ARS workflow parameter based on a script

Hi,

I'm trying to write an approval workflow based on a specific attribute.

We populate an attribute with "Deprovisioned by <name>"

Now I need to run a check on the <name> to see if they are included in a specific group. 

function GSOC($Request)
{
    # Specify the group name
    $group = "Approval-TEST"

    # Read attributeX from the user object passed in by the workflow
    $userattributes = get-aduser -identity $request -properties "attributeX"

    # Remove the first 42 characters (the "Deprovisioned by " prefix) to leave the name
    $deproBy = $userattributes.attributeX -replace "^.{42}"

    # Get all members of the specified group (including nested groups)
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty Name

    # Check if the user exists in the group; $result stays empty when they do not
    $result = $null
    if ($members -contains $deproBy) {
        $result = "memberOf"
    }
    $result
}

I then use this in a workflow which only runs if Parameter (XX) equals "memberOf"

I'm pretty sure my issue is with the "$userattributes = get-aduser -identity $request -properties "attributeX"" line.

The context of the workflow is to force an approval on an undo-depro if the account was deprovisioned by someone in a specific group. 


  • You can specify the group in the start conditions of the workflow.

    By default, "Any User" performing an action in the Active Directory container triggers a workflow.

    But you can change that so it's not any user but rather a group.  No fancy code needed.

    See Initiator Conditions here.

  • Hi Johnny,

    Maybe I didn’t explain it properly :)

    Scenario is like this.

    When a user is deprovisioned we write into “attributeX” who did the deprovision. That way we can see who has done a manual deprovision.

    We have a need now for an approval workflow IF the user was deprovisioned by someone in a specific group, in this case it would be a GSOC group, and the user trying to reverse the deprovision is NOT in the group.

    My thought was to retrieve attributeX from the user being undo-depro'd, check if the name from attributeX is included in GroupA. If it is and the user doing the undo-depro is NOT in GroupA, then an approval notice is sent to members of GroupA.

    Step 1: get attributeX from user object being undo-depro'd

    Step 2: check if <name> is in GroupA

        If yes: check if initiator is in GroupA

            If yes: no approval

            If no: approval notice is sent

  • I get it now.

    Question:  Does the name of the original initiator of the deprovision really matter?

    I would propose a simplification (?) of your process.

    Create a stored Boolean virtual attribute for users - DeprovRequiresApprovalCheck (or something equally meaningful to you)

    Stamp the VA TRUE when the original initiator is in your GSOC group - you can have a simple one step workflow to do this for all deprov events that are performed by people in the GSOC group (see my original suggested approach above for checking the group membership of the initiator as part of the workflow start condition).

    Then, when a deprov comes along, in the start conditions of your "GSOC Check workflow", check if this attribute is TRUE on the "Workflow Target" - if it is, perform the group membership check on the initiator to determine whether the approval is required or not. It will save you a call to AD to check the membership of the original initiator.

  • Hi Johnny,

    We wanted to avoid having to use an attribute in GAD to do this. 

    We spent some time setting up event logs today to see if we could figure it out ... and got it working :)

    It works if we use get-qaduser instead of get-aduser to get the target's attributeX back and then calculate on that.
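
The three steps laid out earlier in the thread (read attributeX from the target, check the recorded name against GroupA, then check the initiator), written out as one script function. This is an added example, not the poster's code or anything from Active Roles. It assumes the Active Roles Management Shell (Get-QADUser) and the RSAT ActiveDirectory module (Get-ADGroupMember) are both loaded, that attributeX holds text of the form "Deprovisioned by <display name>", that $Request can be handed to Get-QADUser -Identity as the last reply reports, and that the workflow passes the initiator's display name in as $InitiatorName (a hypothetical parameter; the thread does not show how the initiator is exposed). One caveat worth keeping in mind: the check compares display names because that is what attributeX stores, and display names are not unique in AD, so if the attribute can be changed to record a sAMAccountName or DN the comparison should be made on that instead.

```powershell
# Added example (not from the original thread). Assumes Active Roles Management
# Shell + RSAT ActiveDirectory module, attributeX = "Deprovisioned by <name>",
# and a hypothetical $InitiatorName supplied by the workflow.

function Get-DeprovisionedByName {
    param([string]$AttributeValue)
    # Parse the name out of the stored text instead of cutting a fixed number of
    # characters, so a change to the prefix wording cannot silently return garbage.
    if ($AttributeValue -match '^Deprovisioned by\s+(.+)$') {
        return $Matches[1].Trim()
    }
    return $null
}

function Get-GroupMemberNames {
    param([string]$Group)
    # Recursive membership, returned as display names because that is what
    # attributeX records. Display names are not unique in AD (see lead-in).
    return @(Get-ADGroupMember -Identity $Group -Recursive |
             Select-Object -ExpandProperty Name)
}

function Resolve-UndoDeproDecision {
    # Pure decision logic mirroring the thread's steps: approval is needed only
    # when the deprovisioner is in the group and the initiator is not.
    param([bool]$DeprovisionerInGroup, [bool]$InitiatorInGroup)
    if ($DeprovisionerInGroup -and -not $InitiatorInGroup) { return "approval" }
    return "noApproval"
}

function Test-UndoDeproApproval {
    param($Request, [string]$InitiatorName)
    $group = "Approval-TEST"   # the GroupA / GSOC group from the thread

    # Step 1: attributeX from the workflow target (the account being undo-depro'd).
    # Get-QADUser is used here because the thread reports it resolves $Request.
    $target  = Get-QADUser -Identity $Request -IncludedProperties "attributeX"
    $deproBy = Get-DeprovisionedByName -AttributeValue $target.attributeX
    if (-not $deproBy) {
        # No recorded deprovisioner, so there is nothing to gate on
        return "noApproval"
    }

    # Step 2: is the recorded deprovisioner in the group, and is the initiator?
    $members = Get-GroupMemberNames -Group $group
    return Resolve-UndoDeproDecision `
        -DeprovisionerInGroup ($members -contains $deproBy) `
        -InitiatorInGroup     ($members -contains $InitiatorName)
}

# Usage: the workflow calls Test-UndoDeproApproval and runs the approval
# activity only when the returned parameter equals "approval". The decision
# logic alone can be exercised without AD, e.g.
# Resolve-UndoDeproDecision -DeprovisionerInGroup $true -InitiatorInGroup $false
```

Keeping the membership lookup and the decision in separate functions means the branch logic can be exercised on a workstation without touching the directory, and the single AD group lookup is reused for both the deprovisioner and the initiator rather than being issued twice.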