Possible to run PowerShell script in workflow with user rights, not AR service account rights?

Is it possible to run a PS script module in a workflow but have it run as the user who started the workflow, not the AR service account?  

In the "run-as" setting for the workflow, we have it set to run as the user, not the AR service account. Also in the script, we are using the -Proxy parameter, but when we look at logs, it's still using the AR service account to modify the AD groups. We can see the workflow is indeed getting started by the user account, but the script still runs under the AR service account. We don't want this script to work unless the user running the workflow has rights to modify the groups.

Thank you. 

  • All script modules will execute under the security context of the Active Roles service account. If you want to execute under another security context, then you would need to store the credential and then leverage that credential using PowerShell.

    It is not possible to have Active Roles execute a script module under the security context of an Active Roles User.

  • Thank you, Terrance. We want to give some application groups rights to bulk add a list of users to the groups they have rights to manage. They do this periodically.

    The thought was to have them run a workflow that ran a script that basically did all the work for them. All they had to do was pick the AD group when prompted (from the workflow) and populate a text file. This worked well, but the issue is they can now modify any AD group, which we can't allow.

    Is there a better way to accomplish this using AR?

  • Perhaps use an Automation Workflow (on a 5 minute schedule) that checks for the presence of the text file in a specific location and then cleans it up when it's done?

  • Thanks, but they need to be able to pick the group they want to modify. We've actually gotten this request from several IT groups, so we wanted to make this available to any IT group, but just need it to run as the user.

  • I would create an Active Roles Virtual Attribute that is linked to Groups. The Virtual Attribute accepts a UNC path to an input file. They can only modify the attribute value for groups that they have delegated access to. Modifying the attribute fires a script that picks up the path value, processes the file, and then clears the Virtual Attribute value. This would meet all of your requirements.
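    An added example sketching the Virtual Attribute approach described in this reply; it is not code from the thread or from One Identity. It assumes a Virtual Attribute named edsvaBulkMemberImport (hypothetical name) linked to the Group class, a Script Policy applied to the OUs that hold the delegated groups, and that the import file lives under an agreed share root (\\fileserver\bulkimport is a placeholder). The handler names (onPreModify, onPostModify, $Request, $DirObj) and the QAD cmdlets follow the Active Roles script policy model; the input file is constructed by the requesting team, one sAMAccountName or UPN per line.

```powershell
# Added example: script module for a Virtual Attribute driven bulk import.
# Assumed attribute name and share root; adjust both to your environment.
$AttrName    = 'edsvaBulkMemberImport'
$AllowedRoot = '\\fileserver\bulkimport\'

function Test-ImportPath([string]$Path)
{
    # The module runs as the Active Roles service account, not the requester,
    # so the only thing gating the group is the delegated write on the attribute.
    # Keep the file read narrow: one share root, .txt only, no traversal.
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not $full.StartsWith($AllowedRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected path '$Path': must be under $AllowedRoot"
    }
    if ([System.IO.Path]::GetExtension($full) -ne '.txt') {
        throw "Rejected path '$Path': only .txt input files are accepted"
    }
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        throw "Rejected path '$Path': file not found"
    }
    return $full
}

function onPreModify($Request)
{
    # Validate up front: an error thrown here rejects the request, so the person
    # setting the attribute sees why their import was refused.
    if ($Request.Class -ne 'group') { return }
    if (-not $Request.IsAttributeModified($AttrName)) { return }
    $path = $Request.Get($AttrName)
    if ([string]::IsNullOrWhiteSpace($path)) { return }   # clearing the value is always allowed
    [void](Test-ImportPath $path)
}

function onPostModify($Request)
{
    if ($Request.Class -ne 'group') { return }
    if (-not $Request.IsAttributeModified($AttrName)) { return }
    $path = $Request.Get($AttrName)
    if ([string]::IsNullOrWhiteSpace($path)) { return }

    $groupDn = $DirObj.Get('distinguishedName')
    try {
        $full    = Test-ImportPath $path
        $members = Get-Content -LiteralPath $full | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($m in $members) {
            # Resolve each line on its own so a bad entry is reported by name
            # instead of silently adding nothing.
            $user = Get-QADUser -Identity $m -SizeLimit 1 -ErrorAction Stop
            if ($null -eq $user) { throw "User '$m' from $full not found" }
            Add-QADGroupMember -Identity $groupDn -Member $user.DN -ErrorAction Stop | Out-Null
        }
    }
    finally {
        # Clear the attribute whether or not the import succeeded, so a path is
        # processed once and a failed run does not fire again on the next edit.
        # 1 = ADS_PROPERTY_CLEAR.
        $DirObj.PutEx(1, $AttrName, $null)
        $DirObj.SetInfo()
    }
}
```

    Two things to check before relying on this: the service account, not the requester, reads the file, so the share ACL is what stops one team from pointing the attribute at another team's list; and Add-QADGroupMember here runs in the module's default Active Roles connection, so the membership change is still recorded as the service account in AD, with the requester visible only in the Active Roles change history for the attribute write.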

  • Thanks Terrance, that may just work for us.  Much appreciated.  

    Side note - is there a reason AR does not offer any sort of import CSV option in the web console?  Something similar to how Azure allows you to do for bulk updates to Azure groups would be really nice.  Certainly this has been requested before...

  • It has. We are tracking the Feature Enhancement Request for a built-in Active Roles Administration Service Workflow activity to import a CSV file under FE ID 241713. Product Management would need to accept this before it will be included in the product. Sending this FE ID to your account manager may help grease the wheels.
