Tech_Implementation of Complex ITIM Workflows

1362 - Implementation of Complex ITIM Workflows Fred Santos

Fred Santos Pan EMEA Subject Matter Expert Group IBM Software Group ®

Agenda ITIM Workflow Concepts: a quick Overview Workflow Types Workflow Data Workflow Elements Workflow and JavaScript Workflow Extensions Complex ITIM Workflows by Example

Abstract ITIM manages security policies by using workflows. The ability to develop customized workflows are essential to getting value out of an ITIM deployment and in high demand during customer engagements. Skills Level: Advanced

Workflow Types Operation Workflows Lifecycle Management Persons and BPPersons Accounts Global Entitlement Workflows Provisioning Processing Accounts

Operation Workflows Associated with manipulation of Entities: Account Person BPPerson Global workflows can be defined and called from other operation workflows

Operation Workflows Can be defined at two levels: Entity Type Entity The Entity Type Workflows are inherited by all entities of that type. E.g.: Operation Workflows defined at the level of Entity Type Account, will be inherited by all Accounts, regardless of profile The Entity Workflows override those inherited from the Entity Type level E.g.: a customized Modify NT account workflow overrides the modify workflow inherited from the Account Entity Type

Operation Workflows Person and BPPerson operations: Add Modify Delete Suspend Restore Transfer SelfRegister

Operation Workflows Account Operations: Add Modify Delete Suspend Restore ChangePassword

Entitlement Workflows Specified in Provisioning Policies Entitlement Workflows are NOT mandatory Triggered by: Account Add Account Modify Executed before the relevant Operation Workflow The Operation Workflow do not start before the Entitlement Workflow completes

Workflow Data Three types of Workflow Data: Javascript variables Relevant Data Workflow Context Objects

Javascript Variables Defined in Javascript code: Javascript Nodes Postscript tabs “ Custom” code in some other Nodes Start and End Nodes Can’t be Serialized or made Persistent Exist in the context of their definition When the node completes, all variables will be out of scope

Relevant Data Defined in the Workflow Properties page Exists throughout the life of the workflow Stored in the ITIM Database Can be associated with contexts: Subject Requestee Both Not Applicable

Relevant Data Types of Relevant Data: Input/Output Parameters Workflow Defined User Defined

Input/Output Parameters in Entitlement Workflows Input Parameters: Entity – Account: In an add request, it contains the data for the new account In an a modify request, it contains only the modified attributes Service The Service where the account exists or will be create Owner - Person: The Person associated with the account Output Parameters: Entity – Account

Input Parameters in Operation Workflows Static Operations: Add: Person or Account (Account) Modify: Account SelfRegister: Person Non-Static Operations: Delete: Person or Account (Person) Modify: Person Suspend: Person or Account Restore: Person or Account Transfer: Person ChangePassword: Account

System Defined and User Defined Data System Defined Data: Defined only in some workflows User Defined Data: Defined in the Workflow Properties Page Made persistent in the ITIM Database Accessed in Javascript with userObject = ItemName.get(); Changed in Javascript with ItemName.set(userObject);

Workflow Context Objects Contain information about the object in question Activity Process Accessible in Javascript code

Workflow Elements Start and End Approval Request for Information Work Order Script Loop Operation and Subprocess Extension Transition Lines

Workflow and JavaScript Most Elements Allow Javascript code to be executed: Start and End Nodes Script Nodes Postscript Tabs (Approval, Extension, …) Transition Lines Allows: Manipulation of Relevant Data Conditional logic in Transition Lines

Workflow and Javascript FESI Extensions can be used in Javascript code Created as Java classes implementing the Javascript API Installed in the ITIM classpath Registered in enRole.properties Used as Objects var userObj = new extObject(); Functions var userVar = extFunction(val1, val2);

Workflow Extensions Java classes implementing the Workflow API Installed in the ITIM classpath Registered in workflowextensions.xml Used by adding an Extension node in the Workflow Select the class name in Extension Name Map the Input and Output Parameters to Relevant Data The Input and Output Parameters are defined in the Java class

