How to implement deferred actions in ARS

People often ask about the possibility of implementing deferred actions in ARS. What does this mean? For example, an employee will be absent from work for a period of time, and we would like his account to be disabled for the period of his absence.

As we know, ARS does not support this kind of planning out of the box. But we also know that this is exactly how temporal group membership works, so we can use a similar mechanism for such deferred actions.

The idea is to use an approval activity to pause the action. A scheduled task will periodically check for such pending operations and approve them when it is time to execute the action. In our case we require two actions: one to enable the account and one to disable it.

Let's start by creating two non-stored virtual attributes: edsvaTriggerThisAction (string) and edsvaTriggerDate (date/time). These attributes will be used to trigger the "action". Then we create a workflow for each type of action, with the start conditions shown in the screenshot below.

After that we add an approval activity in which the approver is a special account. Let's call it DefReqAccount. After the approval we add a script activity, which actually performs our "action" (disabling or enabling the user). This "action" will not be executed until it is approved.

Now we need the scheduled task that checks all pending tasks and approves them at the specified time.

I have written a draft script that should be enough to demonstrate how it works. The script checks all pending operations that include a change request for the edsvaTriggerDate (date/time) attribute, finds the requests whose trigger date has arrived, and approves all tasks linked with those operations.

# Load the ActiveRoles Management Shell snap-in and connect through the ARS proxy
Add-PSSnapIn Quest.ActiveRoles.ADManagement
Connect-QADService -proxy -Service lemonars670fix2

# Pending operations that include a change of edsvaTriggerDate
$defop=Get-QARSOperation -OperationStatus Pending -ChangedAttributes 'edsvaTriggerDate'

foreach ($r in $defop)
{
    # Requested trigger date for this operation
    $triggerdate=$r.AttributeChanges | where {($_.name -eq 'edsvaTriggerDate')} | %{$_.Values}
    $today=Get-Date
    $TaskID=($r.ID).ToString()
    $triggerdate=Get-Date($triggerdate)

    # Approve the linked tasks once the trigger date has passed
    if ($today -gt $triggerdate)
    {
        Get-QARSApprovalTask -Approver 'Lemon\DefReqAccount' -TaskStatus Pending | where {$_.ID -like $TaskID+'*'} | %{Approve-QARSApprovalTask $_.ID}
    }
}
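A guard the scheduled task could apply before approving, added here as an example and not part of the original script: it passes only operations whose trigger date parses and has arrived, and that change nothing beyond the two trigger attributes. Select-DueOperation, New-SampleOp, the allowlist and the sample objects are assumptions constructed for illustration; the objects mimic only the ID and AttributeChanges properties that the script above reads.

```powershell
# Added example, not the author's code. Attribute names come from the article;
# the function names, allowlist and sample objects are assumptions.
$AllowedAttributes = 'edsvaTriggerThisAction', 'edsvaTriggerDate'

function Select-DueOperation {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Operation,
        [datetime] $Now = (Get-Date)
    )
    foreach ($op in $Operation) {
        # Refuse requests that change anything besides the two trigger attributes.
        $extra = @($op.AttributeChanges | ForEach-Object { $_.Name } |
            Where-Object { $AllowedAttributes -notcontains $_ })
        if ($extra.Count -gt 0) {
            Write-Warning "Skip $($op.ID): unexpected attribute(s) $($extra -join ', ')"
            continue
        }
        $raw = $op.AttributeChanges | Where-Object { $_.Name -eq 'edsvaTriggerDate' } |
            ForEach-Object { $_.Values } | Select-Object -First 1
        # -as returns $null instead of throwing, so a bad value is never "due".
        $due = $raw -as [datetime]
        if ($null -eq $due) {
            Write-Warning "Skip $($op.ID): trigger date missing or not parseable"
            continue
        }
        if ($due -le $Now) { $op }   # emit only operations whose time has come
    }
}

# Constructed sample input (not real ARS output).
function New-SampleOp($Id, [hashtable] $Changes) {
    $attrs = foreach ($k in $Changes.Keys) {
        New-Object psobject -Property @{ Name = $k; Values = $Changes[$k] }
    }
    New-Object psobject -Property @{ ID = $Id; AttributeChanges = @($attrs) }
}
$stamp = Get-Date
$sample = @(
    (New-SampleOp 'op-1' @{ edsvaTriggerThisAction = 'disable'; edsvaTriggerDate = $stamp.AddDays(-1) }),
    (New-SampleOp 'op-2' @{ edsvaTriggerThisAction = 'enable';  edsvaTriggerDate = $stamp.AddDays(7) }),
    (New-SampleOp 'op-3' @{ edsvaTriggerThisAction = 'disable'; edsvaTriggerDate = 'next week' }),
    (New-SampleOp 'op-4' @{ edsvaTriggerDate = $stamp.AddDays(-1); memberOf = 'CN=Admins' })
)
Select-DueOperation -Operation $sample -Now $stamp | ForEach-Object { "approve: $($_.ID)" }
```

In the script above, $defop would be passed as -Operation, so that only the operations it returns reach Approve-QARSApprovalTask.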

 

Now we can check our solution. To do so, we create a deliberately outdated action request with Set-QADUser -Identity 'SomeUser' -ObjectAttributes @{edsvaTriggerThisAction='some action';edsvaTriggerDate=Get-Date(10.10)}. After that we can wait until the scheduled task runs, or just run the script from a file. The screenshot below shows how it works.
