IBM Security Identity Manager Workflows How To
How to disable manual workflow notifications
Set the service to be a “local” service. Find the service profile in question and add the following erproperty attribute:
com.ibm.itim.remoteservices.ResourceProperties.IS_LOCAL=true
This stops ITIM from automatically executing its manual workflows for that service, so the custom workflows are used instead.
How to add a no email notification class to ITIM mailing
Compile NoNotify.java
- Set up the classpath: c:\websphere\appserver\bin;
- Create NoNotify.java with the following content:
    package com.ibm.itim.mail;

    import java.util.Collection;
    import java.util.Collections;
    import com.access360.enrole.mail.NotificationFactory;

    // Notification factory that never produces a notification, so ITIM sends no mail
    // for any workflow event it is configured for in enRole.properties.
    public class NoNotify implements NotificationFactory {
        // Return an empty collection instead of a notification for the given context.
        public Collection getNotification(Object ctxt) {
            return Collections.EMPTY_LIST;
        }
    }
- Look for the compiled class C:\websphere\appserver\java\bin\com\ibm\email\NoNotify.class
- Package it: C:\websphere\appserver\java\bin\jar -cvf email.jar com
- Copy email.jar to c:\websphere\appserver\enroll.ear[\enrole.war]
- Edit the MANIFEST.MF file at c:\websphere\appserver\installedApps\enrole.ear\enrole.war\META-INF\MANIFEST.MF and list email.jar under xecrces.jar
- Edit enrole.properties (and c:\websphere\appserver\java\bin\com\ibm\itim\mail) so that every notification entry points at the new class:
    enrole.workflow.notification.activitytimeout=com.ibm.itim.mail.NoNotify
    enrole.workflow.notification.processtimeout=com.ibm.itim.mail.NoNotify
    enrole.workflow.notification.processcomplete=com.ibm.itim.mail.NoNotify
    enrole.workflow.notification.pendingwork=com.ibm.itim.mail.NoNotify
    enrole.workflow.notification.newaccount=com.ibm.itim.mail.NoNotify
    enrole.workflow.notification.newpassword=com.ibm.itim.mail.NoNotify
    enrole.workflow.notification.deprovision=com.ibm.itim.mail.NoNotify
Here's an example of a no-mail notification class (the example can also be found in the <ITIM_HOME>/extensions/examples directory):
    package com.ibm.itim.mail;

    import java.util.Collection;
    import java.util.Collections;
    import com.access360.enrole.mail.NotificationFactory;

    public class NoNotify implements NotificationFactory {
        public Collection getNotification(Object ctxt) {
            return Collections.EMPTY_LIST;
        }
    }
That needs to be saved as a file called NoNotify.java. It then needs to be compiled, added to a jar file, and loaded into the ITIM appserver (the procedure differs depending on whether it's WebLogic or WebSphere). Once the class is loaded, edit enrole_home/data/enRole.properties to set all the email notification lines to use the new class, e.g.:
    enrole.workflow.notification.activitytimeout=com.ibm.itim.mail.NoNotify
The enrole server will need to be restarted once both of these changes have been made.
How to add a recertification workflow for identities (not accounts)
Let's assume you'll need approval from 1-35 people for each record being recertified.
Two main options:
- Use a Loop approach.
- This would send out the approvals in sequence, so each subsequent approval would not be sent out until the current approver made a decision. The benefit is that you can set the loop to repeat the correct number of times, and the workflow itself will look rather simple:
start -> loop -> approval -> end
- Use a parallel approach
- In this scenario, you will need to add approval nodes for the maximum number of potential approvers. The benefit is that each approver will be notified immediately, but the process won't finish until the last approver has made a decision. The workflow would look something like:
start -> approval (x35) -> end
It's hard to draw in an email, but there would be 35 transition lines from start to the various approval nodes, and 35 lines from the nodes back to end. The join condition should be set to "AND" so that they must all be complete before the workflow will move on.
Option 2 is the best approach because of the parallel timing. However, you would need to make sure the unneeded approvals were automatically approved or skipped altogether. This can be done on the transition lines by comparing the size of the "approver" array to a given number, with that number increasing by one at each successive transition line (node 1 fires if there is at least one approver, node 2 if there are at least two, and so on). Then in each approval node you would use a custom participant set to the corresponding position in the array.
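The gating logic just described, as an added example that is not part of the original notes: a stand-alone JavaScript simulation of the 35 parallel approval nodes, the per-transition size check against the "approver" array, the position-based participant, and the AND join. Function names, the sample approver DNs and the decision map are assumptions for illustration; in ITIM the transition-line scripts and custom participant scripts would return these values rather than a test harness calling them.

```javascript
// Added example (not from the original notes): simulates the gating logic
// for the parallel recertification workflow. Approval node i (1..MAX_APPROVERS)
// is reached only if the "approver" array holds at least i entries; the join
// back to "end" is an AND over the nodes that actually fired.
// Helper and variable names are assumptions for illustration only.
const MAX_APPROVERS = 35;

// Transition-line condition for node i: true when approver #i exists.
function transitionOpen(approvers, i) {
  return Array.isArray(approvers) && approvers.length >= i;
}

// Custom participant for node i: the entry at position i-1 in the array,
// or null when that node is skipped.
function participantFor(approvers, i) {
  return transitionOpen(approvers, i) ? approvers[i - 1] : null;
}

// Works out which nodes fire and which are skipped for one record.
// Throws if more approvers are supplied than the workflow has nodes for,
// because those people would otherwise never be asked.
function planApprovals(approvers) {
  if (approvers.length > MAX_APPROVERS) {
    throw new Error("workflow has " + MAX_APPROVERS + " approval nodes, got " +
                    approvers.length + " approvers");
  }
  const active = [];
  const skipped = [];
  for (let i = 1; i <= MAX_APPROVERS; i++) {
    (transitionOpen(approvers, i) ? active : skipped).push(i);
  }
  return { active, skipped };
}

// AND join: the workflow moves to "end" only once every node that fired has a
// recorded decision. `decisions` maps node number -> "Approved" / "Rejected".
function joinSatisfied(plan, decisions) {
  return plan.active.every((i) => decisions[i] !== undefined);
}

// Constructed sample record with three approvers (hypothetical DNs).
const sampleApprovers = ["uid=alice,ou=people", "uid=bob,ou=people", "uid=carol,ou=people"];
const samplePlan = planApprovals(sampleApprovers);
```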
For each approval, the approver can add comments that will be stored in the Result Detail section of the Activity. When you view the Audit Log of the Completed Request, you can see who performed the approval and what their comments were, if any.
@HowTo @ITIM