Check role in Before User creation event

Question

Hi Team,

We are using a set of form/business rules/custom commands for user creation that move user account to the right OU given the Office attribute value.
I would like to check during On Before User creation BR if the the operator has the right on the target OU before creating the user account. Right now, if he hasn't got the rights, the account is created in the default OU and not moved, which is not exactly what we expect.
I'm sure it will be easy to do through a script, but can't find valuable information on the web site.

Thanks in advance

Regards

Stephen

Comments

Stephan,

We were hitting something like this as well, but we decided that Adaxes logs everything and we could reduce the visibility of AD, so being strict with the OU access was kind of a mute point. We set up home page actions for our help desk techs to be able to create users in a very specific OU. They do have the right to create in the other user OUs, but they do not see the AD organization or the OUs. We set different rules on office and company name to move the objects to other OUs after they have been created.

---

Well, that's more or less what we are doing right now in Europe but we are hitting the limits now for some of our affiliates.
Of course Adaxes logs everything but we want to prevent errors/misuse of the forms.
I'm sure that through a pre processing BR, it should be possible to check operator's role and then cancel the operation if needed, i just need the object model/script logic.

Thanks for your answer

Answer 1

Hello Stephen.

The issue is not in Security Roles. When an object is moved with a Business Rule, the permissions of the user who performed the initial operation are not checked. My guess is that something is wrong with the Business Rule (for example, there exist offices, for which no conditions are met).

Comments

I think you misunderstood me (which is perfectly normal, it's not very clear :-) )

I'm not facing an issue, i'm just trying to implement something.
I would like to check in a business rule (before user account creation) the role operator is member of, to allow or cancel the operation.
For instance, in the user creation form, i select "FR Office Paris" in the Office attribute. When i submit the form, i want to check if the operator is member of the role "FR Paris Administrator" and if not, i cancel the operation.

Quite simple on the paper.

Thanks

Stephen

---

Hello Stephen,

Yes, I misunderstood you, sorry. :)

I would like to check in a business rule (before user account creation) the role operator is member of, to allow or cancel the operation.
For instance, in the user creation form, i select "FR Office Paris" in the Office attribute. When i submit the form, i want to check if the operator is member of the role "FR Paris Administrator" and if not, i cancel the operation.

You can check if the initiator of the operation is assigned to a certain role with the help of a PowerShell script. You can use such a script in the If PowerShell script returns true condition to determine when to cancel the operation.

As to the actual script, our script guy is working on it. As soon as he comes up with something, I will post the script in this topic and provide you with more detailed instructions.

---

Hello Stephen,

To accomplish your task, you need to create a Business Rule that is triggered before creating a user. In this Business Rule, you can check whether the initiator of the operation has sufficient permissions to create users in the OU, to which the user will be moved after creation. The checking is performed by a PowerShell script using the If PowerShell script returns true condition. If the initiator does not have sufficient permissions, the Business Rule will cancel the operation. To create such a Business Rule:

1. Create a new Business Rule.

2. On the 2nd step of the Create Business Rule wizard, select User and Before Creating a User.
   

3. On the 3rd step, add the Cancel this operation action.

4. Specify the reason for cancelling, if necessary, and click OK.
   

5. Double-click Always.

6. Add the If PowerShell script returns true condition and paste the following script:

    # TODO: Specify offices in the following format: "Office name"="Office OU DN", each office should be followed by a semicolon
    # Example: $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}
    $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}
   
    $Context.ConditionIsMet = $False
    $targetUserOffice = $Context.GetModifiedPropertyValue("physicalDeliveryOfficeName")
   
    if($targetUserOffice -ne $NULL)
    {
        $ouDN = $officesInfo[$targetUserOffice]
    }
   
    if($ouDN -ne $NULL)
    {
        $targetOU = $Context.BindToObjectEx("Adaxes://"+ $officesInfo[$targetUserOffice], $True)
        $objectTypesAllowedToCreate = $targetOU.ObjectTypesAllowedToCreate
   
        if (-not($objectTypesAllowedToCreate -contains "user"))
        {
            $Context.ConditionIsMet = $True
        }
    }
   

   In the script, $officesInfo specifies a list of offices. Each office should be be specified in the "Office name"="Office OU DN" format,
   where:

   • "Office name" - the name of the office,
   • "Office OU DN" - the Distinguished Name (DN) of the OU, to which newly created users are moved when this office is specified.

   Each office should be followed by a semicolon, for example:
   $officesInfo = @{"Germany"="OU=Germany,DC=domain,DC=com";"Paris"="OU=Paris,OU=France,DC=domain,DC=com";}

   To get the DN of an Organizational Unit:

   • Right-click the OU you need in the Console Tree (Adaxes Administration Console).
   • In the context menu, open the submenu of the Copy item.
   • Click Copy DN. The DN of the selected OU will be copied to the clipboard.
     

7. Click OK and finish creation of the Business Rule.

---

Excellent, this exactly what i need.

Thanks !