
Automatically getting the users’ manager from AD

Discussion created by david.hitchen Employee on Jun 26, 2017
Latest reply on Aug 21, 2017 by kevinj

In its default implementation, a Software Request with organisation approval will ask the requester (user) for their manager. This is a live lookup in AD as they type, and it is designed as an example use case, because we don’t know where companies store their single source of truth for organisational hierarchy (org chart): some will store it in AD, others in SAP, HR systems, spreadsheets, etc.

 

[Image: Checkout Page]

 

One of the first configuration changes you’ll want to make is to look up the requester’s manager automatically and make the field read-only, thus preventing any ‘accidental’ approvals from the wrong person.

 

The lookup is controlled in the workflow “install software”, in the task “Wait for organisational approval (Task)”, and is assigned to the parameter “Owners_Primary” (displayed as ‘Select manager approver’). NB: changing it at this level will affect all services using this workflow. If you want to test it at service level, simply override it in “Service admin”.

 

In this blog, I’ll explain how to change this to a custom lookup and provide an example script to accomplish the task.

 

First, you need to create the PowerShell that performs the lookup. It can be created and tested independently of the Automation Platform (AP), meaning it can be completed by someone with no knowledge of AP.

 

The following PowerShell will take a parameter (the requester) and return a manager object (from the manager property of their AD object). This is an AS-IS script, and you'd probably want to change it to use a Global Catalog server for multi-domain and cross-forest functionality.

 

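#############################################
function GetUserManager
{
    param($userid)

    # Strip a leading DOMAIN\ prefix so only the account name is looked up
    if ($userid.Contains("\"))
    {
        $userid = $userid.Split("\")[1]
    }

    # Needs the ActiveDirectory module; importing it again is harmless if it is already loaded
    Import-Module ActiveDirectory

    # Fetch the requester together with the manager attribute (a distinguished name)
    $user = Get-ADUser -Identity $userid -Properties manager
    if (-not $user.manager)
    {
        # No manager set: return a placeholder object with an empty account name
        $manager = New-Object PSCustomObject

        # Alternative: fall back to a fixed approval group instead
        #$manager | Add-Member -Type NoteProperty -Name "myDisplayName" -Value "Application approval group" -Force
        #$manager | Add-Member -Type NoteProperty -Name "samAccountName" -Value "..." -Force

        $manager | Add-Member -Type NoteProperty -Name "myDisplayName" -Value "No manager found in AD" -Force
        $manager | Add-Member -Type NoteProperty -Name "samAccountName" -Value "" -Force
    }
    else
    {
        # Resolve the manager's DN and add a friendly "Display Name (account)" label
        $manager = Get-ADUser -Identity $user.manager -Properties displayName
        $manager | Add-Member -Type NoteProperty -Name "myDisplayName" -Value "$($manager.displayName) ($($manager.samAccountName))" -Force
    }

    # Return the manager object to the caller
    $manager
}
#############################################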

 

Now that we have the script ready and tested, create a new entry in the “PowerShell web services” menu under “Administer” in the AP console. Let’s call it “GetUserManager”.

 

Now we update the “Owners_Primary” parameter in the workflow:

 

We pass the “userid” to the PowerShell and it returns an object which we use to populate the field, specifically the object properties “myDisplayName” and “samAccountName”.

 

You could have the PowerShell script look up the managers in any data source, such as a database, HR system, or via any API. All you need to do is write the PowerShell.

 

Feel free to like or comment if you find this useful or have questions.

David
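
A hardened variant of the lookup above, as an added example that is not part of the original post or the product: it returns the same myDisplayName/samAccountName object, but returns an empty approver when the requester cannot be resolved, or when the manager is disabled or is the requester. The function name, the -Server parameter, the messages and the allowed-character pattern are assumptions.

```powershell
# Added example (not the original author's script).
function Get-UserManagerChecked
{
    param(
        [Parameter(Mandatory)] [string] $UserId,
        # Assumption: optional DC or Global Catalog endpoint such as "host:3268"
        [string] $Server
    )

    # Build the same object shape the page's script returns
    function New-Result([string] $Display, [string] $Sam)
    {
        [PSCustomObject]@{ myDisplayName = $Display; samAccountName = $Sam }
    }

    # Strip a leading DOMAIN\ prefix, as the original does
    if ($UserId.Contains('\')) { $UserId = $UserId.Split('\')[1] }

    # Assumed naming policy: reject anything that is not a plain account name
    if ($UserId -notmatch '^[A-Za-z0-9._-]{1,20}$')
    {
        return New-Result 'Invalid requester id' ''
    }

    # Make lookup failures catchable and pass -Server only when supplied
    $ad = @{ ErrorAction = 'Stop' }
    if ($Server) { $ad.Server = $Server }

    try { $user = Get-ADUser -Identity $UserId -Properties manager @ad }
    catch { return New-Result 'Requester not found in AD' '' }

    if (-not $user.manager) { return New-Result 'No manager found in AD' '' }

    try { $manager = Get-ADUser -Identity $user.manager -Properties displayName @ad }
    catch { return New-Result 'Manager could not be resolved in AD' '' }

    # An approver who is the requester, or whose account is disabled,
    # would defeat the approval step: return an empty approver instead
    if ($manager.DistinguishedName -eq $user.DistinguishedName)
    {
        return New-Result 'Manager is the requester' ''
    }
    if (-not $manager.Enabled) { return New-Result 'Manager account is disabled' '' }

    New-Result "$($manager.displayName) ($($manager.samAccountName))" $manager.samAccountName
}
```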
