Workflows

Any change to an entity object can be made subject to a defined workflow.

Consider the following subtle difference between authorization and execution: somebody may be authorized to assign an entitlement to somebody else, but whether that assignment becomes effective can be determined by a workflow.

If you go to the vault and select the tab governance > workflowconfigurations, you will see some example workflow definitions.

A workflow configuration is a combination of an action, an optional concept type, a type of workflow and some configuration.

By default, a workflow requiring approval by an organisation administrator is configured, amongst others. The workflow engine looks up the organisation for the related concept/entity and creates a workflow task for the organisation administrators of that organisation. You can check the configuration of this workflow as an example.

Possible actions are:

  • CREATE

  • UPDATE

  • DELETE

Possible concept types are:

  • IdentityType

  • OrganisationType

  • Identity

  • Organisation

  • Entitlement

  • Transformer

  • ProvisioningUnit

  • OrganisationTypeAssignment

  • OrganisationAssignment

  • EntitlementAssignment

  • EntitlementRequest

  • Device

  • EntitlementConflict

  • Application

  • Scope

Possible workflows are:

  • APPROVAL_ROLE

  • APPROVAL_ORG_ADMIN

  • APPROVAL_ATTRIBUTE_MATCHER

Organisation administrator approval

This workflow looks up the organisation linked to the entity, then creates a task for each identity linked to that organisation that has the organisation administrator role. If no approvers are found, it throws an exception and the concepts remain locked.

The following configuration can be changed:

| Name | Description |
| --- | --- |
| roles | configuration defining the roles/entitlements of the identities that have to approve within the organisation, separated by a comma if multiple roles are allowed (OR), defaulting to ADMIN_ORG |
| linkApprove | the link used to approve the entity (in the email) |
| linkReject | the link used to reject the entity |
| mailTemplate | the name of the template to use while sending the notification |
| autoApproveIfSelfRequest | automatically approve the task if the requestor is the same as the approver, defaults to true |
| createNotification | create a notification for the approver, defaults to true |
| maximumNrOfTasksToCreate | maximum number of tasks to create, defaults to 10 |

Role/Entitlement approval

This workflow creates a task for all identities that have the roles defined in the configuration.

Duplicate identities are filtered out, and auto-approval is supported when the requestor matches the approver.

The following configuration can be changed:

| Name | Description |
| --- | --- |
| roles | required configuration defining the roles or entitlements (cross organisation) of the identities that have to approve, separated by a comma if multiple roles are allowed (OR) |
| autoApproveIfSelfRequest | automatically approves the task when the requestor is also assigned as an approver; no notification is sent (default true) |
| createNotification | creates an email notification containing a link to immediately approve or reject (default true) |
| maximumNrOfTasksToCreate | the maximum number of tasks (for different identities) to create; if the threshold is reached, no more tasks are created (default 10) |
| linkApprove | the link used to approve the entity (in the email) |
| linkReject | the link used to reject the entity |
| mailTemplate | the name of the template to use while sending the notification |

Attribute matcher workflow

This workflow creates a task for identities that have an attribute matching an attribute of the related concept.

For example, identity A has an attribute manager that contains the value BB. Identity B has an attribute managerId that contains the value BB.

It can now be configured that an update of identity A has to be approved by identity B by setting the conceptAttribute to manager and the approverAttribute to managerId.

| Name | Description |
| --- | --- |
| approverAttribute | the attribute of the approver |
| conceptAttribute | the attribute of the concept |
| autoApproveIfSelfRequest | |
| createNotification | |
| maximumNrOfTasksToCreate | |
| mailTemplate | |
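The following added example (not code from the product) models how the role and attribute-matcher workflows described above pick approvers and how autoApproveIfSelfRequest, createNotification and maximumNrOfTasksToCreate shape the resulting tasks, so the effect of the defaults on self-approval can be checked. Assumptions: the identity record layout, the role names USER and AUDITOR, the task status names, that the attribute matcher uses the same defaults as the role workflow, and that the task cap is applied in input order.

```python
# Added illustration: a model of the task-planning rules described on this page,
# not the product's code. Record layout and status names are assumptions.
DEFAULTS = {"autoApproveIfSelfRequest": True, "createNotification": True,
            "maximumNrOfTasksToCreate": 10}

def find_approvers(workflow, config, concept, identities):
    """Return candidate approver ids, duplicates filtered, in input order."""
    if workflow == "APPROVAL_ROLE":
        wanted = {r.strip() for r in config["roles"].split(",")}  # OR semantics
        hits = [i for i in identities if wanted & set(i["roles"])]
    elif workflow == "APPROVAL_ATTRIBUTE_MATCHER":
        value = concept["attributes"].get(config["conceptAttribute"])
        hits = [i for i in identities if value is not None
                and i["attributes"].get(config["approverAttribute"]) == value]
    else:
        raise ValueError(f"unsupported workflow: {workflow}")
    return list(dict.fromkeys(i["id"] for i in hits))

def plan_tasks(workflow, config, concept, requestor_id, identities):
    """Return one dict per task: approver, status, and whether a mail is sent."""
    cfg = {**DEFAULTS, **config}
    approvers = find_approvers(workflow, cfg, concept, identities)
    tasks = []
    for approver in approvers[:cfg["maximumNrOfTasksToCreate"]]:  # cap (assumed order)
        self_request = approver == requestor_id and cfg["autoApproveIfSelfRequest"]
        tasks.append({"approver": approver,
                      "status": "AUTO_APPROVED" if self_request else "PENDING",
                      "notify": cfg["createNotification"] and not self_request})
    return tasks

def self_approved(tasks):
    """Approvers whose own request was approved without a second person."""
    return [t["approver"] for t in tasks if t["status"] == "AUTO_APPROVED"]

# Constructed sample data: identity A's manager attribute matches B's managerId.
IDENTITIES = [
    {"id": "A", "roles": ["USER"], "attributes": {"manager": "BB"}},
    {"id": "B", "roles": ["ADMIN_ORG"], "attributes": {"managerId": "BB"}},
    {"id": "C", "roles": ["ADMIN_ORG", "AUDITOR"], "attributes": {}},
]
MATCHER_CFG = {"conceptAttribute": "manager", "approverAttribute": "managerId"}

if __name__ == "__main__":
    a = IDENTITIES[0]
    print(plan_tasks("APPROVAL_ATTRIBUTE_MATCHER", MATCHER_CFG, a, "A", IDENTITIES))
    print(plan_tasks("APPROVAL_ROLE", {"roles": "ADMIN_ORG, AUDITOR"}, a, "B", IDENTITIES))
```

Running `self_approved` over the planned tasks for each configured workflow lists the requests that would take effect without a second approver under the default autoApproveIfSelfRequest setting.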
