Correct Action Sequence For Using New Attributes

Question

Hi,

I'm trying to get an email sent to a users *new* manager after the field has been changed -see screenshot:-

Is this the correct sequence, as the email is still going to the old manager? I have another job that triggers *before* the change to email the old manager, and that is fine.

Rgds

Answer 1

Hello,

The thing is that when you use value references in your Business Rules, Adaxes collects all the value references used in the Business Rules and resolves them only once: before executing the main operation. So, in this specific case, Adaxes resolves the %adm-ManagerEmail% value reference before updating a user and uses the same resolved value for both Business Rules executed before updating a user, and Business Rules executed after updating a user.

To send an email to the new manager, you need to use the Get method provided by the IADs interface supported by any directory object to get the DN of the new manager. Then, you need to bind to the user account of the new manager and get his email. For example:

$newManager = $Context.TargetObject.Get("manager")
$newManagerObj = $Context.BindToObjectByDN($newManager)
$newManagerEmail = $newManagerObj.EmailAddress
$Context.SendMail($newManagerEmail, $subject, $NULL, $htmlBody)

For more information, see Adaxes SDK:

Get method of the IADs interface: http://adaxes.com/sdk/?IADs.html#iads_get,
Binding to directory objects: http://adaxes.com/sdk/?ServerSideScript ... dsiObjects,
BindToObjectByDN method of the ExecuteScriptContext Class: http://adaxes.com/sdk/?ExecuteScriptCon ... objectbydn,
Also, take a look at the first example in the Sending Emails and SMS section: http://www.adaxes.com/sdk/?ServerSideSc ... ailsAndSms .

Comments

Cool - many thanks.

Slight aside re: the scripts you helped with on account reviews.

The 'denied review' script that checks for outstanding approval tickets is having a 'hard time' as we have well over a 1000 pending approvals that it needs to iterate through.

Performance wise it may be easier for us to try and find a denied approval in the log, can I assume it will just be a case of changing:-

$requests = $container.GetApprovalRequests("ADM_APPROVALSTATE_PENDING")

to

$requests = $container.GetApprovalRequests("ADM_APPROVALSTATE_DENIED")

in order to search this container and look for a denied approval matching the scheduled task and the target user GUID?

Thanks

---

Hello,

As far as we can recollect, the 'Denied Review' Scheduled Task was made for the following purpose: it should check whether the CustomAttributeText10 property is set to "Review In Progress" for the user. If the value for the property is "Review In Progress", it should check whether there are any pending Approval Requests for the user created by the 'Review Initiation' Task. If there are no such Approval Requests, it is assumed that the Request to postpone revision has been denied, and the Task should proceed to user deletion.

If the above is correct, then actually we came up with a more elegant solution that is less stressing for your environment. The thing is that you can create a Business Rule triggered after denying an Approval Request. The only issue is that you cannot do this from the UI, you need to use a script to create such a Business Rule.

What we suggest is that you can create a Business Rule triggered after denying an Approval Request. When the Business Rule is triggered, it will check with the help of the If PowerShell script returns True condition whether the initiator of the Approval Request is the "Review Initiation" Scheduled Task. If the initiator of the Approval Request is the "Review Initiation" Scheduled Task, the Business Rule will perform the actions related to user deletion.

To create such a Business Rule:

1. To create a Business Rule triggered after denying an Approval Request, first, you need to create an empty Business Rule executed After Updating an Approval Request with the help of a PowerShell script. To do this:

   • Copy the following PowerShell script and save it to a file with a .ps1 extension.

       ```powershell
     
       $ruleName = "My Rule" # TODO: Modify me
     
       # Connect to the Adaxes service
       $admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
       $admService = $admNS.GetServiceDirectly("localhost")
     
       # Bind to the 'Business Rules' container
       $businessRulesPath = $admService.Backend.GetConfigurationContainerPath(
           "BusinessRules")
       $businessRulesContainer = $admService.OpenObject($businessRulesPath,
           $NULL, $NULL, 0)
     
       # Create a new Business Rule
       $rule = $businessRulesContainer.Create("adm-BusinessRule", "CN=$ruleName")
     
       # Triggering Operation: After updating an Approval Request
       $rule.ExecutionMoment = "ADM_BUSINESSRULEEXECMOMENT_AFTER"
       $rule.ObjectType = "adm-ApprovalRequest"
       $rule.OperationType = "set properties"
       $rule.Disabled = $False
       $rule.SetInfo()
     
       # Include All Objects in the Activity Scope of the Business Rule
       $scopeItem = $rule.ActivityScopeItems.Create()
       $scopeItem.BaseObject = $NULL
       $scopeItem.Type = "ADM_SCOPEBASEOBJECTTYPE_ALL_DIRECTORY"
       $scopeItem.Inheritance = "ADS_SCOPE_SUBTREE"
       $scopeItem.Exclude = $False
       $scopeItem.SetInfo()
       $rule.ActivityScopeItems.Add($scopeItem)
     
       # Save the Business Rule
       $rule.SetInfo()
     
       ```

   • In the script, $ruleName specifies the name of the Business Rule that will be created. Modify it per your requirements.

