
QARS Workflow/Policy Script to capture onPostModify of the mail attribute for a user and then write user's employeeID and mail attribute to a CSV file for export to our Workday HR system

I need to implement a workflow/policy script that triggers onPostModify of the mail attribute, both for new users and changes to the mail attribute of existing users, and writes the user's employeeID and mail attribute to a CSV file and uploads it to an sFTP site for collection by our Workday HR system.

I can manage the PowerShell script to create the CSV and upload it to the sFTP site.

It is the configuration of the workflow/policy that I am a little unclear on.

Does anybody have any pointers please? Or perhaps a link?

  • You would set up a "change workflow" where the start conditions of the workflow trigger on User, properties change...for the mail attribute.  Into it you would insert a script "activity" containing the PoSh code you mention above.

    The PoSh code itself has to be set up as a "script module" of type "Policy script".

    The only other thing to note is that you need to set up the PoSh code as a Function so:

    Function ExportMailAndUpload ($Request)
    {
        # PoSh code goes here

        # Note, here's a good way to grab the newly changed mail attribute (assuming the change was made through Active Roles)
        $NewMail = $Request.Get("mail")
    }

    Then, in the script activity you insert into the workflow, reference the above named Function.

    Hope this helps.

  • Thanks for the swift response Jonny.

    If I use a 'change workflow', as well as capturing changes to the 'mail' attribute will it also capture the 'change' that happens to the mail attribute shortly after the 'new-qaduser' command is run when creating a new user?

    I need to capture the mail attribute for both a new user and for when mail is changed on an existing user.

  • It would, but you can add a filter in the workflow start conditions to get around this.  Suppose that you have a specific account that is making the changes you want to react to - you can set the workflow to react only to changes made by that user (or indeed a group of users if you like).  This is configured in the middle of the start conditions page - i.e. initiator.

  • I need it to capture both new users and changes to existing users so that is good and no filter required:-)

    I have workflow/scripts in place already to receive Joiner/Changes/Leavers CSVs from our HR Workday system. I need to add in some workflow to report back to the HR system with the user's email address for joiners and changes. Hence the need for this 'change workflow'.

    Thanks for your help.

  • You are most welcome.

    You mentioned you are using New-QADUser to create new users.

    To have the AR workflow react to this request, make sure it is directed through the AR server so:

    $ARSession = Connect-QADService -proxy

    New-QADUser -Connection $ARSession <the rest of the parameters>

  • Thanks for the tip and yes, I am already using a proxy connect. Like so:

    function ConnectARSNorthAmerica ()
    {
        [string]$Function = "ConnectARSNorthAmerica()"
        WriteDebugLogEntry $workflow $Function "INFO" "Attempting to connect to ******************* North America ARS Service" | Out-Null
        # Connect to ARS in North America
        Add-PSSnapin Quest.ActiveRoles.ADManagement
        try {
            Connect-QADService -Service ******************* -Proxy
            if ($QADConnection) {
                WriteDebugLogEntry $workflow $Function "INFO" "Connected to ******************* North America ARS Service" | Out-Null
            }
            else {
                WriteDebugLogEntry $workflow $Function "ERROR" "Not connected to ARS Service" | Out-Null
                throw "Not connected to ARS Service"
            }
        }
        catch {
            WriteDebugLogEntry $workflow $Function "ERROR" "Not connected to ARS Service" | Out-Null
            throw "Not connected to ARS Service"
        }
    }

  • Hi Johnny,

    When you say a "change request", if I configure the workflow 'Operation' to 'Modify...' filtered on 'mail', then will it also capture the 'mail' attribute being set upon the creation of a new user? Or do I need to have two workflows, one for 'Create' and one for 'Modify'?

    Also, presumably, in my PoSh script, when I Get-QADUser, I would do something like this (I only need to send mail and employeeID to the HR system):

    Get-QADUser -Proxy -Identity $Request.DN -IncludedProperties mail,employeeID -DontUseDefaultIncludedProperties

    I suppose that $Request would send other -Identity attributes such as GUID, samAccountName, UPN, mail etc?

    It is this part of the workflow, passing the $Request from the onPostModify, that I am least familiar with.

  • You would have to test it but I believe that setting the mail attribute upon user create is a separate "change" so you would only need the one workflow.

    Yes, your code for obtaining the new mail contents and the employeeID is correct - to be "cleaner", you could add '| select mail,employeeID' to the end.  That way you have fewer properties in the returned data.
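
The pieces discussed in this thread, put together as an added example (not code posted by any participant): a policy-script function for the workflow's script activity that reads the changed mail value from `$Request`, fetches only `mail` and `employeeID`, and appends one validated row to a CSV. Assumptions not taken from the thread: PowerShell 3.0 or later, the Quest snap-in already loaded, and the hypothetical names `$ExportDir`, `ConvertTo-SafeCsvField` and the file-name pattern.

```powershell
# Added example. $ExportDir, ConvertTo-SafeCsvField and the file name are hypothetical.
# Restrict the folder's ACL to the Active Roles service account: the file holds HR identifiers.
$ExportDir = 'D:\ARS\Export\Workday'

function ConvertTo-SafeCsvField ([string]$Value)
{
    # Neutralise spreadsheet formula injection: a directory attribute that starts with
    # = + - @ (or tab / CR) would be evaluated if the CSV is ever opened in a spreadsheet.
    if ($Value -match '^[=+\-@\t\r]') { return "'" + $Value }
    return $Value
}

function ExportMailAndUpload ($Request)
{
    # New value as submitted through Active Roles (call shown earlier in the thread)
    $newMail = [string]$Request.Get("mail")
    if ([string]::IsNullOrEmpty($newMail)) { return }   # mail cleared: nothing to report

    # Fetch only the two attributes the HR system needs (query shown earlier in the thread)
    $user = Get-QADUser -Proxy -Identity $Request.DN `
                -IncludedProperties mail,employeeID -DontUseDefaultIncludedProperties |
            Select-Object mail, employeeID

    if (-not $user -or [string]::IsNullOrEmpty([string]$user.employeeID)) {
        throw "No employeeID found for $($Request.DN); row not exported"
    }

    # Refuse values that would break the row structure instead of silently rewriting them
    if ($newMail -match '[\r\n"]' -or [string]$user.employeeID -match '[\r\n",]') {
        throw "Unexpected characters in mail or employeeID for $($Request.DN); row not exported"
    }

    $row = [pscustomobject]@{
        employeeID = ConvertTo-SafeCsvField ([string]$user.employeeID)
        mail       = ConvertTo-SafeCsvField $newMail
    }

    # One file per day; -Append adds a row for each workflow run
    $file = Join-Path $ExportDir ("mail-export-{0:yyyyMMdd}.csv" -f (Get-Date))
    $row | Export-Csv -Path $file -Append -NoTypeInformation -Encoding UTF8

    # The existing sFTP upload step goes here, reading $file
}
```

Because the function throws on a missing `employeeID` or malformed value, a bad record shows up as a failed script activity in the workflow run history rather than as a corrupt row delivered to the HR system.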