Implementation of Complex ITIM Workflows

This complex ITIM workflow example checks the process type and parent process types to determine if the workflow is for an account operation like add, modify, delete. It uses JavaScript variables and functions to extract property values and conditionally display the appropriate service name and operation based on whether it is for a standard account or "other account". The workflow starts a request for approval by the account owner.

Uploaded by Dmitry

IBM Software Group

1362 - Implementation of
Complex ITIM Workflows
Fred Santos

Fred Santos
Pan EMEA Subject Matter Expert Group
IBM Software Group

Agenda
ITIM Workflow Concepts: a quick Overview
Workflow Types
Workflow Data
Workflow Elements
Workflow and JavaScript
Workflow Extensions
Complex ITIM Workflows by Example

Abstract
ITIM manages security policies by using workflows. The ability to develop customized workflows is essential to getting value out of an ITIM deployment and is in high demand during customer engagements.

Skills Level: Advanced

Workflow Types
Operation Workflows
Lifecycle Management
Persons and BPPersons
Accounts
Global
Entitlement Workflows
Provisioning Processing
Accounts

Operation Workflows
Associated with manipulation of Entities:
Account
Person
BPPerson
Global workflows can be defined and
called from other operation workflows

Operation Workflows
Can be defined at two levels:
Entity Type
Entity
The Entity Type Workflows are inherited by all entities of that type.
E.g.: Operation Workflows defined at the level of Entity Type Account will be inherited by all Accounts, regardless of profile.
The Entity Workflows override those inherited from the Entity Type level.
E.g.: a customized Modify NT account workflow overrides the modify workflow inherited from the Account Entity Type.

Operation Workflows
Person and BPPerson operations:
Add
Modify
Delete
Suspend
Restore
Transfer
SelfRegister

Operation Workflows
Account Operations:
Add
Modify
Delete
Suspend
Restore
ChangePassword

Entitlement Workflows
Specified in Provisioning Policies
Entitlement Workflows are NOT mandatory
Triggered by:
Account Add
Account Modify
Executed before the relevant Operation Workflow
The Operation Workflow does not start before the Entitlement Workflow completes

Workflow Data
Three types of Workflow Data:
Javascript variables
Relevant Data
Workflow Context Objects

Javascript Variables
Defined in Javascript code:
Javascript Nodes
Postscript tabs
“Custom” code in some other Nodes
Start and End Nodes
Can’t be Serialized or made Persistent
Exist in the context of their definition
When the node completes, all variables will be out of scope

Relevant Data
Defined in the Workflow Properties page
Exists throughout the life of the workflow
Stored in the ITIM Database
Can be associated with contexts:
Subject
Requestee
Both
Not Applicable
Relevant Data
Types of Relevant Data:
Input/Output Parameters
Workflow Defined
User Defined

Input/Output Parameters in Entitlement Workflows
Input Parameters:
Entity – Account:
In an add request, it contains the data for the new account
In a modify request, it contains only the modified attributes
Service:
The Service where the account exists or will be created
Owner – Person:
The Person associated with the account
Output Parameters:
Entity – Account

Input Parameters in Operation Workflows
Static Operations:
Add: Person or Account
(Account) Modify: Account
SelfRegister: Person
Non-Static Operations:
Delete: Person or Account
(Person) Modify: Person
Suspend: Person or Account
Restore: Person or Account
Transfer: Person
ChangePassword: Account

System Defined and User Defined Data
System Defined Data:
Defined only in some workflows
User Defined Data:
Defined in the Workflow Properties Page
Made persistent in the ITIM Database
Accessed in Javascript with
userObject = ItemName.get();
Changed in Javascript with
ItemName.set(userObject);

Workflow Context Objects
Contain information about the object in question:
Activity
Process
Accessible in Javascript code

Workflow Elements
Start and End
Approval
Request for Information
Work Order
Script
Loop
Operation and Subprocess
Extension
Transition Lines

Workflow and JavaScript
Most Elements allow Javascript code to be executed:
Start and End Nodes
Script Nodes
Postscript Tabs (Approval, Extension, …)
Transition Lines
Allows:
Manipulation of Relevant Data
Conditional logic in Transition Lines

Workflow and Javascript
FESI Extensions can be used in Javascript code
Created as Java classes implementing the Javascript API
Installed in the ITIM classpath
Registered in enRole.properties
Used as
Objects
var userObj = new extObject();
Functions
var userVar = extFunction(val1, val2);

Workflow Extensions
Java classes implementing the Workflow API
Installed in the ITIM classpath
Registered in workflowextensions.xml
Used by adding an Extension node in the Workflow
Select the class name in Extension Name
Map the Input and Output Parameters to Relevant Data
The Input and Output Parameters are defined in the Java class

Workflow Extensions
Can be used to
Hide sensitive processing logic
Access external data stores
Files
Databases
LDAP Servers
Implement logic difficult to code or inefficient in Javascript
Number crunching
Encapsulate processing in a single node

Complex Workflows:
Example 1
Global Operation (Account Entity Type)
Approval_Process

Complex Workflows:
Example 1
// Initialise the loop instance counter to zero and the exitloop switch to false.
loopinstance.set(0);
exitloop.set("false");
// Check the current process type. If it is not an Account process type, walk back
// through the parent processes until an Account process type is found or the root
// parent is reached. The default description is "Unknown".
current = process;
exitwhile = false;
parentType = "";
parentTypeDesc.set("Unknown");
while (!exitwhile) {
  // Two-letter types starting with "A" (one account) or "L" (list of accounts)
  // identify an account process.
  if ((current.type.substring(0,1) == "A" || current.type.substring(0,1) == "L") && current.type.length == 2) {
    parentType = current.type;
    exitwhile = true;
  } else if (current.parentId == 0 || current.parentId == "0") {
    exitwhile = true;
  } else {
    current = current.getParent();
  }
}
if (parentType == "AA") { parentTypeDesc.set("Account Add"); }
else if (parentType == "AC") { parentTypeDesc.set("Account Change"); }
else if (parentType == "AP") { parentTypeDesc.set("Account Password Change"); }
else if (parentType == "LS") { parentTypeDesc.set("Suspend Multiple Accounts"); }
else if (parentType == "LR") { parentTypeDesc.set("Restore Multiple Accounts"); }
else if (parentType == "LD") { parentTypeDesc.set("Delete Multiple Accounts"); }
else if (parentType == "LP") { parentTypeDesc.set("Change Password for Multiple Accounts"); }
else if (parentType == "AS") { parentTypeDesc.set("Suspend Account"); }
else if (parentType == "AR") { parentTypeDesc.set("Restore Account"); }
else if (parentType == "AD") { parentTypeDesc.set("Delete Account"); }
// otherAccount check: flag requests made against the "otherAccount" service.
// The explicit "false" branch is added so later comparisons with "false" are reliable
// even when the relevant data has no default value.
if (service.get().getProperty("erservicename")[0] == "otherAccount") {
  otherAccountCheck.set("true");
} else {
  otherAccountCheck.set("false");
}
parentTypeDesc.get();

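As an added example (not code from the presentation), the same parent-process walk and subject selection in plain JavaScript, with the ITIM process object, getParent() and the relevant-data set()/get() calls emulated by plain objects; the type codes "GO" and "PA", the service names and the person names are constructed.

```javascript
// Added example, not from the presentation: a stand-alone model of the
// Approval_Process start-node logic. The process type codes "GO" and "PA"
// used in the sample chain are constructed placeholders.
const TYPE_DESC = {
  AA: "Account Add", AC: "Account Change", AP: "Account Password Change",
  AS: "Suspend Account", AR: "Restore Account", AD: "Delete Account",
  LS: "Suspend Multiple Accounts", LR: "Restore Multiple Accounts",
  LD: "Delete Multiple Accounts", LP: "Change Password for Multiple Accounts",
};

// Two-letter types starting with "A" (one account) or "L" (list of accounts)
// identify an account process; anything else (global or person operations)
// is skipped while walking up the parent chain.
function isAccountType(type) {
  return typeof type === "string" && type.length === 2 &&
    (type.charAt(0) === "A" || type.charAt(0) === "L");
}

// Walk from the current process through its parents until an account process
// type is found or the root (parentId 0) is reached; "" means none was found.
function resolveParentType(process) {
  let current = process;
  for (;;) {
    if (isAccountType(current.type)) return current.type;
    if (String(current.parentId) === "0") return "";
    current = current.getParent();
  }
}

function describeParentType(process) {
  return TYPE_DESC[resolveParentType(process)] || "Unknown";
}

// Choose service name and operation the way the notification template does:
// standard accounts use the service name and the resolved parent type, while
// requests against the "otherAccount" service carry both on the entity itself.
function buildSubject(process, service, entity, ownerCn) {
  const other = service.erservicename === "otherAccount";
  const svc = other ? (entity.erOtherAccountService || "") : service.erservicename;
  const op = other ? (entity.erOtherAccountOperation || "") : describeParentType(process);
  return "ARMS " + svc + " " + op + " Request For " + ownerCn + " Waiting for Your approval";
}

// Constructed sample chain: the global Approval_Process ("GO") is called from
// an Account Restore process ("AR"), which is the root of the request.
function makeProcess(type, parent) {
  return { type: type, parentId: parent ? 1 : 0, getParent: () => parent };
}
const restoreRoot = makeProcess("AR", null);
const approvalProc = makeProcess("GO", restoreRoot);
const orphanProc = makeProcess("PA", null); // root with a non-account type
```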
Complex Workflows:
Example 1
Each <JS> block is replaced by its result (a return value or the last expression evaluated); the trailing "" after the getprop definition makes that block emit nothing.

Subject:
<JS>function getprop(ob, prop){ x = ob.getProperty(prop); if (x.length != 0) { return x[0]; } else { return ""; } } "";</JS>ARMS <JS>if (otherAccountCheck.get() == "false") { return (service.get().getProperty("erservicename")[0]); } else { return (getprop(entity.get(), "erOtherAccountService")); }</JS> <JS>if (otherAccountCheck.get() == "false") { return (parentTypeDesc.get()); } else { return (getprop(entity.get(), "erOtherAccountOperation")); }</JS> Request For <JS>o = owner.get(); getprop(o, "cn");</JS> Waiting for Your approval

Message:
<JS>function getprop(ob, prop){ x = ob.getProperty(prop); if (x.length != 0) { return x[0]; } else { return ""; } } "";</JS>There is a <JS>if (otherAccountCheck.get() == "false") { return (service.get().getProperty("erservicename")[0]); } else { return (getprop(entity.get(), "erOtherAccountService")); }</JS> account <JS>if (otherAccountCheck.get() == "false") { return (parentTypeDesc.get()); } else { return (getprop(entity.get(), "erOtherAccountOperation")); }</JS> request for <JS>o = owner.get(); getprop(o, "cn");</JS> waiting for your approval.<JS>if (otherAccountCheck.get() != "false") { return ("\nAccount Information: " + getprop(entity.get(), "erotheraccountcontent") + "\n"); } else { return (""); }</JS>Please see the service charging information for <JS>if (otherAccountCheck.get() == "false") { return (service.get().getProperty("erservicename")[0]); } else { return (getprop(entity.get(), "erOtherAccountService")); }</JS> account from http://www.ibm.com To approve/reject the request, go to MyTodo List >> Pending Requests. Login to ITIM: http://www..ibm.com/ITIM Thank you for using ITIM. If you have any questions please see the ITIM service pages or contact your local Service Desk. Please, do not reply to this message. ITIM is a central webtool for requesting, generating, maintaining and managing System and Application accounts in IBM. http://www.itim.ibm.com/ITIM

Complex Workflows:
Example 1
Approval node

Attribute Name           Attribute Value
Node Type                Approval node
ActivityID               OneDayApprovalTimeout
Activity Name            Approval with a 1 Day Timeout
Description              Approval Request
Participant              Custom: participant = new Participant(ParticipantType.SUPERVISOR);
Escalation Participant   Custom: participant = new Participant(ParticipantType.SUPERVISOR);
Escalation Limit         1 Days 0 Hours 0 Minutes 0 Seconds
Join Type                AND
Split Type               AND

Relevant Data

ID        Entity Type   Relevant Data ID
entity    Account       entity
service   Service       service
owner     Person        owner

Complex Workflows:
Example 1
Attribute Name   Attribute Value
Node Type        Script node
ActivityID       LOOP_START
Join Type        AND
Split Type       AND
Script           true;

Attribute Name   Attribute Value
Node Type        Script node
ActivityID       EXIT_LOOP
Join Type        AND
Split Type       AND
Script           exitloop.set("true"); true;

Attribute Name   Attribute Value
Node Type        Script node
ActivityID       LOOP_END
Join Type        AND
Split Type       AND
Script           loopinstance.set(loopinstance.get()+1); true;

Complex Workflows:
Example 1
getApproverDN
process.auditEvent("Attempting to get approver details");
if (supervisorApproval.get() == "true") {
  process.auditEvent("Getting normal approver");
  person = owner.get();
  manager = person.getProperty("erSupervisor"); // manager's erglobalid (DN)
  approver.set(manager[0]);
  approver2.set(manager[0]);
  approver3.set(manager[0]);
  process.auditEvent("Normal approver resolved");
} else { // Special approver, looked up by employee number
  process.auditEvent("Getting special approver");
  // PersonSearch is a ModelExtension; it must be registered for the workflow
  // context in fesiextension.properties before it can be used here.
  // An empty search result would leave searchResult[0] undefined and fail the script.
  personSearch = new PersonSearch();
  searchFilter = "(employeeNumber=" + approverEmpNum.get() + ")";
  searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); // 2 = subtree search scope
  approverEntity = searchResult[0]; // the search result is an array of directory objects
  approver.set(approverEntity.dn);
  if (approverEmpNumDeputy1.get() != null) {
    personSearch = new PersonSearch();
    searchFilter = "(employeeNumber=" + approverEmpNumDeputy1.get() + ")";
    searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2);
    approverEntity1 = searchResult[0];
    approver2.set(approverEntity1.dn);
  } else {
    approver2.set(approverEntity.dn); // same approver as the first
  }
  if (approverEmpNumDeputy2.get() != null) {
    personSearch = new PersonSearch();
    searchFilter = "(employeeNumber=" + approverEmpNumDeputy2.get() + ")";
    searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2);
    approverEntity2 = searchResult[0];
    approver3.set(approverEntity2.dn);
  } else {
    approver3.set(approverEntity.dn); // same approver as the first
  }
  process.auditEvent("Special approver resolved");
}
/* // For debugging if needed
process.auditEvent("approverEmpNum " + approverEmpNum.get());
process.auditEvent("approver " + approver.get());
process.auditEvent("approver2 " + approver2.get());
process.auditEvent("approver3 " + approver3.get());
process.auditEvent("approverEmpNumDeputy1 " + approverEmpNumDeputy1.get());
process.auditEvent("approverEmpNumDeputy2 " + approverEmpNumDeputy2.get());
*/

Complex Workflows:
Example 1 (continued)
Account Restore
uses Approval_Process

Complex Workflows:
Example 2
Add Account

Complex Workflows:
Example 3
Restore Account

Complex Workflows:
Example 3
// Walk up to the root parent process and record its type
current = process;
exitwhile = false;
parentType = "";
parentTypeDesc.set("Unknown");
while (!exitwhile) {
  if (current.parentId == 0 || current.parentId == "0") {
    parentType = current.type;
    exitwhile = true;
  } else {
    current = current.getParent();
  }
}
process.auditEvent("Parent Type: " + parentType);
// No e-mail when the request originated from an Account Restore ("AR")
if (parentType == "AR") {
  sendEmail.set("false");
} else {
  sendEmail.set("true");
}
process.auditEvent("sendEmail set to : " + sendEmail.get());
parentTypeDesc.get();

Complex Workflows:
Example 4
ChangePassword

Complex Workflows:
Example 4
CHECK_REQUESTOR
// Check whether the Requestee is also the Requestor (self-service request)
test = ""; // audit text, built up below
requestorCheck.set("false");
sysUserDN = CurrentProcess.getRequestorDN();
if (sysUserDN == "null" || sysUserDN == "-1" || sysUserDN == null) {
  // Not a human requestor (system-initiated request)
  requestorCheck.set("false");
} else {
  // The system user's parent reference holds the Person DN after ": "
  sysUserAccount = SystemUser.getByDN(sysUserDN);
  curr_parent = sysUserAccount.parent.toString();
  requestorPersonDN = curr_parent.substring(curr_parent.indexOf(':') + 2, curr_parent.length);
  requesteeDN = process.requesteeDN;
  test = "-" + requesteeDN + "- compared with -" + requestorPersonDN + "- ";
  if (requesteeDN == requestorPersonDN) {
    requestorCheck.set("true");
  } else {
    requestorCheck.set("false");
  }
}
test += "with result " + requestorCheck.get();
process.auditEvent(test);
test;

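The requestor-equals-requestee check above, as an added stand-alone JavaScript example that is not the presentation's code: SystemUser.getByDN() is emulated with a map, the "Type: dn" shape of the parent reference is inferred from the original substring(indexOf(':') + 2) call, and every DN is a constructed sample.

```javascript
// Added example, not from the presentation: a stand-alone model of the
// CHECK_REQUESTOR script, including the non-human requestor case.

// Mirrors curr_parent.substring(curr_parent.indexOf(':') + 2): drop the
// "Type: " prefix (assumed shape) and keep the Person DN.
function requestorPersonDN(parentRef) {
  const i = parentRef.indexOf(":");
  return i < 0 ? "" : parentRef.substring(i + 2);
}

// ITIM reports system-initiated requests (no logged-in user) with a
// null, "null" or "-1" requestor DN; only a real system user counts.
function isHumanRequestor(sysUserDN) {
  return !(sysUserDN === null || sysUserDN === undefined ||
    sysUserDN === "null" || sysUserDN === "-1");
}

// Returns the value the script stores in requestorCheck ("true" when the
// requestor is the requestee) plus the audit text it writes. systemUsers
// stands in for SystemUser.getByDN(): a map from system-user DN to account.
function checkRequestor(sysUserDN, requesteeDN, systemUsers) {
  let test = "";
  let result = "false";
  if (isHumanRequestor(sysUserDN)) {
    const account = systemUsers[sysUserDN];
    const personDN = account ? requestorPersonDN(account.parent.toString()) : "";
    test = "-" + requesteeDN + "- compared with -" + personDN + "- ";
    result = (personDN !== "" && personDN === requesteeDN) ? "true" : "false";
  }
  test += "with result " + result;
  return { requestorCheck: result, audit: test };
}

// Constructed sample directory (placeholder DNs, not from any real deployment).
const PERSON_A = "erglobalid=00000000000000000101,ou=0,ou=people,erglobalid=00000000000000000000,ou=acme,dc=com";
const PERSON_B = "erglobalid=00000000000000000202,ou=0,ou=people,erglobalid=00000000000000000000,ou=acme,dc=com";
const SYSUSER_A = "erglobalid=00000000000000000301,ou=0,ou=systemuser,erglobalid=00000000000000000000,ou=acme,dc=com";
const SYSTEM_USERS = {
  [SYSUSER_A]: { parent: { toString: () => "Person: " + PERSON_A } },
};
```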
Complex Workflows:
Example 4
Set_Pwd_change_attrs
// Set the Service and Owner relevant data from the account being changed
curr_account = Entity.get();
curr_service = curr_account.getProperty("erservice")[0];
service.set(new Service(curr_service));
curr_owner = curr_account.getProperty("owner")[0];
owner.set(new Person(curr_owner));
// Set attributes: force a password change at next logon
curr_account.setProperty("erW2kPasswordForceChange", true);
Entity.set(curr_account);
true;

Complex Workflows:
Example 5
Delete Person

Complex Workflows:
Example 6
Add Person

Appendix 1

Workflow Elements

Workflow Elements
Start and End
Approval
Request for Information
Work Order
Script
Loop
Operation and Subprocess
Extension
Transition Lines

Start and End Elements
Always exist
Can't be deleted
Can add Javascript code to them

Approval Element
Requests the Approval from a Participant
The Participant must be an ITIM user
Applicable to People and Accounts
Usable in Operation Workflows and Entitlement Workflows
Has Postscript tab

Request for Information
Requests Information from a Participant
The attributes to be provided will be presented on the Person or Account form
ACIs not needed
Applicable to People and Accounts
Usable in Operation Workflows and Entitlement Workflows
Has Postscript tab

Work Order
Sends email to a Participant
For Notification
To request some action outside ITIM
Participant doesn't need to be an ITIM user
Must be in ITIM with the mail attribute filled
Javascript can be used in the message
Has Postscript tab

Script Element
Used to run Javascript code
FESI extensions can be used

Loop Element
Executes one or more elements in a Loop
Loop Types
Do While
Evaluates condition before executing
Do Until
Evaluates condition after each execution
Not Supported:
Transitions directly into and out of the Loop
Nested Loops

Operation Element
Calls an existing Operation Workflow from another
The called Entity Type and Entity in the called workflow can be different from the calling workflow
The called workflow doesn't return data to the calling workflow

Subprocess Element
Calls one Entitlement Workflow from another
Must map relevant data in the calling workflow to input parameters in the called workflow

Extension Element
Used to call an application extension to the workflow engine
Are Java classes
Implement the Workflow API
Need to be registered in workflowextensions.xml

Transition Lines
Execution Flows that connect Workflow Elements
Any number of Transition Lines can enter or leave a Workflow element
Javascript code can be added to Transition Lines

Transition Lines: Split Types
Split Types
And
All paths leaving the element will be evaluated and all paths evaluated to true will be followed
Or
The transitions are evaluated until one is found to be "true" and that path is then followed; all other paths are not evaluated

Transition Lines: Join Types
Join Types
And
All elements on active paths leading to this element must complete before the joined element is executed
Or
The first path leading to the element that is evaluated to true will cause the element to be executed
Since it's not possible to order the paths, only ONE path should evaluate to true

Appendix 2

How to Document Workflows

Thank you!
