Is it possible to generate a report of all of the business rules carried out on a user when they are disabled?

Question

I'd like to be able to either send an email report or export a CSV of all of the business rules carried out when a user is disabled. This would be useful for audit/compliance. We would be able to provide evidence that a user was disabled, removed from security groups etc.

I can view the activity in the Logging > Management Activity section but this includes things that weren't part of the disable operation.

Thanks

Comments

Hello,

This can be done using a Scheduled Task and a PowerShell script. The task will email a report containing the full execution log (names of Business Rules that were triggered and all the actions performed) of the disable operation performed for the user. To avoid duplicate notifications, the task will set a custom Boolean attribute (e.g. CustomAttributeBoolean1) to true for processed users. The execution log can be embedded into the email message body or attached as a text file. Unfortunately, there is no possibility to use a CSV file. Please specify which option meets your needs and we will provide you with detailed instructions. Any additional details regarding the desired report will be much appreciated.

---

Thanks for the reply!

An execution log attached as a text file would be useful, as we could then store that elsewhere.

How would I accomplish this?

---

Hello,

Thank you for the confirmation. For us to provide you with the script and detailed instructions, please, specify the following:

• What should be done if a log record for disabling a user is not found (e.g. when the user was disabled without using Adaxes)?
• What should be done if multiple log records for disabling a user are found (i.e. when a user was disabled using Adaxes multiple times)?
• What should be done if there were no Business Rules triggered when disabling a user?

---

• What should be done if a log record for disabling a user is not found (e.g. when the user was disabled without using Adaxes)?

Send an email saying "User was disabled but no log was found."

• What should be done if multiple log records for disabling a user are found (i.e. when a user was disabled using Adaxes multiple times)?

Is it possible to send a separate email for each log record?

• What should be done if there were no Business Rules triggered when disabling a user?

Send an email saying "User was disabled by Adaxes at timestamp", but don't include the attachment.

---

Hello,

Is it possible to send a separate email for each log record?

Yes, it is possible. Do we understand correctly that a separate email should be sent for each log record each time the task runs for a user? In such cases, you will receive similar notifications multiple times. For example, if a user was disabled twice, you will receive two notifications when the task runs for the user. If the user gets enabled and then disabled again, next time the task runs for them, you will receive 3 notifications and two of them will be absolutely the same as we send during the previous task execution. Does this meet your needs? Or maybe there should be some limit for such cases (e.g. only send the notification for the latest disable operation)?

---

Or maybe there should be some limit for such cases (e.g. only send the notification for the latest disable operation)?

This sounds like a good idea.

An email for only latest disable operation would meet our needs as that is the most relevent.

Thanks!

Answer 1

Hello,

Thank you for the confirmation. To create the Scheduled Task:

1. Launch Adaxes Administration Console.
2. In the Console Tree, right-click your service node.
3. In the context menu, navigate to New and click Scheduled Task.
4. On step 3 of the Create Scheduled Task wizard, select the User object type and click Next.
5. Click Add an action.
6. Select Run a program or PowerShell script.
7. Paste the below script into the script field. In the script:
   • $filePath - Specifies the path to the text file that will be created.
   • $removeFile - Specifies whether the text file should be removed after being emailed.
   • $to - Specifies the email address of the notification recipient.
   • $subject - Specifies the email notification subject.
   • $defaultMessage - Specifies the text of the email notification that will be sent when a log record for disabling the user with a non-empty execution log is found.
   • $messageNoLogFound - Specifies the text of the email notification that will be sent when no log records are found for disabling a user.
   • $messageNoExecutionLog - Specifies the text of the email notification that will be sent when the log record for disabling a user has an empty execution log. In the text\, the {0} placeholder will be replaced with the date when the user was disabled.
   • $from - Specifies the email address from which notifications will be sent.
   • $smtpServer -Specifies the SMTP server that will be used to send email notifications.

# File settings
$filePath = "C:\Scripts\MyFile.txt" # TODO: modify me
$removeFile = $True # TODO: modify me

# E-mail settings
$to = "recipient@domain.com" # TODO: modify me
$subject = "Disabled user %fullname%" # TODO: modify me
$defaultMessage = "Disabled user %fullname%" # TODO: modify me
$messageNoLogFound = "User %fullname% was disabled but no log was found." # TODO: modify me
$messageNoExecutionLog = "User %fullname% was disabled by Adaxes at {0}" # TODO: modify me
$from = "noreply@domain.com" # TODO: modify me
$smtpServer = "mail.domain.com" # TODO: modify me

function GetExecutionLog ($logEntryCollection, $executionLog, $tabbing)
{
    $tabbing++
    foreach ($logEntry in $logEntryCollection)
    {
        # Get operation info
        $type = $logEntry.Type
        $message = $logEntry.Message
        $source = $logEntry.Source

        # Build report record
        $messageBuilder = "".PadLeft(4 * ($tabbing - 1))
        if (-not([System.String]::IsNullOrEmpty($source)))
        {
            # Add source to the message
            $messageBuilder += "$source`: "
        }
        $messageBuilder += "$type - $message"
        $messageBuilder = $messageBuilder -replace "`t|`n|`r",""

        # Add message to report
        [void]$executionLog.AppendLine($messageBuilder)

        # Add subentries, if any
        $subEntries = $logEntry.SubEntries
        if ($subEntries.Count -ne 0)
        {
            GetExecutionLog $subEntries $executionLog $tabbing
        }
    }
}

# Get modification log records
$modificationLog = $Context.TargetObject.GetModificationLog()
$log = $modificationLog.Log

# Get the current page of log records
$logRecords = $log.GetPage(0)

# Get information contained in each record
$executionLog = New-Object System.Text.StringBuilder
foreach ($record in $logRecords)
{
    $operationTypes = $record.GetOperationTypes()
    if ($operationTypes -notcontains "disable account")
    {
        continue
    }

    # Get execution log
    GetExecutionLog $record.GetExecutionLog() $executionLog 0
    $completionTime = $record.CompletionTime
    break
}

$parameters = @{
    "To" = $to
    "From" = $from
    "SmtpServer" = $smtpServer
    "Subject" = $subject
}

if ($NULL -eq $completionTime)
{
    $parameters.Add("Body", $messageNoLogFound)
}
elseif ($executionLog.Length -eq 0)
{
    $parameters.Add("Body", [System.String]::Format($messageNoExecutionLog, @($completionTime)))
}
else
{
    $executionLog.ToString() | Out-File $filePath
    $parameters.Add("Body", $defaultMessage)
    $parameters.Add("Attachments", $filePath)
}

# Send report
Send-MailMessage @parameters

if ($removeFile)
{
    # Remove temporary file
    Remove-Item $filePath -Force -ErrorAction SilentlyContinue
}

8. Enter a short description and click OK.
9. Right-click the action you created and click Add New Action.
10. Select Update the user and click Add.
11. In the Property to modify drop-down, select CustomAttributeBoolean1.
12. In the New value drop-down, select True.
13. Click OK twice.
14. Right-click the action you created and click Add Condition.
15. Select If If <property> <relation> <value>.
16. Select If CustomAttributeBoolean1 does not equal True and click OK.
17. Right-click the action you created and click Add Condition again.
18. Select If account is enabled / disabled / locked.
19. Select disabled and click OK.
20. Click Next and finish creating the Scheduled Task. The task should look like the following:

Comments

This is great, thanks!