® IBM Software Group 1362 - Implementation of Complex ITIM Workflows Fred Santos.

®

IBM Software Group

1362 - Implementation of 1362 - Implementation of Complex ITIM WorkflowsComplex ITIM WorkflowsFred SantosFred Santos

®

IBM Software Group

Fred SantosFred Santos

Pan EMEA Subject Matter Expert GroupPan EMEA Subject Matter Expert Group

®

IBM Software Group

IBM Software Group

3

AgendaAgendaITIM Workflow Concepts: a quick OverviewITIM Workflow Concepts: a quick Overview

Workflow TypesWorkflow Types

Workflow DataWorkflow Data

Workflow ElementsWorkflow Elements

Workflow and JavaScriptWorkflow and JavaScript

Workflow ExtensionsWorkflow Extensions

Complex ITIM Workflows by ExampleComplex ITIM Workflows by Example

IBM Software Group

4

AbstractAbstractITIM manages security policies by using workflows. The ability to develop customized workflows are essential to getting value out of an ITIM deployment and in high demand during customer engagements.

Skills Level: Advanced

IBM Software Group

5

Workflow TypesWorkflow TypesOperation WorkflowsOperation Workflows

Lifecycle ManagementLifecycle ManagementPersons and BPPersonsPersons and BPPersons

AccountsAccounts

GlobalGlobal

Entitlement WorkflowsEntitlement Workflows

Provisioning ProcessingProvisioning ProcessingAccountsAccounts

IBM Software Group

6

Operation WorkflowsOperation WorkflowsAssociated with manipulation of Entities:Associated with manipulation of Entities:

AccountAccount

PersonPerson

BPPersonBPPerson

Global workflows can be defined and Global workflows can be defined and called from other operation workflowscalled from other operation workflows

IBM Software Group

7

Operation WorkflowsOperation WorkflowsCan be defined at two levels:Can be defined at two levels:

Entity TypeEntity Type

EntityEntity

The Entity Type Workflows are inherited by all The Entity Type Workflows are inherited by all entities of that type.entities of that type.

E.g.: Operation Workflows defined at the level of Entity E.g.: Operation Workflows defined at the level of Entity Type Account, will be inherited by all Accounts, Type Account, will be inherited by all Accounts, regardless of profileregardless of profile

The Entity Workflows override those inherited The Entity Workflows override those inherited from the Entity Type levelfrom the Entity Type level

E.g.: a customized Modify NT account workflow E.g.: a customized Modify NT account workflow overrides the modify workflow inherited from the overrides the modify workflow inherited from the Account Entity TypeAccount Entity Type

IBM Software Group

8

Operation WorkflowsOperation WorkflowsPerson and BPPerson operations:Person and BPPerson operations:

AddAdd

ModifyModify

Delete Delete

SuspendSuspend

RestoreRestore

TransferTransfer

SelfRegisterSelfRegister

IBM Software Group

9

Operation WorkflowsOperation WorkflowsAccount Operations:Account Operations:

AddAdd

ModifyModify

DeleteDelete

SuspendSuspend

RestoreRestore

ChangePasswordChangePassword

IBM Software Group

10

Entitlement WorkflowsEntitlement WorkflowsSpecified in Provisioning PoliciesSpecified in Provisioning Policies

Entitlement Workflows are NOT Entitlement Workflows are NOT mandatorymandatory

Triggered by:Triggered by:Account AddAccount AddAccount ModifyAccount Modify

Executed before the relevant Operation Executed before the relevant Operation WorkflowWorkflow

The Operation Workflow do not start The Operation Workflow do not start before the Entitlement Workflow before the Entitlement Workflow completescompletes

IBM Software Group

11

Workflow DataWorkflow DataThree types of Workflow Data:Three types of Workflow Data:

Javascript variablesJavascript variables

Relevant DataRelevant Data

Workflow Context ObjectsWorkflow Context Objects

IBM Software Group

12

Javascript VariablesJavascript VariablesDefined in Javascript code:Defined in Javascript code:

Javascript NodesJavascript Nodes

Postscript tabsPostscript tabs

““Custom” code in some other NodesCustom” code in some other Nodes

Start and End NodesStart and End Nodes

Can’t be Serialized or made PersistentCan’t be Serialized or made Persistent

Exist in the context of their definitionExist in the context of their definition

When the node completes, all variables When the node completes, all variables will be out of scopewill be out of scope

