Topic
  • 4 replies
  • Latest Post - 2014-08-13T06:09:29Z by SAgrahari
SAgrahari
8 Posts

Pinned topic Need to update a role from Workflow

2014-08-12T03:38:04Z

Hi All,

I need to update a role in LDAP from Delete Person Workflow. As we don't have an out of box extension available to update Role (as we have for modifyPerson, modifyAccount), what would be the best approach to implement this solution?

I think I can create an IBMJS extension and utilize ITIM APIs. Is there an out of box solution without IBMJS extension?

Please provide your comments.

 

  • franzw
    385 Posts
    ACCEPTED ANSWER

    Re: Need to update a role from Workflow

    2014-08-13T06:01:06Z
    • SAgrahari
    • 2014-08-13T05:31:51Z

    The person's userid is stored in role as an attribute of role. I need to replace that Id with another user's id since user is getting deleted from the system.

    The person is not a member of the role.

    I think I understand the use case as you are deleting a person that is referenced as e.g. a Role Owner on 1 or more roles and want to remedy that situation.

    This is a well-known challenge for most implementations using the concept of role owners - the real issue here is that when the last role owner is removed, eventual role owner approval will basically be skipped for that role....

    Now - IMHO you should never have persons directly linked to the role - this is bad security practice - always use roles instead. If you use roles you would be able to have e.g. the security administration as a last resort - not that it fixes the problem - but at least you will avoid unapproved roles.

    Now - a real solution to this would be to have operational workflows for the role entity (and same applies for org units, services) so that this could be built easily in the workflow designer - but this requires an accepted RFE.

    So - currently you will have to stick with either a JavaScript extension to do the work or use the Java API directly in the workflow - see scriptFramework.properties (not recommended as you may open up security holes).

    I cannot provide you guidelines on the actual coding - but study the API samples in your ITIM_HOME/extensions directory and the actual Java API to find which searches and role APIs are necessary to do the job....

    HTH

    Regards

    Franz Wolfhagen
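    As an added illustration of the cleanup the accepted answer describes (this is not ITIM's API, nor code from anyone in this thread): before the person is deleted, find every role whose owner attribute references that person, drop the reference, and, where that would leave the role with no owner at all, substitute a fallback owner and flag the role so the change to approval routing is visible for review. The in-memory data model, the attribute name `owner`, the DNs and the function names are all constructed assumptions; in a real workflow extension the final step would be the role modification API call.

```javascript
// Added example, not ITIM code: role-owner cleanup on person deletion, on
// constructed in-memory data. Attribute names, DNs and function names are
// assumptions for illustration only.

// Constructed sample: roles whose "owner" attribute holds the DNs of the
// persons allowed to approve requests for that role.
const PERSON_A = "erglobalid=100,ou=people,dc=example";
const PERSON_B = "erglobalid=101,ou=people,dc=example";
const PERSON_C = "erglobalid=102,ou=people,dc=example";
// Fallback owner: a role DN (e.g. security administration), not a person,
// following the advice in the reply above.
const FALLBACK_OWNER = "erglobalid=900,ou=roles,dc=example";

const SAMPLE_ROLES = [
  { dn: "erglobalid=1,ou=roles,dc=example", name: "Finance Approver", owner: [PERSON_A, PERSON_B] },
  { dn: "erglobalid=2,ou=roles,dc=example", name: "Payroll Admin",    owner: [PERSON_A] },
  { dn: "erglobalid=3,ou=roles,dc=example", name: "Helpdesk",         owner: [PERSON_C] },
  { dn: "erglobalid=4,ou=roles,dc=example", name: "Reader",           owner: [] },
];

// DNs are compared case-insensitively and ignoring surrounding whitespace.
function sameDn(a, b) {
  return a.trim().toLowerCase() === b.trim().toLowerCase();
}

// Step 1: find every role that references the person being deleted as owner.
function rolesOwnedBy(roles, personDn) {
  return roles.filter(r => (r.owner || []).some(o => sameDn(o, personDn)));
}

// Step 2: plan the change. The person is dropped from each affected role; a
// role that would be left without any owner gets the fallback owner instead
// and is flagged so a reviewer can see that approval routing changed.
function planOwnerReassignment(roles, personDn, fallbackOwnerDn) {
  if (sameDn(fallbackOwnerDn, personDn)) {
    throw new Error("fallback owner must not be the person being deleted");
  }
  return rolesOwnedBy(roles, personDn).map(role => {
    const remaining = role.owner.filter(o => !sameDn(o, personDn));
    const orphaned = remaining.length === 0;
    return {
      dn: role.dn,
      name: role.name,
      owner: orphaned ? [fallbackOwnerDn] : remaining,
      orphaned,
    };
  });
}

// Step 3: apply the plan to a copy of the role data. In a real workflow this is
// where the role modification API call would go; the copy stands in for the
// write so the function stays side-effect free and testable.
function applyPlan(roles, plan) {
  const byDn = new Map(plan.map(u => [u.dn, u]));
  return roles.map(role => ({
    ...role,
    owner: byDn.has(role.dn) ? byDn.get(role.dn).owner.slice() : role.owner.slice(),
  }));
}

// Run the whole remediation and return both the plan (for the audit trail or
// an approval step) and the resulting role set.
function remediatePersonDeletion(roles, personDn, fallbackOwnerDn) {
  const plan = planOwnerReassignment(roles, personDn, fallbackOwnerDn);
  return { plan, roles: applyPlan(roles, plan) };
}

// Stand-alone run on the constructed sample.
const result = remediatePersonDeletion(SAMPLE_ROLES, PERSON_A, FALLBACK_OWNER);
for (const u of result.plan) {
  const note = u.orphaned ? "  (no owner left; fallback assigned)" : "";
  console.log(`${u.name}: owner -> ${u.owner.join(", ")}${note}`);
}
```

    The flagged entries in the plan are the ones worth surfacing to an administrator: a role that fell back to the catch-all owner is exactly the case where, without this step, approvals would silently be skipped.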

  • Sanjay Sutar
    152 Posts

    Re: Need to update a role from Workflow

    2014-08-13T05:24:08Z

    Please elaborate your business case i.e. what exactly you want to achieve here?

    Is there any relationship between the role (that you want to modify) and person being deleted? If the person is a member, he won't be a member of the role after successful deletion.

    Besides, role modification is ultimately person modification, as you add/remove the role from the person.

  • SAgrahari
    8 Posts

    Re: Need to update a role from Workflow

    2014-08-13T05:31:51Z

    Please elaborate your business case i.e. what exactly you want to achieve here?

    Is there any relationship between the role (that you want to modify) and person being deleted? If the person is a member, he won't be a member of the role after successful deletion.

    Besides, role modification is ultimately person modification, as you add/remove the role from the person.

    The person's userid is stored in role as an attribute of role. I need to replace that Id with another user's id since user is getting deleted from the system.

    The person is not a member of the role.

  • SAgrahari
    8 Posts

    Re: Need to update a role from Workflow

    2014-08-13T06:09:29Z
    • franzw
    • 2014-08-13T06:01:06Z

    I think I understand the use case as you are deleting a person that is referenced as e.g. a Role Owner on 1 or more roles and want to remedy that situation.

    This is a well-known challenge for most implementations using the concept of role owners - the real issue here is that when the last role owner is removed, eventual role owner approval will basically be skipped for that role....

    Now - IMHO you should never have persons directly linked to the role - this is bad security practice - always use roles instead. If you use roles you would be able to have e.g. the security administration as a last resort - not that it fixes the problem - but at least you will avoid unapproved roles.

    Now - a real solution to this would be to have operational workflows for the role entity (and same applies for org units, services) so that this could be built easily in the workflow designer - but this requires an accepted RFE.

    So - currently you will have to stick with either a JavaScript extension to do the work or use the Java API directly in the workflow - see scriptFramework.properties (not recommended as you may open up security holes).

    I cannot provide you guidelines on the actual coding - but study the API samples in your ITIM_HOME/extensions directory and the actual Java API to find which searches and role APIs are necessary to do the job....

    HTH

    Regards

    Franz Wolfhagen

    Thanks Franz. I also had the same solution in mind, as I mentioned in my first post. I understand IBM does not provide anything out of the box for this functionality and the best way to solve this issue is to go with Role APIs.

    Thanks for your help.