Passing Variables from Workflow into Powershell Script

Question

So we have a workflow that we set up to stop the helpdesk from adding users to a group who are members of another group. The users cannot be in both groups at the same time, these are 365 licensing groups. 
 What we are trying to accomplish is having a powershell script run that will remove the user they are trying to add to the group, from the other group (that they shouldnt be in). 
 The powershell script is simple enough, but I cannot find really any good documentation on how to pass a variable from the workflow into the script. The variable would be the user the heldpesk is trying to add to the group, that needs to get passed to the script so the script can remove that user from the other group which they shouldn't be in. Can anyone assist? Thank you.

JohnnyQuest · Answer

Have you considered an entirely different approach? What I have done with some success is used dynamic groups populated using Active Roles virtual attributes . Here's an example... I want to give a user only an E3 license OR an E5 license First group: E3_License_Group Second group E5_License_Group Don't allow the Help Desk to directly manage the membership of either group. 
 Make the groups dynamic as follows: Membership Rule for E3 group: License_Granted = E3 Membership Rule for E5 group: License_Granted = E5 Add the License_Granted virtual attribute to your web interface and add a PVG rule to your provisioning policy that allows only E3 , or E5 or None as acceptable values. Your "audit trail" for the licensing will be the change to the contents of the virtual attribute.

JohnnyQuest · Answer

There's a few ways to think about "variables" when it comes to Active Roles. 
 Typically, when you are integrating scripts, you want to work values from the current transaction that AR is processing. Let's take a simple example - updating the Description of a user. When you change a user description through the Active Roles UI, a "$Request" object is generated (this is what I call a transaction and its contents the "payload"). 
 Within this $Request object are several useful things that can be accessed using various properties and methods: 
 $Request.DN is the distinguished name of the object being modified 
 $Request.RequestedAttributes is an array containing the property(ies) being modified in the current transaction If you know which property is being changed, you can pull its value directly from the transaction like this: 
 $ChangedPropertyContents = $Request.Get("description") 
 OR if it's a multi value: $ChangedProperty Contents = $Request.GetEx("somemultivalueproperty") 
 'Hope this is helpful.

JohnnyQuest · Answer

It's not quite that simple. You would want to run your script to check whether the user is "allowed" to be a member of that group. 
 The thing to keep in mind is that the addition of a member to a group is a group change and thus the object in the $Request is the group. The user being added is part of the group's member property change. To learn a bit about the structure of your request, I would suggest you take this code and execute it with a change workflow triggered by a group member add to see what an inbound membership change $Request looks like: 
 function DumpMembershipChangeRequest($Request) { $str += [System.Environment]::NewLine + "Property values modified in the directory object" + [System.Environment]::NewLine # This will get you the group being changed $str += "Object DN: " + $Request.Name + [System.Environment]::NewLine # ---- Retrieve properties from in-process data ----- for($i = 0; $i -lt $Request.PropertyCount; $i++) { $item = $Request.Item($i) $str += "Property name: " + $item.Name $str += ", Property value(s): " # ----- Retrieve Property values ----- # This will give you the list of the members being added foreach($value in $item.Values) { $str += [string]$value + "// " 
 $str += [System.Environment]::NewLine } #End of values parsing loop # ----- Write output into a log file on the AR server ---- 
 Add-Content "C:\TEMP\AR_Request_contents_dump.txt" $str } # End of request property iteration 
 } # End of dump membership change request

JohnnyQuest · Answer

So the crux of it is that you need to get the AD object name of "Added Member" which is what I was trying to illustrate with the script above. You start with $Request.Item which contains a list of property / value pairs. 
 Referring to the above script: $Item.name will be "member" (the group property) $Item.Values will be your added member name(s)

JohnnyQuest · Answer

You could also try $AddedMembers = $Request.GetEx("member") which should return a list / array...though I am not 100% sure that will work.

Endpoint Privilege Management

Passing Variables from Workflow into Powershell Script

Top Replies