IBM Software Group

13

Relevant DataRelevant DataDefined in the Workflow Properties pageDefined in the Workflow Properties page

Exists throughout the life of the workflowExists throughout the life of the workflow

Stored in the ITIM DatabaseStored in the ITIM Database

Can be associated with contexts:Can be associated with contexts:

SubjectSubject

RequesteeRequestee

BothBoth

Not ApplicableNot Applicable

IBM Software Group

14

Relevant DataRelevant DataTypes of Relevant Data:Types of Relevant Data:

Input/Output ParametersInput/Output Parameters

Workflow DefinedWorkflow Defined

User DefinedUser Defined

IBM Software Group

15

Input/Output Parameters in Input/Output Parameters in Entitlement WorkflowsEntitlement Workflows

Input Parameters:Input Parameters:

Entity – Account:Entity – Account:In an add request, it contains the data for the new In an add request, it contains the data for the new accountaccount

In an a modify request, it contains only the modified In an a modify request, it contains only the modified attributesattributes

ServiceServiceThe Service where the account exists or will be createThe Service where the account exists or will be create

Owner - Person:Owner - Person:The Person associated with the accountThe Person associated with the account

Output Parameters:Output Parameters:

Entity – AccountEntity – Account

IBM Software Group

16

Input Parameters in Operation Input Parameters in Operation WorkflowsWorkflows

Static Operations:Static Operations:

Add: Person or AccountAdd: Person or Account

(Account) Modify: Account(Account) Modify: Account

SelfRegister: PersonSelfRegister: Person

Non-Static Operations:Non-Static Operations:

Delete: Person or AccountDelete: Person or Account

(Person) Modify: Person(Person) Modify: Person

Suspend: Person or AccountSuspend: Person or Account

Restore: Person or AccountRestore: Person or Account

Transfer: PersonTransfer: Person

ChangePassword: AccountChangePassword: Account

IBM Software Group

17

System Defined and User System Defined and User Defined DataDefined Data

System Defined Data:System Defined Data:Defined only in some workflowsDefined only in some workflows

User Defined Data:User Defined Data:Defined in the Workflow Properties PageDefined in the Workflow Properties PageMade persistent in the ITIM DatabaseMade persistent in the ITIM DatabaseAccessed in Javascript withAccessed in Javascript with

userObject = ItemName.get();userObject = ItemName.get();

Changed in Javascript withChanged in Javascript withItemName.set(userObject);ItemName.set(userObject);

IBM Software Group

18

Workflow Context ObjectsWorkflow Context ObjectsContain information about the object in Contain information about the object in questionquestion

ActivityActivity

ProcessProcess

Accessible in Javascript codeAccessible in Javascript code

IBM Software Group

19

Workflow ElementsWorkflow ElementsStart and EndStart and End

ApprovalApproval

Request for InformationRequest for Information

Work OrderWork Order

ScriptScript

LoopLoop

Operation and SubprocessOperation and Subprocess

ExtensionExtension

Transition LinesTransition Lines

IBM Software Group

20

Workflow and JavaScriptWorkflow and JavaScriptMost Elements Allow Javascript code to be Most Elements Allow Javascript code to be executed:executed:

Start and End NodesStart and End Nodes

Script NodesScript Nodes

Postscript Tabs (Approval, Extension, …)Postscript Tabs (Approval, Extension, …)

Transition LinesTransition Lines

Allows:Allows:

Manipulation of Relevant DataManipulation of Relevant Data

Conditional logic in Transition LinesConditional logic in Transition Lines

IBM Software Group

21

Workflow and JavascriptWorkflow and JavascriptFESI Extensions can be used in Javascript FESI Extensions can be used in Javascript codecode

Created as Java classes implementing the Created as Java classes implementing the Javascript APIJavascript APIInstalled in the ITIM classpathInstalled in the ITIM classpathRegistered in enRole.propertiesRegistered in enRole.properties

Used asUsed asObjectsObjects

var userObj = new extObject();var userObj = new extObject();

FunctionsFunctionsvar userVar = extFunction(val1, val2);var userVar = extFunction(val1, val2);

IBM Software Group

22

Workflow ExtensionsWorkflow ExtensionsJava classes implementing the Workflow Java classes implementing the Workflow APIAPI

Installed in the ITIM classpathInstalled in the ITIM classpathRegistered in workflowextensions.xmlRegistered in workflowextensions.xml

Used by adding an Extension node in the Used by adding an Extension node in the WorkflowWorkflow

