Workflow

Uploaded by

Saeed Nashar

Workflow

Fundamentals of IdentityIQ Implementation


Overview
Workflow
• What is a workflow?
• Workflows in IdentityIQ
• Configuring workflows
• Workflow troubleshooting

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 2


What is a Workflow?
• A sequence of steps with transition logic between them
• Each step performs one action
• For example, execution of code, or user-interaction
• Defined with Business Process Editor or by creating XML definitions
• Referred to in the SailPoint UI as “Business Processes”



LCM and Workflows
• Workflows are intimately tied to LCM
• Requests
• Entitlement/Role
• Account Requests
• Passwords
• Management of users’ passwords
• Reactions to Native Password changes
• Identity
• Create/Edit
• Identity Change Events
• Mover
• Joiner
• Leaver
• Other Attribute Changes



Workflows throughout IdentityIQ
• Workflows are also used for…
• Role Creation
• Identity Update
• Identity Refresh
• Identity Correlation
• Entitlement Creation/Update
• Sunrise/Sunset Role Assignment
• Sunrise/Sunset Role Activation
• Policy Violations



Quicklinks and Workflows
Create Your Own Functionality
• Add business specific Quicklinks to the Quicklink menu
• Execute custom workflow (i.e. Emergency termination)

For more information:
• SailPoint training course Provisioning with IdentityIQ
• Compass whitepaper: Quicklinks



What can Workflows do?
• Check for Policy Violations
• Gather information from users
• Get Approvals/Generate Workitems
• Send Emails
• Audit
• Adjust Provisioning Plan
• Call Subprocesses (child workflows)
• Run other Workflows
• Really anything you can code in Java/BeanShell



Workflow Execution
WorkflowCase Object
• Created when action in IdentityIQ triggers a workflow
• Contains details for a running workflow process
• Launcher, type of workflow, copy of the workflow, current step being processed, info about target objective, etc.
• Exists only until workflow completes
Example: Catherine Simmons submits request for 3 employees
[Figure: Select access and submit, resulting in three WorkflowCases]
WorkflowCases
• launcher: Catherine, targetName: Denise
• launcher: Catherine, targetName: Louis
• launcher: Catherine, targetName: Irene


Workflow Execution
WorkItem
• Created by a workflow (or IdentityIQ) to obtain input from a person
• Exists until the input is acquired
• Examples
• Approvals
• Policy violations
• Request for manual provisioning
• Access review delegations
• Request for data



Workflow Editing
Options
• Business Process Editor (BPE)
• Debug Page
• Eclipse (with the Deployment Accelerator plug-in)



What Do Workflows Look Like in the GUI?



What Do Workflows Look Like in the XML?
<Workflow name='My Workflow'>

  <Variable name='identity' input='true'/>
  <Variable name='newRoles' input='true'/>
  <Variable initializer='string:spadmin' input='true' name='approvalOwner'/>

  <Step name='start'>
    <Transition to='Approve'/>
  </Step>

  <Step name='Approve'>
    <Approval owner='ref:approvalOwner'
              send='identity,newRoles'
              renderer='myApproval.xhtml'/>
    <Transition to='Approved' when='approved'/>
    <Transition to='Rejected'/>
  </Step>

  <Step name='Approved' action='call:saveObject'>
    <Arg name='object' value='ref:identity'/>
    <Transition to='end'/>
  </Step>

  <Step name='Rejected' action='call:audit'>
    <Arg name='source' value='ref:launcher'/>
    <Arg name='action' value='rejected'/>
    <Arg name='target' value='script:identity.getName()'/>
    <Arg name='string1' value='failure'/>
    <Transition to='end'/>
  </Step>

  <Step name='end'/>

</Workflow>


Knowledge Check

Configuring Workflows



Configuring Workflows
Process Variables
• Set workflow defaults
• Provide for installation specific workflow configurations
Example: Change approver from owner to manager



Modifying Workflows
Process
• Always make changes to a copy of the original workflow
• Ensures updates don’t overwrite modifications
• Save using your installation specific naming convention
• Update IdentityIQ to point to your workflow
[Figure labels: Default workflow; Installation specific workflow]



Knowledge Check

Workflow Troubleshooting



Debugging Workflows
• Tracing
• Set “trace” to “true” in workflows; output goes to stdout for the app server
• Email Redirection
• Redirect email to a file (“Gear” → Global Settings → IdentityIQ Configuration → Mail Settings → Email Notification Type)
• Logging
• System.out.println() or log4j
• log4j.logger.sailpoint.api.Workflower=debug
• log4j.logger.sailpoint.workflow.WorkflowHandler=debug
• log4j.logger.sailpoint.workflow.WorkflowLibrary=debug
• Console
• list WorkItem
• list workflowcase
• The “workflow” console command can be used to launch a workflow case with an XML file containing initial workflow variables



Workflow Status



Workflow Metrics
• Capture analytics for entire workflow
• Avg/Max/Min Execution Time, # of Executions
• Drill into individual steps and identify execution bottlenecks
• View metrics
• Process Metrics tab
• Intelligence → Advanced Analytics → Process Metrics Search



Workflow Monitoring
• Monitoring for whole process or individual steps

• Monitor Process

• Monitor step



Knowledge Check

Introduction to Creating Workflows
Fundamentals of IdentityIQ Implementation
Overview
Introduction to Creating Workflows
• Workflow components overview
• Steps
• Scriptlets
• Variables
• Step types
• Transitions

For more training on workflow creation, see SailPoint course Provisioning with IdentityIQ



Workflow Steps – Overview
• A workflow involves a
minimum of three steps
• Start step
• Processing step
• Stop step (or END)
• Specifying a step includes
• Name
• Action
• What the step does
Description
• Arguments
• Values to be passed to the action
• Transition
• Which step to move to after the
action finishes



Workflow Variables
• Variables are global to the workflow and available to all steps
• Input
• Option means it may be passed into the workflow
• Lack of the “input” option means it is an internal variable
• Initial Value
• Used to provide a value if one is not passed in
• Description
• Should be meaningful
• Variables are initialized when the case is launched
• Variables may be changed by BeanShell later in the workflow



Key Workflow Concept – Scriptlets
Specifying Values
• In UI, you select scriptlet type and specify source

• In XML, scriptlets begin with type, followed by a colon, followed by the “source”

  Scriptlet                                 Meaning
  string:spadmin                            supplies a literal string
  ref:approver                              references a workflow variable
  script:identity.getManager().getName()   runs a piece of BeanShell
  rule:My Approver Rule                     calls a rule
  call:buildOwnerApproval                   calls a method in the registered WorkflowHandler class or Library


Key Workflow Concepts – XML
<Workflow name='My Workflow'>

  <!-- Variables -->
  <Variable name='identity' input='true'/>
  <Variable name='newRoles' input='true'/>
  <!-- Scriptlet - string -->
  <Variable initializer='string:spadmin' input='true' name='approvalOwner'/>

  <Step name='start'>
    <Transition to='Approve'/>
  </Step>

  <Step name='Approve'>
    <!-- Approval -->
    <Approval owner='ref:approvalOwner'
              send='identity,newRoles'
              renderer='myApproval.xhtml'/>
    <!-- Transition -->
    <Transition to='Approved' when='approved'/>
    <Transition to='Rejected'/>
  </Step>

  <!-- Scriptlet - call -->
  <Step name='Approved' action='call:saveObject'>
    <!-- Scriptlet - ref -->
    <Arg name='object' value='ref:identity'/>
    <Transition to='end'/>
  </Step>

  <Step name='Rejected' action='call:audit'>
    <Arg name='source' value='ref:launcher'/>
    <Arg name='action' value='rejected'/>
    <!-- Scriptlet - script -->
    <Arg name='target' value='script:identity.getName()'/>
    <Arg name='string1' value='failure'/>
    <Transition to='end'/>
  </Step>

  <Step name='end'/>

</Workflow>


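Added example (not from the original slides and not SailPoint code): a small Python audit over an exported workflow definition that parses each type:source scriptlet, lists the ones that run code, and flags ref: scriptlets naming a variable the workflow never declares. The sample XML is constructed; the list of scriptlet-bearing attributes and the handling of launcher are assumptions.

```python
import xml.etree.ElementTree as ET

TYPES = {"string", "ref", "script", "rule", "call"}  # scriptlet types from the slide
# Assumption: these attributes carry scriptlets ('send' is a CSV of names, not one).
SCRIPTLET_ATTRS = ("action", "value", "owner", "initializer", "when")
# Reserved names from the slides' table, plus 'launcher' (used as ref:launcher
# in the slides' XML; treating it as always defined is an assumption).
BUILTINS = {"context", "log", "wfcontext", "handler", "step", "approval",
            "item", "trace", "launcher"}

# Constructed sample: a cut-down 'My Workflow' with a mistyped variable reference.
SAMPLE = """
<Workflow name='My Workflow'>
  <Variable name='identity' input='true'/>
  <Variable initializer='string:spadmin' input='true' name='approvalOwner'/>
  <Step name='Approve'>
    <Approval owner='ref:aprovalOwner' send='identity,newRoles'/>
    <Transition to='Approved' when='approved'/>
  </Step>
  <Step name='Rejected' action='call:audit'>
    <Arg name='source' value='ref:launcher'/>
    <Arg name='target' value='script:identity.getName()'/>
  </Step>
</Workflow>
"""

def parse_scriptlet(text):
    """Split 'type:source'; an unknown or missing type is returned as None."""
    kind, sep, source = text.partition(":")
    return (kind, source) if sep and kind in TYPES else (None, text)

def audit_scriptlets(xml_text):
    root = ET.fromstring(xml_text)
    declared = {v.get("name") for v in root.findall("Variable")} | BUILTINS
    inventory, dangling = [], []
    for element in root.iter():
        for attr in SCRIPTLET_ATTRS:
            if attr in element.attrib:
                kind, source = parse_scriptlet(element.get(attr))
                inventory.append((element.tag, attr, kind, source))
                if kind == "ref" and source not in declared:
                    dangling.append(source)  # references an undeclared variable
    # script:, rule: and call: run code, so they are the entries to review.
    code = [(k, s) for _, _, k, s in inventory if k in ("script", "rule", "call")]
    return {"inventory": inventory, "dangling_refs": dangling, "code": code}
```
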
Global Variables (Reserved Words)

  Variable Name   Purpose
  context         SailPoint Context
  log             Log object for log4J
  wfcontext       An instance of WorkflowContext containing details about the state of the workflow
  handler         An instance of the registered WorkflowHandler
  step            The Step object currently being evaluated
  approval        The Approval object currently being evaluated
  item            The WorkItem being opened or assimilated
  trace           Whether to trace or not (if set to true, we trace the workflow process)

NOTE: Additional variables are added to specific types of LCM requests and vary from request to request



Types of Steps
• Placeholders
• Used for visual cues and flow (Start/Stop)
• Code Steps
• Script or Rule – BeanShell code
• Call – call into compiled Java code
• Interaction Step
• Approval (Interaction)
• WorkItem created and provides a Form or Renderer
• SubProcess
• Execute a subprocess within the current flow
• Additional Options (implemented in XML)
• Wait (causes specific step to pause)
• Catches=Complete (guarantees step will run after workflow ends for whatever reason)



Step Action: Script
• Step action is a BeanShell script of any complexity
• All current workflow variables are accessible as top-level symbols
• “identity” and “project” are both workflow variables



Step Action: Call
• Step action is to call a method in the StandardWorkflowHandler
• Method “audit” is called with arguments
• Argument values can be specified on tab or using scriptlets



Step Action: Subprocess
• Calls another workflow
• Defines parameter passing behavior to map subprocess variable using Return tags



Step Action: Approval
• Approvals are a special kind of step that interacts with users
• Approval steps cannot have call or script actions or call subprocesses
• Approval objects may be nested



Step Action: Approval
Approval Work Items
• Work item creation
• Each approval generates a work item
• Workflow variables may be passed into the work item
• Work item sent to configured owner



Step Action: Approval
Approval Work Items
• Work item completion
• User must complete work item for workflow to continue
• Validation can occur on entered data and response returned to work item
• Messages can indicate what was missing
Example: Email address has incorrect format or Approver Comments Missing
• Submitted data may be used for future transition logic or saved in workflow variables
Example: Approval or Rejection, Approver comments



Step Action: Approval
Approval Work Item Options

• CSV of workflow variable names to send/return
• JSF fragment or form to render work item contents
• Default provided by IdentityIQ (if not set)
• Sets description of work item
• If not set, Approval name is used



Step Action: Approval
Form Basics



Transitions
• Define which step to pass control to
• Are evaluated when the step action or approval completes
• Can be multi-valued
• Evaluation is in the order specified in the transition
• Transfer control to first transition that evaluates to true or which has no condition
• The workflow ends
• If there are no transitions
• If all of the transition conditions are false

• Best practice
• Always provide an unconditional option
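
The transition rules above (in-order evaluation, the workflow ending when nothing matches, always providing an unconditional option) can be checked mechanically against an exported workflow definition. This Python lint is an added example, not SailPoint code or part of the original slides; the sample XML is constructed from the deck's 'My Workflow', and treating the first Step as the entry point and nested child elements as conditions are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's 'My Workflow' with two defects added on purpose
# (no fallback transition out of 'Approve', and a mistyped target 'End').
SAMPLE = """
<Workflow name='My Workflow'>
  <Step name='start'><Transition to='Approve'/></Step>
  <Step name='Approve'>
    <Approval owner='ref:approvalOwner' send='identity,newRoles'/>
    <Transition to='Approved' when='approved'/>
  </Step>
  <Step name='Approved' action='call:saveObject'><Transition to='end'/></Step>
  <Step name='Rejected' action='call:audit'><Transition to='End'/></Step>
  <Step name='end'/>
</Workflow>
"""

def is_conditional(transition):
    # Assumption: a condition is a 'when' attribute or a nested child element.
    return bool(transition.get("when")) or len(transition) > 0

def lint_transitions(xml_text):
    """Return (step, finding, detail) tuples for risky transition layouts."""
    steps = ET.fromstring(xml_text).findall("Step")
    edges = {s.get("name"): [] for s in steps}
    findings = []
    for step in steps:
        name, trans = step.get("name"), step.findall("Transition")
        for i, t in enumerate(trans):
            if t.get("to") in edges:
                edges[name].append(t.get("to"))
            else:
                findings.append((name, "unknown-target", t.get("to")))
            if not is_conditional(t) and i < len(trans) - 1:
                # Evaluation is in order, so later transitions can never fire.
                findings.append((name, "shadowed-transition", trans[i + 1].get("to")))
                break
        if trans and all(is_conditional(t) for t in trans):
            # If every condition is false the workflow simply ends here.
            findings.append((name, "no-unconditional-transition", None))
    # Assumption: the first Step is the entry point of the workflow.
    seen, todo = set(), [s.get("name") for s in steps[:1]]
    while todo:
        current = todo.pop()
        if current not in seen:
            seen.add(current)
            todo.extend(edges[current])
    findings += [(n, "unreachable-step", None) for n in edges if n not in seen]
    return findings
```

On the constructed sample the rejection audit step is reported as unreachable, which is the practical cost of the missing fallback: a rejected request would end the workflow without the audit call ever running.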



Transition Examples
Conditional Transitions

Unconditional Transition



Pre-Conditions

• A conditional statement executed prior to running a step
• Used to determine if the step should be executed
• Alternative to conditional transition



Knowledge Check

Next Step?

Practice Exercises



Exercise Preview
Section 4, Exercise 6
• Exercise 6: Use Lifecycle Manager to Create a Lifecycle Event
• Create a department change lifecycle event
• Configure a new Business Process to be used when the department change occurs
