
I am attempting to update a business rule using PowerShell to include additional approvers. This is what I have so far:

$account = "username"

# Connect to the Adaxes service
$admNS = New-Object "Softerra.Adaxes.Adsi.AdmNamespace"
$admService = $admNS.GetServiceDirectly("localhost")

# Connect to Business Role Object
$businessRolesPath = $admService.Backend.GetConfigurationContainerPath("AccessControlRoles")
$businessRolesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessRolesPath
$businessRoleObj = $businessRolesPathObj.CreateChildPath( "CN=Account Manager")
$businessRole = $admService.OpenObject($businessRoleObj, $NULL, $NULL, 0)

# Create Business Role Assignment
$businessRoleAssignment = $businessRole.Assignments.Create()
$businessRoleAssignment.Trustee = "DOMAIN\" + $account
$businessRoleAssignment.SetInfo()
$businessRole.Assignments.Add($businessRoleAssignment)

# Connect to Business Unit Object
$businessUnitsPath = $admService.Backend.GetConfigurationContainerPath("BusinessUnits")
$businessUnitsPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessUnitsPath
$businessUnitAdsPath = $businessUnitsPathObj.CreateChildPath("CN=" + $Department + ",CN=Departments")
$businessUnitObj = $admService.OpenObject($businessUnitAdsPath, $NULL, $NULL, 0)

# Apply Scope to Business Role
$businessRoleScope = $businessRoleAssignment.ActivityScopeItems.Create()
$businessRoleScope.BaseObject = $businessUnitObj
$businessRoleScope.Type = "ADM_SCOPEBASEOBJECTTYPE_BUSINESSUNIT"
$businessRoleScope.Inheritance = "ADS_SCOPE_SUBTREE"
$businessRoleScope.Exclude = $False
$businessRoleScope.SetInfo()
$businessRoleAssignment.ActivityScopeItems.Add($businessRoleScope)

# Connect to Business Rule Object
$businessRulesPath = $admService.Backend.GetConfigurationContainerPath("BusinessRules")
$businessRulesPathObj = New-Object "Softerra.Adaxes.Adsi.AdsPath" $businessRulesPath
$businessRuleAdsPath = $businessRulesPathObj.CreateChildPath("CN=" + $Department + " Group Rule,CN=Departments")
$businessRuleObj = $admService.OpenObject($businessRuleAdsPath, $NULL, $NULL, 0)

After that I have this code:

$actionsAndConditions = $businessRuleObj.ConditionedActions
$approvalAction = $actionsAndConditions.GetAction() | ?{$_.ApproversInfo}
$approvalUser = $admService.OpenObject("Adaxes://" + $user.DistinguishedName, $NULL, $NULL, 0)
$approvalAction.ApproversInfo.ApproverTrustees.Add($approvalUser)

At this point I can access the object and get the correct number of ApproverTrustees.

$approvalAction.ApproversInfo.ApproverTrustees.Count

But I'm unable to save it (SetInfo). I think I am not defining something correctly in the second code block. Any assistance would be appreciated.

(love the powershell!)


1 Answer

Best answer

Hello,

The 1st part of your code looks OK, however the 2nd part doesn't seem to be functional at all.

To locate an action that creates an Approval Request, you need to iterate through all the sets of actions and conditions of the Business Rule. In each set, you need to check whether an action performs an operation of the "approval request info" type. Here's a script that does what you need. Replace the 2nd part of your script with this code.

$approvalUser = $admService.OpenObject("Adaxes://" + $user.DistinguishedName, $NULL, $NULL, 0)
foreach ($actionsAndConditions in $businessRuleObj.ConditionedActions)
{
    $actions = $actionsAndConditions.Actions
    foreach ($action in $actions)
    {
        $actionObj = $action.GetAction()
        if (($actionObj.IsOperationOfType($NULL, "approval request info")) -and (-not($actionObj.ApproversInfo.IsApprover($approvalUser, $NULL))))
        {
            $actionObj.ApproversInfo.ApproverTrustees.Add($approvalUser)
            $action.SetAction($actionObj)
            $action.SetInfo()
        }
    }
}

Yes - that 2nd part was certainly not working.

Thank you!
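
A read-only check that the approver change was actually saved, added here as an example and not part of the original answer or the vendor's code: it re-opens the Business Rule and reports, for each approval action, the approver count and whether the user is now an approver. It assumes $admService, $businessRuleAdsPath and $user from the scripts above; the function name Get-ApprovalActionReport and its output fields are hypothetical.

```powershell
# Added example; function name and output fields are hypothetical.
# Uses only the object members that appear in the scripts above.
function Get-ApprovalActionReport
{
    param($BusinessRule, $Candidate)

    $setIndex = 0
    foreach ($actionsAndConditions in $BusinessRule.ConditionedActions)
    {
        $actionIndex = 0
        foreach ($action in $actionsAndConditions.Actions)
        {
            $actionObj = $action.GetAction()
            # Only actions that create an Approval Request carry ApproversInfo
            if ($actionObj.IsOperationOfType($NULL, "approval request info"))
            {
                [PSCustomObject]@{
                    Set           = $setIndex
                    Action        = $actionIndex
                    ApproverCount = $actionObj.ApproversInfo.ApproverTrustees.Count
                    IsApprover    = $actionObj.ApproversInfo.IsApprover($Candidate, $NULL)
                }
            }
            $actionIndex++
        }
        $setIndex++
    }
}

# Re-open the rule so the report reflects what was saved, not the in-memory copy
$savedRule = $admService.OpenObject($businessRuleAdsPath, $NULL, $NULL, 0)
$approvalUser = $admService.OpenObject("Adaxes://" + $user.DistinguishedName, $NULL, $NULL, 0)
$report = @(Get-ApprovalActionReport -BusinessRule $savedRule -Candidate $approvalUser)

$report | Format-Table -AutoSize

# Flag the run if no approval action was found or the user is missing from any of them
$missing = @($report | Where-Object { -not $_.IsApprover })
if ($report.Count -eq 0 -or $missing.Count -gt 0)
{
    Write-Warning "Approver change not confirmed on $($missing.Count) of $($report.Count) approval action(s)."
}
```

Recording the ApproverCount values before and after a change gives a simple audit trail of who can approve requests under the rule.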
