ISE Identity Manager Workflow


This tutorial is part of the Identity Manager track within the Identity Suite Essentials program.



Description

This tutorial covers the creation, configuration, and use of a custom self service workflow for Identity Manager 8 with the Netbeans development environment.



Learning Objectives

After completing this tutorial, the following topics should be understood.

  1. Creating and modifying a new Self Service workflow with Netbeans
  2. Configuring Identity Manager to use a new workflow
  3. Using the Identity Manager debugger with a self service workflow
  4. Using a custom audit in a workflow and an audit report



Prerequisites

The following items must be completed before starting this tutorial.



Setup

The following steps need to be performed to enable the demonstration.

Section 1: Deploy Custom Objects

The Identity Manager artifacts for this module are in the extracted zip file for the Identity Suite Essential. The specific artifacts for this tutorial are located in the custom/WEB-INF/config/ISE/module8 folder.

Follow these instructions to deploy the custom objects.

  • Download the ISE tutorial bundle.
  • Uncompress the bundle and copy the extracted files to the custom/WEB-INF/config directory
    under the Idm8 project directory.
  • Start Netbeans 6.1 and open the Idm8 project. Expand the Custom Identity Manager Objects
    folder to view the custom objects from the tutorial bundle.
  • Right click Idm8 in the Projects tab. Select Run to deploy and run the project.

Section 2: Summary of Custom Objects

This section provides a summary of the custom objects in the project for this module.

  • TaskDefinition-ISERequestSecureLocationAccess.xml: Custom Self Service workflow which allows a user to request access to a secure badge location. This workflow also assigns a BadgeAccess resource to users if they do not already have it.
  • UserForm-ISESecureLocationApprovalForm.xml: A custom approval form for this workflow which lists the specifics of the requested secure location for the approver.
  • UserForm-ISESecureLocationRequestForm.xml: A form the requestor fills in to request access to a secure location.
  • EmailTemplate-GenericEmailNotification.xml: An email template which is used for this tutorial.
  • End User Request Menu.xml: The end user menu addition which allows the user to see a link for the new workflow.
  • End User Tasks.xml: The configuration object which gives the end users the permission to run the new workflow.
  • Resource-BadgeAccess.xml: The simulated resource adapter which is used in this tutorial.
  • RuleLibrary-ISELibrary.xml: A rule library with a few rules used by this module.
  • User-itadministrator.xml: An administrator who is used for approvals in this module.
  • User-tuser1.xml: A test user used in this module.


Section 2: Configure Workflow for end users

  • Once the Netbeans project is run, the artifacts for the workflow are imported into the
    Identity Manager repository. This step shows how the workflow was configured to be executable by end users.
    NOTE: this step should already be done, so this step is for validation.
    First download the object for End User Tasks.
  • The default login is configurator / configurator
  • Expand the Common Configuration Object Types
  • Open the End User Tasks configuration object.
  • Edit the End User Tasks to include the new workflow.
    This allows this workflow to be run from the end user interface.
      <List>
        <String>ISE - Request Secure Location Access</String>
        <String>ISE Request Secure Location Access</String>
      </List>  
  • If changes are made to the object, the file can be uploaded back to the Identity Manager repository.

End User menu

  • Once the workflow is available to be run, a link can be added to the end user menu to launch the workflow.
    This can be done by editing the End User Request Menu.
    Download the End User Request Menu
    (use the same process as above) to change the end user options.

The following section was added to allow the end user request menu to contain a link to launch the custom workflow used in this module:

            <Field>
                <Display class='Link'>
                    <Property name='name' value='ISE Request Secure Location Access'/>
                    <Property name='URL' value='user/processLaunch.jsp?id=ISE+-+Request+Secure+Location+Access'/>
                </Display>
            </Field>
  • Upload this file to the Identity Manager repository if any changes are made.
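
As an added example (not part of the original tutorial or of Identity Manager itself), the following Python script cross-checks the two objects edited above: it decodes the id parameter of each processLaunch.jsp link in the End User Request Menu and reports any target that is not named in the End User Tasks list. The <Form> wrapper element and the second link (ISE Unlisted Workflow) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the two fragments shown in this tutorial, plus one
# hypothetical link ("ISE Unlisted Workflow") to exercise the failing case.
END_USER_TASKS = """<List>
  <String>ISE - Request Secure Location Access</String>
  <String>ISE Request Secure Location Access</String>
</List>"""
END_USER_MENU = """<Form>
  <Field><Display class='Link'>
    <Property name='name' value='ISE Request Secure Location Access'/>
    <Property name='URL' value='user/processLaunch.jsp?id=ISE+-+Request+Secure+Location+Access'/>
  </Display></Field>
  <Field><Display class='Link'>
    <Property name='name' value='Unlisted'/>
    <Property name='URL' value='user/processLaunch.jsp?id=ISE+Unlisted+Workflow'/>
  </Display></Field>
</Form>"""


def allowed_tasks(tasks_xml):
    """Workflow names end users are permitted to launch."""
    return {s.text.strip() for s in ET.fromstring(tasks_xml).iter("String") if s.text}


def launch_targets(menu_xml):
    """Decoded workflow ids referenced by processLaunch.jsp links in the menu."""
    targets = []
    for prop in ET.fromstring(menu_xml).iter("Property"):
        url = urlsplit(prop.get("value", ""))
        if prop.get("name") == "URL" and url.path.endswith("processLaunch.jsp"):
            # parse_qs decodes '+' to a space, so the id compares to the task name
            targets.extend(parse_qs(url.query).get("id", []))
    return targets


def unlisted_links(menu_xml, tasks_xml):
    """Menu links whose target workflow is missing from End User Tasks."""
    allowed = allowed_tasks(tasks_xml)
    return [t for t in launch_targets(menu_xml) if t not in allowed]


if __name__ == "__main__":
    print(unlisted_links(END_USER_MENU, END_USER_TASKS))
```

An empty result means every menu link points at a workflow that end users are allowed to run; anything listed is a link that either fails for the user or signals that the two objects have drifted apart.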

Generic Email Template

ISE - Generic Email Template

An email template is used in this module for notifications. This template is intended to be reused for multiple different types of scenarios. Variables are used in the workflow to pass values to the emails (examples: $(headerText) and $(bodyText)).

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE EmailTemplate PUBLIC 'waveset.dtd' 'waveset.dtd'>
<EmailTemplate id='#ID#EMAILTEMPLATE:ISEGenericEmailNotification' name='ISE - Generic Email Notification'
smtpHost='$(smtpHost)' fromAddress='administrator@example.com' htmlEnabled='false'>
    <Variable name='accountId' external='true'/>
    <subject>$(subjectText)</subject>
    <body>
$(headerText)
-------------
$(bodyText)
    </body>
    <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
    </MemberObjectGroups>
</EmailTemplate>

Section 3: Test the new Workflow

  • To test the default behaviour of the custom workflow, log in to Identity Manager's self service
    interface http://localhost:8080/Idm8/user as tuser1 / password
  • Select the Requests tab
  • Select the Launch Requests subtab, then select ISE Request Secure Location Access

Select a secure Location to request access to. The default workflow does not contain any approvals.
Once the access is requested, the user should be provisioned that access immediately.

The following steps describe how to add an approval to the workflow.

Section 5: Workflow enhancements

This section will edit the supplied self service workflow to configure different approval options.

Note: The Identity Manager artifacts included in this module include a new administrator for escalation approvals: ITAdministrator / Passw0rd

  • Open the TaskDefinition-ISERequestSecureLocationAccess workflow.
    This is under the Idm8 project Custom Identity Manager Objects
    under ISE/module8.
    The default workflow configuration will not use any workflow approvals. The Design Diagram for the workflow shown to the right
    shows a transition to the Provision step after the user confirmation step.
    Two other approval flows are available in the supplied workflow.
    * Approval Queue - sends approvals to a queue and requires all approvers to respond before moving to the Provision step.
    * Do Parallel Approval - sends independent approval threads to separate
    approvers simultaneously and waits until both respond before moving to the Provision step.
    This is a more advanced configuration which
    can be extended to include complex parallel tasks by multiple individuals in addition
    to just processing an approval.

    The style value can be changed and the workflow can be uploaded if you want to see the results.

Approval Queue

This step describes how to change the workflow so that its transition goes to an Approval Queue. This transition uses an activity which uses the out of the box Multi Approval subprocess.

  • The workflow transition can be changed to Approval Queue by moving the
    transition arrow (from the Display Confirmation Page to the Provision step) to go to
    the Approval Queue.

    *Perform this step now*
  • To test the default behaviour of the custom workflow, log in to Identity Manager's self service
    interface http://localhost:8080/Idm8/user as tuser1 / password
  • Select the Requests tab
  • Select the Launch Requests subtab, then select ISE Request Secure Location Access
    Select a Badge access location to request. Select Submit
  • Once the request is submitted, the status of the request can be seen by the end user by selecting the request.
  • The details show the request is awaiting approval from the Administrator and Configurator users.
  • Log in to the Identity Manager admin interface http://localhost:8080/Idm8 as configurator / configurator.
    Select the Work Items tab, then the Approvals subtab.
    Select List Approvals for: All Approvals
    Select the Request details for each of these approvals and Approve the request.
    Log out
  • Log in to the Identity Manager end user interface http://localhost:8080/Idm8/user
    as the requestor. Select the Request tab, View subtab. Select the request to view the details.

  • Open the TaskDefinition-ISERequestSecureLocationAccess workflow.
    Look at the details of the Approval Queue activity.
    The workflow is initially set to use a style of allapprove. This requires all the approvers in the list to approve the request prior to provisioning. The style can be changed to alter the workflow behaviour.
  • To see the other options for the Multi Approval workflow, you can expand the Identity Manager Palette.
    The options for the style which can be configured are:
    * first - once a single approver in the list approves the request, it will be approved.
    * allapprove - all approvers in the list will be required to approve the request
    * allreject - anyone can approve but stop as soon as anyone in the list rejects

Parallel approval

Change the transition to use a parallel approval

  • The workflow transition can be changed to Do Parallel Approval by moving the
    transition arrow (from the Display Confirmation Page to the Provision step) to go to the Do Parallel Approval.
    This change will add two separate paths for parallel approvals
    which are processed independently. This allows more flexibility in the
    workflow to use separate approval notifications and approval
    templates for each path. This is an example of the robust and
    flexible workflow which is available in
    Sun Identity Manager. Once the workflow transition is changed, run through the workflow again; this time an approval will be required by the user's manager and the security officer (this approval is defined by the workflow variable appOwner, which is set to use Configurator by default).

Serial Approval

A simple serial approval can optionally be added to the workflow by chaining the Approval Queue and the Do Parallel Approval activities. This step is optional for this tutorial. It simply requires changing the transitions to go from the Display Confirmation Page to the Approval Queue, then from the Approval Queue to the Do Parallel Approval. If this step is done, the appOwner variable should be changed to a new user, since the configurator user is already part of the approval queue step. All the approvers can be easily changed in the workflow to control the workflow process.

Section 7: Audit Report Creation

This section will describe the creation of an Audit Report for all provisioning activity for the Badge Access resource used by this self service workflow.

  • Select the Reports tab, from the New drop down box, select AuditLog report
  • Enter a report title.
  • Add the Top organization
  • Select the resource BADGEACCESS
  • Save the new report
  • Run the new report
  • Select the details of one of the audit events to see what was provisioned (note the changes to the attribute value ALLOWEDLOCATIONS; the audit records are converted to upper case).



Demonstration

After completing the setup above, the following steps should be performed to complete this tutorial.

Section 1: Demonstrate the extended end user request workflow

  • To test the default behaviour of the custom workflow, log in to Identity Manager's self service
    interface http://localhost:8080/Idm8/user as tuser1 / password
  • Select the Requests tab
  • Select the Launch Requests subtab, then select ISE Request Secure Location Access
    Select a Badge access location to request. Select Submit
  • Once the request is submitted, the status of the request can be seen by the end user by selecting the request.
  • The details show the request is awaiting approval from the requestor's manager and Configurator users.
  • Log in to the Identity Manager admin interface http://localhost:8080/Idm8 as configurator / configurator.
    Select the Work Items tab, then the Approvals subtab.
    Select List Approvals for: All Approvals
    Select the Request details for each of these approvals and Approve the request.
    Log out
  • Log in to the Identity Manager end user interface http://localhost:8080/Idm8/user
    as the requestor. Select the Request tab, View subtab. Select the request to view the details.

Section 2: Run audit report

Log in to Identity Manager as Configurator / Configurator

Select the Reports tab

  • Run the new report: Badge Access - Secure Locations Granted
  • Select the details of one of the audit events to see what was provisioned (note the changes to the attribute value ALLOWEDLOCATIONS; the audit records are converted to upper case).



Resources

The following links provide more information:


Copyright (c) 2008, Sun Microsystems, Inc.
All rights reserved
