Custom Drop down list for policy defined attribute - Totally lost

Question

Hello, 
 I am relatively new to the ARS backend orchestration engine, so I'm not ensure if what I would like to achieve is possible. But here goes.... 
 I am trying to use ARS to restrict group membership to specific types of users, using attributes. We have an integer attribute in our AD for groups named "custMemberIdType". Under policies, I have managed to create a policy to only accept one of 7 integers which would define one of the following user types (Validates the 'custMemberIDType' property values for 'Group' object).... 0 (-T1 Admins) 1 (-T1 Server Operators) 2 (-T1 Service Accounts) 3 (-T2 Admins) 4 (-T2 Device Operators) 5 (-T2 Service Accounts) 6 (-Generic Application Privileged Acct) 7 (-Normal Account) (Default) 
 What I would like to do is, when a user creates a new group, they are prompted to select a group type for the group, based on a friendly name (indicated above in brackets), rather than a cryptic number. So far, I can only get the list of integers to show in the GUI. Is there a way to map the friendly names above, to the integers for each type, used in the GUI and web client? Regards, Jay

Stu.Pollock · Accepted Answer

To implement the method I mentioned previously (without using Administration Policy/Worksflow Scripts) I would do the following: Create two virtual attributes, one for the “Friendly” name (custMemberType), the other to store to store the related number (custMemberIDType). The below table gives the names, and the options to put into the steps below Friend Name Common Name Syntax Multi value Object Classes Stored custMemberIDType custMemberIDType Integar No Group Yes custMemberType custMemberType Case Ignore String No Group Yes With the ARS console navigate toe Configuration | Server Configuration | Virtual Attributes Right click Virtual Attributes an select “ New | Virtual Attribute ” At the Welcome to the Add Virtual Attribute Wizard click Next (if shown) On the Attribute Identification page provide a common name and LDAP Display name and a description , then click Next On the Attribute Syntax page select the appropriate syntax for the attribute you’re creating, leave the multi value option unchecked, then click Next On the Object Classes page select the appropriate object class for attribute you’re creating, then click Next On the Attribute Storage page, if the VA should be stored check Store values of this virtual attribute in the Active Roles Administration database and click Next Click Finish Create an Administration Policy to control both attributes Controlled Property Policy Rule custMemberIDType Must be specified Must be: · 7 (default) · 1 · 2 · 3 · 4 · 5 · 6 custMemberType Must be specified Must be: · Normal Account (default) · T1 Admins · T1 Server Operators · T1 Service Accounts · T2 Admins · T2 Device Operators · T2 Service Accounts · Generic Application Privileged Acct Navigate to Configuration | Policies | Administration Navigate into a sub container that holds your company’s custom Administration Policies, if one does not exist: Create a company container by right clicking Administration and selecting New | Container On the Policy Objects Container wizard enter your company Name and a Description which indicates that this container holds your company’s custom administration policies, then click Next Click Finish Navigate into the newly created container Right click the related container, and click New | Provisioning Policy At the Welcome to the New Provisioning Policy Object Wizard click Next (if shown Enter a Name and a description for the new Administration Policy, then click Next , IE Name: Group – Restricted Member Types Description: This administration policies sets the possible values for the custMemberIDType and custMemberType attributes of groups On the Policy to configure page select Property Generation and Validation , then click Next On the Controlled property page, click Select Change the Object type to Group (group) Type custMemberType in the Look For Property field Select the custMemberType property from the list of available values, then click Ok Click Next On the Configure Policy Rule page, select (check) the following options: ‘custMemberType’ must be specified ‘custMemberType’ must be (generated default value) For each of the available Friendly text options, click Enter one of the possible 8 values For Normal Account check Default Value , then click Ok Click Next On the Policy Description page click Next On the Enforce Policy page, click Add to link the Policy object to some location Select the OU/Managed Unit where you want to link the Policy object to Click Ok Click Next On the Completing the New Provisioning Policy Object Wizard , click Finish Re-open the newly created Administration Policy by double clicking (or right click, and selecting properties) On the properties page click on the Policies tab Click Add On the Welcome to the Add Provisioning Policy Wizard page, click Next (if shown) On the Policy to configure page select Property Generation and Validation , then click Next On the Controlled property page, click Select Change the Object type to Group (group) Type custMemberIDType in the Look For Property field Select the custMemberIDType property from the list of available values, then click Ok Click Next On the Configure Policy Rule page, select (check) the following options: ‘custMemberIDType’ must be (generated default value) For each of the available integer values options, click Enter one of the possible 8 values (0 à 7) For 7 check Default Value , then click Ok Click Next On the Policy Description page click Next On the Completing the Add Provisioning Policy Object Wizard , click Finish At this point we have 2 virtual attributes linked to a group object, where the custMemberType has to be one of the 8 values defined in the Administration Policy, which will default to “Normal Account” and custMemberIDType, which can be blank but defaults to 7. The policy object will look like: Create a new change workflow, which executes if the custMemberTyTest-Grope attribute is set/changed. Navigate to Configuration | Policies | Workflow Navigate into a sub container that holds your company’s custom Workflows, if one does not exist: Create a company container by right clicking Workflow and selecting New | Container On the Workflow Definition Container wizard enter your company Name and a Description which indicates that this container holds your company’s custom workflowd policies, then click Next Click Finish Navigate into the newly created container Right click the related container, and click New | Workflow On the Welcome to the New Workflow Wizard click Next (if shown) On the Name and Description page, provide an appropriate name and description, then click Next , IE: Name: Set custMemberIDType from Set custMemberType Description: Set the integar value of custMemberIDType of inscope groups, from the friendly name held in custMemberType On the Workflow Type page, select Upon a request to change data in the directory (change workflow) then click Next On the Completing the New Workflow Wizard page, click Finish From the list of Workflow under the container, click on the newly created workflow On the right hand page (under Workflow options and start conditions ) click Configure… (if the configure button is not shown, expand the section by clicking on the downward pointing arrow) Under the Operation Conditions, Click Select Operation Set the Target object type to Group Set the Operation that starts the workflow to Any Operation (you can be more selective if you wish) Click Finish Under the Initiator Conditions , click Add Click Add Select Any User (or if you only wish specific users or groups to trigger the workflow, select Specific users or groups, and choose the groups or user which should trigger the workflow) Click Browse , and select the OU or managed unit, where the group objects must be being created or updated for the workflow to be triggered, then click Ok Click Finish Repeat steps 2a to 2d for any additional Initiator Conditions you may have Under Filtering Conditions (operational) , click the PLUS symbol to insert a new condition Click Configure condition to evaluate… Select Change value of workflow target object property On the Configure Entry form, click on the Click to Choose option next to Target Property From the list of options, click More choices… Type custMemberType in the Look For Property field Select custMemberType from the available properties Click Ok Click Ok Click on the equals operator Select Is not empty from the list Click Ok The conditions for which the workflow will be triggered has now been set, the next step will be to configure the update of the custMemberIDType using If/Else conditions From the list of Workflow steps on the left hand side, select and drag the If-Else object found under Basic Activities on to the workflow on the pre (or before) side of the option (place it under the Green arrow) Right Click the If-Else branch, and select Add Branch , repeat this action for 6, for each of the 8 possible options, plus an additional for one where its not configured correctly For Each If-Else branch (except the last one), do the following: Double click the branch Change the name to be the name of the Friendly Text Click Configure condition to evaluate… in the Conditions field Select Change value of workflow target object property On the Configure Entry form, click on the Click to Choose option next to Target Property From the list of options, click More choices… Type custMemberType in the Look For Property field Select custMemberType from the available properties Click Ok Click Ok Click on the Define value to compare to Click Text string… Enter the Friendly Text value for the current if-else branch Click Ok Click Ok NB: The Friendly Text value MUST match one of the values held in the Administration Policy controlling the value of custMemberType Repear for the 8 valid friendly text values For the final If-Else branch , Double click the branch Change the name to be Other Click Ok (no condition is being provided) For each of the If-Else Branches , add a Modify Requested Changes activity from the Object Management on the left hand side For each Modify Requested Changes activity step, double click to set the steps activities in turn On the Name and Description tab, enter the name as the Friendly text, you can leave description blank or populate as required On the Target Changes tab click Add Property Click More Choices Type custMemberIDType into the Look for Property field Select custMemberIDType from the available properties, and click Ok Click Define in the Value column Select Numeric value… Set the appropriate numeric value related to the Friendly Text Repeat this section for each of the 8 Friendly text possibilities For the Modify Requested Changes activity step under the Other If-Else branch, double click to set the steps on the activity. On the Name and Description tab, enter the name as Other , you can leave description blank or populate as required On the Target Changes tab click Add Property Click More Choices Type custMemberIDType into the Look for Property field Select custMemberIDType from the available properties, and click Ok Click Define in the Value column Select Numeric value… Set the appropriate numeric value to the default 7 On the Target Changes tab click Add Property Click More Choices Type custMemberType into the Look for Property field Select custMemberType from the available properties, and click Ok Click Define in the Value column Select Text string… Set the text string value to the default Normal Account Click Ok Click Ok Click Save Changes The workflow will look something like: Test the Administration Policies and Workflow by Creating a new Group in the console (within the inscope OU), give it a meaningful name, and ensure that the custMemberType property if visible in the Wizard (custMemberIDType will not be shown), select a value in custMemberType other than the default, then finish the creation of the object. Open the object, view the advanced properties, as show that the custMemberIDType value is correctly linked to the custMemberType value Modify the newly created group, changing the custMemberType value to another possible value. Check the advanced properties again, to show that the custMemberIDType value is correctly linked to the custMemberType value, the change will only be made after apply is clicked.

