This section contains information and instructions for configuring task templates. The topics include:
This section provides instructions for configuring the General tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see Configuring the Task Templates.
In the Administrator interface, the pages for editing the Create User Template and Update User Template are identical, so configuration instructions are provided in one section.
When you open either the Edit Task Template Create User Template form or the Edit Task Template Update User Template form, the General tab page displays by default. This page consists of a Task Name text field and an Insert an attribute menu, as shown in Figure 9–4. For instructions on how to start the configuration process, see the Configuring the Task Templates section.
Task names can contain literal text and/or attribute references that are resolved during task execution.
Type a name into the Task Name field.
You can edit or completely replace the default task name.
The Task Name menu provides a list of attributes that are currently defined for the view associated with the task configured by this template. Select an attribute from the menu (optional).
Identity Manager appends the attribute name to the entry in the Task Name field. For example:
Create user $(accountId) $(user.global.email)
When you are finished, you can:
Select a different tab to continue editing the templates.
Click Save to save your changes and return to the Configure Tasks page.
The new task name will display in the Identity Manager task bar, located at the bottom of the Home and Accounts tabs.
Click Cancel to discard your changes and return to the Configure Tasks page.
When you open the Edit Task Template Delete User Template page, the General tab page displays by default. (For instructions on how to start the configuration process, see Configuring the Task Templates.)
Use the Delete Identity Manager Account buttons to specify whether an Identity Manager account can be deleted during a delete operation.
These buttons include:
Never. Select to prevent accounts from being deleted.
Only if user has no linked accounts after deprovisioning. Select to allow user account deletions only if there are no linked resource accounts after deprovisioning.
Always. Select to always allow user account deletions, even if there are still resource accounts assigned.
Use the Resource Accounts Deprovisioning boxes to control resource account deprovisioning for all resource accounts.
Unassigning or unlinking an external resource from a user does not generate a provisioning request or a work item. When you unassign or unlink an external resource, Identity Manager does not deprovision or delete that resource account, so there is nothing for you to do.
These boxes include:
Delete All. Enable this box to delete all accounts representing the user on all assigned resources.
Unassign All. Enable this box to unassign all resource accounts from the user. The resource accounts will not be deleted.
Unlink All. Enable this box to break all links from the Identity Manager system to the resource accounts. Users with accounts that are assigned but not linked will display with a badge to indicate that an update is required.
These controls override the behaviors in the Individual Resource Accounts Deprovisioning table.
Use the Individual Resource Accounts Deprovisioning boxes to allow a more fine-grained approach to user deprovisioning (compared to Resource Accounts Deprovisioning).
These boxes include:
Delete. Enable this box to delete the account that represents the user on the resource.
Unassign. Enable this box and the user will no longer be assigned directly to the resource. The resource account will not be deleted.
Unlink. Enable this box to break the link from the Identity Manager system to the resource accounts. Users with accounts that are assigned but not linked will display with a badge to indicate that an update is required.
The Individual Resource Accounts Deprovisioning options are useful if you want to specify a separate deprovisioning policy for different resources. For example, most customers do not want to delete Active Directory users because each user has a global identifier that can never be re-created following deletion. However, in environments where new resources are added, you might not want to use this option because the deprovisioning configuration would have to be updated every time you add a new resource.
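The interaction between the Delete Identity Manager Account buttons and the deprovisioning boxes described above can be checked on paper before a template is saved. The following Python model is an added example, not Identity Manager code: the class and function names and the resource names are made up for illustration, and it assumes that an enabled "All" box takes precedence over the per-resource row and that deleting a resource account also removes its link. It reports which resource accounts would remain on a resource without being tracked by Identity Manager.

```python
from dataclasses import dataclass, field, replace
from enum import Enum


class DeleteIdmAccount(Enum):
    NEVER = "Never"
    IF_NO_LINKED = "Only if user has no linked accounts after deprovisioning"
    ALWAYS = "Always"


@dataclass(frozen=True)
class Actions:
    """One row of checkboxes: Delete, Unassign, Unlink."""
    delete: bool = False
    unassign: bool = False
    unlink: bool = False


@dataclass(frozen=True)
class ResourceAccount:
    resource: str
    exists: bool = True     # account is present on the resource
    assigned: bool = True   # resource is assigned to the user
    linked: bool = True     # Identity Manager holds a link to the account


@dataclass
class DeleteUserTemplate:
    delete_idm_account: DeleteIdmAccount
    all_accounts: Actions = Actions()                 # Delete All / Unassign All / Unlink All
    per_resource: dict = field(default_factory=dict)  # resource name -> Actions


def effective_actions(template, resource):
    """Assumption: an enabled 'All' box wins; otherwise the per-resource row applies."""
    row = template.per_resource.get(resource, Actions())
    top = template.all_accounts
    return Actions(top.delete or row.delete,
                   top.unassign or row.unassign,
                   top.unlink or row.unlink)


def deprovision(account, actions):
    """Return the account state after the selected actions."""
    if actions.delete:
        # Assumption: deleting the resource account also removes its link.
        account = replace(account, exists=False, linked=False)
    if actions.unassign:
        account = replace(account, assigned=False)   # the account itself is kept
    if actions.unlink:
        account = replace(account, linked=False)     # the account itself is kept
    return account


def evaluate(template, accounts):
    """Summarize what a delete operation leaves behind for one user."""
    after = [deprovision(a, effective_actions(template, a.resource)) for a in accounts]
    still_linked = [a.resource for a in after if a.linked]
    mode = template.delete_idm_account
    idm_deleted = (mode is DeleteIdmAccount.ALWAYS or
                   (mode is DeleteIdmAccount.IF_NO_LINKED and not still_linked))
    # Accounts that survive on a resource but are no longer tracked: either the
    # link was broken or the Identity Manager account that held it is gone.
    unmanaged = [a.resource for a in after
                 if a.exists and (idm_deleted or not a.linked)]
    # Assigned-but-not-linked accounts are the ones that display with a badge.
    needs_update = [] if idm_deleted else [
        a.resource for a in after if a.exists and a.assigned and not a.linked]
    return {"idm_account_deleted": idm_deleted,
            "unmanaged_resource_accounts": unmanaged,
            "needs_update_badge": needs_update}


# Constructed sample data: three resource accounts for one departing user.
ACCOUNTS = [ResourceAccount("AD"), ResourceAccount("LDAP"), ResourceAccount("HR-DB")]

# Per-resource policy: keep the Active Directory user, delete the LDAP account.
KEEP_AD = DeleteUserTemplate(
    DeleteIdmAccount.IF_NO_LINKED,
    per_resource={"AD": Actions(unlink=True), "LDAP": Actions(delete=True)})
ALWAYS_NO_BOXES = DeleteUserTemplate(DeleteIdmAccount.ALWAYS)
ALWAYS_DELETE_ALL = DeleteUserTemplate(DeleteIdmAccount.ALWAYS, Actions(delete=True))
UNLINK_ALL = DeleteUserTemplate(DeleteIdmAccount.IF_NO_LINKED, Actions(unlink=True))

if __name__ == "__main__":
    for name, tpl in [("keep AD", KEEP_AD), ("always, no boxes", ALWAYS_NO_BOXES),
                      ("always, delete all", ALWAYS_DELETE_ALL),
                      ("unlink all", UNLINK_ALL)]:
        print(name, evaluate(tpl, ACCOUNTS))
```

Any resource listed under `unmanaged_resource_accounts` still holds a live account for the departed user and needs a separate cleanup or review process.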
This section provides instructions for configuring the Notification tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see Configuring the Task Templates.
All of the Task Templates support sending email notifications to administrators and users when Identity Manager invokes a process (usually after the process has completed). You can use the Notification tab to configure these notifications.
Identity Manager uses email templates to deliver information and requests for action to administrators, approvers, and users. For more information about Identity Manager email templates, see the section titled Customizing Email Templates in this guide.
Figure 9–5 shows the Notification page for the Create User Template.
When specifying users to be notified, you must also specify the name of an email template to be used to generate the email used for notification.
To notify the user being created, updated, or deleted, enable the Notify user checkbox, as shown in Figure 9–6, and then select an email template from the list.
To specify how Identity Manager determines administrator notification recipients, select an option from the Determine Notification Recipients from menu.
The available options are:
None (default). No administrators will be notified.
Attribute. Select to derive notification recipients’ account IDs from a specified attribute in the user view. For more information see Specifying Administrator Notification Recipients by Attribute.
Rule. Select to derive notification recipients’ account IDs by evaluating a specified rule. For more information see Specifying Administrator Notification Recipients by Rule.
Query. Select to derive notification recipients’ account IDs by formulating a query to a particular resource. For more information see Specifying Administrator Notification Recipients by Query.
Administrator List. Select to choose notification recipients explicitly from a list. For more information see Specifying Administrator Notification Recipients by Attribute.
The attribute must resolve to a string that represents a single account ID or to a list in which the elements are account IDs.
Select Attribute from the Determine Notification Recipients from menu and new options display, as shown in the following figure.
These options include:
Notification Recipient Attribute. Provides a list of attributes (currently defined for the view associated with the task configured by this template) used to determine recipient account IDs.
Email Template. Provides a list of email templates.
Select an attribute from the Notification Recipient Attribute menu.
The attribute name displays in the text field adjacent to the menu.
Select a template from the Email Template menu to specify a format for the administrators’ notification email.
When evaluated, the rule must return a string that represents a single account ID or a list in which the elements are account IDs.
Select Rule from the Determine Notification Recipients from menu and the following new options display in the Notification form.
Notification Recipient Rule. Provides a list of rules (currently defined for your system) that, when evaluated, return the recipients’ account IDs.
Email Template. Provides a list of email templates.
Select a rule from the Notification Recipient Rule menu.
Select a template from the Email Template menu to specify a format for the administrators’ notification email.
Only LDAP and Active Directory resource queries are supported at this time.
Select Query from the Determine Notification Recipients from menu and new options display in the Notification form, as shown in Figure 9–9.
The Notification Recipient Administrator Query table consists of the following menus, which you can use to construct a query:
Resource to Query. Provides a list of resources currently defined for your system.
Resource Attribute to Query. Provides a list of resource attributes currently defined for your system.
Attribute to Compare. Provides a list of attributes currently defined for your system.
Email Template. Provides a list of email templates.
Select a resource, a resource attribute, and an attribute to compare from these menus to construct the query.
Select a template from the Email Template menu to specify a format for the administrators’ notification email.
Select Administrator List from the Determine Notification Recipients from menu and new options display in the Notification form, as shown in the following figure.
These options include:
Administrators to Notify. Provides a selection tool with a list of available administrators.
Email Template. Provides a list of email templates.
Select one or more administrators in the Available Administrators list and move them to the Selected Administrators list.
Select a template from the Email Template menu to specify a format for the administrators’ notification email.
This section provides instructions for configuring the Approvals tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see the Configuring the Task Templates section.
You can use the Approvals tab to designate additional approvers and to specify attributes for the task approval form before Identity Manager executes the create, delete, or update user tasks.
Traditionally, administrators who are associated with a particular organization, resource, or role are required to approve certain tasks before execution. Identity Manager also allows you to designate additional approvers: additional administrators who will be required to approve the task.
If you configure Additional Approvers for a workflow, you are requiring approval from the traditional approvers and from any additional approvers specified in the template.
Figure 9–11 illustrates the initial Approvals page Administrator user interface.
Complete the Approvals Enablement section (see Enabling Approvals (Approvals Tab, Approvals Enablement Section)).
Complete the Additional Approvers section (see Specifying Additional Approvers (Approvals Tab, Additional Approvers Section)).
Complete the Approval Form Configuration section for the Create User and Update User Templates only (see Configuring the Approval Form (Approvals Tab, Approval Form Configuration Section)).
When you are finished configuring the Approvals tab, you can:
Select a different tab to continue editing the templates.
Click Save to save your changes and return to the Configure Tasks page.
Click Cancel to discard your changes and return to the Configure Tasks page.
Use the following Approvals Enablement checkboxes to require approvals before the create user, delete user, or update user tasks can proceed.
By default, these checkboxes are enabled for the Create User and Update User Templates, but they are disabled for the Delete User Template.
Organization Approvals. Enable this checkbox to require approvals from any configured organizational approvers.
Resource Approvals. Enable this checkbox to require approvals from any configured resource approvers.
Role Approvals. Enable this checkbox to require approvals from any configured role approvers.
Use the Determine additional approvers from menu to specify how Identity Manager will determine additional approvers for the create user, delete user, or update user tasks.
The options on this menu are listed in Table 9–1.
Table 9–1 Determine Additional Approvers From Menu Options
Option | Description |
---|---|
None (default) | No additional approvers are required for task execution. |
Attribute | Approvers’ account IDs are derived from within an attribute specified in the user’s view. |
Rule | Approvers’ account IDs are derived by evaluating a specified rule. |
Query | Approvers’ account IDs are derived by querying a particular resource. |
Administrator List | Approvers are chosen explicitly from a list. |
When you select any of these options (except None), additional options display in the Administrator user interface.
Use the instructions provided in the following sections to specify a method for determining additional approvers.
Use the following steps to determine additional approvers from an attribute.
Select Attribute from the Determine Additional Approvers from menu.
The attribute must resolve to a string that represents a single account ID or to a list in which the elements are account IDs.
New options display, as shown in the following figure.
Approver Attribute. Provides a list of attributes (currently defined for the view associated with the task configured by this template) used to determine approvers’ account IDs.
Approval times out after. Provides a method for specifying when the approval will time out.
The Approval times out after setting affects both initial approvals and escalated approvals.
Use the Approver Attribute menu to select an attribute.
The selected attribute displays in the adjacent text field.
Decide whether you want the approval request to time out after a specified period of time.
If you want to specify a timeout period, continue to To Configure Approval Timeouts for instructions.
If you do not want to specify a timeout period, you can continue to Configuring the Approval Form (Approvals Tab, Approval Form Configuration Section) or save your changes and go on to configure a different tab.
Use the following steps to derive the approvers’ account IDs from a specified rule.
Select Rule from the Determine additional approvers from menu.
When evaluated, the rule must return a string that represents a single account ID or a list in which the elements are account IDs.
New options display, as shown in the following figure.
Approver Rule. Provides a list of rules (currently defined for your system) that, when evaluated, return the recipients’ account IDs.
Approval times out after. Provides a method for specifying when the approval will time out.
The Approval times out after setting affects both initial approvals and escalated approvals.
Select a rule from the Approver Rule menu.
Decide whether you want the approval request to time out after a specified period of time.
If you want to specify a timeout period, continue to To Configure Approval Timeouts for instructions.
If you do not want to specify a timeout period, you can continue to Configuring the Approval Form (Approvals Tab, Approval Form Configuration Section) or save your changes and go on to configure a different tab.
Use the following steps to derive approvers’ account IDs by querying a specified resource.
Only LDAP and Active Directory resource queries are supported at this time.
Select Query from the Determine Additional Approvers from menu and new options display, as shown in the following figure.
Approval Administrator Query. Provides a table consisting of the following menus, which you can use to construct a query:
Resource to Query. Provides a list of resources currently defined for your system.
Resource Attribute to Query. Provides a list of resource attributes currently defined for your system.
Attribute to Compare. Provides a list of attributes currently defined for your system.
Approval times out after. Provides a method for specifying when the approval will time out.
The Approval times out after setting affects both initial approvals and escalated approvals.
Construct a query as follows:
Decide whether you want the approval request to time out after a specified period of time.
If you want to specify a timeout period, continue to To Configure Approval Timeouts for instructions.
If you do not want to specify a timeout period, you can continue to Configuring the Approval Form (Approvals Tab, Approval Form Configuration Section) or save your changes and go on to configure a different tab.
Use the following steps to explicitly choose additional approvers from the administrators list.
Select Administrator List from the Determine Additional Approvers from menu and new options display, as shown in the following figure.
Administrators to Notify. Provides a selection tool with a list of available administrators.
Approval Form. Provides a list of user forms additional approvers can use to approve or reject an approval request.
Approval times out after. Provides a method for specifying when the approval will time out.
The Approval times out after setting affects both initial approvals and escalated approvals.
Select one or more administrators in the Available Administrators list and move the selected names to the Selected Administrators list.
Decide whether you want the approval request to time out after a specified period of time.
If you want to specify a timeout period, continue to To Configure Approval Timeouts for instructions.
If you do not want to specify a timeout period, you can continue to Configuring the Approval Form (Approvals Tab, Approval Form Configuration Section).
Use the following steps to configure approval timeouts in the Approval times out after section.
Select the Approval times out after checkbox.
The adjacent text field and menu become active, and the Timeout Action options display, as shown in the following figure.
Use the Approval times out after text field and menu to specify a timeout period as follows:
Use the Timeout Action buttons to specify what happens when the approval request times out.
Click one of the following:
Reject Request. Identity Manager automatically rejects the request if it is not approved before the specified timeout period.
Escalate the approval. Identity Manager automatically escalates the request to another approver if the request is not approved before the specified timeout period.
When you enable this button, new options display because you must specify how Identity Manager will determine approvers for an escalated approval. Continue to To Configure the Determine Escalation Approvers From Section for instructions.
Execute a task. Identity Manager automatically executes an alternate task if the approval request is not approved before the specified timeout period.
Enable this button and the Approval Timeout Task menu displays so you can specify a task to execute if the approval request times out. Continue to To Configure the Approval Timeout Task Section for instructions.
When you select Escalate the approval in the Timeout Action section (To Configure Approval Timeouts), the Determine escalation approvers from menu displays, as shown in the following figure.
Choose an option from this menu to specify how approvers are determined for an escalated approval.
The options include:
Attribute. Determine approver account IDs from within an attribute specified in the new user’s view.
The attribute must resolve to a string that represents a single account ID or to a list in which the elements are account IDs.
When you select this option, the Escalation Administrator Attribute menu displays. Select an attribute from the list and the selected attribute displays in the adjacent text field, as shown in the following figure.
Rule. Determine approver account IDs by evaluating a specified rule.
When evaluated, the rule must return a string that represents a single account ID or a list in which the elements are account IDs.
When you select this option, the Escalation Administrator Rule menu displays, as shown. Select a rule from the list.
Query. Determine approver account IDs by querying a particular resource.
The Escalation Administrator Query menus display as shown in the following figure.
Build your query as follows:
Select a resource from the Resource to Query menu.
Select an attribute from the Resource Attribute to Query menu.
Select an attribute from the Attribute to Compare menu.
Administrator List (default). Choose approvers explicitly from a list.
The Escalation Administrator selection tool displays as shown in the following figure.
Select approvers as follows:
Select one or more administrator names from the Available Administrators list.
Move the selected names to the Selected Administrators list.
When you select the Execute a task option in the Timeout Action section (To Configure Approval Timeouts), the Approval Timeout Task menu displays as shown in the following figure.
Choose a task definition to execute if the approval request times out.
For example, you might allow the requester to submit a help desk request or send a report to the Administrator.
The Delete User Template does not contain an Approval Form Configuration section. You can configure this section for Create User and Update User Templates only.
You can use features in the Approval Form Configuration section to select an approval form, and add attributes to (or remove attributes from) the approval form.
By default, the Approval Attributes table contains the following standard attributes:
user.waveset.accountId
user.waveset.roles
user.waveset.organization
user.global.email
user.waveset.resources
The default approval form was instrumented to allow approval attributes to display. If you are using an approval form other than the default form, you must instrument your form to display the approval attributes specified in the Approval Attributes table.
Select a form from the Approval Form menu.
Approvers will use this form to approve or reject an approval request.
Enable checkboxes in the Editable column of the Approval Attributes table to allow approvers to edit the attribute value.
For example, if you enable the user.waveset.accountId checkbox, the approver can change the user’s account ID.
If you modify any account-specific attribute values in the approval form, you will also override any global attribute values with the same name when the user is actually provisioned. For example, if resource R1 exists in your system with a description schema attribute, and you add user.accounts[R1].description attribute to the approval form as an editable attribute, any changes to the description attribute value in the approval form will override the value propagated from global.description for resource R1 only.
Click the Add Attribute or Remove Selected Attributes buttons to specify attributes from the new user’s account data to display in the approval form.
To add attributes to the form, see To Add Attributes to the Approval Form.
To remove attributes from the form, see Removing Attributes.
You cannot remove the default attributes from an approval form unless you modify the XML file.
Click the Add Attribute button located under the Approval Attributes table.
The Attribute name menu becomes active in the Approval Attributes table, as shown in the following figure.
Select an attribute from the menu.
The selected attribute name displays in the adjacent text field and the attribute’s default display name displays in the Form Display Name column.
For example, if you select the user.waveset.organization attribute, you can:
Change the default attribute name or the default Form Display Name if necessary by typing a new name into the appropriate text field.
Enable the Editable checkbox to allow the approver to change the attribute’s value.
For example, the approver might want to override information such as the user’s email address.
Repeat these steps to specify additional attributes.
You cannot remove the default attributes from an approval form unless you modify the XML file.
Enable one or more checkboxes in the leftmost column of the Approval Attributes table.
Click the Remove Selected Attributes button to immediately remove the selected attributes from the Approval Attributes table.
For example, user.global.firstname and user.waveset.organization would be removed from the following table when you clicked the Remove Selected Attributes button.
This section provides instructions for configuring the Audit tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see Configuring the Task Templates.
All of the configurable Task Templates support configuring workflows to audit certain tasks. Specifically, you can configure the Audit tab to control whether workflow events will be audited and specify which attributes will be stored for reporting purposes.
Select the Audit entire workflow checkbox to activate the workflow auditing feature.
For information about workflow auditing, see Creating Audit Events From Workflows. Note that auditing workflows degrades performance.
Click the Add Attribute button located in the Audit Attributes section to select the attributes you want to audit for reporting purposes.
When the Select an attribute menu displays in the Audit Attributes table, select an attribute from the list.
The selected attribute name displays in the adjacent text field.
Enable the checkbox adjacent to the attribute you want to remove.
Click the Remove Selected Attributes button.
This section provides instructions for configuring the Provisioning tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see Configuring the Task Templates.
This tab is available for the Create and Update User Templates only.
You can use the Provisioning tab to configure the following options, which are related to provisioning:
Provision in the background. Enable this checkbox to run a create, delete, or update task in the background instead of running the task synchronously.
Provisioning in the background allows you to continue working in Identity Manager while the task executes.
Add Retry link to the task result. Enable this checkbox to add a Retry link to the user interface when a provisioning error results from task execution. The Retry link allows the user to attempt the task again if it failed on the first attempt.
This section provides instructions for configuring the Sunrise and Sunset tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see Configuring the Task Templates.
This tab is available for the Create User task template only.
You use the Sunrise and Sunset tab to select a method for determining the time and date when the following actions will occur.
Provisioning will take place for a new user (sunrise).
Deprovisioning will take place for a new user (sunset).
For example, you can specify a sunset date for a temporary worker whose contract expires after six months.
Figure 9–24 illustrates the settings on the Sunrise and Sunset tab.
The topics that follow provide instructions for configuring the Sunrise and Sunset tab.
Configure the sunrise settings to specify the time and date provisioning will take place for a new user, and to specify the user who will own the work item for sunrise.
Select one of the following options from the Determine sunrise from menu to specify how Identity Manager determines a time and date for provisioning.
Specifying a Time. Delays provisioning until a specified time in the future. Continue to To Delay Provisioning Until a Specified Time for instructions.
Specifying a Date. Delays provisioning until a specified calendar date in the future. Continue to To Delay Provisioning Until a Specified Calendar Date for instructions.
Specifying an Attribute. Delays provisioning until a specified date and time based on the attribute’s value in the user’s view. The attribute must contain a date/time string. When specifying an attribute to contain a date/time string, you can specify a data format to which the data is expected to conform.
Continue to To Determine Provisioning Date and Time by Specifying an Attribute for instructions.
Specifying a Rule. Delays provisioning based on a rule that, when evaluated, produces a date/time string. As when specifying an attribute, you can specify a data format to which the data is expected to conform.
Continue to To Determine Provisioning Date and Time by Evaluating a Rule for instructions.
The Determine sunrise from menu defaults to the None option, which allows provisioning to take place immediately.
Select a user from the Work Item Owner menu to specify who will own the work item for sunrise.
Sunrise work items are available from the Approvals tab.
This section provides instructions to help you delay provisioning until a specific time.
Select Specified time from the Determine sunrise from menu.
When a new text field and menu display to the right of the Determine sunrise from menu, type a number into the blank text field and select a unit of time from the menu.
For example, to provision a new user in two hours, specify information shown in the following figure.
This section provides instructions to help you delay provisioning until a specific date.
Select Specified day from the Determine sunrise from menu.
Use the menu options that appear to specify which week in the month, which day of the week, and which month the provisioning should occur.
For example, to provision a new user on the second Monday in September, specify the following information.
This section provides instructions to help you determine a provisioning date and time based on attribute values in the user’s account data.
Select Attribute from the Determine sunrise from menu.
The following options become active:
Sunrise Attribute menu. Provides a list of attributes currently defined for the view associated with the task configured by this template.
Specific Date Format checkbox and menu. Enables you to specify a date format string for the attribute value (if necessary).
If you do not enable the Specific Date Format checkbox, date strings must conform to a format that is acceptable to the FormUtil convertDateToString method. Consult the product documentation for a complete list of supported date formats.
Select an attribute from the Sunrise Attribute menu.
If necessary, enable the Specific Date Format checkbox and when the Specific Date Format field becomes active, enter a date format string.
For example, to provision a new user based on their waveset.accountId attribute value using a day, month, and year format, specify the information shown in the following figure.
This section provides instructions to help you determine the provisioning date and time by evaluating a specific rule.
Select Rule from the Determine sunrise from menu.
The following options become active:
Sunrise Rule menu. Provides a list of rules currently defined for your system.
Specific Date Format checkbox and menu. Enables you to specify a date format string for the rule’s returned value (if necessary).
If you do not enable the Specific Date Format checkbox, date strings must conform to a format that is acceptable to the FormUtil convertDateToString method. Consult the product documentation for a complete list of supported date formats.
Select a rule from the Sunrise Rule menu.
If necessary, enable the Specific Date Format checkbox and when the Specific Date Format field becomes active, enter a date format string.
For example, to provision a new user based on the Email rule using a year, month, day, hours, minutes, and seconds format, specify the information shown in the following figure.
The options and procedures for configuring sunsets (deprovisioning) are essentially the same as those provided for sunrises (provisioning) in the Configuring Sunrises section.
The only difference is that the Sunset section also provides a Sunset Task menu because you must specify a task to deprovision the user on the specified date and time.
Use the Determine sunset from menu to specify the method for determining when deprovisioning will take place:
The Determine sunset from menu defaults to the None option, which allows deprovisioning to take place immediately.
Specified time. Delays deprovisioning until a specified time in the future. See To Delay Provisioning Until a Specified Time for instructions.
Specified date. Delays deprovisioning until a specified calendar date in the future. See To Delay Provisioning Until a Specified Calendar Date for instructions.
Attribute. Delays deprovisioning until a specified date and time based on the attribute’s value in the users’ account data. The attribute must contain a date/time string. When specifying an attribute to contain a date/time string, you can specify a date format to which the data is expected to conform. Review To Determine Provisioning Date and Time by Specifying an Attribute for instructions.
Rule. Delays deprovisioning based on a rule that, when evaluated, produces a date/time string. As when specifying an attribute, you can specify a date format to which the data is expected to conform.
See To Determine Provisioning Date and Time by Evaluating a Rule for instructions.
Use the Sunset Task menu to specify a task to deprovision the user on the specified date and time.
This section provides instructions for configuring the Data Transformations tab, which is available as part of the task template configuration process. For instructions on how to start the configuration process see Configuring the Task Templates.
This tab is available for the Create and Update User Templates only.
If you want to alter user account data as the workflow executes, you can use the Data Transformations tab to specify how Identity Manager will transform the data during provisioning.
For example, you might want forms or rules to generate email addresses that conform to company policy, or you might want to generate sunrise or sunset dates.
When you select the Data Transformations tab, the following page displays.
This page consists of the following sections:
Before Approval Actions. Configure the options in this section if you want to transform user account data before sending approval requests to specified approvers.
Before Provision Actions. Configure the options in this section if you want to transform user account data before a provisioning action.
Before Notification Actions. Configure the options in this section if you want to transform user account data before notifications are sent to specified recipients.
You can configure the following options in each section:
Form to Apply menus. Provide a list of the forms currently configured for your system. Use these menus to specify forms that will be used to transform data from the users’ accounts.
Rule to Run menus. Provide a list of the rules currently configured for your system. Use these menus to specify rules that will be used to transform data from the users’ accounts.