Concurrency in scheduled task

Question

Hello all,

New to Adaxes but a quick search didn't turn up anything relevant thusfar.. here's the scenario:

3 App access groups, Platinum, Gold and Silver.

There are business rules to determine Platinum and Gold and Silver is 'everyone else'.

I setup a scheduled task (to start) to check and assign permissions (will eventually use a on create rule, but when it runs isn't the point yet!)

The business rules successfully assign the user to the right group (Platinum or Gold), but it then assigns everyone regardless to Silver, altho the silver rule is:

If
User IS NOT in Platinum
AND
User IS NOT in Gold

If I move that exact rule to a second task, and run them sequentially, it works fine.. so it looks like a concurrency problem?

I don't mind making them separate tasks, but then, is there a good way to chain tasks together? Can I trigger a scheduled task to start when one finishes?

Any guidance would be appreciated!

Comments

Hello Ryan,

For troubleshooting purposes, could you post here or send us (support[at]adaxes.com) configuration screenshots of the Business Rules and Scheduled Task that are involved in the workflow? Make sure that screenshots of the Business Rules include the triggering operations. Below are examples of the screenshots we need.
Business Rule configuration:

Scheduled Task configuration:

---

Will it work correctly if you use an OR operator instead of AND?

---

Hello,

We need to see your configuration to provide any details.

---

Yup, sorry, just getting back into the office today!

OK so, start by emptying groups, otherwise everyone ends up in all the groups.

Our first two rules then establish the top level of application access, based on job description or OU.

The next 4 rules establishes the second group, based on higher level OUs that capture big swaths of users discounting anyone who has their permission assigned to the top group (hence all the ANDs.. it would be very helpful to mix ANDs and ORs in the same action, but its really not too difficult to work around)

The second screenshot is the last rule that only runs correctly if we run is separately.

Answer 1

Hello Ryan,

All users get added to the Piction Silver group because all conditions are resolved before executing the Scheduled Task. There is no possibility to group the actions/conditions to achieve what you need. We recommend using a Business Rule triggering After Creating a User and the following PowerShell script:

# First Group Settings
$firstGroupDN = "CN=FirstGroup,OU=Groups,DC=domain,DC=com" # TODO: modify me
$firstGroupContainers = @("OU=IT,OU=Users,DC=domain,DC=com", "OU=Sales,OU=Users,DC=domain,DC=com") # TODO: modify me

# Second Group Settings
$secondGroupDN = "CN=SecondGroup,OU=Groups,DC=domain,DC=com" # TODO: modify me
$secondGroupContainers = @("OU=Marketing,OU=Users,DC=domain,DC=com", "OU=Administrators,OU=Users,DC=domain,DC=com") # TODO: modify me

# Third Group Settings
$thirdGroupDN = "CN=ThirdGroup,OU=Groups,DC=domain,DC=com" # TODO: modify me

function IsLocatedUnderContainers($userDN, $containersDNs)
{
    foreach ($dn in $containersDNs)
    {
        if ($userDN.IsDescendantOf($dn))
        {
            return $True
        }
    }

    return $False
}

# Check conditions for First group
$userDN = New-Object Softerra.Adaxes.Ldap.DN "%distinguishedName%"
if ("%title%" -eq "Graphic Designer" -or
    "%title%" -eq "Print/Digital Designer" -or
    (IsLocatedUnderContainers $userDN $firstGroupContainers))
{
    # Add to first group
    $group = $Context.BindToObjectByDN($firstGroupDN)
    $group.Add($Context.TargetObject.AdsPath)
}
elseif (IsLocatedUnderContainers $userDN $secondGroupContainers)
{
    # Add to second group
    $group = $Context.BindToObjectByDN($secondGroupDN)
    $group.Add($Context.TargetObject.AdsPath)
}
else
{
    # Add to third group
    $group = $Context.BindToObjectByDN($thirdGroupDN)
    $group.Add($Context.TargetObject.AdsPath)
}

In the script:

• $firstGroupDN, $secondGroupDN, $thirdGroupDN – Specify distinguished names of Platinum, Gold and Silver groups accordingly;
• $firstGroupContainers – Specifies distinguished names of OUs where the user should be located to be added to the Platinum group;
• $secondGroupContainers – Specifies distinguished names of OUs where the user should be located to be added to the Gold group.

To create the Business Rule:

1. Launch Adaxes Administration Console.
2. Right-click your Adaxes service node, navigate to New and click Business Rule.
   
3. On step 2 of the Create Business Rule wizard, select User Object type.
4. Select After Creating a User and click Next.
   
5. Click Add Action.
6. Select Run a program or PowerShell script.
7. Paste the script into the Script field.
8. Enter a short description and click OK.
   
9. Click Next and finish creating the Business Rule.

Comments

Sorry for the delay thanks for the help, will give this a try!