Topic
  • 4 replies
  • Latest Post - ‏2013-10-24T17:33:18Z by Kishore_vj
Kishore_vj
Kishore_vj
4 Posts

Pinned topic Need Help forming Account object in workflow

‏2013-10-23T20:07:03Z |

Hi,

We have a requirement where in we have two services A & B. While invoking the Add Account workflow on Service A, Based on few attribute validations, the user should also get Account B created.

Please let me know how to form the Account Object B from Add Workflow of A.

 

Thanks,

Kishore

Updated on 2013-10-23T20:08:11Z at 2013-10-23T20:08:11Z by Kishore_vj
  • franzw
    franzw
    347 Posts
    ACCEPTED ANSWER

    Re: Need Help forming Account object in workflow

    ‏2013-10-23T20:28:56Z  

    The quick answer - you don't.

    It is bad practice to manage account entities and attributes in the workflow - the method is to use provisioning policies - and if you have dependencies set this up on the services.

    So in your case (you have not told us enough to give a complete answer) I would let B depend on A - this means that if somebody needs A and B you you can ensure the creation of A before B by a service dependency.

    Now - if you do not have that dependency you should just have a set of provisioning entitlements (either in 2 policies - my preference - or on the same policy) that drives the creation o both accounts.

    Doing changes to accounts in workflow will definitely hurt you - there a good reasons to do so in special cases (e.g. pre/postexec processing), but your question shows you are not yet understanding what challenges this involves...

    So - stick to provisioning policies - that is what they are for.

    HTH

    Regards

    Franz Wolfhagen

  • franzw
    franzw
    347 Posts
    ACCEPTED ANSWER

    Re: Need Help forming Account object in workflow

    ‏2013-10-24T05:39:05Z  

    Hi Franz,

    Thanks for the quick response. Let me explain more on the issue I am facing.

    We have a custom adapter to generate user object on to a LDAP Based Target. At the time of creation of Account in LDAP under a tree OU=Locations,OU=StandardUsers, OU=users, CN=TESTUSER of type user. I also need to create another group by the name OU=Locations,OU=OU=Groups, CN=PREFIX_TESTUSER.

     

    As the group & user are two different types of objects in LDAP. I have two different adapters to achieve this.

    I tried to take a copy of existing group object & modify attributes & I was successful in creating a new account obj from the workflow. But this way of creating  new account is wrong.

    If this has to be achieved using provisioning policy, I assume that we need to use a role based entitlement to create a new account if I am right.

    Please let me know if there is any other way of achieving the solution.

     

    Thanks,

    Kishore

    You should not create 2 different account objects - there is support for what you need in the standard ldap adapter.

    Download the latest ldap adapter and study the documentation - it explains how to customize the adapter and it includes tools to clone the standard adapter so that you can have many different ldap adapters managed from the same ISIM system.

    That will get rid of all the ugly things you are trying to do... - KISS applies, but requires that you spend some time understanding what you are up against.

    HTH

    Regards

    Franz Wolfhagen

  • franzw
    franzw
    347 Posts

    Re: Need Help forming Account object in workflow

    ‏2013-10-23T20:28:56Z  

    The quick answer - you don't.

    It is bad practice to manage account entities and attributes in the workflow - the method is to use provisioning policies - and if you have dependencies set this up on the services.

    So in your case (you have not told us enough to give a complete answer) I would let B depend on A - this means that if somebody needs A and B you you can ensure the creation of A before B by a service dependency.

    Now - if you do not have that dependency you should just have a set of provisioning entitlements (either in 2 policies - my preference - or on the same policy) that drives the creation o both accounts.

    Doing changes to accounts in workflow will definitely hurt you - there a good reasons to do so in special cases (e.g. pre/postexec processing), but your question shows you are not yet understanding what challenges this involves...

    So - stick to provisioning policies - that is what they are for.