Workflow Extensions Can be used to Hide sensitive processing logic Access external data stores Files Databases LDAP Servers Implement logic difficult to code or inefficient in Javascript Number crunching Encapsulate processing in a single node

Complex Workflows: Example 1 Global Operation (Account Entity Type) Approval_Process

Complex Workflows: Example 1 // Initialise loop instance counter to zero and exitloop switch to false. loopinstance.set(0); exitloop.set("false"); // Check current process type. If not Account Process Type, Loop back through Parent Processes // until Account Process type is found or until the root Parent reached. Default value is et to unknown. current = process; exitwhile = false; parentType = ""; parentTypeDesc.set("Unknown"); while (!exitwhile) { if ((current.type.substring(0,1)=="A" || current.type.substring(0,1)=="L") && current.type.length == 2){ parentType=current.type; exitwhile = true; } else if (current.parentId == 0 || current.parentId == "0"){ exitwhile = true; } else {current=current.getParent();} } if (parentType=="AA") {parentTypeDesc.set("Account Add");} else if (parentType=="AC") {parentTypeDesc.set("Account Change");} else if (parentType=="AP") {parentTypeDesc.set("Account Password Change");} else if (parentType=="LS") {parentTypeDesc.set("Suspend Multiple Accounts");} else if (parentType=="LR") {parentTypeDesc.set("Restore Multiple Accounts");} else if (parentType=="LD") {parentTypeDesc.set("Delete Multiple Accounts");} else if (parentType=="LP") {parentTypeDesc.set("Change Password for Multiple Accounts");} else if (parentType=="AS") {parentTypeDesc.set("Suspend Account");} else if (parentType=="AR") {parentTypeDesc.set("Restore Account");} else if (parentType=="AD") {parentTypeDesc.set("Delete Account");} // otherAccount Check if (service.get().getProperty("erservicename")[0] == "otherAccount") { otherAccountCheck.set("true") } parentTypeDesc.get();

Complex Workflows: Example 1 Subject <JS>function getprop(ob, prop){x=ob.getProperty(prop);if (x.length != 0){return x[0];}else{return "";}}"";</JS>ARMS <JS>if (otherAccountCheck.get() == "false") {return (service.get().getProperty("erservicename")[0]);} else {return (getprop(entity.get(), "erOtherAccountService"));}</JS> <JS>if (otherAccountCheck.get() == "false") {return (parentTypeDesc.get());} else {return (getprop(entity.get(), "erOtherAccountOperation"));}</JS> Request For <JS>o=owner.get();getprop(o,"cn");</JS> Waiting for Your approval Message <JS>function getprop(ob, prop){ x=ob.getProperty(prop); if (x.length != 0) { return x[0]; } else { return ""; }}"";</JS>There is a <JS>if (otherAccountCheck.get() == "false") {return (service.get().getProperty("erservicename")[0]);} else {return (getprop(entity.get(), "erOtherAccountService"));}</JS> account <JS>if (otherAccountCheck.get() == "false") {return (parentTypeDesc.get());} else {return (getprop(entity.get(), "erOtherAccountOperation"));}</JS> request for <JS>o=owner.get();getprop(o,"cn");</JS> waiting for your approval.<JS>if (otherAccountCheck.get() != "false") {return ("\nAccount Information: " + getprop(entity.get(), "erotheraccountcontent") +"\n");} else {return ("");}</JS>Please see the service charging information for <JS>if (otherAccountCheck.get() == "false") {return (service.get().getProperty("erservicename")[0]);} else {return (getprop(entity.get(), "erOtherAccountService"));}</JS> account from http://www.ibm.com To approve/reject the request, go to MyTodo List >> Pending Requests. Login to ITIM:http://www..ibm.com/ITIM Thank you for using ITIM. If you have any questions please see the ITIM service pages or contact your local Service Desk. Please, do not reply to this message. ITIM is a central webtool for requesting, generating, maintainingand managing System and Application accounts in IBM . http://www.itim.ibm.com/ITIM

