4 Replies Latest reply on Feb 26, 2019 8:42 AM by armexpert

    Starting a 2nd template after job of 1st template is done

    swg

      Hello everyone,

       

      We use a template to create an AD user.

       

      If the job has finished we would like to immediately open a second template for different other things e.g. create a security group right after

       

      Or is it possible to put CreateNewUser  and  CreateNewGroup  inside one template which creates both user and the group?

       

       

      Thanks

        • Re: Starting a 2nd template after job of 1st template is done
          8paul

          Hi swg,

           

          the way to do that would be to execute a call against the Web API from the attached script execution. There are methods in the API that allow you to create Objects either by template or without (and also a bit more other stuff).

          Please ask your rep for documentation.

           

          Regards

          Paul

            • Re: Starting a 2nd template after job of 1st template is done
              paddy75

              I have the same question. It would be nice to open a second template then an open order for example.

              @8paul, do you have some examples how to emplement it?

              Regards,
              Patrick

                • Re: Starting a 2nd template after job of 1st template is done
                  8paul

                  Hi Patrick,

                   

                  i dont have an example that´s calling a template based function right now. I hope the following works as a general example, the different methods and parameters should be available in the docs. At the moment I am not aware of any method to call OpenTemplates through the API though.

                  Here is an example of how to use the API with powershell to add an account to a group (log in with username and password):

                   

                   

                  $baseUrl = "https://localhost"

                  $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

                  $loginUrl = $baseUrl + '/Session/login?username=demoadmin&domain=8man-demo&password=Passw0rd'

                   

                   

                  $webrequest = Invoke-RestMethod -uri $loginUrl -Method Get -SessionVariable websession

                  $webrequest

                  $cookies = $websession.Cookies.GetCookies($loginUrl)

                  $cookies

                  $session.Cookies.Add($cookies);

                   

                   

                  $body = '{"groupAccountDn":"CN=Clean - Marketing,OU=clean!,DC=8man-demo,DC=local","accountDnsToAdd":["CN=testuser,OU=Sales,OU=Berlin,DC=8man-demo,DC=local"],"comment":"blub"}'

                  $changeGM_URI= $baseUrl + "/api/v1/account/groupmember"

                   

                   

                  $webrequest = Invoke-RestMethod -Uri $changeGM_URI -WebSession $session -Method Post -Body $body -ContentType "application/json"

                   

                  When calling the API through a script that has been executed by ARM itself like in the suggested scenario you can also define {authZtoken} as an additional parameter and use that token value to authenticate to the API like this:

                   

                  param(

                  [string] $authZToken,

                  [string] $groupname,

                  ...

                  )

                   

                       ....

                   

                      $baseUrl = "https://localhost"

                      $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

                      $loginUrl = $baseUrl + "/Session/loginWithToken?token=$authZToken"

                   

                       ...

                   

                   

                  If you are using a self signed or untrusted SSL certificate you might also run into certificate verification errors using the above code. To temporarily disable the SSL verification you can execute this function:

                   

                  function Disable-SslVerification

                  {

                      if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type)

                      {

                          Add-Type -TypeDefinition  @"

                  using System.Net.Security;

                  using System.Security.Cryptography.X509Certificates;

                  public static class TrustEverything

                  {

                      private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,

                          SslPolicyErrors sslPolicyErrors) { return true; }

                      public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }

                      public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }

                  }

                  "@

                      }

                      [TrustEverything]::SetCallback()

                  }

                   

                  To enable it again you can use this function:

                   

                  function Enable-SslVerification

                  {

                      if (([System.Management.Automation.PSTypeName]"TrustEverything").Type)

                      {

                          [TrustEverything]::UnsetCallback()

                      }

                  }

                   

                  Best

                  8Paul

                  • Re: Starting a 2nd template after job of 1st template is done
                    armexpert

                    Hi Patrick and swg,

                     

                    unfortunately there is now way to generate new "Request" with Workflow for the GrantMa. The only ways is like 8Paul said, do everything within a script. There are two ways:

                     

                    1.) Within a template, but here you have not the possiblity of single sign on tooken ("AuthZToken"). Within the template you can add direct Group Membership. The Syntax is:

                     

                    "Memberof": {

                      "IsHiddenFromRequester": false,

                      "IsHidden": false,

                      "Accounts": [

                       "sid:///ad/S-1-5-21-1545227963-2195427628-2857504096-20134"

                      ]

                    },

                     

                    2.) After creating a user / Group you can define scripts within the ARM Configuration and here you can use the  ("AuthZToken") see Picture. The rest is like 8Paul descriped.

                     

                    Hope that helps too.

                     

                    regards,

                    Mike