7.11 Role Request Activity
The Role Request activity allows you to automate the granting or revoking of roles to users, groups, or containers. For example, you might write a provisioning request definition that provisions all of the resources and roles a new employee needs on their first day. Using the role request activity, you can automate the approval of that employee for specified roles.
You can also configure the activity to respond to Separation of Duty (SoD) constraint overrides by always approving, or allowing specific cases. You can use the activity to configure the effective and expiration dates for the role, or use it to extend the expiration date of a role.
The Role Request activity runs within the system service security context.
There is no limit on the number of Role Request activities allowed within a workflow.
The Role Request activity fails if the requested role DN or the target DN is invalid, or does not exist.
The result of the role request is written as a system comment to the comment history.
The Role Request activity does not support the ability to set the originator of the request. Use Simple Object Access Protocol (SOAP) calls rather than this activity when you need this information.
7.11.1 Properties
The Role Request activity has the following properties:
Table 7-22 Role Request Properties
|
Property Name |
Description |
|---|---|
|
|
Required. Provides a localizable name for the activity. |
|
|
Required. Text that describes the reason for the assignment request. This corresponds to the field of the tab. |
|
|
Specifies the action the activity should perform. Select a value from the drop-down list. The values are:
|
|
|
Required. An expression that resolves to a list of requested roles. For information on building this expression, see Specifying the Roles and Targets Properties. This is an example of the script to request a specific role: 'CN=Administer Drugs,CN=Level10,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,' + PROVISIONING_DRIVER In this script example, the value is retrieved from flowdata: flowdata.get('Start/request_form/role') |
|
|
Required. Specifies the type of object that the requested role will be assigned. Choose one of the values from the list. The values are:
|
|
|
The date when the role assignment goes into effect. If no date is specified, the assignment is effective immediately after it is requested. You can use the Expression Builder convenience methods to specify this value. 
|
|
|
Required. An expression that resolves to the DN of the object for whom the role is requested. The target can be users, groups, or containers depending on Target Type value. The targets that you specify must resolve to the Target Type specified. For information on building this expression, see Specifying the Roles and Targets Properties. The following examples show a script for targets: 'cn=ablake,ou=users,ou=medical-idmsample,o=novell' To retrieve the value from flowdata: flowdata.get('Start/request_form/group') |
|
|
The date when the role assignment expires. If not specified, the assignment remains in effect indefinitely. You can use the Expression Builder’s convenience methods to specify this value. 
|
|
|
An optional string field. If not supplied, it defaults to the process instance ID. This string must be less than or equal to 64 characters. |
|
|
Optional field. Defines how the Role Request activity should handle a request that causes an SoD constraint violation. Values are:
|
|
|
Optional field. Available when is false. Describes why an exception to the SoD constraint is necessary. If no value is specified, the is used. This example shows how to retrieve the value from flowdata. flowdata.get('Start/request_form/reason') |
|
|
Available when the SoD Override Request is false. It is a list of one or more SoD constraints to override. When an SoD constraint is encountered and the constraint is in this list, the role request activity will request the role. It the SoD is not in this list, the role request activity will stop executing and follow the error link. You can use the Expression Builder’s convenience methods to build the expression. The list contains the local list of SoDs defined for this project. For example: 
Selecting the Doctor-Nurse SoD generates an expression like this: 'cn=Doctor-Nurse,cn=SoDDefs,cn=RoleConfig, cn=AppConfig,' + PROVISIONING_DRIVER' |
Specifying the Roles and Targets Properties
Designer provides a convenient way to build the Roles and Targets expressions using the Expression Builder.
-
Click the
button in the property’s column.Designer launches this dialog box for adding or removing expressions.
-
Click + to add a new Roles or Targets expression by using the Expression Builder.
The dialog box displayed by Designer varies depending on whether you are specifying Roles or Targets. This dialog shows an example of the dialog box displayed to specify Roles because it includes the button.
You can choose one of the ECMAScript Objects to build the Roles or Targets expression, or use the button to select a specific object. Click to locate a role.
-
To choose specify a Role, click .
-
In the dialog box, specify the , , , , and on which you want to search.
For , , and , you can enter a wildcard (such as S*, *S) or regular expressions (such as [A-Z][a-z]*).
You can enter a value for all of the fields or none of the fields. If you do not supply a value in a particular field, the search returns all of the possible values for that field. If you enter a value in one or more of the fields, the values are ANDed together to create the search filter. The search occurs on the roles defined locally. Roles matching the search criteria are displayed in the selection list.
-
Select a role from the selection list, then click . The role is added to the expression area.
-
-
Click after you are satisfied with expression. Repeat Step 2 to continue to add more expressions.