Complex Workflows: Example 1 Relevant Data Account Entity Type AND Split Type AND Join Type 1 Days 0 Hours 0 Minutes 0 Seconds Escalation Limit Escalation Participant Participant Approval Rrequest Description Approval with a 1 Day Timeout Activity Name OneDayApprovalTimeout ActivityID Approval node Node Type Attribute Value Attribute Name participant = new Participant(ParticipantType.SUPERVISOR); Custom Attribute Value Attribute Name participant = new Participant(ParticipantType.SUPERVISOR); Custom Attribute Value Attribute Name owner Person owner service Service service entity Account entity Relevant Data ID Type ID

Complex Workflows: Example 1 true; Script AND Split Type AND Join Type LOOP_START ActivityID Script node Node Type Attribute Value Attribute Name exitloop.set("true"); true; Script AND Split Type AND Join Type EXIT_LOOP ActivityID Script node Node Type Attribute Value Attribute Name loopinstance.set(loopinstance.get()+1); true; Script AND Split Type AND Join Type LOOP_END ActivityID Script node Node Type Attribute Value Attribute Name

Complex Workflows: Example 1 getApproverDN process.auditEvent("Attempting to get approver details"); if (supervisorApproval.get() == "true" ) { process.auditEvent("Getting normal approver"); person = owner.get(); manager = person.getProperty("erSupervisor"); //managers erglobalId approver.set(manager[0]); approver2.set(manager[0]); approver3.set(manager[0]); process.auditEvent("Normal approver resolved"); } else { //Special Approver process.auditEvent("Getting special approver"); personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in fesiextension.properties file to use PersonSearch searchFilter = "(employeeNumber=" + approverEmpNum.get() +")"; searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); //2 means search scope is subtree approverEntity = searchResult[0]; //The search result is an array of the directory objects approver.set(approverEntity.dn); if (approverEmpNumDeputy1.get() != null) { personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in fesiextension.properties file to use PersonSearch searchFilter = "(employeeNumber=" + approverEmpNumDeputy1.get() +")"; searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); //2 means search scope is subtree approverEntity1 = searchResult[0]; //The search result is an array of the directory objects

Complex Workflows: Example 1 getApproverDN approver2.set(approverEntity1.dn); } else { approver2.set(approverEntity.dn); // Same approver as the first } if (approverEmpNumDeputy2.get() != null) { personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in fesiextension.properties file to use PersonSearch searchFilter = "(employeeNumber=" + approverEmpNumDeputy2.get() +")"; searchResult = personSearch.searchByFilter(“ibmPerson", searchFilter, 2); //2 means search scope is subtree approverEntity2 = searchResult[0]; //The search result is an array of the directory objects approver3.set(approverEntity2.dn); } else { approver3.set(approverEntity.dn); // Same approver as the first } process.auditEvent("Special approver resolved"); } /* //For debugging if needed process.auditEvent("approverEmpNum " + approverEmpNum.get() ); process.auditEvent("approver " + approver.get() ); process.auditEvent("approver2 " + approver2.get() ); process.auditEvent("approver3 " + approver3.get() ); process.auditEvent("approverEmpNumDeputy1 " + approverEmpNumDeputy1.get() ); process.auditEvent("approverEmpNumDeputy2 " + approverEmpNumDeputy2.get() ); */

Complex Workflows: Example 1 (continued) Account Restore uses Approval_Process

Complex Workflows: Example 2 Add Account

Complex Workflows: Example 3 IBM Software Group Restore Account

Complex Workflows: Example 3 current = process; exitwhile = false; parentType = ""; parentTypeDesc.set("Unknown"); while (!exitwhile) { if (current.parentId == 0 || current.parentId == "0"){ parentType=current.type; exitwhile = true; } else { current=current.getParent(); } } process.auditEvent("Parent Type: " + parentType); if (parentType=="AR") { sendEmail.set("false"); } else { sendEmail.set("true"); } process.auditEvent("sendEmail set to : " + sendEmail.get()); parentTypeDesc.get();

