Sun Identity Manager Deployment Reference

Customizing a Process

You can change one or more of the Identity Manager processes to eliminate steps, include new steps, or customize existing steps. Each step in the process is represented by an activity.

The Workflow Toolbox facilitates workflow changes by providing pre-defined activities you can use when editing or creating a workflow.

To open the toolbox, right-click in the diagram view and select the toolbox option.

Default Workflow Activities

By category, these default activities are available.

Table 1–4 Default Workflow Activities

Activity / Description

Add Deferred Task
    Adds deferred task scanner information to an object.

Audit Object
    Creates audit log records.

Authenticate User Credentials

Authorize Object
    Tests authorization for a subject on an object in the repository.

Checkin Object
    Commits changes to an object.

Checkin View
    Commits an updated view.

Checkout Object
    Locks and retrieves a repository object for editing.

Checkout View
    Gets an updateable view.

Create Resource Object
    Creates a resource object.

Create View
    Initializes a new view.

Delete Resource Object
    Deletes a resource object.

Deprovision Primitive
    Deprovisions resource accounts.

Disable Primitive
    Disables resource accounts.

Disable User
    Disables an Identity Manager user account, resource accounts, or both.

Email Notification
    Sends email notification of an action.

Enable Primitive
    Enables resource accounts.

Enable User
    Enables an Identity Manager user account, resource accounts, or both.

Get Object
    Retrieves a repository object.

Get Property
    Retrieves a property.

Get View
    Gets a read-only view.

List Resource Objects

Query Object Names
    Searches for objects with matching attributes.

Query Objects
    Searches for objects with matching attributes.

Query Reference

Refresh View
    Refreshes a view that was previously checked out.

Remove Deferred Task
    Removes deferred task scanner information from an object.

Remove Property
    Removes an extended property on an object.

Reprovision Primitive
    Reprovisions resource accounts.

Run Resource Actions

Set Property
    Adds an extended property to an object.

Unlock Object
    Unlocks an object that was previously checked out.

Unlock View
    Unlocks a view that was previously checked out.

Update Resource Object
    Modifies an object managed by a resource.

Table 1–5 Default Approval Workflows

Activity / Description

Approval
    Performs the fundamental single approver process.

Approval Evaluator
    Recursively evaluates an Approval Definition Object to implement a complex approval process. Allows the form and template to be passed in, but those can be overridden if specified in the set.

Lighthouse Approval
    Performs the default Identity Manager approval process for assigned organizations, roles, and resources. Uses the Approval Evaluator process.

Multi Approval
    Distributes approvals among multiple approvers. Uses the Approval process for each approver.

Notification Evaluator
    Recursively evaluates an Approval Definition Object to implement a complex notification process. The structure is expected to be the same as that defined for Approval Evaluator. In the standard workflow, approval definitions and notification definitions are maintained in the same structure. This is not required for a customized workflow.

Provisioning Notification
    Standard process for notifying administrators after a provisioning operation has completed.

Table 1–6 Default User Workflows

Activity / Description

DeProvision
    Performs the standard steps to deprovision an existing Identity Manager user, with granular control over resource account deletion, Identity Manager user deletion, unlinking, and de-assignment. Individual resource operations are re-tried until successful.

Provision
    Performs the standard steps to create a new Identity Manager user and provision resource accounts. Individual resource operations are re-tried until successful.

Set Password
    Changes the password of the Identity Manager account and resource accounts.

Update User Object
    Checks out a WSUser object, applies a set of changes, and checks in the object.

Update User View
    Checks out the user view, applies a set of supplied updates, and checks in the user view.

Update View
    Applies a collection of changes to any view.

Table 1–7 Default End User Workflows

Activity / Description

End User Update Groups
    Updates the group assignments on resources (that support groups) assigned to one of a manager’s reports.

End User Update My Groups
    Updates the group assignments on resources (that support groups) assigned to the logged-in account.

End User Update Roles
    Updates the role assignments for one of a manager’s reports.

End User Update My Roles
    Updates the role assignments assigned to the logged-in account.

End User Update Resources
    Updates the resource assignments and associated attributes for one of a manager’s reports.

End User Update My Resources
    Updates the resource assignments and associated attributes for the logged-in account.

Table 1–8 Default Compliance Workflows

Activity / Description

Access Review Remediation
    Remediation for a single remediator working with a single UserEntitlement.

Attestation
    Creates a work item for each Attestor, and marks the User entitlement record as APPROVED when all work items complete with approved status, or REJECTED as soon as the first work item rejects. When one work item rejects, all other work items are canceled.

Launch Access Scan
    Either launches or schedules an Access Scan Task, depending upon the setting provided by the Access Review task. It is directly called from the Access Review Workflow/Task.

Launch Entitlement Rescan
    Launches a rescan of an Access Scan for a single user.

Launch Violation Rescan
    Launches a rescan of an Audit Policy Scan for a single user.

Multi Remediation
    Remediation for a single Compliance Violation and multiple remediators.

Remediation
    Remediation for a single Remediator working with a single Compliance Violation.

Scan Notification
    Notifies Attestors at the end of each Access Scan that they have pending Attestation work items. Sends one notification to each Attestor, regardless of the number of pending work items. Also notifies the scan owner (if any) that the scan has started and completed. This workflow takes the following input:
        scanName -- name of the access scan
        scanOwner -- name of the access scan owner
        recipients -- list of Identity Manager user names that should be notified
        notificationType -- valid types include begin, end, and attest
        userCount -- number of users to be scanned (only on begin)

Standard Attestation
    Creates an Attestation Subprocess for each attestor specified.

Test Auto Attestation
    Facilitates testing new Review Determination rules without creating Attestation work items. This workflow does not create any work items, and simply terminates shortly after it starts. It leaves all User Entitlement objects in the same state that they were created in by the access scan. Use the Terminate and Delete options to clean up the results from access scans run with this workflow.

Update Compliance Violation
    Mitigates a Compliance Violation.

Scan Task Variables

The Audit Policy Scan Task and Access Scan Task task definitions both specify the forms to be used when initiating the task. These forms include fields that allow for most, but not all, of the scan task variables to be controlled.

Table 1–9 Scan Task Variables

Variable Name / Default Value / Purpose

maxThreads
    Identifies the number of concurrent users to work at one time for a single scanner. Increase this value to potentially increase throughput when scanning users with accounts on very slow resources.

userLock
    Default value: 5000
    Indicates the time (in milliseconds) spent trying to obtain a lock on the user to be scanned. If several concurrent scans are scanning the same user, and the user has resources that are slow, increasing this value can result in fewer lock errors, but a slower overall scan.

scanDelay
    Indicates the time (in milliseconds) to delay between issuing new scan threads. Can be set to a positive number to force the Scanner to be less CPU-hungry.

Workflow Task

Table 1–10 Workflow Activities

Activity / Description

Add Result
    Adds a named data item to the task result.

Add Result Error
    Adds an error message to the task result.

Add Result Message
    Adds an informational message to the task result.

Background Task
    Forces the workflow into the background if it was launched from the Identity Manager Administrator interface.

Get Resource Result
    Retrieves the result object returned by a resource adapter on the last provisioning operation.

Get Resource Result Item
    Retrieves one result item from the result object returned by a resource adapter on the last provisioning operation.

Rename Task
    Renames the task instance in the repository.

Scripted Task Executor
    Executes BeanShell or JavaScript based on a provided script. As a task, it can be scheduled to run periodically; for example, you can use it to export data from the repository to a database for reporting and analysis. Benefits include the ability to write a custom task without writing custom Java code. (Custom Java code requires a recompile on every upgrade and must be deployed to every server; because the script is embedded in the task, there is no need to recompile or deploy it.)

Set Result
    Adds an entry to the task instance result. This will appear in the workflow summary report.

Set Result Limit
    Sets the number of seconds the task instance should be retained in the repository when it finishes. A non-negative value indicates that the task instance will be kept for this many seconds after the task has completed.
    A negative value indicates that the task instance will never be removed automatically. However, you can remove it manually.

Using the Default Rename Task

To use the default rename task without customization, include the following action in your workflow:

<Action process='Rename Task'>
   <Argument name='name' value='New Task Name'/>
</Action>

Using the Handle Native Change To Account Attributes Workflow

Whenever Identity Manager detects a native change (that is, a change not performed through the Identity Manager) to the values of an auditable attribute of a resource account, it responds by running the handleNativeChangeToAccountAttributes workflow. This workflow is associated with this System Configuration object attribute:

<Attribute name='process'>
   <Object>
     <Attribute name='handleNativeChangeToAccountAttributes' value='Audit Native Change To Account Attributes'/>
   </Object>
</Attribute>

This workflow logs the native change events to the event log if you have enabled the Changes Outside Lighthouse audit filter. Otherwise, Identity Manager ignores the event.

Warning: Be careful which methods you call from any workflow that replaces the default workflow listed above.

Because Identity Manager launches this workflow whenever a resource account fetch reveals a native change, it must not invoke any method or workflow that would trigger another fetch of the same resource account. For example, an infinite loop will result if you call any workflow services method that assembles the User view: getView(User), checkoutView(User), and possibly checkinView(User).

The fact that Identity Manager handles each native change by running a workflow allows you to hook the native change event, and to handle that native change however you see fit by replacing or adding to the default native change workflow. For example, you might choose to send email to an administrator or a user, to record the event in a database, to queue an update that would back out the native change, or even to pull that native change into Identity Manager and push it back out to the other resources.

Specifying the Administrator for a Source Adapter Task

You can assign a subject or administrator to a Source adapter task and designate the server on which it runs by editing the sources.subject and sources.host attributes of the System Configuration object. For more information, see Editing the System Configuration object in Deployment Guide.

Implementing the Identity Manager Whitelist Feature

You can use the whitelist feature to check forms and workflows that use the SaveNoValidate action against a list of IDs or form names. Identity Manager checks the whitelist for either form names or form-owner IDs. The list of IDs, called saveNoValidateAllowedFormsAndWorkflows, is located in the security attribute in the System Configuration object. If the form name or owner ID is on the whitelist, the form or workflow can use the SaveNoValidate action. If the form name or the owner ID is not on the list, the form or workflow is processed using a Save action. If the list is not present, all forms and workflows can be processed as SaveNoValidate.

To implement this feature in your deployment, you must add any forms or workflows using SaveNoValidate to the saveNoValidateAllowedFormsAndWorkflows list in the System Configuration object. To see the IDs or form names that you must add, check the syslog or turn on trace level 4 for com.waveset.ui.util.GenericEditForm and submit any custom forms or workflows that use SaveNoValidate. Identity Manager will log a warning that includes the ID. If you are getting “null” form names in the syslog, confirm that the form in the TaskDefinition that was run has a name attribute.
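The whitelist decision described above, modelled as an added Python audit check (not code from the Sun documentation or from the product): it reads the list out of a constructed System Configuration fragment and reports how a given form or owner ID would be processed. The nesting under the security attribute, the <List>/<String> encoding of the list, and the form name and owner ID are assumptions.

```python
import xml.etree.ElementTree as ET

WHITELIST_ATTR = "saveNoValidateAllowedFormsAndWorkflows"

# Constructed sample System Configuration object. The nesting under the
# 'security' attribute and the <List>/<String> encoding are assumptions;
# the form name and owner ID are made-up placeholders.
SAMPLE_CONFIG = """<Configuration name='System Configuration'>
  <Extension>
    <Object>
      <Attribute name='security'>
        <Object>
          <Attribute name='saveNoValidateAllowedFormsAndWorkflows'>
            <List>
              <String>Custom Request Form</String>
              <String>OWNER-ID-0001</String>
            </List>
          </Attribute>
        </Object>
      </Attribute>
    </Object>
  </Extension>
</Configuration>"""


def load_whitelist(config_xml):
    """Return the whitelisted names/IDs, or None if the list is absent.

    None matters: with no list present, every form and workflow may use
    SaveNoValidate, so the feature fails open. A present but empty
    list allows nothing."""
    root = ET.fromstring(config_xml)
    for attr in root.iter("Attribute"):
        if attr.get("name") == WHITELIST_ATTR:
            return {s.text.strip() for s in attr.iter("String") if s.text}
    return None


def resolve_action(whitelist, form_name=None, owner_id=None):
    """Action a SaveNoValidate submission is actually processed as.

    form_name is None for a form without a name attribute (the 'null'
    form names seen in the syslog); it can then only match by owner ID."""
    if whitelist is None:
        return "SaveNoValidate"
    if form_name in whitelist or owner_id in whitelist:
        return "SaveNoValidate"
    return "Save"
```

Run load_whitelist against an export of your own System Configuration object: a None result means the SaveNoValidate restriction is not in force at all.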

Tracking Workflow Progress

The designated owner of a task can always check on the status of a Workflow task. The owner is usually the person that initiated the task, but ownership can be redefined. Because tasks are objects in the repository, they will also be visible to anyone else with sufficient permissions.

Workflow status is typically represented in the Task List State column by the strings executing, pending, creating, and suspended. You can add additional, more informative strings summarizing workflow status to this column display.

Implement this feature by adding one of two possible expressions to the WFProcess file:

<WFProcess name='queryRoleTask' maxSteps='0'>
   <Status>
     <s>Customized Status</s>
   </Status>
   <Activity id='0' name='start'>
     <Transition to='GetReferencingRoles'/>
   </Activity>
   <Activity name='GetReferencingRoles'>
     <Action id='0'>
       <expression>
         <!-- remainder of the action omitted -->
       </expression>
     </Action>
   </Activity>
</WFProcess>

<Status> can be any XPRESS statement that results in a string. For example,

<Status>
   <s>custom string</s>
</Status>

or

<Status>
   <block>
     <s>not appearing</s>
     <s>custom string</s>
   </block>
</Status>

The results of this expression, if any, are displayed in the Status column when a result is pending (for example, pending (custom status)).