Order temporary administrative permissions

In this example, we will create a custom shop item which, when ordered, grants the user local administrative permissions for two hours.

The item will require approval from the manager.

This feature requires the SoftwareCentral Active Directory Module.

The first step is to create the actual item from the Custom Shop Items interface:

 

In order to trigger the approval flow, we must add an approver. If the request does not need to be approved, you can skip this step.

Go to the approval tab:

Select the approval type from the drop-down. In this example we use "single approval", meaning that just one approver has to approve the order. You can read more about approval flows under Approval Flow.

If you don’t select an approver but simply click on the “Add” button, it will add the user's AD-defined manager. This means that each user's own manager will approve this item, giving a more dynamic flow.

Click save to add the item.

 

Next we need to add the script that will give the user the local administrative permissions. Below is an example of the script. Note that there are two examples, one for local usage and one for the SoftwareCentral Cloud.

 

Script for local usage

This script will need a few modifications, described below the example.

GrantLocalAdministrativePermission.vbs
'================================Version 2.0===============================
' NAME: Grant Local Administrative Permission
'
' AUTHOR: SoftwareCentral
' DATE  : 03-03-2017
'
' COMMENT:
' This script adds "strUsername" to the defined local group on the computer with name "strComputerName"
' Parameters required from SoftwareCentral: "Hostname", "Username", ("Action" if approval is required)
'
' ** SET THE swcAddress VARIABLE **
' ** SET THE strLocalGroupName VARIABLE **
' ** SET THE hoursBeforeExpiration VARIABLE **
'==========================================================================
'======================Variables that can be modified======================
' ** The SoftwareCentral address. E.g.: http://softwarecentral or http://localhost:8080
swcAddress = "http://localhost:8080"
' ** The local group name. E.g.: "Administrators"
strLocalGroupName = "Administrators"
' ** Number of hours before the user will lose the local administrative permissions
hoursBeforeExpiration = 2
' ** Force the user to log off when permissions are given
forceLogOffAtStart = False
'** Force the user to log off when permissions are removed
forceLogOffAtEnd = False
'Get the current date time
strStartDate = RIGHT(String(2, "0") & Day(Date), 2) & "/" & RIGHT(String(2, "0") & Month(Date), 2) & "/" & Year(Date) & "_" & Right("0" & Hour(Time), 2) & ":" & Right("0" & Minute(Time), 2) & ":" & Right("0" & Second(Time), 2)
'==========================================================================
'Load properties from SoftwareCentral
strComputerName = WScript.Arguments.Named("Hostname")
strUsername = WScript.Arguments.Named("Username")
'Create output streams for log messages
Set fso = CreateObject ("Scripting.FileSystemObject")
Set stdout = fso.GetStandardStream (1)
Set stderr = fso.GetStandardStream (2)
'The object that will make the call to the WS
Set oXMLHTTP = CreateObject("Microsoft.XMLHTTP")
'The object that will receive the answer from the WS
Set oXMLDoc = CreateObject("Microsoft.XMLDOM")
If WScript.Arguments.Named("Action") <> "declined" Then
    GrantLocalAdmin()
End If
Function GrantLocalAdmin()
    'Set the name of the subroutine that will handle the response
    oXMLHTTP.onreadystatechange = getRef("HandleStateChange")
    'Initialize the request
    oXMLHTTP.open "POST", swcAddress & "/Api/WS_ActiveDirectory.asmx/AddToLocalGroup", False
    'Content type
    oXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    
    'Send the request to the Web Service
    oXMLHTTP.send _
 "strComputerName=" & strComputerName &_
 "&strUsername=" & strUsername &_
 "&strLocalGroupName=" & strLocalGroupName &_
 "&strStartDate=" & strStartDate &_
 "&hoursBeforeExpiration=" & hoursBeforeExpiration &_
 "&forceLogOffAtStart=" & forceLogOffAtStart &_
 "&forceLogOffAtEnd=" & forceLogOffAtEnd
End Function
Sub HandleStateChange()
    Dim szResponse
    'When the call has been completed (ready state 4)
    If oXMLHTTP.readyState = 4 Then
        szResponse = oXMLHTTP.responseText
        oXMLDoc.loadXML szResponse
        'If the WS response is not in XML format, there is a problem
        If oXMLDoc.parseError.errorCode <> 0 Then
            stderr.WriteLine "ERROR in GrantLocalAdministrativePermission.vbs:"
            stderr.WriteLine oXMLHTTP.responseText
            stderr.WriteLine oXMLDoc.parseError.reason
        Else
            stdout.WriteLine oXMLDoc.text
        End If
    End If
End Sub

 

 

Change the variable called “swcAddress” on line 18 to your address for SoftwareCentral.

The other variables can be changed as you like and you can add other functions to the script.

 

Save the script.
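The script above places Hostname and Username into the form body unencoded, so a value containing & or = would split into extra form fields. The following is an added example, not part of the SoftwareCentral script: it validates both values and percent-encodes each field before the body is built. The patterns and the helper names (Pct, UrlEncode, Matches, BuildBody) are assumptions, and only four of the request's fields are shown.

```vbscript
Option Explicit
Const UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
' Assumed formats: NetBIOS computer name (max 15 chars); optional DOMAIN\ prefix plus account name.
Const HOST_PATTERN = "^[A-Za-z0-9][A-Za-z0-9-]{0,14}$"
Const USER_PATTERN = "^([A-Za-z0-9.-]{1,15}\\)?[A-Za-z0-9._-]{1,20}$"

Function Pct(b)
    Pct = "%" & Right("0" & Hex(b), 2)
End Function

' Percent-encode a value as UTF-8 for an application/x-www-form-urlencoded body (BMP characters only).
Function UrlEncode(value)
    Dim i, ch, code, result
    result = ""
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        code = AscW(ch)
        If code < 0 Then code = code + 65536   ' AscW returns a signed 16-bit value
        If InStr(UNRESERVED, ch) > 0 Then
            result = result & ch
        ElseIf code < &H80 Then
            result = result & Pct(code)
        ElseIf code < &H800 Then
            result = result & Pct(&HC0 Or (code \ 64)) & Pct(&H80 Or (code And 63))
        Else
            result = result & Pct(&HE0 Or (code \ 4096)) & Pct(&H80 Or ((code \ 64) And 63)) & Pct(&H80 Or (code And 63))
        End If
    Next
    UrlEncode = result
End Function

Function Matches(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    Matches = re.Test("" & value)   ' "" & value turns a missing argument into an empty string
End Function

' Returns the form body, or "" when Hostname or Username fails validation.
Function BuildBody(host, user, groupName, hours)
    BuildBody = ""
    If Not (Matches(host, HOST_PATTERN) And Matches(user, USER_PATTERN)) Then Exit Function
    BuildBody = "strComputerName=" & UrlEncode(host) & "&strUsername=" & UrlEncode(user) & _
                "&strLocalGroupName=" & UrlEncode(groupName) & "&hoursBeforeExpiration=" & CLng(hours)
End Function

' Constructed sample values; the last one contains form delimiters and is rejected.
Dim sample
For Each sample In Array("jdoe", "CORP\jdoe", "jdoe&x=1")
    WScript.Echo sample & " -> [" & BuildBody("PC-0042", sample, "Administrators", 2) & "]"
Next
```

Run it with cscript; an empty pair of brackets means the value was rejected and no request should be sent.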

 

Script for Cloud usage

You must provide login information for the script.

Set companyName to your company name.

Set domainUser to a user in your Active Directory with access to the web service.

Set password to the corresponding password for your domain user.

GrantLocalAdministrativePermissionCloud.vbs
'================================Version 1.0===============================
' NAME: Grant Local Administrative Permission Cloud
'
' AUTHOR: SoftwareCentral
' DATE  : 21-12-2017
'
' COMMENT: 
' This script adds "strUsername" to the defined local group on the computer with name "strComputerName"
' Parameters required from SoftwareCentral: "Hostname", "Username", ("Action" if approval is required)
'
' ** SET THE swcAddress VARIABLE **
' ** SET THE strLocalGroupName VARIABLE **
' ** SET THE hoursBeforeExpiration VARIABLE **
'==========================================================================
'======================Variables that can be modified======================
' ** The SoftwareCentral address. E.g.: https://softwarecentral.cloud
swcAddress = "https://softwarecentral.cloud"
' ** The local group name. E.g.: "Administrators"
strLocalGroupName = "Administrators"
' ** Number of hours before the user will lose the local administrative permissions
hoursBeforeExpiration = 2
' ** Force the user to log off when permissions are given
forceLogOffAtStart = False
'** Force the user to log off when permissions are removed
forceLogOffAtEnd = False
'Get the current date time
strStartDate = RIGHT(String(2, "0") & Day(Date), 2) & "/" & RIGHT(String(2, "0") & Month(Date), 2) & "/" & Year(Date) & "_" & Right("0" & Hour(Time), 2) & ":" & Right("0" & Minute(Time), 2) & ":" & Right("0" & Second(Time), 2)
'==========================================================================
'Load properties from SoftwareCentral
strComputerName = WScript.Arguments.Named("Hostname")
strUsername = WScript.Arguments.Named("Username")
'================== Log in parameters start ===================
strSwcLogInUrl = "https://softwarecentral.cloud:443/Api/WS_Cloud.asmx"
strLogInWebServiceMethod = "LogIn"
strLogOutWebServiceMethod = "LogOut"
companyName = "YourCompany"
domainUser = "domain\username"
password = "password"
'=================== Log in parameters end ====================
'Create output streams for log messages
Set fso = CreateObject ("Scripting.FileSystemObject")
Set stdout = fso.GetStandardStream (1)
Set stderr = fso.GetStandardStream (2)
'The object that will make the calls to the Web Services. It is important to use the same oXMLHTTP object for all requests.
Set oXMLHTTP = CreateObject("Microsoft.XMLHTTP")
Set oXMLDoc = CreateObject("MSXML2.DOMDocument")
If WScript.Arguments.Named("Action") <> "declined" Then
    GrantLocalAdmin()
End If
Function GrantLocalAdmin()
    If LogIn Then
        'Call the Web Services after a successful log in.
        AddToLocalGroup
    
        'Log out after all Web Services have been called.
        LogOut
    End If
End Function
Function AddToLocalGroup
    oXMLHTTP.open "POST", swcAddress & "/Api/WS_ActiveDirectory.asmx/AddToLocalGroup", False
    oXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    oXMLHTTP.send _
        "strComputerName=" & strComputerName &_
        "&strUsername=" & strUsername &_
        "&strLocalGroupName=" & strLocalGroupName &_
        "&strStartDate=" & strStartDate &_
        "&hoursBeforeExpiration=" & hoursBeforeExpiration &_
        "&forceLogOffAtStart=" & forceLogOffAtStart &_
        "&forceLogOffAtEnd=" & forceLogOffAtEnd
    If oXMLHTTP.readyState = 4 Then
        szResponse = oXMLHTTP.responseText
        oXMLDoc.loadXML szResponse
        If oXMLDoc.parseError.errorCode <> 0 Then
            stderr.WriteLine oXMLHTTP.responseText
            stderr.WriteLine oXMLDoc.parseError.reason
        Else
            stdout.WriteLine oXMLDoc.text
        End If
    End If
End Function
Function LogIn
    oXMLHTTP.open "POST", strSwcLogInUrl & "/" & strLogInWebServiceMethod, False
    oXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    oXMLHTTP.send _
        "companyName=" & companyName &_
        "&domainUser=" & domainUser &_
        "&password=" & password
    If oXMLHTTP.readyState = 4 Then
        szResponse = oXMLHTTP.responseText
        oXMLDoc.loadXML szResponse
        If oXMLDoc.parseError.errorCode <> 0 Then
            stderr.WriteLine oXMLHTTP.responseText
            stderr.WriteLine oXMLDoc.parseError.reason
        Else
            If oXMLDoc.text = "true" Then
                stdout.WriteLine "Logged in"
                LogIn = True
            Else
                stderr.WriteLine "Wrong username and or password."
            End If
        End If
    End If
End Function
Function LogOut
    oXMLHTTP.open "POST", strSwcLogInUrl & "/" & strLogOutWebServiceMethod, False
    oXMLHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    oXMLHTTP.send
    If oXMLHTTP.readyState = 4 Then
        szResponse = oXMLHTTP.responseText
        oXMLDoc.loadXML szResponse
        If oXMLDoc.parseError.errorCode <> 0 Then
            stderr.WriteLine oXMLHTTP.responseText
            stderr.WriteLine oXMLDoc.parseError.reason
        Else
            If oXMLDoc.text = "true" Then
                stdout.WriteLine "Logged out"
                LogOut = True
            End If
        End If
    End If
End Function

 

Now we go back to SoftwareCentral and open our Custom Shop Item again using the edit button:

 

The “Edit Custom Shop Item” window is now open again. Go to the “Action” tab:

 

This interface is described in more detail in the chapter Custom Actions.

For this example, we will add our script, “GrantLocalAdministrativePermission.vbs”, to the “When approved/declined” option. Under “New” we click on the “Select” button and browse to our modified script. (Note that the script will be copied to the Uploads folder.)

We need the parameters “Hostname”, “Username” and “Action” for this script, as seen in the screenshot above.

 

We must select a user under "Run as". We select a user that is a member of the "SoftwareCentral Administrator" group, so that it has access to all computers and all users.

We can also choose a user with limited access. To configure a user's access, see Web Service Security.

 

Click on the save button to save the changes.

 

If we want the rights to be given as soon as the user orders them, without approval, we can set the action settings like this:

 

 

Now we will go to the shop and order the item:

 

We will place the order and go to the “Manage Orders” or “Approvers View” page in SoftwareCentral:

 

The job will run immediately after the order is approved.

 

If the order is approved, we can see from the log that our script was executed and that a request was made to the web service.

We will also see that GrantLocaleAdministrator and RemoveLocalAdministrator jobs have been created.

 


 

If the script fails for some reason, we can see error messages from the script in the log as well:

 

 


© Copyright - SoftwareCentral

https://softwarecentral.cloud/help