Sample workflow: packaged approval combined with simple approval node
This scenario shows an organization with a policy that requires user recertification. User recertification validates user resources (accounts, groups, or roles).
- The request for recertification approval of user roles is sent to the respective role owners.
- The request for recertification approval of user accounts and groups is sent to the manager of the user to be recertified.
The following workflow graphic demonstrates this business case:
| Node | Feature | Value | |
|---|---|---|---|
| Start | Activity ID | Start | |
| | Activity Name | Start Activity | |
| | Join Type | AND | |
| | Split Type | AND | |
| | JavaScript | RejectionAction.set('SUSPEND'); | |
| Extension | Activity ID | CONSTRUCT_APPROVAL_DOCUMENT | |
| | Activity Name | CONSTRUCT_APPROVAL_DOCUMENT | |
| | Description | Get all account and access recertification targets for person extension for recertification | |
| | Join Type | OR | |
| | Split Type | AND | |
| | Extension Name | constructApprovalDocument(Person person, RecertificationPolicy policy) | |
| Script | Activity ID | FILTER_ROLES | |
| | Activity Name | FILTER_ROLES | |
| | Description | Extracts roles from the approval document and creates a temporary approval document with the roles | |
| | Join Type | AND | |
| | Split Type | AND | |
| | JavaScript | | |
| Packaged Approval | Activity ID | RECERTAPPROVAL | |
| | Activity Name | ITIM_RECERTIFY | |
| | Participant | Manager | |
| | Escalation Participant | Participant Type | |
| | Escalation Limit | 10 days | |
| | Skip Escalation | Checked | |
| | No Timeout Action | Unchecked | |
| | Join Type | AND | |
| | Split Type | AND | |
| Loop | Activity ID | ROLE_LOOP | |
| | Activity Name | ROLE_LOOP | |
| | Description | This loop is required to iterate through the roles. | |
| | Join Type | AND | |
| | Split Type | AND | |
| | Loop Type | Until | |
| | Loop Condition | return loopcount<=Roles.get().length; | |
| Script | Activity ID | UPDATE_APPROVAL_DOC | |
| | Activity Name | UPDATE_APPROVAL_DOC | |
| | Description | Gets the role information from the temporary approval document and updates it in the approval document | |
| | Join Type | AND | |
| | Split Type | AND | |
| | JavaScript | | |
| Script | Activity ID | SET_ROLE | |
| | Activity Name | SET_ROLE | |
| | Description | Sets the role in relevant data | |
| | Join Type | AND | |
| | Split Type | AND | |
| | JavaScript | | |
| Work Order | Activity ID | RECERTWORKORDER | |
| | Activity Name | RECERTWORKORDER | |
| | Escalation Limit | 9 days | |
| | Join Type | AND | |
| | Split Type | AND | |
| Approval | Activity ID | ROLE_APPROVER | |
| | Activity Name | ROLE_APPROVER | |
| | Participant | Custom | var owner=RoleHolder.get().getProperty("owner")[0]; return new Participant(ParticipantType.USER,owner); |
| | Escalation Participant | Participant Type | |
| | Escalation Limit | 1 day | |
| | Join Type | AND | |
| | Split Type | AND | |
| | Entity Type | Organizational Role | |
| Mail | Activity ID | RECERTMAIL | |
| | Activity Name | RECERTMAIL | |
| | Recipient | Person (With Email Account) | |
| | Join Type | AND | |
| | Split Type | AND | |
| Extension | Activity ID | REMEDIATE_ACCTS_GROUPS | |
| | Activity Name | REMEDIATE_ACCTS_GROUPS | |
| | Description | Does account, group, and access remediation | |
| | Join Type | AND | |
| | Split Type | AND | |
| | Extension Name | remediateAccountsAndGroups(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction) | |
| Script | Activity ID | SET_APPROVAL_DECISION | |
| | Activity Name | SET_APPROVAL_DECISION | |
| | Description | Updates the temporary approval document with the role and its decision | |
| | Join Type | AND | |
| | Split Type | AND | |
| | JavaScript | | |
| Extension | Activity ID | REMEDIATE_PERSON_ROLES | |
| | Activity Name | REMEDIATE_PERSON_ROLES | |
| | Description | Does role remediation, including policy enforcement for the person | |
| | Join Type | AND | |
| | Split Type | AND | |
| | Extension Name | remediateRoleMemberships(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy, String rejectionAction) | |
| Extension | Activity ID | UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED | |
| | Activity Name | UPDATE_RECERTIFICATION_STATUS_ALL_APPROVED | |
| | Description | Updates recertification status with all approved user resources | |
| | Join Type | OR | |
| | Split Type | AND | |
| | Extension Name | updateRecertificationStatusAllApproved(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy) | |
| Extension | Activity ID | UPDATE_RECERTIFICATION_STATUS_EMPTY | |
| | Activity Name | UPDATE_RECERTIFICATION_STATUS_EMPTY | |
| | Description | Updates recertification status with no user resources | |
| | Join Type | AND | |
| | Split Type | AND | |
| | Extension Name | updateRecertificationStatusEmptyDocument(PackagedApprovalDocument approvalDocument, Person person, RecertificationPolicy policy) | |
| End | Activity ID | End | |
| | Activity Name | End Activity | |
| | Join Type | OR | |
| | Split Type | AND | |
| | JavaScript | | |

| From | To | Feature | Value |
|---|---|---|---|
| Start | Extension | Name | startToConstructApprovalDocumentExtension |
| | | Description | Start node to construct approval document extension |
| | | Custom Condition | true |
| Extension | Script | Name | ConstructApprovalDocumentExtensionToFilterRolesScript |
| | | Description | Construct approval document extension to filter roles script |
| | | Custom Condition | activity.resultSummary == activity.SUCCESS |
| Extension | End | Name | ConstructApprovalDocumentExtensionToEnd |
| | | Description | Construct approval document extension to end node |
| | | Custom Condition | activity.resultSummary != activity.SUCCESS && activity.resultSummary != activity.WARNING |
| Extension | Extension | Name | ConstructApprovalDocumentExtensionToUpdateStatusEmpty |
| | | Description | Construct approval document extension to update status for empty document |
| | | Custom Condition | activity.resultSummary == activity.WARNING |
| Script | Packaged Approval | Name | FilterRolesScriptToRecertApproval |
| | | Description | Filter roles script to recert approval |
| | | Custom Condition | OnlyRoles.get()=="false" |
| Script | Loop | Name | FilterRolesScriptToRoleLoop |
| | | Description | Filter roles script to role loop |
| | | Custom Condition | RolesThere.get()=="true" |
| Loop | Script | Name | RoleLoopToCombineApprovalDocScript |
| | | Description | Role loop to combine approval document script |
| | | Custom Condition | true |
| Script | Packaged Approval | Name | CombineApprovalDocScriptToRecertApproval |
| | | Description | Combine approval document script to recert approval |
| | | Custom Condition | true |
| Script | Mail | Name | CombineApprovalDocScriptToMail |
| | | Description | Combine approval document script to mail node |
| | | Custom Condition | (activity.resultSummary != activity.FAILED) && (ApprovalDocument.get().containsDecisionCode(activity.REJECTED)) |
| Script | Extension | Name | CombineApprovalDocScriptTo |
| | | Description | Combine approval document script to |
| | | Custom Condition | (activity.resultSummary != activity.FAILED) && (!ApprovalDocument.get().containsDecisionCode(activity.REJECTED)) |
| Script | Approval | Name | SetRoleScriptToRoleApproverApproval |
| | | Description | Set role script to role approver approval |
| | | Custom Condition | true |
| Approval | Script | Name | RoleApproverApprovalToSetApprovalDecisionScript |
| | | Description | Role approver approval to set approval decision script |
| | | Custom Condition | true |
| Mail | Extension | Name | mailToRemediateAccts |
| | | Description | Mail node to remediate accounts, groups, and accesses |
| | | Custom Condition | true |
| Extension | Extension | Name | remediateAcctsToRemediateRoles |
| | | Description | Remediate accounts, groups, and accesses to remediate roles |
| | | Custom Condition | true |
| Extension | End | Name | remediateRolesToEnd |
| | | Description | Remediate roles to end node |
| | | Custom Condition | true |
| Extension | End | Name | updateStatusToEnd |
| | | Description | Update recertification status to end node |
| | | Custom Condition | true |
| Extension | End | Name | updateStatusEmptyToEnd |
| | | Description | Update status for empty document to end node |
| | | Custom Condition | true |

Table 3 identifies the relevant data used in the simple approval node.
ID | Type |
---|---|
ApprovalDocument | PackagedApprovalDocument |
Roles | List |
RoleHolder | OrgRole |
TemporaryDocument | PackagedApprovalDocument |
RejectionAction | String |
result | String |
OnlyRoles | String |
RolesThere | String |
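
The following is an added example, not code from the product or from this workflow: a stand-alone model that evaluates the transition conditions listed above for the construct-document extension and the filter-roles script, so you can see which exits fire for each result and each OnlyRoles/RolesThere combination. The condition expressions and transition names are taken from the transitions table; the `activity` constants, the `data()` accessor mock, and the `from` grouping keys (`construct`, `filter`) are assumptions made for the model.

```javascript
// Added model, not ISIM code: transition names and conditions are copied from
// the transitions table; the objects they read are mocks constructed here.
const activityConsts = {            // placeholder values, constructed for this model
  SUCCESS: "SUCCESS", WARNING: "WARNING", FAILED: "FAILED", REJECTED: "REJECTED",
};

// Mock of the relevant-data accessors the conditions call (X.get()).
const data = (value) => ({ get: () => value });

// `from` is a hypothetical grouping key, not a workflow attribute.
const transitions = [
  { name: "ConstructApprovalDocumentExtensionToFilterRolesScript", from: "construct",
    cond: ({ activity }) => activity.resultSummary == activity.SUCCESS },
  { name: "ConstructApprovalDocumentExtensionToEnd", from: "construct",
    cond: ({ activity }) => activity.resultSummary != activity.SUCCESS
                         && activity.resultSummary != activity.WARNING },
  { name: "ConstructApprovalDocumentExtensionToUpdateStatusEmpty", from: "construct",
    cond: ({ activity }) => activity.resultSummary == activity.WARNING },
  { name: "FilterRolesScriptToRecertApproval", from: "filter",
    cond: ({ OnlyRoles }) => OnlyRoles.get() == "false" },
  { name: "FilterRolesScriptToRoleLoop", from: "filter",
    cond: ({ RolesThere }) => RolesThere.get() == "true" },
];

// Names of the transitions out of `from` whose condition holds in `ctx`.
function firing(from, ctx) {
  return transitions.filter((t) => t.from === from && t.cond(ctx)).map((t) => t.name);
}

// Exit taken from the construct extension for a given result summary.
function constructExits(resultSummary) {
  return firing("construct", { activity: { ...activityConsts, resultSummary } });
}

// Exits from the filter script for every OnlyRoles/RolesThere combination.
function filterMatrix() {
  const rows = [];
  for (const only of ["true", "false"])
    for (const there of ["true", "false"])
      rows.push({ OnlyRoles: only, RolesThere: there,
        fires: firing("filter", { OnlyRoles: data(only), RolesThere: data(there) }) });
  return rows;
}

// Flag combinations for which no filter-script transition condition holds.
const deadEnds = () => filterMatrix().filter((r) => r.fires.length === 0);

console.log(["SUCCESS", "WARNING", "FAILED"].map((r) => [r, constructExits(r)]));
console.table(filterMatrix().map((r) => ({ ...r, fires: r.fires.join(", ") })));
```

Any combination returned by `deadEnds()` is one for which neither filter-script condition in the table holds, so it is worth confirming that the FILTER_ROLES script never sets it.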