Deprovisioning approval denied -> Nice script

Question

Hello,

I've been looking for a long while to perform some actions when an approval has been denied.
Since i finally managed to get it done, i might as well share how to do it. :)

We have an automatic deprovisioning setup based on a date in attribute extensionattribute13 and the description of the user gets changed to 'waiting for approval when the approval is send, but it never got deleted. So here is my example on how to fix that issue automatically:

Create a business rule with the trigger AfterUpdating an Approval Request

Add a condition based on a powershell script. This script contains the following:

$approved = $Context.GetModifiedPropertyValue("adm-ApprovalState") 

if($approved -eq 2){ 
  $Context.ConditionIsMet = $true  
}

This will make the rule only triggers or denied approvals

Now we need to add an action run powerhsell script with the following code (Needs to be adapted to your situation of course)

import-module Adaxes
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")

    $path = $Context.TargetObject.AdsPath
    $request = $admService.OpenObject($path, $NULL, $NULL, 0)       
    [XML]$xml = $request.DescriptionOfOperationToApproveXml

    $requestor =  $request.requestor.get("name")   
### u can add another conditon to only execute the business rule based on the requestor 

###  Retract all the objects contained in the approval request    
    $targets = $xml.message.objectname  
    $targets = @($targets) 
### First object is my scheduled task, so i need the 2nde object (the user)  
    [STRING]$target =$targets[1]              
### need to retract the username out of the string         
    $target = $target.trimend(")")             
    $target = $target.split("(")[0].trimend(" ")

### get the DistinguishedName of the user we perfomed the approval on    
    $dn = (get-admuser -filter {name -eq $target}).DistinguishedName    

### Clear the attributes because of the denied deprovisioning    
    Set-AdmUser $dn -Clear description,extensionAttribute13                 

    $context.LogMessage("Description + end date cleared for user :  $target ", "Information") 

To get the the username out of the XML message u will need to do some testing on what XML message u get back from the approval request.
(For me it was the 2nd part of the array ( [STRING]$target =$targets[1]) because the first object was the scheduled task that called the approval request)

Hope it might help some other people out. ;)

Answer 1

Hello,

Thanks for sharing! However, there is already a solution for this on our support forum. Take a look at this topic: Correct Action Sequence For Using New Attributes.

Also, a few notes to your solution:

Add a condition based on a powershell script. This script contains the following:

$approved = $Context.GetModifiedPropertyValue("adm-ApprovalState") 

if($approved -eq 2){ 
  $Context.ConditionIsMet = $true  
}

Actually, there's no need for PowerShell scripts. Two simple conditions will do the job. Take a look at steps 5-10 in the post mentioned above.

Also, there's no need to parse the XML-formatted description of the operation. The $request variable in your script will support the IAdmApprovalRequest interface that provides access to all properties of the Approval Request, including the initiator, the target object and the user who denied it (if necessary). For more information, see IAdmApprovalRequest.

Thus, instead of this part of your script:

###  Retract all the objects contained in the approval request   
    $targets = $xml.message.objectname 
    $targets = @($targets)
### First object is my scheduled task, so i need the 2nde object (the user) 
    [STRING]$target =$targets[1]             
### need to retract the username out of the string         
    $target = $target.trimend(")")             
    $target = $target.split("(")[0].trimend(" ")

### get the DistinguishedName of the user we perfomed the approval on   
    $dn = (get-admuser -filter {name -eq $target}).DistinguishedName   

### Clear the attributes because of the denied deprovisioning   
    Set-AdmUser $dn -Clear description,extensionAttribute13    

you can have only 2 lines :)

$request.TargetObject.Put("extensionAttribute13", $NULL)
$request.TargetObject.SetInfo()

Comments

Thanks for the great reply.

The condition part in the other solution is good to know!
But i have some other conditions in my full version, so i needed the powershell part anyway.

I did indeed have a look on the IAdmApprovalRequest page and i gave it a try with the $request.targetobject before ,but the following issue made me think it does not work. Should have looked a little bit further ... :)

These commands don't give any result :

 $request.targetobject
 $request.targetobject.samaccountname

Tested now and should have used the following:

 $request.targetobject.get("samaccountname")

It is a lot easier then the XML reformatting indeed. Thanks for optimizing the script!
I do think it is one of the issues people struggle with though.(Performing actions after denied request)
So maybe it would be nice to have some info about it in the SDK.
The other topic is great, but the title does not make me think it has anything to do with denied requests. :)

Kr,
Serge Kerremans

---

Serge,

So maybe it would be nice to have some info about it in the SDK.

Actually, there's a whole article on it under Managing Adaxes Configuration :) Here it is: http://www.adaxes.com/sdk/?ManagingAppr ... uests.html.

The other topic is great, but the title does not make me think it has anything to do with denied requests. :)

Yes, it started over with a completely different thing and is quite hard to find :)