0 votes

Hello,

I've been looking for a long while to perform some actions when an approval has been denied.
Since i finally managed to get it done, i might as well share how to do it. :)

We have an automatic deprovisioning setup based on a date in attribute extensionattribute13 and the description of the user gets changed to 'waiting for approval when the approval is send, but it never got deleted. So here is my example on how to fix that issue automatically:

Create a business rule with the trigger AfterUpdating an Approval Request

Add a condition based on a powershell script. This script contains the following:

$approved = $Context.GetModifiedPropertyValue("adm-ApprovalState") 

if($approved -eq 2){ 
  $Context.ConditionIsMet = $true  
}

This will make the rule only triggers or denied approvals

Now we need to add an action run powerhsell script with the following code (Needs to be adapted to your situation of course)

import-module Adaxes
[Reflection.Assembly]::LoadWithPartialName("Softerra.Adaxes.Adsi")

$admNS = New-Object("Softerra.Adaxes.Adsi.AdmNamespace")
$admService = $admNS.GetServiceDirectly("localhost")

    $path = $Context.TargetObject.AdsPath
    $request = $admService.OpenObject($path, $NULL, $NULL, 0)       
    [XML]$xml = $request.DescriptionOfOperationToApproveXml

    $requestor =  $request.requestor.get("name")   
### u can add another conditon to only execute the business rule based on the requestor 

###  Retract all the objects contained in the approval request    
    $targets = $xml.message.objectname  
    $targets = @($targets) 
### First object is my scheduled task, so i need the 2nde object (the user)  
    [STRING]$target =$targets[1]              
### need to retract the username out of the string         
    $target = $target.trimend(")")             
    $target = $target.split("(")[0].trimend(" ")

### get the DistinguishedName of the user we perfomed the approval on    
    $dn = (get-admuser -filter {name -eq $target}).DistinguishedName    

### Clear the attributes because of the denied deprovisioning    
    Set-AdmUser $dn -Clear description,extensionAttribute13                 

    $context.LogMessage("Description + end date cleared for user :  $target ", "Information") 

To get the the username out of the XML message u will need to do some testing on what XML message u get back from the approval request.
(For me it was the 2nd part of the array ( [STRING]$target =$targets[1]) because the first object was the scheduled task that called the approval request)

Hope it might help some other people out. ;)

by (470 points)

1 Answer

0 votes
by (216k points)

Hello,

Thanks for sharing! However, there is already a solution for this on our support forum. Take a look at this topic: Correct Action Sequence For Using New Attributes.

Also, a few notes to your solution:

Add a condition based on a powershell script. This script contains the following:

$approved = $Context.GetModifiedPropertyValue("adm-ApprovalState") 

if($approved -eq 2){ 
  $Context.ConditionIsMet = $true  
}

Actually, there's no need for PowerShell scripts. Two simple conditions will do the job. Take a look at steps 5-10 in the post mentioned above.

Also, there's no need to parse the XML-formatted description of the operation. The $request variable in your script will support the IAdmApprovalRequest interface that provides access to all properties of the Approval Request, including the initiator, the target object and the user who denied it (if necessary). For more information, see IAdmApprovalRequest.

Thus, instead of this part of your script:

###  Retract all the objects contained in the approval request   
    $targets = $xml.message.objectname 
    $targets = @($targets)
### First object is my scheduled task, so i need the 2nde object (the user) 
    [STRING]$target =$targets[1]             
### need to retract the username out of the string         
    $target = $target.trimend(")")             
    $target = $target.split("(")[0].trimend(" ")

### get the DistinguishedName of the user we perfomed the approval on   
    $dn = (get-admuser -filter {name -eq $target}).DistinguishedName   

### Clear the attributes because of the denied deprovisioning   
    Set-AdmUser $dn -Clear description,extensionAttribute13    

you can have only 2 lines :)

$request.TargetObject.Put("extensionAttribute13", $NULL)
$request.TargetObject.SetInfo()
0

Thanks for the great reply.

The condition part in the other solution is good to know!
But i have some other conditions in my full version, so i needed the powershell part anyway.

I did indeed have a look on the IAdmApprovalRequest page and i gave it a try with the $request.targetobject before ,but the following issue made me think it does not work. Should have looked a little bit further ... :)

These commands don't give any result :

 $request.targetobject
 $request.targetobject.samaccountname

Tested now and should have used the following:

 $request.targetobject.get("samaccountname")

It is a lot easier then the XML reformatting indeed. Thanks for optimizing the script!
I do think it is one of the issues people struggle with though.(Performing actions after denied request)
So maybe it would be nice to have some info about it in the SDK.
The other topic is great, but the title does not make me think it has anything to do with denied requests. :)

Kr,
Serge Kerremans

0

Serge,

So maybe it would be nice to have some info about it in the SDK.

Actually, there's a whole article on it under Managing Adaxes Configuration :) Here it is: http://www.adaxes.com/sdk/?ManagingAppr ... uests.html.

The other topic is great, but the title does not make me think it has anything to do with denied requests. :)

Yes, it started over with a completely different thing and is quite hard to find :)

Related questions

0 votes
1 answer

In a custom command where an approval is added in Powershell code ($Context.SubmitForApproval) or as an action Send this operation for approval' how can you run specific ... is denied a mail is sent to requestors manager and requestors account is disabled.

asked Mar 28, 2023 by Pihl (20 points)
0 votes
1 answer

I have have admin rights and am in the "Request Approvers" group. I have a dearth of old approval requests to delete. I saw I could not delete them until I denied them ... says I have "No approval requests." How can I delete these denied entries? Thanks, Scott

asked Feb 26, 2021 by chappyshi (90 points)
0 votes
1 answer

I previously had access to this area but when I now look at the area I can see All Requests > Pending but not My Requests or My Approvals. when I attempt that I get the ... accessing. I've asked our other Admins and no one has made changes as far as I know.

asked Feb 21, 2018 by AlanWJ (150 points)
0 votes
1 answer

Hello, We have a script that checks for expiring accounts (temp/contractor) and emails the users manager requesting that they respond to the email either approving an extension of the ... has expired, or at least send an email to the security group to do so.

asked Mar 11, 2013 by DFassett (710 points)
0 votes
1 answer

I'm trying to create a business rule that is executed before a user is created. I used the Adaxes tutorial Run PowerShell Script after Creating a User for ... execute. Are there permissions I'm forgetting somewhere? Thanks in advance for the assistance.

asked Jun 29, 2021 by lgibbens (320 points)
3,549 questions
3,240 answers
8,232 comments
547,817 users