    HTH

    Regards

    Franz Wolfhagen

  • Kishore_vj
    Kishore_vj
    4 Posts

    Re: Need Help forming Account object in workflow

    ‏2013-10-23T20:51:58Z  
    • franzw
    • ‏2013-10-23T20:28:56Z

    The quick answer - you don't.

    It is bad practice to manage account entities and attributes in the workflow - the method is to use provisioning policies - and if you have dependencies set this up on the services.

    So in your case (you have not told us enough to give a complete answer) I would let B depend on A - this means that if somebody needs A and B you you can ensure the creation of A before B by a service dependency.

    Now - if you do not have that dependency you should just have a set of provisioning entitlements (either in 2 policies - my preference - or on the same policy) that drives the creation o both accounts.

    Doing changes to accounts in workflow will definitely hurt you - there a good reasons to do so in special cases (e.g. pre/postexec processing), but your question shows you are not yet understanding what challenges this involves...

    So - stick to provisioning policies - that is what they are for.

    HTH

    Regards

    Franz Wolfhagen

    Hi Franz,

    Thanks for the quick response. Let me explain more on the issue I am facing.

    We have a custom adapter to generate user object on to a LDAP Based Target. At the time of creation of Account in LDAP under a tree OU=Locations,OU=StandardUsers, OU=users, CN=TESTUSER of type user. I also need to create another group by the name OU=Locations,OU=OU=Groups, CN=PREFIX_TESTUSER.

     

    As the group & user are two different types of objects in LDAP. I have two different adapters to achieve this.

    I tried to take a copy of existing group object & modify attributes & I was successful in creating a new account obj from the workflow. But this way of creating  new account is wrong.

    If this has to be achieved using provisioning policy, I assume that we need to use a role based entitlement to create a new account if I am right.

    Please let me know if there is any other way of achieving the solution.

     

    Thanks,

    Kishore

  • franzw
    franzw
    347 Posts

    Re: Need Help forming Account object in workflow

    ‏2013-10-24T05:39:05Z  

    Hi Franz,

    Thanks for the quick response. Let me explain more on the issue I am facing.

    We have a custom adapter to generate user object on to a LDAP Based Target. At the time of creation of Account in LDAP under a tree OU=Locations,OU=StandardUsers, OU=users, CN=TESTUSER of type user. I also need to create another group by the name OU=Locations,OU=OU=Groups, CN=PREFIX_TESTUSER.

     

    As the group & user are two different types of objects in LDAP. I have two different adapters to achieve this.

    I tried to take a copy of existing group object & modify attributes & I was successful in creating a new account obj from the workflow. But this way of creating  new account is wrong.

    If this has to be achieved using provisioning policy, I assume that we need to use a role based entitlement to create a new account if I am right.

    Please let me know if there is any other way of achieving the solution.

     

    Thanks,

    Kishore

    You should not create 2 different account objects - there is support for what you need in the standard ldap adapter.

    Download the latest ldap adapter and study the documentation - it explains how to customize the adapter and it includes tools to clone the standard adapter so that you can have many different ldap adapters managed from the same ISIM system.

    That will get rid of all the ugly things you are trying to do... - KISS applies, but requires that you spend some time understanding what you are up against.

    HTH

    Regards

    Franz Wolfhagen

  • Kishore_vj
    Kishore_vj
    4 Posts

    Re: Need Help forming Account object in workflow

    ‏2013-10-24T17:33:18Z  
    • franzw
    • ‏2013-10-24T05:39:05Z

    You should not create 2 different account objects - there is support for what you need in the standard ldap adapter.

    Download the latest ldap adapter and study the documentation - it explains how to customize the adapter and it includes tools to clone the standard adapter so that you can have many different ldap adapters managed from the same ISIM system.

    That will get rid of all the ugly things you are trying to do... - KISS applies, but requires that you spend some time understanding what you are up against.

    HTH

    Regards

    Franz Wolfhagen

    Hi Franz,

     

    Yes, I will take this suggestion.

    Thanks Franz for your prompt response.

     

    Thanks,

    Kishore