Workflow which prevents creation of any object in specific OU

Hi, I have an "Application" OU.
Under it I have a lot of APP-0000 OUs. Every APP-0000 OU has 3 other OUs: let's call them a, b, c. I would like to have a workflow which prevents creation of any object in OU 'c'.

Let's imagine:

Application
 -App 1 OU

  • a
  • b
  • c

 -App 2 OU

  • a
  • b
  • c

 -App 3 OU

  • a
  • b
  • c

 -App 4 OU

  • a
  • b
  • c

 -App 5 OU

  • a
  • b
  • c

In every C OU I would like to have a workflow which prevents creation of any object.

I think I should have something like:

START -> If-Else Branches and then If Else OU='c' then Stop/Break, if OU=other then GO ahead. 

I have issues with Configuration - how to configure it so it will be applied only to 'c' OUs.

Thanks, Sus

  • Hi Sus

    If you want to filter via the if/else activity within a workflow's activities, one way to do this would be with a script module.

    You'd create a script with similar code to the below:

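    # Returns $true when the immediate parent container of the request is an OU named "C".
    function Get-Value()
    {
        $SearchValue = "C"
        # Path of the parent container, prefixed with EDMS://
        $WorkingParent = $Request.parent
        $WorkingParent = $WorkingParent.replace("EDMS://","")
        $WorkingParent = $WorkingParent.replace("OU=","")
        # The first comma-separated element is the name of the immediate parent
        $ArrWorkingValue = $WorkingParent.split(",")
        $WorkingParentName = $ArrWorkingValue[0]

        # -eq on strings is case-insensitive, so "c" and "C" both match
        if($WorkingParentName -eq $SearchValue)
        {
            return $true
        }
        else
        {
            return $false
        }
    }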

    Then within your if branch when adding your condition

    1. Select "Value generated by rule expression"
    2. Click "Add entry"
    3. Click "Value generated by script"
    4. Click "Select" next to "Script module"
    5. Browse to your script, and select it
    6. Click Ok
    7. Choose the function to call from the "script function" drop down (combo box)
    8. Click Ok
    9. Click Ok
    10. Set your operator to "equals"
    11. Click "Define value to compare to"
    12. Click "Text string"
    13. Enter True
    14. Click Ok to accept and close the If branches properties.

    Another option would be to use the same script, and condition, but apply it as a Workflow start condition (Filtering Condition).

    Other options would be to ensure that the people you don't want to be able to create in those OUs are not granted permissions to create via Access Template (preferably not via a Deny, but by not being granted permissions to create in those locations in the first place). This way the Create options are not even shown to them*

    * as long as they are not DSAdmins (Active Roles Admins)

    Hope this helps

    Stu
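
Added example (not part of the original posts and not the vendor's code): a variant of the parent-OU check from the reply above, written as plain string handling so it can be tried outside Active Roles. It goes beyond the posted script by also requiring the 'c' OU to sit two levels below an OU named "Application" (the name used in the question) and by tolerating lower-case "ou=" and escaped commas; the function names `Split-DnComponent` and `Test-BlockedParent`, the `example.com` domain and the sample paths are constructed for illustration.

```powershell
function Split-DnComponent {
    param([string]$Dn)
    # Split on commas that are not preceded by a backslash (e.g. "OU=a\, b").
    return [regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Test-BlockedParent {
    param(
        [string]$ParentPath,                  # e.g. the value of $Request.Parent
        [string]$BlockedName = 'c',           # OU name to block (from the thread)
        [string]$RootName    = 'Application'  # assumed top-level OU (from the question)
    )
    # Strip a provider prefix such as "EDMS://".
    $dn    = $ParentPath -replace '^[A-Za-z]+://', ''
    $parts = @(Split-DnComponent $dn)
    if ($parts.Count -lt 3) { return $false }

    # Expected layout: OU=c,OU=<app>,OU=Application,...
    # -match, -replace and -eq are case-insensitive, so "ou=C" is handled too.
    if ($parts[0] -notmatch '^OU=' -or $parts[2] -notmatch '^OU=') { return $false }
    $immediate = $parts[0] -replace '^OU=', ''
    $root      = $parts[2] -replace '^OU=', ''
    return (($immediate -eq $BlockedName) -and ($root -eq $RootName))
}

# Entry point to select in the "script function" drop-down.
# $Request only exists when Active Roles runs the script module.
function Get-Value { return (Test-BlockedParent $Request.Parent) }

# Constructed sample paths for an offline check.
$samples = @(
    'EDMS://OU=c,OU=APP-0001,OU=Application,DC=example,DC=com',  # blocked
    'EDMS://OU=b,OU=APP-0001,OU=Application,DC=example,DC=com',  # allowed
    'EDMS://ou=C,ou=APP-0002,ou=Application,DC=example,DC=com',  # blocked
    'EDMS://OU=c,OU=Lab,DC=example,DC=com',                      # allowed: not under Application
    'EDMS://OU=c\, old,OU=APP-0003,OU=Application,DC=example,DC=com'  # allowed: name is "c\, old"
)
foreach ($s in $samples) { '{0,-6} {1}' -f (Test-BlockedParent $s), $s }
```

The condition in the If branch or filtering condition stays the same as in the steps above: compare the generated value to the text string True.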

  • Hi, thanks! I found out today a way to have it linked to a specific OU name, but... I have another problem. I now have a simple workflow:

    start -> stop/break -> Operation execution: Create User

    but even though I linked it to one whole test OU (so it should be linked properly),

    it does allow me to create a user object.

    Is that workflow correct? 

    Thanks, Sus

  • If you're able to create a user in an OU which matches the check in the script, then this could be one of a couple of issues.

    So first, check the Change History on the object you successfully created (but shouldn't have been able to) and confirm if the Workflow fired (you'll need to expand the operations history, and the workflow if fired will be shown on the right hand side).

    If the workflow is not listed, this is due to the start conditions, i.e.:

    • What object class does it apply to (User)
    • What operation is being performed (Create, Modify etc)
    • Who is the initiator (person doing the create)
    • What is the scope of the workflow
    • What filtering conditions are defined

    If the workflow is not at a minimum (for your example) configured for

    • Object Type: User
    • Operation: Create
    • Initiator: anyone
    • Scope: <Domain>
    • Filter: Where the generated value of the script is equal to true (assuming you're using the script above)

    Then it won't fire. Also if the Parent OU Name is not defined as per the $SearchValue variable as "C", again it won't fire.

    Can you screenshot your start conditions, and also the workflow?