Stu.Pollock · Answer

So we need to add the property to the appropriate forms within all the Active Roles Web Sites you need it to be present (ignore the colours of the ARWebAdmin site below, I&rsquo;m in the middle of writing something for a customer).

Go to the website you want to change, with a user account that is a member of the ARS Full Admin group 
 Expand Customization and click Directory Objects

From the list of Directory Objects, select the object class where the command appears (IE new group would be visible under container and organization unit , where as group properties would be under group).

Find the command where you want to add the property, then click the command link

One the command propery opens, click Edit Form from the action pane

The form properties are now displayed.

As this is the first time you are adding the custMemberType property, click Add Entry and select Create

On the Create New Entry form, select Show all possible properties and Show LDAP Display names . Find and select the custMemberType attribute, then click Next

Populate the Entry Name, Entry Description , and Entry Tooltip , then click Finish

Next click Save

Click Reload to publish the working change to be part of the current configuration

The customization is now live.

To test the change (in this example) create a new group that is in scope of the Administration Policy created in the previous instructions, and you should now see the Member Type entry created above is now present at the bottom on the General Properties tab of the New Group form

This entry you added to the form can be moved around, IE up and down on the General Properties tab, or you could move it to another tab (by deleting it from the general tab, clicking on the tab you want to put it in, then choosing Add Entry and clicking Select, then choosing the entry you created [in this instance ctr;l + f is your friend, you&rsquo;ll need to scroll to the bottom of the page to click Finish, but then it&rsquo;s the save as steps 11 and 12])

Endpoint Privilege Management

Custom Drop down list for policy defined attribute - Totally lost

Top Replies