ActiveRoles – Using Previous Attribute Values

01/03/14 12:45 AM

Sometimes scripts or workflows need to know not only the requested change but also the previous (old) value of an attribute. The old value reveals the previous state of the object, and a decision can be made based on it.

Unfortunately, within ActiveRoles Server, the previous value of an attribute is not available within the $Request array, but that doesn’t mean we cannot retrieve it for use. The approach is to create a script module with two functions that perform these actions.

onPreModify:

This function will retrieve the previous value of the attribute in question and store it within the request for later use (within the same request).

onPostModify:

This function retrieves the original value from the request and performs some action on it.

In our example script module below, we are utilizing an ActiveRoles virtual attribute named vEmployeeStatus that has been used to store the employee status.  This status can be a word, an acronym, or just a plain letter as in ‘A’ for Active and ‘T’ for Terminated.

    function onPreModify($Request)
    {
        # Only handle requests for user objects
        if ($Request.Class -ne "User") { return; }

        # Use Parameters of the Request object to pass the original value
        # to the onPostModify event handler.
        try
        {
            # Load the current (pre-change) value from the directory object
            $DirObj.GetInfoEx("vEmployeeStatus",0)
            $strEmployeeStatus_orig = $DirObj.Get("vEmployeeStatus")
        }
        catch {}

        # An attribute that was never set is stored as a blank string
        if ($strEmployeeStatus_orig -eq $null)
        {
            $strEmployeeStatus_orig = ""
        }

        # Store the original value in the request for later retrieval
        $Request.Parameter("vEmployeeStatus",$strEmployeeStatus_orig)
    }

    function onPostModify($Request)
    {
        # Only handle requests for user objects
        if ($Request.Class -ne "user") { return; }

        $strUserDN = $DirObj.Get("distinguishedName")

        # New value, as submitted in the request
        $strEmployeeStatus_new = $Request.Get("vEmployeeStatus")

        try
        {
            # Original value, stored by onPreModify
            $strEmployeeStatus_orig = $Request.Parameter("vEmployeeStatus")
        }
        catch {}

        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_WARNING_TYPE, "Original Status: $strEmployeeStatus_orig")
        $EventLog.ReportEvent($Constants.EDS_EVENTLOG_WARNING_TYPE, "New Status: $strEmployeeStatus_new")

        # Output the original value for the workflow to read
        $strEmployeeStatus_orig
    }

Breaking down the script module further, let’s look at each function:

onPreModify:

1) First we check to make sure the request is for a ‘User’ object type

2) Next we attempt to get the current employee status from the object

3) Then we check whether the current status is null; if it is, we set the original employee status to blank

4) Lastly, the employee status is written into the request for later retrieval.

onPostModify:

1) First we check to make sure the request is for a ‘User’ object type

2) Next we get the new employee status and assign it to a variable

3) The old employee status is retrieved and assigned to a variable

4) Two event log entries are created to show the old and new values

5) Last, the old employee status value is output from the script for the workflow to read.

If this script were needed in a policy, the onPostModify could be modified to actually take some action or change an object.
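As an added example (not part of the original post), here is one way onPostModify could act on the change in a policy: it classifies the old-to-new transition and writes a warning event for terminations, re-activations and unrecognised changes. Get-StatusTransition and the transition names are hypothetical; the ActiveRoles objects and calls are the ones used in the script above, and the ‘A’/‘T’ status codes are the ones mentioned earlier.

```powershell
# Added example; Get-StatusTransition and the transition names are hypothetical.
# Status codes follow the post: 'A' = Active, 'T' = Terminated, blank = never set.
function Get-StatusTransition([string]$Old, [string]$New)
{
    $o = $Old.Trim().ToUpperInvariant()
    $n = $New.Trim().ToUpperInvariant()
    if ($o -eq $n)                  { return 'Unchanged' }
    if ($o -eq ''  -and $n -eq 'A') { return 'InitialActivation' }
    if ($o -eq 'A' -and $n -eq 'T') { return 'Termination' }
    if ($o -eq 'T' -and $n -eq 'A') { return 'Reactivation' }
    return 'Other'
}

function onPostModify($Request)
{
    if ($Request.Class -ne "user") { return }

    # Assumption: Get fails when vEmployeeStatus was not part of this request,
    # in which case there is no transition to evaluate.
    try { $new = [string]$Request.Get("vEmployeeStatus") } catch { return }

    # Value stored by onPreModify; a missing parameter is treated as blank.
    $old = ""
    try { $old = [string]$Request.Parameter("vEmployeeStatus") } catch {}

    $dn = $DirObj.Get("distinguishedName")
    $transition = Get-StatusTransition $old $new
    switch ($transition)
    {
        'Unchanged'         { return }
        'InitialActivation' { return }
        default
        {
            # Termination, Reactivation and unrecognised changes are all logged
            $EventLog.ReportEvent($Constants.EDS_EVENTLOG_WARNING_TYPE,
                "vEmployeeStatus ${transition}: $dn ('$old' -> '$new')")
        }
    }
}
```

Get-StatusTransition has no ActiveRoles dependencies, so it can be exercised in a plain PowerShell session before the module is deployed.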

Now, let’s take the example script into ActiveRoles Server and use it in a workflow example.

To begin, open the ActiveRoles MMC and create a new virtual attribute.

1) Expand Configuration->Server Configuration

2) Right-click on Virtual Attributes and select New->Virtual Attribute

3) Click Next on the Welcome page

4) Enter the Common Name and LDAP Display Name for the attribute. Again, in our example, we are using vEmployeeStatus. Entering a description is also recommended, as a note on what this attribute’s purpose is.

5) We need to create a Directory String that is not multi-valued. Click Next.

6) Select User class as people are the only objects that should have an employee status. Click Next.

7) We do want to store this attribute in the database. Click Next.

8) Click Finish.

9) Now, we must reconnect the MMC to the ARS services to make the new virtual attribute available to our console. Right-click on the Quest One ActiveRoles node and click Reconnect.

The next piece is to create a new script module. Let’s name it Script-EmployeeStatus.

1) Expand Configuration->Script Modules

2) Right-click on the container you want to create the Script Module inside and select New->Script Module

3) In the New Object dialog, enter a name for the script, set the language to PowerShell, and enter a description if desired. Click Next.

4) Select Policy Script and click Next.