24.2 Setting Up Workflows to Start Automatically

Workflows are automatically started when a user starts a provisioning request by requesting a resource. In addition, the User Application driver listens for events in the Identity Vault and, when configured to do so, responds to events by starting the appropriate provisioning workflows. For example, you can configure the User Application driver to automatically start a provisioning workflow if a new user is added to the Identity Vault. You configure the User Application driver to automatically start workflows using Identity Manager policies and rules.

24.2.1 About Policies

You can use filters and policies with the User Application driver in the same way that you can with other Identity Manager drivers. When an event occurs in the Identity Vault, Identity Manager creates an XML document that describes the event. The XML document is passed along the channel to the connected system (in this case, the connected system is the identity applications). Filters and policies associated with a driver allow you to define how to respond to the event, and in the process transform that XML document to the format that is expected by the connected system. Identity Manager provides several categories of policies (for example, Event Transformation, Command Transformation, Schema Mapping, Output Transformation) that you can apply, in a prescribed order, to transform the XML document.

This section provides an example of starting a workflow based on events in the Identity Vault. Although any of the policies can be used to trigger a workflow, the example presented in this section demonstrates the easiest and most useful method.

When you create a User Application driver, an Event Transformation Policy is created for use by the driver. The Event Transformation Policy is responsible for creating the XML document that is processed by the remaining Subscriber channel policies.

NOTE: Do not change the Event Transformation policy that was created when the User Application driver was created. The DN of this policy begins with Manage.Modify.Subscriber. Changing this policy might cause the workflow process to fail.

An empty Schema Mapping Policy is also created. You can use this policy as a starting point for triggering a workflow, based on events in the Identity Vault.

24.2.2 Using the Policy Builder

The Policy Builder provides a Start Workflow action that simplifies the process of setting up a workflow to start automatically.

  1. In iManager, expand the Identity Manager Role, then click Identity Manager Overview.

  2. Specify a driver set.

  3. Click the driver for which you want to manage policies. The Identity Manager Driver Overview opens.

  4. Click the policy that you want to edit.

  5. Click Insert to open the Policy Builder.

  6. Click Create a new policy.

  7. Type a name for the policy.

  8. Click Policy Builder.

  9. Click OK.

    iManager displays a screen that lists defined policy rules.

  10. Click Append New Rule.

    iManager displays the Rule Builder.

  11. Type a Description for the rule.

  12. Select operation attribute for the If condition in Condition Group 1.

  13. Use the Browse attributes button for the Enter name field to specify the Identity Vault attribute that you want to use to start the workflow.

    For example, to start a workflow when a telephone number changes, select the Telephone Number attribute.

  14. Use the Select Operator list to select the operator to use to test the specified attribute.

    For example, to start a workflow when a telephone number changes, select changing.

  15. Select start workflow from the Action list.

  16. Use the Object Selector in the Enter provisioning request DN field to select the provisioning request definition that you want to run when the If condition is true.

    The Enter user application URL and Enter authorized user DN fields are filled in automatically.

  17. Type the password for the identity applications administrator in the Enter authorized user password field.

    We recommend using a named password, because typing a password in clear text is a security risk.

  18. In the Enter recipient DN field, specify the DN of the recipient of the workflow in LDAP format.

    The expression for the recipient DN must evaluate to a DN that conforms to RFC 2253 format (in other words, cn=user,ou=organizational unit,o=organization). For example, you can click the Argument Builder button in the Enter recipient DN field to create the following expression to pass the recipient’s DN to the workflow:

    Parse DN("qualified-slash","ldap",XPath("@qualified-src-dn"))

  19. Specify the arguments for the workflow in the Enter additional arguments field.

    You must use this field to specify the reason attribute, which is required by the workflow. You can click the String Builder button in the Enter additional arguments field to specify the reason attribute and create a value for the attribute (for example, “the recipient’s telephone number has changed”).

  20. Click OK to close the Rule Builder.

  21. Click OK to close the Policy Builder.

  22. Click OK to close the Policies screen.

  23. Make sure that you add any attributes needed by the workflow to the filter.

    In the example described in this procedure, you would need to add Telephone Number and CN to the filter.
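For reference, a rule built with the steps above corresponds to DirXML Script along the following lines. This is an added example, not taken from the original documentation: the DNs, the URL, the rule description, and the named password name wf-admin-password are placeholders. It uses a named password for the authorized user, as recommended in step 17, so that no clear-text password is stored in the policy.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Start workflow when Telephone Number changes</description>
    <conditions>
      <and>
        <!-- Steps 12-14: operation attribute, Telephone Number, changing -->
        <if-op-attr name="Telephone Number" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Steps 15-16: start workflow action.
           id          = authorized user DN (placeholder)
           url         = user application URL (placeholder)
           workflow-id = provisioning request definition DN (placeholder) -->
      <do-start-workflow
          id="cn=uaadmin,ou=sa,o=example"
          time-out="0"
          url="https://idmapps.example.com:8543/IDMProv"
          workflow-id="cn=PhoneChange,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=example">
        <!-- Step 17: reference a named password stored on the driver
             instead of embedding the administrator password as text -->
        <arg-password>
          <token-named-password name="wf-admin-password"/>
        </arg-password>
        <!-- Step 18: recipient DN converted to LDAP (RFC 2253) format -->
        <arg-dn>
          <token-parse-dn src-dn-format="qualified-slash" dest-dn-format="ldap">
            <token-xpath expression="@qualified-src-dn"/>
          </token-parse-dn>
        </arg-dn>
        <!-- Step 19: the reason attribute required by the workflow -->
        <arg-string name="reason">
          <token-text xml:space="preserve">the recipient's telephone number has changed</token-text>
        </arg-string>
      </do-start-workflow>
    </actions>
  </rule>
</policy>
```

If the policy XML instead shows the password as literal text inside arg-password, anyone who can read or export the policy can recover the administrator credential; replace it with a named password reference.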