Complex Workflows: Example 4 ChangePassword

Complex Workflows: Example 4 CHECK_REQUESTOR // Check to see if Requestee is also requestor requestorCheck.set("false"); sysUserDN = CurrentProcess.getRequestorDN(); if (sysUserDN=="null" || sysUserDN=="-1" || sysUserDN==null) { // Not a human requestor requestorCheck.set("false"); } else { sysUserAccount = SystemUser.getByDN(sysUserDN); curr_parent = sysUserAccount.parent.toString(); requestorPersonDN=curr_parent.substring(curr_parent.indexOf(':') + 2, curr_parent.length); requesteeDN = process.requesteeDN; test = "-" + requesteeDN + "- compared with -" + requestorPersonDN + "- "; if (requesteeDN == requestorPersonDN) { requestorCheck.set("true"); } else { requestorCheck.set("false"); } } test += "with result " + requestorCheck.get(); process.auditEvent(test); test;

Complex Workflows: Example 4 Set_Pwd_change_attrs // Set Service curr_account = Entity.get(); curr_service = curr_account.getProperty("erservice")[0]; service.set(new Service(curr_service)); curr_owner = curr_account.getProperty("owner")[0]; owner.set(new Person(curr_owner)); // Set attributes // Set erW2kPasswordForceChange to true curr_account.setProperty( "erW2kPasswordForceChange", true ); Entity.set(curr_account); true;

Complex Workflows: Example 5 Delete Person

Complex Workflows: Example 6 Add Person

Start and End Elements Always exist Can’t be deleted Can add Javascript code to them

Approval Element Requests the Approval from a Participant The Participant must be an ITIM user Applicable to People and Accounts Usable in Operation Workflows and Entitlement Workflows Has Postscript tab

Request for Information Requests Information from a Participant The attributes to be provided will be presented on the Person or Account form ACIs not needed Applicable to People and Accounts Usable in Operation Workflows and Entitlement Workflows Has Postscript tab

Work Order Sends email to a Participant For Notification To request some action outside ITIM Participant doesn’t need to be ITIM user Must be in ITIM with mail attribute filled Javascript can be used in the message Has Postscript tab

Script Element Used to run Javascript code FESI extensions can be used

Loop Element Executes one or more elements in a Loop Loop Types Do While Evaluates condition before executing Do Until Evaluates condition after each execution Not Supported: Transitions directly into and out of the Loop Nested Loops

Operation Element Calls an existing Operation Workflow from another The called Entity Type and Entity in the called workflow can be different from the calling workflow The called workflow doesn’t return data to the calling workflow

Subprocess Element Calls one Entitlement Workflow from another Must map relevant data in the calling to input parameters in the called workflow

Extension Element Used to call an application extension to the workflow engine Are Java classes Implement the Workflow API Need to be registered in workflowextensions.xml

Transition Lines Execution Flows that connect Workflow Elements Any number of Transition Lines can enter or leave a Workflow elements Javascript code can be added to Transition Lines

Transition Lines: Split Types Split Types And All paths leaving the element will be evaluated and all paths evaluated to true will be followed Or The transitions are evaluated until one is found to be “true” and that path is then followed; all other paths are not evaluated

Transition Lines: Join Types Join Types And All elements on active paths leading to this element must complete before the joined element is executed Or The first path leading to the element that is evaluated to true will cause the element to be executed Since it’s not possible to order the paths, only ONE path should evaluate to true

Appendix 2 How to Document Workflows

Tech_Implementation of Complex ITIM Workflows

More Related Content

What's hot (20)

Similar to Tech_Implementation of Complex ITIM Workflows (20)

More from 51 lecture (20)

Recently uploaded (20)

Tech_Implementation of Complex ITIM Workflows