   • Copy the saved script to the computer where Adaxes service is installed.

   • On the computer where Adaxes service is installed, launch Windows PowerShell.

   • Navigate to the directory where you copied the PS1 file. For example, if you copied the script to the C:\Scripts folder, type:

       ```powershell
       cd C:\Scripts
       ```

   • Run the script using the following command:

       ```powershell
       .\Myscript.ps1
       ```
     
       where **Myscript.ps1** is the name of the **PS1** file created on the **1st** step.

2. Now, you need to add actions and conditions to the Business Rule. For this purpose, launch Adaxes Administration Console.

3. Navigate to and select the Business Rule with the name that you specified in $ruleName. You will find an empty Business Rule triggered After Updating an Approval Request.
   

4. First, you need to add actions to the Business Rule. Since the Business Rule is executed after updating an Approval Request, you should remember that the target object of the operation will be the Approval Request, not the user. As for accessing the user that is the target object of the Request, you can access the user's account with scripts. For example, the following script executed with the help of the Run a program or PowerShell script action sets the CustomAttributeText10 property of the user to Review Denied and disables the user:

    $targetUserAdsPath = $Context.TargetObject.TargetObject.ADsPath
    $targetUser = $Context.BindToObject($targetUserAdsPath)
    $targetUser.Put("adm-CustomAttributeText10", "Review Denied")
    $targetUser.AccountDisabled = $True
    $targetUser.SetInfo()
   

5. Now, you need to add conditions. Since denying an Approval Request actually means changing the ApprovalState property of the Request, we need to check whether the ApprovalState property has changed. Press the Add Condition button.
   

6. Select the If <property> <changed> condition.

7. Expand the <property> drop-down list.

8. Select the Show all properties option.

9. Select the ApprovalState property.

10. Select has changed and click OK.
    

11. When you deny an Approval Request, the ApprovalState property of the Request is set to 2. So, we also need to check whether the ApprovalState property now equals 2. Press the Add Condition button again.

12. Select the If <property> <relation> <value> condition.

13. Expand the <property> drop-down list.

14. Select the Show all properties option.

15. Select the ApprovalState property.

16. Select equals, type 2 and click OK.
    

17. Now, the final check. We need to make sure that the Approval Request has been initiated by the 'Review Initiation' Scheduled Task. Press the Add Condition button again.

18. Select the If PowerShell script returns True condition.

19. Paste the following PowerShell script in the Script field.

     $scheduledTaskName = "Review Initiation"
    
     $requestorName = $Context.TargetObject.Requestor.Get("name")
     $Context.ConditionIsMet = ($requestorName -ieq $scheduledTaskName)
    

    

20. In the script, $scheduledTaskName specifies the name of your 'Review Initiation' Scheduled Task. Modify the script to your requirements.

21. Enter a short description for the script and click OK.

22. When finished, save the Business Rule and retire the Scheduled Task that now becomes unnecessary.

---

Superb, detailed and concise support as always!

Out of interest (and as you obviously know your own product) would you recommend the previous way or this way as the more robust solution? This way looks perfect to me - but I'm guessing you advised the other way initially for a reason?

Ultimately, we only expect these very high numbers of simultaneous approval requests once per year, so if you think the previous solution is best, we'll stick with it for the time being.

Also - and I'll open a new forum post - we're going to be looking at distributing the load over multiple servers, so the problem may go away anyway :)

---

We would recommend the new approach with Business Rules. The main consideration here is the load on Adaxes service. You should take into account that the script used in the Scheduled Task approach needs to iterate through all Approval Requests every time it is executed on every user. If you have many pending Requests, it will take quite a lot of time to do that. Changing that from Pending to Denied Approval Requests is not the best decision either, as denied Approval Requests can also accumulate with the course of time.

One more tiny consideration here is the time gap between denying an Approval Request and the time when the script runs. With Scheduled Tasks, it usually takes some time before the Scheduled Task runs. On the other hand, With Business Rules, the required actions are performed immediately after the main operation completes.

---

Thank you very much.

I had thought that not having a 'on denial' trigger action was an oversight, but as always - there's a way!