Workflow and using value generated by rule expression with script

Hi,

I am currently attempting to write a workflow that would dynamically update the AD attribute "accountExpires" for all users provisioned via our HRIS system.

My idea was to use a workflow to search for any user with an expiring account within 15 days or less. For all found accounts, I would update the "accountExpires" attribute with a date 1-year in the future of whatever the current date is of the accountExpires attribute.

So, if the current date of the "accountExpires" attribute is 05/07/2023, then we would update the value to 05/07/2024.

Within the workflow, I am using a "Search for objects" activity followed by a "Change object properties > Target Properties > Property: accountExpires > Value generated by rule expression".

The problem I am running into is I don't know how to reference the found object. I have tried the following method:

    $user = (Get-QADUser -Identity ($workflow.FoundObject("Search for objects").get("distinguishedName"))).UserPrincipalName

This generated the following error:

    DEBUG:     ! CALL function 'GenerateAccountExpiration'
    DEBUG:    5+      >>>> $user = (Get-QADUser -Identity ($workflow.FoundObject("Search for objects").get("distinguishedName"))).UserPrincipalName

      Call '$Workflow.FoundObject'
    ERROR: 
    At line: 5 char:5. You cannot call a method on a null-valued expression.

Here is the code within the script I am running:

    function GenerateAccountExpiration ()
    {
        # Resolve the found object's DN to a UPN via the Quest cmdlet
        $user = (Get-QADUser -Identity ($workflow.FoundObject("Search for objects").get("distinguishedName"))).UserPrincipalName

        # accountExpires is stored as Integer8 (100-ns intervals since 1601-01-01 UTC)
        $Integer8 = ((Get-ADUser -Filter { userPrincipalName -eq $user } -Properties accountExpires).accountExpires)

        # 0 and Int64.MaxValue both mean "never expires"; FromFileTimeUtc throws on the latter
        if ($Integer8 -eq 0 -or $Integer8 -eq [Int64]::MaxValue) { return $null }

        # AddYears(1) keeps the same calendar date across leap years, unlike AddDays(365)
        $newExpiryDate = ([datetime]::FromFileTimeUtc($Integer8)).AddYears(1)

        $newExpiryDate
    }
 

I know this script can probably be more efficient, I am just trying to work on a POC at the moment :)

Is it not possible to reference the $workflow.FoundObject values from within a "Change object properties" script?

Thank you!

P.S. Does anyone know how to post screenshots? I saw someone else ask this and they said you can just paste the screenshot in. When I try that the space I am pasting into just gets deleted. Do you have to post screenshots on an external source first?

  • At first glance, the code looks ok for accessing the found item in the workflow. In the Run History of the Workflow, you can see the LDAP query Active Roles is generating to search for users. Use this query in the MMC, in a Custom Search, to verify that the query is actually finding the desired users. I also find it a little easier to use Out-File in the script to output variables to a text file for debugging.

  • There are a few limitations with scripts accessing found items, say within If-Else activities for example. I'm not sure if there is a similar issue/limitation running scripts within a Change Object Properties step contained within a Search activity.

  • Thank you Richard.

    I was able to verify that my search is returning my desired test user by the error message that is generated. It actually shows me the user that is attempting to get changed, so I know at least I have a target user.

    I didn't think about using the MMC to test out queries though, that is a fantastic tip, thank you!

    And I too love Out-Files! I use them like crazy since I am sort of horrible at scripting and it is usually a lot of trial and error. Only downside right now is that because the script is completely erroring out, I can't get much info.

  • I just read the KB about this scenario that someone else had posted. I remembered I had run into this issue recently in another major automation I built, but at the time I had no idea why it was happening.

    I had already considered trying to do everything within PS, but I was trying to be fancy with the ARS GUI :)

    I will try just running a script to accomplish what I need to do and see if I can get that working.

  • This is the code sample for this functionality from the Active Roles SDK:

    Function SavedDisplayName($Request)
    {
        return $workflow.SavedObjectProperties("Save Object Properties 1").get("displayName") 
    }

    Notice that you have to pass the $Request object into your custom function in order to get access to the constructed variables.

    You missed that in your function. Try and add $Request into your GenerateAccountExpiration declaration and see if that helps.
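The following is an added example, not code from the original post or from the Active Roles SDK. It puts the advice in this reply together with the original goal: the function declares `$Request` as its parameter so that the `$workflow` object is available, reads the found object from the Search activity, and extends `accountExpires` by one calendar year. Assumptions: the Search activity is named "Search for objects", the ActiveDirectory and Quest (`Get-QADUser`) cmdlets are loaded on the Active Roles server, the log path is arbitrary, and the rule expression accepts the Integer8 value in the form AD stores it.

```powershell
# Added example, not code from the original post or the Active Roles SDK.
# Assumptions: the Search activity is named "Search for objects"; $workflow is
# populated by Active Roles once the function declares $Request as its parameter;
# the ActiveDirectory cmdlets are available; and the "Value generated by rule
# expression" accepts the Integer8 value in the form AD stores it.

# Pure helper: given the stored Integer8 (100-ns ticks since 1601-01-01 UTC),
# return the Integer8 one calendar year later, or $null when the account is set
# to never expire. AD uses both 0 and Int64.MaxValue for "never", and
# [datetime]::FromFileTimeUtc throws on the latter, so test before converting.
function Get-ExtendedAccountExpires([Int64]$Integer8)
{
    if ($Integer8 -eq 0 -or $Integer8 -eq [Int64]::MaxValue) { return $null }
    $current = [datetime]::FromFileTimeUtc($Integer8)
    # AddYears(1) lands on the same calendar date; AddDays(365) drifts in leap years
    return $current.AddYears(1).ToFileTimeUtc()
}

# Script-module function wired to "Change object properties" > accountExpires >
# "Value generated by rule expression". $Request must be declared even if unused.
function GenerateAccountExpiration($Request)
{
    $log = 'C:\Temp\GenerateAccountExpiry.txt'   # assumed debug location

    # The object handed to this step by the enclosing Search activity
    $dn = $workflow.FoundObject("Search for objects").get("distinguishedName")
    "$(Get-Date -Format o) found object: $dn" | Out-File -Append $log

    # Get-ADUser accepts a DN as -Identity and returns accountExpires as Int64
    $integer8 = [Int64](Get-ADUser -Identity $dn -Properties accountExpires).accountExpires
    $extended = Get-ExtendedAccountExpires $integer8

    if ($null -eq $extended) {
        "$dn has no expiry set; returning the stored value unchanged" | Out-File -Append $log
        return $integer8
    }

    $from = [datetime]::FromFileTimeUtc($integer8).ToString('u')
    $to   = [datetime]::FromFileTimeUtc($extended).ToString('u')
    "$dn expiry $from -> $to" | Out-File -Append $log
    return $extended
}
```

The Search activity's LDAP filter is what decides which accounts get extended, so it should be as narrow as the business rule allows; an unconditional one-year extension for every account the search finds removes the reason for having `accountExpires` set on those accounts in the first place.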

  • Out-files are great, sure, but this is also useful:

    Solution Title: How to Enable Debug Logging on Script Modules
    Solution Number: 4334332
    Solution URL: https://support.oneidentity.com/kb/4334332

  • Agreed, the debug is awesome as well. Combining the Out-Files and the debug logging together makes debugging much easier.

  • Thank you, Terrance.

    I tested out the snippet of code above, it still generates an error, but it is slightly different:

     Call method '$Request.Get'
         Arguments list:
             [1] : Value=distinguishedName : Type=System.String
    DEBUG:    5+      >>>> Write-Output "GUID $Request.GUID" | Out-File -Append C:\Temp\GenerateAccountExpiry.txt
    
    DEBUG:    9+      >>>> $user = return $workflow.SavedObjectProperties("Save object properties").get("UserPrincipalName")
    
    DEBUG:    9+     $user = return  >>>> $workflow.SavedObjectProperties("Save object properties").get("UserPrincipalName")
    
      Call '$Workflow.SavedObjectProperties'
    ERROR: 
    At line: 9 char:20. Exception calling "SavedObjectProperties" with "1" argument(s): "The given key was not present in the dictionary."

    Not sure if I am interpreting the error properly, but it would seem to indicate that $Request doesn't contain the "$workflow.SavedObjectProperties" values.

    I also tried outputting $Request.GUID to see if this would give me the GUID of the user who is currently going through the workflow, but the GUID is blank.

    Just curious if this could have anything to do with the age of our ARS. We are currently running version 7.4.3 (which we are planning to upgrade next week). Maybe this is working in a newer version.

  • These new errors are good - they mean that the $Workflow object now exists and is accessible inside your function.

    "The given key was not present in the dictionary." tells me that either the name of the "Save object properties" activity is incorrect, or that the userPrincipalName attribute isn't in it.

    Don't forget that you can export the entire object to a file in order to see what it contains:

    $Request | Select * | Out-File C:\temp\request.txt

    $Workflow | Select * | Out-File C:\temp\workflow.txt

    If you see something that interests you, export that to a file using a dot-reference and/or select with -expandProperty

    You can also use Get-Member to dig into the methods of these constructed objects, as well as Get-Variable to find things that you didn't know were there.

    There absolutely were some issues with Active Roles 7.4.3 related to instantiating the $Workflow object correctly... I'm not sure if you are experiencing something like that in this scenario, but examining your Out-Files should confirm if the expected properties and methods exist.
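As an added example (not code from the thread or from One Identity), here is the dump-and-probe approach from this reply written as one function: it records the members and values of `$Request` and `$workflow` to files, then calls `FoundObject` and `SavedObjectProperties` with each activity name the script expects inside try/catch, so a "given key was not present in the dictionary" error can be pinned to a specific misnamed activity without terminating the script. The output directory and the activity names are assumptions.

```powershell
# Added example, not from the original thread or from One Identity.
# Assumptions: the output directory is writable by the Active Roles service
# account, and the activity names in $ActivityNames are the ones the calling
# script expects to exist in the workflow designer.
function Write-WorkflowDiagnostics($Request, [string[]]$ActivityNames = @('Search for objects', 'Save object properties'))
{
    $dir = 'C:\Temp\ars-debug'
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # Structure first (Get-Member lists methods such as FoundObject that
    # Select * does not show), then the property values.
    foreach ($pair in @(@{ Name = 'request'; Value = $Request }, @{ Name = 'workflow'; Value = $workflow })) {
        $path = Join-Path $dir "$($pair.Name)-$stamp.txt"
        if ($null -eq $pair.Value) {
            "`$$($pair.Name) is null in this context" | Out-File $path
            continue
        }
        $pair.Value | Get-Member | Out-File $path
        $pair.Value | Select-Object * | Out-File -Append $path
    }

    # Probe each expected activity name. A KeyNotFoundException here means the
    # name does not match the designer exactly, not that $workflow is missing.
    $probe = Join-Path $dir "activities-$stamp.txt"
    foreach ($name in $ActivityNames) {
        try {
            $found = $workflow.FoundObject($name)
            "FoundObject('$name'): $($found.get('distinguishedName'))" | Out-File -Append $probe
        } catch {
            "FoundObject('$name') failed: $($_.Exception.Message)" | Out-File -Append $probe
        }
        try {
            $saved = $workflow.SavedObjectProperties($name)
            "SavedObjectProperties('$name') members:" | Out-File -Append $probe
            $saved | Get-Member | Out-File -Append $probe
        } catch {
            "SavedObjectProperties('$name') failed: $($_.Exception.Message)" | Out-File -Append $probe
        }
    }
}
```

Call `Write-WorkflowDiagnostics $Request` as the first line of the function that is failing; the activity probe file then shows which names resolve and which throw, and the member dumps show whether the attribute you want (for example `userPrincipalName`) is actually present in the saved properties.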

  • Thank you for correcting my interpretation of the error message. I will need to remember that for next time. I have been reading that error message entirely wrong.

    I was also curious about how to properly dump the contents of $Request and $Workflow. I will give this a try and see what I can figure out.

    Will provide an update.

    As a side note, I did get it working with a PowerShell script. But it would be cool if I could get it working the way I originally wanted to do it.