0 votes

We have a rather manual process that we follow here when we have a user that changes from one role to another...and the user still needs access of both roles for a short period of time (Soft Transfer).

What we do when this occurs is create a new active directory group (include the username and date in the group name), place/nest all of the groups the user had on their account for their old role within the new group, add this group to the user, remove all other groups on the account, and then apply new groups to the account.

We then have a rather manual process to check the OU where these groups live and delete them when the access is no longer needed. (not looking to automate this at the moment).

I have had luck implementing the following for copying User to User group memberships

https://www.adaxes.com/script-repositor ... rs-s31.htm
OR
For Group to Group Copying
https://www.adaxes.com/script-repositor ... ip-s32.htm

But am struggling to find (if it's even possible) anything referencing what we're looking for (a user object's group membership to a group).

Thoughts? Thanks!

by (140 points)
0

Hello,

What version of Adaxes are you currently using? To check that, do the following:

  1. Launch Adaxes Administration Console.
  2. Right-click your service.
  3. Click Properties in the context menu.
  4. Adaxes version is displayed on the General tab.

Is the user role stored in a property of the user (e.g. Title or Department)?
How do you get the groups associated with a user role?

0

You bet, we are using version 3.9.15526.0.

Are the user roles indicated by a user property in Active Directory (e.g. Title or Department)?

We have both the title and department fields populated on our users, and that does come from our HR system. We do not have any business rules currently created around those since those user properties are often inaccurate. This is something we are working on addressing.
That being said, if we want to call on those fields during this transfer process I have no issues with that.

How do you get the groups associated with a user role?
Currently it's a manual process where we create a group in an identified OU, name it (with the date and userID), and then add each group to that role, then nest it under the user. For account creation, it's done via a "copy user" process today. We are working towards creating role groups but need to get HR's buy-in prior to doing so.

0

Hello,

Sorry for the confusion, it looks like our questions were not quite straight. Let us clarify the information we need to help you with the solution.

What exactly do you call a user role? When it changes, what exactly happens except for adding/removing the user from groups? Do specific properties of the user account get changed? If so, which exactly?

In your initial request, you mentioned that after a role update a user is added to new groups. We understand the part about removing from current groups (including the part regarding the group that contains groups for the previous user role), but what about the groups for the new role? How do you indicate that a specific user role requires the user to be a member of a specific group(s)?

0

What exactly do you call a user role? When it changes, what exactly happens except for adding/removing the user from groups? Do specific properties of the user account get changed? If so, which exactly?

This is a manual trigger today that the "new" manager submits via our ticket system (unfortunately).

In your initial request, you mentioned that after a role update a user is added to new groups. We understand the part about removing from current groups (including the part regarding the group that contains groups for the previous user role), but what about the groups for the new role? How do you indicate that a specific user role requires the user to be a member of a specific group(s)?

We receive a request via our ticket system with a copy person (similar to our Onboarding process) and then use the script here to "Copy" their group membership.

Really the piece we're missing is the ability to copy the group membership of a user object and then "paste" those into a group object.

1 Answer

0 votes
by (289k points)
selected by
Best answer

Hello,

Thank you for clarifying. The solution will include an Action and a Business Rule triggering After Updating a User. The Action form will include only an Adaxes custom text attribute (e.g. CustomAttributeText1) that will be used to specify the name of the new group. The Business Rule will trigger once the custom attribute is updated, create a new group, add the user to members of the new group, add the new group to members of current user groups and then remove the user from all the groups except for the new one.

i. Creating the Action

  1. Open Adaxes Web Interface Configurator.
  2. In the top left corner, select the Web Interface you need.
  3. In the Actions section, click Add.
  4. Select Modify User and click Next three times.
  5. Select Use customized form and click Customize form.
  6. Remove all the sections except for one (e.g. General).
  7. Remove all the properties from the Fields section and click Add below.
  8. Select CustomAttributeText1 and click OK twice.
  9. Click Finish.

For information on how to specify custom display names for properties, see https://www.adaxes.com/help/,HowDoI.Man ... Names.html.

ii. Creating the Business Rule

  1. Launch Adaxes Administration Console.

  2. In the Console Tree, right-click your service node.

  3. In the context menu, navigate to New and click Business Rule.

  4. On step 2 of the Create Business Rule wizard, select User Object type.

  5. Select After Updating a User and click Next.

  6. Click Add an action.

  7. Select Run a program or PowerShell script.

  8. Paste the below script into the Script field.
    In the script:

    • $groupNameAttribute - Specifies the LDAP name of the property that stores the name of the group to be created (e.g. adm-CustomAttributeText1);
    • $ouDN - Specifies the distinguished name (DN) of the container where the new group will be created;
    • $groupType - Specifies the type of group to create.

     $groupNameAttribute = "adm-CustomAttributeText1" # TODO: modify me
     $ouDN = "OU=Groups,DC=Domain,DC=com" # TODO: modify me
     [Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType = "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED" # TODO: modify me
    
     # Get group name
     try
     {
         $groupName = $Context.TargetObject.Get($groupNameAttribute)
     }
     catch
     {
         $Context.LogMessage("Group name not specified", "Warning")
         return
     }
    
     # Create group
     $ou = $Context.BindToObjectByDN($ouDN)
     $newGroup = $ou.Create("group", "CN=$groupName")
     $newGroup.Put("groupType", [Int32]$groupType)
     $newGroup.Put("sAMAccountName", $groupName)
    
     try
     {
         $newGroup.SetInfo()
     }
     catch
     {
         $Context.LogMessage("An error occurred when creating group '$groupName'. Error: " + $_.Exception.Message, "Warning")
         return
     }
    
     # Copy user groups
     try
     {
         $groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
     }
     catch
     {
         $groupGuidsBytes = @()
     }
    
     # Get the Primary Group ID
     $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
    
     foreach ($guidBytes in $groupGuidsBytes)
     {
         $guid = [GUID]$guidBytes
         $group = $Context.BindToObject("Adaxes://<GUID=$guid>")
    
         # Skip Primary Group
         if ($group.Get("primaryGroupToken") -eq $primaryGroupId)
         {
             continue
         }
    
         # Remove user from group
         $group.Remove($Context.TargetObject.AdsPath)
    
         # Add created group to group
         $group.Add($newGroup.AdsPath)
     }
    
     # Add user to new group
     $newGroup.Add($Context.TargetObject.AdsPath)
  9. Enter a short description and click OK.

  10. Right-click the action you created and click Add Condition in the context menu.

  11. Select If <property> changed.

  12. Select If CustomAttributeText1 has changed and click OK.

  13. Right-click the action you created and click Add Condition in the context menu again.

  14. Select If <property><relation><value>.

  15. Select If CustomAttributeText1 is not empty and click OK.

  16. Click Next and finish creating the Business Rule. You should have something like the following:
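As an added example (not the script from the answer above, nor Adaxes' own code): a variant of the step 8 script that derives the transfer group's name from the user's sAMAccountName and today's date, as the asker's manual process does, does nothing if a group of that name already exists, and stamps the group's description so the manual OU clean-up can spot stale groups. It assumes it runs in the same Business Rule (the custom attribute then serves only as the trigger), that the OU DN and the "xfer" prefix are placeholders to change, and that BindToObjectByDN throws for a missing object.

```powershell
# Added example, not the answer's script. Only the $Context methods already used in
# the answer above are relied on. OU DN and prefix are assumed placeholders.
$ouDN = "OU=Groups,DC=Domain,DC=com"   # TODO: modify me
$prefix = "xfer"                        # TODO: modify me (naming prefix for transfer groups)
[Softerra.Adaxes.Interop.Adsi.ADS_GROUP_TYPE_ENUM]$groupType = "ADS_GROUP_TYPE_GLOBAL_GROUP, ADS_GROUP_TYPE_SECURITY_ENABLED"

# Name the holder group after the user and the date, as the manual process did
$sam = $Context.TargetObject.Get("sAMAccountName")
$today = Get-Date -Format "yyyyMMdd"
$groupName = "$prefix-$sam-$today"

# Idempotency check: if the rule fires again for the same name, do nothing rather than
# moving the user's (already moved) memberships a second time.
# Assumes BindToObjectByDN throws when the object does not exist.
try
{
    $null = $Context.BindToObjectByDN("CN=$groupName,$ouDN")
    $Context.LogMessage("Group '$groupName' already exists, nothing changed", "Warning")
    return
}
catch
{
    # Bind failed, so the name is free and we can proceed
}

$ou = $Context.BindToObjectByDN($ouDN)
$newGroup = $ou.Create("group", "CN=$groupName")
$newGroup.Put("groupType", [Int32]$groupType)
$newGroup.Put("sAMAccountName", $groupName)
# Stamp who and when, so the OU clean-up can find groups that have outlived the transfer
$newGroup.Put("description", "Soft transfer holder for $sam, created $today; delete when old-role access is no longer needed")
$newGroup.SetInfo()

# Re-point every direct group membership (except the primary group) to the new group
try   { $groupGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid") }
catch { $groupGuidsBytes = @() }
$primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
$moved = 0
foreach ($guidBytes in $groupGuidsBytes)
{
    $group = $Context.BindToObject("Adaxes://<GUID=$([GUID]$guidBytes)>")
    if ($group.Get("primaryGroupToken") -eq $primaryGroupId) { continue }
    $group.Remove($Context.TargetObject.AdsPath)
    $group.Add($newGroup.AdsPath)
    $moved++
}
$newGroup.Add($Context.TargetObject.AdsPath)
$Context.LogMessage("Created '$groupName' and moved $moved group membership(s) into it", "Information")
```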

0

I appreciate the fast response here. I have not had time to test this but it looks like this will do what we need. Thanks!