Select the class name in Extension NameSelect the class name in Extension NameMap the Input and Output Parameters to Map the Input and Output Parameters to Relevant DataRelevant Data

The Input and Output Parameters are defined The Input and Output Parameters are defined in the Java classin the Java class

IBM Software Group

23

Workflow ExtensionsWorkflow ExtensionsCan be used toCan be used to

Hide sensitive processing logicHide sensitive processing logic

Access external data storesAccess external data storesFilesFiles

DatabasesDatabases

LDAP ServersLDAP Servers

Implement logic difficult to code or Implement logic difficult to code or inefficient in Javascriptinefficient in Javascript

Number crunchingNumber crunching

Encapsulate processing in a single nodeEncapsulate processing in a single node

IBM Software Group

24

Complex Workflows:Complex Workflows:Example 1Example 1

Global Operation (Account Entity Type)Global Operation (Account Entity Type)

Approval_ProcessApproval_Process

IBM Software Group

25

Complex Workflows:Complex Workflows:Example 1Example 1

// Initialise loop instance counter to zero and exitloop switch to false. // Initialise loop instance counter to zero and exitloop switch to false. loopinstance.set(0);loopinstance.set(0);exitloop.set("false");exitloop.set("false");// Check current process type. If not Account Process Type, Loop back through Parent Processes // Check current process type. If not Account Process Type, Loop back through Parent Processes // until Account Process type is found or until the root Parent reached. Default value is et to unknown. // until Account Process type is found or until the root Parent reached. Default value is et to unknown. current = process;current = process;exitwhile = false;exitwhile = false;parentType = "";parentType = "";parentTypeDesc.set("Unknown");parentTypeDesc.set("Unknown");while (!exitwhile) {while (!exitwhile) { if ((current.type.substring(0,1)=="A" || current.type.substring(0,1)=="L") && current.type.length == 2){if ((current.type.substring(0,1)=="A" || current.type.substring(0,1)=="L") && current.type.length == 2){ parentType=current.type;parentType=current.type; exitwhile = true;exitwhile = true; } else if (current.parentId == 0 || current.parentId == "0"){} else if (current.parentId == 0 || current.parentId == "0"){ exitwhile = true;exitwhile = true; } else {current=current.getParent();}} else {current=current.getParent();}}}if (parentType=="AA") {parentTypeDesc.set("Account Add");} elseif (parentType=="AA") {parentTypeDesc.set("Account Add");} elseif (parentType=="AC") {parentTypeDesc.set("Account Change");} elseif (parentType=="AC") {parentTypeDesc.set("Account Change");} elseif (parentType=="AP") {parentTypeDesc.set("Account Password Change");} elseif (parentType=="AP") {parentTypeDesc.set("Account Password Change");} elseif (parentType=="LS") {parentTypeDesc.set("Suspend Multiple Accounts");} elseif (parentType=="LS") {parentTypeDesc.set("Suspend Multiple Accounts");} elseif (parentType=="LR") {parentTypeDesc.set("Restore Multiple Accounts");} elseif (parentType=="LR") {parentTypeDesc.set("Restore Multiple Accounts");} elseif (parentType=="LD") {parentTypeDesc.set("Delete Multiple Accounts");} elseif (parentType=="LD") {parentTypeDesc.set("Delete Multiple Accounts");} elseif (parentType=="LP") {parentTypeDesc.set("Change Password for Multiple Accounts");} elseif (parentType=="LP") {parentTypeDesc.set("Change Password for Multiple Accounts");} elseif (parentType=="AS") {parentTypeDesc.set("Suspend Account");} elseif (parentType=="AS") {parentTypeDesc.set("Suspend Account");} elseif (parentType=="AR") {parentTypeDesc.set("Restore Account");} elseif (parentType=="AR") {parentTypeDesc.set("Restore Account");} elseif (parentType=="AD") {parentTypeDesc.set("Delete Account");}if (parentType=="AD") {parentTypeDesc.set("Delete Account");}// otherAccount Check// otherAccount Checkif (service.get().getProperty("erservicename")[0] == "otherAccount") {if (service.get().getProperty("erservicename")[0] == "otherAccount") { otherAccountCheck.set("true")otherAccountCheck.set("true")}}parentTypeDesc.get(); parentTypeDesc.get();

