Romy01

Validate Task Assignment For Invalid Users

2013-01-09T19:16:14Z
Tasks can be assigned to a particular user maintained in LDAP. We want to build a solution to make sure the task assignment never fails. Assume a user A is supposed to receive a task, but before task assignment the user becomes invalid for any reason in LDAP.

My question is: is there a way to validate that the task assignment will always succeed? If the user is not found for some reason, a runtime exception would be thrown and the process instance would be in a failed state. Can we put some kind of check in place to validate a user before assigning a task?

Thanks in advance,
Ramesh
  • SystemAdmin

    Re: Validate Task Assignment For Invalid Users

    ‏2013-01-09T19:26:36Z  in response to Romy01
    Ramesh,

    It seems like you are doing a user-based assignment of tasks. You can build a call to LDAP using the LDAP connector to query whether the user is disabled. If the user is disabled, you can throw an error.

    You can take hints about how to query LDAP through this - http://bpmwiki.blueworkslive.com/display/samples/Retrieving+user+attributes+from+LDAP+%28VMM++LDAP+Toolkit%29?focusedCommentId=27297905#comment-27297905

    Btw, I am sure you understand that even if that task somehow gets assigned to a disabled LDAP user, that user won't be able to log into the Portal to work on that task, because LDAP-based authentication will prevent that user from logging into the Portal.

    Ashish Aggarwal
    BPM Architect
    • Romy01

      Re: Validate Task Assignment For Invalid Users

      ‏2013-01-09T19:32:55Z  in response to SystemAdmin
      Thanks Ashish for your response.

      That is the route we are going for at present: validating against LDAP before the assignment. As for the other part, if a task is assigned to a user who is not valid, the process instance will fail, and that is the case we are trying to avoid.
      • SystemAdmin

        Re: Validate Task Assignment For Invalid Users

        ‏2013-01-09T19:37:17Z  in response to Romy01
        Sorry. Maybe I am not understanding the problem statement. If you are already validating against LDAP before assignment, then why would the task get assigned to an invalid user? You can put LDAP validation right before task assignment. Don't put anything between these two steps.

        Ashish Aggarwal
        BPM Architect
        • Romy01

          Re: Validate Task Assignment For Invalid Users

          ‏2013-01-09T19:43:42Z  in response to SystemAdmin
          Sorry, I should have been clearer. There is a minor probability that the custom LDAP calls may fail (in our case it does happen sometimes due to network, load issues), and we are trying to build a zero-instance-fail scenario.
  • SystemAdmin

    Re: Validate Task Assignment For Invalid Users

    ‏2013-01-09T20:29:35Z  in response to Romy01
    An alternative to an LDAP Query is to query BPM for the user and check the result.

    
    var user = tw.system.org.findUserByName("aUserName");
    // If the user exists
    if (!!user) {
        // Assign the task to the user
        tw.local.taskAssignment = "USER:" + user.name;
    }
    // If the user does not exist
    else {
        // Assign the task to a safe default user or role
        //    tw.local.taskAssignment = "USER:SomeExistingUserName";
        tw.local.taskAssignment = "ROLE:SomeExistingRoleName";
    }
    


    I included this in a script before the task that used "Custom" assign to with "tw.local.taskAssignment" as its variable.

    Sam
    • Romy01

      Re: Validate Task Assignment For Invalid Users

      ‏2013-01-09T20:51:11Z  in response to SystemAdmin
      Thanks Sam for the script.
      We had considered this option as well. This would work for everything but the case where the user has not been synced into BPM yet (a new user for the BPM application). The JS API call in the script won't recognize the user, as it is not in the internal repository yet. But if we try to assign a task to him, BPM would sync the details into its repository and assign the task.

      This is the reason we had to take the LDAP route.
      • SystemAdmin

        Re: Validate Task Assignment For Invalid Users

        ‏2013-01-09T21:31:19Z  in response to Romy01
        FYI, I just checked (since I'm playing with some LDAP stuff). I created a user in LDAP and then made the call above. It found the user, which is what the API is supposed to do. There was no full synch called, and no login by the user (since I just created them and no one but me knew they existed).

        To be safe I also called the call with a bad user name and it followed the user not found path.

        So you don't need to add in the complexity of an LDAP query to confirm if a user is valid, the server will do the right thing for you.

        This was on 7.5.1.0

        Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
        • Romy01

          Re: Validate Task Assignment For Invalid Users

          ‏2013-01-11T22:33:58Z  in response to SystemAdmin
          Agreed, but allowing the system to determine this would result in a process failure stating the problem with the user, and that is the exceptional scenario we are trying to handle.
          • SystemAdmin

            Re: Validate Task Assignment For Invalid Users

            ‏2013-01-14T21:24:20Z  in response to Romy01
            I wasn't saying allow the system to decide. I was telling you that the JS calls to check if the user is a legitimate user work, even if that user has never logged into BPM. So you can just do the calls that Sam suggested and this will tell you if the user is valid or not. No synchronization is required, nor is an LDAP call from the BPM code.

            Andrew Paier | Director of Special Operations | BP3 Global, Inc. www.bp-3.com
  • SystemAdmin

    Re: Validate Task Assignment For Invalid Users

    ‏2013-01-11T13:03:34Z  in response to Romy01
    We had done something similar, but it was with a 6.x version. The use case was not the user being in LDAP but him going on leave (which is more likely than not being in LDAP). We wrote a custom service that will take in a user id, validate whether he is on vacation, and give back an alternate user id or the same user id based on leave plans in the system. It was done for tasks of type "Last User in Lane".

    Since we had to do this in all steps, adding an additional script step before the activity appeared to be a lot of rework.
    In Custom routing, we would write a function call like: checkDelegation(tw.system.userId); where checkDelegation is a server-side function calling this reusable service internally.

    Thanks,
    Vignesh
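
An added example, not code from any poster in this thread: the lookup-then-fallback check from Sam's script, extended to cover the case raised earlier where the lookup itself fails intermittently, so that a task is never assigned to a user who could not be verified. `resolveAssignment`, `makeStubOrg`, `fallbackRole`, `maxAttempts` and `tw.local.requestedUser` are hypothetical names; `org` stands in for `tw.system.org`, and `findUserByName` is assumed to return a falsy value for an unknown user, as in Sam's script.

```javascript
// Added example: `org` stands in for tw.system.org; resolveAssignment,
// fallbackRole, maxAttempts and makeStubOrg are hypothetical names.
function resolveAssignment(org, userName, fallbackRole, maxAttempts) {
  var fallback = "ROLE:" + fallbackRole;
  var name = String(userName == null ? "" : userName).replace(/^\s+|\s+$/g, "");
  if (name === "") {
    return { assignment: fallback, reason: "empty-user-name" };
  }
  var lastError = null;
  for (var attempt = 1; attempt <= (maxAttempts || 3); attempt++) {
    try {
      var user = org.findUserByName(name);
      // A clean answer (found or not found) ends the loop; only errors retry.
      return user
        ? { assignment: "USER:" + user.name, reason: "user-found" }
        : { assignment: fallback, reason: "user-not-found" };
    } catch (e) {
      lastError = e; // e.g. directory unreachable; try again
    }
  }
  // Lookup never completed: do not assign to an unverified user.
  return { assignment: fallback, reason: "lookup-failed: " + String(lastError) };
}

// Constructed stand-in for tw.system.org so the block runs outside BPM.
// It throws `failures` times before answering, to mimic a flaky directory.
function makeStubOrg(knownUsers, failures) {
  var remaining = failures || 0;
  return {
    findUserByName: function (name) {
      if (remaining > 0) {
        remaining--;
        throw new Error("directory unavailable");
      }
      return knownUsers.indexOf(name) >= 0 ? { name: name } : null;
    }
  };
}

// Inside a BPM script the call would look like (tw.local.requestedUser is assumed):
// tw.local.taskAssignment = resolveAssignment(tw.system.org,
//     tw.local.requestedUser, "SomeExistingRoleName").assignment;
```

Recording the returned `reason` alongside the task gives an audit trail of every assignment that was rerouted to the fallback role and why.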