click Always and select If PowerShell script returns true.
7. Enter a short description and paste the following code into the Script field.
$businessUnitName = "My Unit" # TODO: modify me

# The condition is met only if the user is found in the Business Unit
$Context.ConditionIsMet = $False

# Search Business Units
$businessUnitsPath = $Context.GetWellKnownContainerPath("BusinessUnits")
$searcher = $Context.BindToObject($businessUnitsPath)
$searcher.SearchFilter = "(&(objectCategory=adm-BusinessUnit)(name=$businessUnitName))"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$searchResult = $null
try
{
    $searchResult = $searcher.ExecuteSearch()
    $units = $searchResult.FetchAll()
    if ($units.Count -eq 0)
    {
        $Context.LogMessage("A Business Unit with name '$businessUnitName' was not found", "Warning")
        return
    }
    foreach ($unit in $units)
    {
        # Bind to the Business Unit
        $unitObject = $Context.BindToObject($unit.AdsPath)
        # Check whether the target object is a member
        if ($unitObject.IsMember($Context.TargetObject))
        {
            $Context.ConditionIsMet = $True
            return
        }
    }
}
finally
{
    # Release resources used by the search (skipped if the search failed before returning a result)
    if ($searchResult) { $searchResult.Dispose() }
}
8. Click OK.
9. Right-click the set you have created and click Add Condition.
10. Select If is a member of <Group> and click Select Group.
11. Select the same group as in step 5 and click OK.
12. Select is not and click OK.
13. Right-click the set again and click Copy.
14. Right-click the free space and click Paste.
15. Double-click the first condition in the second set and input the following code into the Script field.
$businessUnitName = "My Unit" # TODO: modify me

# The condition is met unless the user is found in the Business Unit
$Context.ConditionIsMet = $True

# Search Business Units
$businessUnitsPath = $Context.GetWellKnownContainerPath("BusinessUnits")
$searcher = $Context.BindToObject($businessUnitsPath)
$searcher.SearchFilter = "(&(objectCategory=adm-BusinessUnit)(name=$businessUnitName))"
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$searcher.PageSize = 500
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"

$searchResult = $null
try
{
    $searchResult = $searcher.ExecuteSearch()
    $units = $searchResult.FetchAll()
    if ($units.Count -eq 0)
    {
        $Context.LogMessage("A Business Unit with name '$businessUnitName' was not found", "Warning")
        return
    }
    foreach ($unit in $units)
    {
        # Bind to the Business Unit
        $unitObject = $Context.BindToObject($unit.AdsPath)
        # Check whether the target object is a member
        if ($unitObject.IsMember($Context.TargetObject))
        {
            $Context.ConditionIsMet = $False
            return
        }
    }
}
finally
{
    # Release resources used by the search (skipped if the search failed before returning a result)
    if ($searchResult) { $searchResult.Dispose() }
}
16. Click OK and double-click the second condition in the second set.
17. Select If the user is member of and click OK.
18. Double-click the action in the second set and select Remove the User from a group.
19. Click Select Group and select the same group as in steps 5 and 11.
20. Click OK twice.
21. Click Next and finish creating the Scheduled Task.
You should have something like the following:
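Separately from the task layout described above, an added example (not from the original post and not Adaxes code): because the group is what grants the right to run the Custom Command, it is worth checking between task runs that group membership still matches the Business Unit. The function name `Get-MembershipDrift`, its parameters and the sample DNs are assumptions made for this sketch; both member lists are passed in as distinguished names that you export yourself.

```powershell
# Added example: report drift between Business Unit members and the
# permission group. Mirrors the two rule sets of the Scheduled Task.
function Get-MembershipDrift {
    param(
        [string[]]$BusinessUnitMembers = @(),
        [string[]]$GroupMembers = @()
    )

    # Distinguished names are compared case-insensitively
    $cmp   = [System.StringComparer]::OrdinalIgnoreCase
    $unit  = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $group = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $BusinessUnitMembers) { [void]$unit.Add($dn.Trim()) }
    foreach ($dn in $GroupMembers)        { [void]$group.Add($dn.Trim()) }

    # First rule set: in the Business Unit but not yet in the group
    foreach ($dn in $unit) {
        if (-not $group.Contains($dn)) {
            [pscustomobject]@{
                User       = $dn
                Drift      = 'MissingFromGroup'
                TaskAction = 'Add the User to a group'
            }
        }
    }

    # Second rule set: still in the group after leaving the Business Unit,
    # so the user can still run the Custom Command
    foreach ($dn in $group) {
        if (-not $unit.Contains($dn)) {
            [pscustomobject]@{
                User       = $dn
                Drift      = 'StalePermission'
                TaskAction = 'Remove the User from a group'
            }
        }
    }
}

# Constructed sample data (not real accounts)
$unitMembers  = @('CN=Ann Lee,OU=Sales,DC=example,DC=com',
                  'CN=Bo Diaz,OU=Sales,DC=example,DC=com')
$groupMembers = @('cn=ann lee,ou=sales,dc=example,dc=com',
                  'CN=Cy Roe,OU=IT,DC=example,DC=com')

Get-MembershipDrift -BusinessUnitMembers $unitMembers -GroupMembers $groupMembers |
    Format-Table -AutoSize
```

With the sample data, Bo Diaz is reported as `MissingFromGroup` and Cy Roe as `StalePermission`; an empty result means the group and the Business Unit agree.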