Sample workflow: packaged approval combined with simple approval node

This scenario shows an organization with a policy that requires user recertification. User recertification validates user resources (accounts, groups, or roles).

IBM Verify Identity Governance routes the recertification approval requests as follows:
  • The request for recertification approval of user roles is sent to the respective role owners.
  • The request for recertification approval of user accounts and groups is sent to the manager of the user to be recertified.

The following workflow graphic demonstrates this business case:

Figure 1. Sample workflow: simple approval with packaged approval node
Table 1 identifies the workflow node properties and values for User_Recertification_Simple_Approval_Example.
Table 1. Sample workflow node properties: Simple approval for user recertification with packaged approval node
Node: Start
  Activity ID: Start
  Activity Name: Start Activity
  Join Type: AND
  Split Type: AND
  JavaScript:
    // Rejection action that the remediation extensions apply to rejected resources
    RejectionAction.set('SUSPEND');

Node: Extension
  Activity ID: CONSTRUCT_APPROVAL_DOCUMENT
  Activity Name: CONSTRUCT_APPROVAL_DOCUMENT
  Description: Gets all account and access recertification targets for the person (extension for recertification)
  Join Type: OR
  Split Type: AND
  Extension Name: constructApprovalDocument(Person person, RecertificationPolicy policy)

Node: Script
  Activity ID: FILTER_ROLES
  Activity Name: FILTER_ROLES
  Description: Extracts roles from the approval document and creates a temporary approval document with the roles
  Join Type: AND
  Split Type: AND
  JavaScript:
    // Move every role item out of the approval document; the Role objects are kept in Roles
    var updatedDoc=ApprovalDocument.get();
    var tempDoc=new PackagedApprovalDocument();
    TemporaryDocument.set(tempDoc);
    var tempRoles=new Array();
    var roleItems=updatedDoc.getItemsByType(ApprovalDocument.get().TYPE_ROLE);
    for(var i=0;i<roleItems.length;i++)
    {
      updatedDoc.removeItem(roleItems[i]);
      var roledn=roleItems[i].getValue().dn;
      var role=new Role(roledn);
      tempRoles.push(role);
      RolesThere.set("true");
    }
    Roles.set(tempRoles);
    ApprovalDocument.set(updatedDoc);
    // Accounts and groups stay in the approval document for the manager;
    // OnlyRoles drives the link to the packaged approval node
    var accountsCount=updatedDoc.getItemsByType(ApprovalDocument.get().TYPE_ACCOUNT);
    var groupCount=updatedDoc.getItemsByType(ApprovalDocument.get().TYPE_GROUP);
    if(accountsCount.length!=0||groupCount.length!=0)
    {
      OnlyRoles.set("false");
    }
    else
    {
      OnlyRoles.set("true");
    }

Node: Packaged Approval
  Activity ID: RECERTAPPROVAL
  Activity Name: ITIM_RECERTIFY
  Participant: Manager
  Escalation Participant: Participant Type
  Escalation Limit: 10 days
  Skip Escalation: Checked
  No Timeout Action: Unchecked
  Join Type: AND
  Split Type: AND

Node: Loop
  Activity ID: ROLE_LOOP
  Activity Name: ROLE_LOOP
  Description: This loop is required to iterate through the roles.
  Join Type: AND
  Split Type: AND
  Loop Type: Until
  Loop Condition: return loopcount<=Roles.get().length;

Node: Script
  Activity ID: UPDATE_APPROVAL_DOC
  Activity Name: UPDATE_APPROVAL_DOC
  Description: Gets the role information from the temporary approval document and updates it into the approval document
  Join Type: AND
  Split Type: AND
  JavaScript:
    // Merge the decided role items back into the approval document
    var approvalDoc=ApprovalDocument.get();
    var tempDoc=TemporaryDocument.get();
    var roleItems=tempDoc.getItemsByType(TemporaryDocument.get().TYPE_ROLE);
    for(var i=0;i<roleItems.length;i++)
    {
      approvalDoc.addItem(roleItems[i]);
    }
    ApprovalDocument.set(approvalDoc);

Node: Script
  Activity ID: SET_ROLE
  Activity Name: SET_ROLE
  Description: Sets the role in relevant data
  Join Type: AND
  Split Type: AND
  JavaScript:
    // loopcount is 1-based, so the current role is at index loopcount-1
    var roles=Roles.get();
    var role=roles[loopcount-1];
    RoleHolder.set(role);

Node: Work Order
  Activity ID: RECERTWORKORDER
  Activity Name: RECERTWORKORDER
  Escalation Limit: 9 days
  Join Type: AND
  Split Type: AND

Node: Approval
  Activity ID: ROLE_APPROVER
  Activity Name: ROLE_APPROVER
  Participant: Custom
    // The approver is the owner of the role currently held in RoleHolder
    var owner=RoleHolder.get().getProperty("owner")[0];
    return new Participant(ParticipantType.USER,owner);
  Escalation Participant: Participant Type
  Escalation Limit: 1 day
  Join Type: AND
  Split Type: AND
  Entity Type: Organizational Role

Node: Mail
  Activity ID: RECERTMAIL
  Activity Name: RECERTMAIL
  Recipient: Person (With Email Account)
  Join Type: AND
  Split Type: AND

Node: Extension
  Activity ID: REMEDIATE_ACCTS_GROUPS
  Activity Name: REMEDIATE_ACCTS_GROUPS
  Description: Does account, group, and access remediation
  Join Type: AND
  Split Type: AND
  Extension Name: remediateAccountsAndGroups(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction)

Node: Script
  Activity ID: SET_APPROVAL_DECISION
  Activity Name: SET_APPROVAL_DECISION
  Description: Updates the temporary approval document with the role and its decision
  Join Type: AND
  Split Type: AND
  JavaScript:
    // Record the approver's decision (result) for the current role as a new role item
    var updatedDoc=TemporaryDocument.get();
    var res=result.get();
    var roleItems=Roles.get();
    var roleItem=new PackagedApprovalItem(ApprovalDocument.get().TYPE_ROLE,roleItems[loopcount-1],res);
    var dec=roleItem.getDecisionCode();
    updatedDoc.addItem(roleItem);
    TemporaryDocument.set(updatedDoc);

Node: Extension
  Activity ID: REMEDIATE_PERSON_ROLES
  Activity Name: REMEDIATE_PERSON_ROLES
  Description: Does role remediation, including policy enforcement for the person
  Join Type: AND
  Split Type: AND
  Extension Name: remediateRoleMemberships(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction)

Node: Extension
  Activity ID: UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
  Activity Name: UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
  Description: Updates recertification status with all approved user resources
  Join Type: OR
  Split Type: AND
  Extension Name: updateRecertificationStatusAllApproved(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy)

Node: Extension
  Activity ID: UPDATE_RECERTIFICATION_STATUS_EMPTY
  Activity Name: UPDATE_RECERTIFICATION_STATUS_EMPTY
  Description: Updates recertification status with no user resources
  Join Type: AND
  Split Type: AND
  Extension Name: updateRecertificationStatusEmptyDocument(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy)

Node: End
  Activity ID: End
  Activity Name: End Activity
  Join Type: OR
  Split Type: AND
  JavaScript:
Table 2 identifies the link properties and values for the simple approval node.
Table 2. Link properties: Simple approval for user recertification
Link: Start -> Extension CONSTRUCT_APPROVAL_DOCUMENT
  Name: startToConstructApprovalDocumentExtension
  Description: Start node to construct approval document extension
  Custom Condition: true

Link: Extension CONSTRUCT_APPROVAL_DOCUMENT -> Script FILTER_ROLES
  Name: ConstructApprovalDocumentExtensionToFilterRolesScript
  Description: Construct approval document extension to filter roles script
  Custom Condition: activity.resultSummary == activity.SUCCESS

Link: Extension CONSTRUCT_APPROVAL_DOCUMENT -> End
  Name: ConstructApprovalDocumentExtensionToEnd
  Description: Construct approval document extension to end node
  Custom Condition: activity.resultSummary != activity.SUCCESS && activity.resultSummary != activity.WARNING

Link: Extension CONSTRUCT_APPROVAL_DOCUMENT -> Extension UPDATE_RECERTIFICATION_STATUS_EMPTY
  Name: ConstructApprovalDocumentExtensionToUpdateStatusEmpty
  Description: Construct approval document extension to update status for empty document
  Custom Condition: activity.resultSummary == activity.WARNING

Link: Script FILTER_ROLES -> Packaged Approval RECERTAPPROVAL
  Name: FilterRolesScriptToRecertApproval
  Description: Filter roles script to recert approval
  Custom Condition: OnlyRoles.get()=="false"

Link: Script FILTER_ROLES -> Loop ROLE_LOOP
  Name: FilterRolesScriptToRoleLoop
  Description: Filter roles script to role loop
  Custom Condition: RolesThere.get()=="true"

Link: Loop ROLE_LOOP -> Script COMBINE_APPROVAL_DOC
  Name: RoleLoopToCombineApprovalDocScript
  Description: Role loop to combine approval document script
  Custom Condition: true

Link: Script COMBINE_APPROVAL_DOC -> Packaged Approval RECERTAPPROVAL
  Name: CombineApprovalDocScriptToRecertApproval
  Description: Combine approval document script to recert approval
  Custom Condition: true

Link: Script COMBINE_APPROVAL_DOC -> Mail RECERTMAIL
  Name: CombineApprovalDocScriptToMail
  Description: Combine approval document script to mail node
  Custom Condition: (activity.resultSummary != activity.FAILED) && (ApprovalDocument.get().containsDecisionCode(activity.REJECTED))

Link: Script COMBINE_APPROVAL_DOC -> Extension UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED
  Name: CombineApprovalDocScriptTo
  Description: Combine approval document script to
  Custom Condition: (activity.resultSummary != activity.FAILED) && (!ApprovalDocument.get().containsDecisionCode(activity.REJECTED))

Link: Script SET_ROLE -> Approval ROLE_APPROVER
  Name: SetRoleScriptToRoleApproverApproval
  Description: Set role script to role approver approval
  Custom Condition: true

Link: Approval ROLE_APPROVER -> Script SET_APPROVAL_DECISION
  Name: RoleApproverApprovalToSetApprovalDecisionScript
  Description: Role approver approval to set approval decision script
  Custom Condition: true

Link: Mail RECERTMAIL -> Extension REMEDIATE_ACCTS_GROUPS
  Name: mailToRemediateAccts
  Description: Mail node to remediate accounts, groups, and accesses
  Custom Condition: true

Link: Extension REMEDIATE_ACCTS_GROUPS -> Extension REMEDIATE_PERSON_ROLES
  Name: remediateAcctsToRemediateRoles
  Description: Remediate accounts, groups, and accesses to remediate roles
  Custom Condition: true

Link: Extension REMEDIATE_PERSON_ROLES -> End
  Name: remediateRolesToEnd
  Description: Remediate roles to end node
  Custom Condition: true

Link: Extension UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED -> End
  Name: updateStatusToEnd
  Description: Update recertification status to end node
  Custom Condition: true

Link: Extension UPDATE_RECERTIFICATION_STATUS_EMPTY -> End
  Name: updateStatusEmptyToEnd
  Description: Update status for empty document to end node
  Custom Condition: true

Table 3 identifies the relevant data used in the simple approval node.

Table 3. Relevant Data
ID Type
ApprovalDocument PackagedApprovalDocument
Roles List
RoleHolder OrgRole
TemporaryDocument PackagedApprovalDocument
RejectionAction String
result String
OnlyRoles String
RolesThere String
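The following is an added example, not code from the page or from IBM Verify Identity Governance: an offline JavaScript simulation of the Table 1 scripts (FILTER_ROLES, SET_ROLE, the ROLE_APPROVER participant, SET_APPROVAL_DECISION and UPDATE_APPROVAL_DOC) and of the Table 2 conditions OnlyRoles, RolesThere and containsDecisionCode(REJECTED), using the relevant data from Table 3. The classes PackagedApprovalDocument, PackagedApprovalItem, Role and RelevantData are minimal stand-ins written for this example with just enough surface to run the page's logic; the decision codes, the initial flag values, the role owners and the sample resources are constructed. It also runs the branches one after another rather than in parallel, which is enough to see which approver decides which resource and why a single rejection routes the document to RECERTMAIL and the remediation extensions instead of UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED.

```javascript
// Added example, not product code: an offline simulation of the Table 1 scripts
// (FILTER_ROLES, SET_ROLE, ROLE_APPROVER participant, SET_APPROVAL_DECISION,
// UPDATE_APPROVAL_DOC) and the Table 2 conditions. The classes below are minimal
// stand-ins written for this example; decision codes and sample data are constructed.
const TYPE_ACCOUNT = "ACCOUNT", TYPE_GROUP = "GROUP", TYPE_ROLE = "ROLE";
const APPROVED = "APPROVED", REJECTED = "REJECTED"; // constructed decision codes

class PackagedApprovalItem {
  constructor(type, value, decisionCode) { this.type = type; this.value = value; this.decisionCode = decisionCode; }
  getType() { return this.type; }
  getValue() { return this.value; }
  getDecisionCode() { return this.decisionCode; }
  setDecisionCode(code) { this.decisionCode = code; } // stand-in for the approver recording a decision
}
class PackagedApprovalDocument {
  constructor() { this.items = []; }
  addItem(item) { this.items.push(item); }
  removeItem(item) { this.items = this.items.filter((i) => i !== item); }
  getItemsByType(type) { return this.items.filter((i) => i.getType() === type); }
  containsDecisionCode(code) { return this.items.some((i) => i.getDecisionCode() === code); }
}
// Role exposes the "owner" property the ROLE_APPROVER participant script reads;
// RelevantData stands in for a workflow relevant-data holder with get()/set().
class Role { constructor(dn, owner) { this.dn = dn; this.owner = owner; } getProperty(n) { return n === "owner" ? [this.owner] : []; } }
class RelevantData { constructor(v) { this.v = v; } get() { return this.v; } set(v) { this.v = v; } }

// FILTER_ROLES: move role items out of the approval document, keep the Role objects in
// Roles, and set RolesThere / OnlyRoles for the outgoing link conditions.
function filterRoles(ctx, roleDirectory) {
  const updatedDoc = ctx.ApprovalDocument.get();
  ctx.TemporaryDocument.set(new PackagedApprovalDocument());
  const tempRoles = [];
  for (const item of updatedDoc.getItemsByType(TYPE_ROLE)) {
    updatedDoc.removeItem(item);
    tempRoles.push(roleDirectory[item.getValue().dn]); // stands in for new Role(roledn)
    ctx.RolesThere.set("true");
  }
  ctx.Roles.set(tempRoles);
  ctx.ApprovalDocument.set(updatedDoc);
  const acctsOrGroups = updatedDoc.getItemsByType(TYPE_ACCOUNT).length !== 0
    || updatedDoc.getItemsByType(TYPE_GROUP).length !== 0;
  ctx.OnlyRoles.set(acctsOrGroups ? "false" : "true");
}
// ROLE_APPROVER participant: the first owner of the role currently in RoleHolder.
function roleApprover(ctx) { return ctx.RoleHolder.get().getProperty("owner")[0]; }
// SET_APPROVAL_DECISION: record the current role's decision in the temporary document.
function setApprovalDecision(ctx, loopcount, result) {
  const tempDoc = ctx.TemporaryDocument.get();
  tempDoc.addItem(new PackagedApprovalItem(TYPE_ROLE, ctx.Roles.get()[loopcount - 1], result));
  ctx.TemporaryDocument.set(tempDoc);
}
// UPDATE_APPROVAL_DOC: merge the decided role items back into the approval document.
function updateApprovalDoc(ctx) {
  const approvalDoc = ctx.ApprovalDocument.get();
  for (const item of ctx.TemporaryDocument.get().getItemsByType(TYPE_ROLE)) approvalDoc.addItem(item);
  ctx.ApprovalDocument.set(approvalDoc);
}

// One person's recertification, run sequentially instead of on the workflow's parallel
// branches. managerDecision is what RECERTAPPROVAL (participant Manager) returns for the
// accounts and groups; ownerDecisions maps a role owner to that owner's ROLE_APPROVER
// decision. Returns the values the Table 2 link conditions test.
function runRecertification(resources, roleDirectory, managerDecision, ownerDecisions) {
  const ctx = { // relevant data from Table 3; the initial flag values are this example's
    ApprovalDocument: new RelevantData(new PackagedApprovalDocument()), TemporaryDocument: new RelevantData(null),
    Roles: new RelevantData([]), RoleHolder: new RelevantData(null),
    OnlyRoles: new RelevantData("false"), RolesThere: new RelevantData("false"),
  };
  // CONSTRUCT_APPROVAL_DOCUMENT stand-in: one undecided item per resource.
  for (const r of resources) ctx.ApprovalDocument.get().addItem(new PackagedApprovalItem(r.type, r, null));
  filterRoles(ctx, roleDirectory);
  const approvers = [];
  // ROLE_LOOP (until loopcount > Roles.get().length): SET_ROLE, ROLE_APPROVER, SET_APPROVAL_DECISION.
  for (let loopcount = 1; loopcount <= ctx.Roles.get().length; loopcount++) {
    ctx.RoleHolder.set(ctx.Roles.get()[loopcount - 1]); // SET_ROLE
    const owner = roleApprover(ctx);
    approvers.push(owner);
    setApprovalDecision(ctx, loopcount, ownerDecisions[owner]);
  }
  updateApprovalDoc(ctx);
  if (ctx.OnlyRoles.get() === "false") { // FilterRolesScriptToRecertApproval: the manager decides accounts and groups
    for (const t of [TYPE_ACCOUNT, TYPE_GROUP])
      for (const item of ctx.ApprovalDocument.get().getItemsByType(t)) item.setDecisionCode(managerDecision);
  }
  const doc = ctx.ApprovalDocument.get();
  return {
    onlyRoles: ctx.OnlyRoles.get(), rolesThere: ctx.RolesThere.get(), approvers, itemCount: doc.items.length,
    // CombineApprovalDocScriptToMail fires on any REJECTED item; otherwise status is "all approved".
    route: doc.containsDecisionCode(REJECTED) ? "RECERTMAIL" : "UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED",
  };
}

// Constructed sample data: one account, one group and two roles with different owners.
const FINANCE_DN = "cn=Finance Approver,ou=roles,o=example", PAYROLL_DN = "cn=Payroll Admin,ou=roles,o=example";
const SAMPLE_ROLES = { [FINANCE_DN]: new Role(FINANCE_DN, "uid=jane"), [PAYROLL_DN]: new Role(PAYROLL_DN, "uid=raj") };
const SAMPLE_RESOURCES = [{ type: TYPE_ACCOUNT, name: "ldap-acc-alice" }, { type: TYPE_GROUP, name: "finance-readers" },
  { type: TYPE_ROLE, dn: FINANCE_DN }, { type: TYPE_ROLE, dn: PAYROLL_DN }];
console.log(runRecertification(SAMPLE_RESOURCES, SAMPLE_ROLES, APPROVED, { "uid=jane": APPROVED, "uid=raj": REJECTED }));
```

With the sample data, the manager approves the account and the group, jane approves the Finance Approver role and raj rejects the Payroll Admin role, so the merged document contains one REJECTED item and the run reports the RECERTMAIL route; the same input with raj approving reports UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED. Passing only role resources sets OnlyRoles to "true", so the manager's decision is never consulted, and passing no roles leaves RolesThere at "false" so the role loop does not run.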