IBM Software Group

26

Complex Workflows:Complex Workflows:Example 1Example 1

SubjectSubject<JS>function getprop(ob, prop){x=ob.getProperty(prop);if (x.length != 0){return <JS>function getprop(ob, prop){x=ob.getProperty(prop);if (x.length != 0){return

x[0];}else{return "";}}"";</JS>ARMS <JS>if (otherAccountCheck.get() == "false") x[0];}else{return "";}}"";</JS>ARMS <JS>if (otherAccountCheck.get() == "false") {return (service.get().getProperty("erservicename")[0]);} else {return {return (service.get().getProperty("erservicename")[0]);} else {return (getprop(entity.get(), "erOtherAccountService"));}</JS> <JS>if (getprop(entity.get(), "erOtherAccountService"));}</JS> <JS>if (otherAccountCheck.get() == "false") {return (parentTypeDesc.get());} else {return (otherAccountCheck.get() == "false") {return (parentTypeDesc.get());} else {return (getprop(entity.get(), "erOtherAccountOperation"));}</JS> Request For (getprop(entity.get(), "erOtherAccountOperation"));}</JS> Request For <JS>o=owner.get();getprop(o,"cn");</JS> Waiting for Your approval<JS>o=owner.get();getprop(o,"cn");</JS> Waiting for Your approval

MessageMessage<JS>function getprop(ob, prop){ x=ob.getProperty(prop); if (x.length != 0) { return <JS>function getprop(ob, prop){ x=ob.getProperty(prop); if (x.length != 0) { return

x[0]; } else { return ""; }}"";</JS>There is a <JS>if (otherAccountCheck.get() == x[0]; } else { return ""; }}"";</JS>There is a <JS>if (otherAccountCheck.get() == "false") {return (service.get().getProperty("erservicename")[0]);} else {return "false") {return (service.get().getProperty("erservicename")[0]);} else {return (getprop(entity.get(), "erOtherAccountService"));}</JS> account <JS>if (getprop(entity.get(), "erOtherAccountService"));}</JS> account <JS>if (otherAccountCheck.get() == "false") {return (parentTypeDesc.get());} else {return (otherAccountCheck.get() == "false") {return (parentTypeDesc.get());} else {return (getprop(entity.get(), "erOtherAccountOperation"));}</JS> request for (getprop(entity.get(), "erOtherAccountOperation"));}</JS> request for <JS>o=owner.get();getprop(o,"cn");</JS> waiting for your approval.<JS>if <JS>o=owner.get();getprop(o,"cn");</JS> waiting for your approval.<JS>if (otherAccountCheck.get() != "false") {return ("\nAccount Information: " + (otherAccountCheck.get() != "false") {return ("\nAccount Information: " + getprop(entity.get(), "erotheraccountcontent") +"\n");} else {return ("");}</JS>Please getprop(entity.get(), "erotheraccountcontent") +"\n");} else {return ("");}</JS>Please see the service charging information for <JS>if (otherAccountCheck.get() == "false") see the service charging information for <JS>if (otherAccountCheck.get() == "false") {return (service.get().getProperty("erservicename")[0]);} else {return {return (service.get().getProperty("erservicename")[0]);} else {return (getprop(entity.get(), "erOtherAccountService"));}</JS> account from (getprop(entity.get(), "erOtherAccountService"));}</JS> account from http://www.ibm.com To approve/reject the request, go to MyTodo List >> Pending http://www.ibm.com To approve/reject the request, go to MyTodo List >> Pending Requests. Login to ITIM:http://www..ibm.com/ITIM Thank you for using ITIM. If you Requests. Login to ITIM:http://www..ibm.com/ITIM Thank you for using ITIM. If you have any questions please see the ITIM service pages or contact your local Service have any questions please see the ITIM service pages or contact your local Service Desk. Please, do not reply to this message. ITIM is a central webtool for requesting, Desk. Please, do not reply to this message. ITIM is a central webtool for requesting, generating, maintainingand managing System and Application accounts in IBM . generating, maintainingand managing System and Application accounts in IBM . http://www.itim.ibm.com/ITIMhttp://www.itim.ibm.com/ITIM

IBM Software Group

27

Complex Workflows:Complex Workflows:Example 1Example 1

Attribute Name Attribute Value

Node Type Approval node

ActivityID OneDayApprovalTimeout

Activity Name Approval with a 1 Day Timeout

Description Approval Rrequest

Participant

Escalation Participant

Escalation Limit 1 Days 0 Hours 0 Minutes 0 Seconds

Join Type AND

Split Type AND

Entity Type Account

Relevant Data

Attribute Name Attribute Value

Custom participant = new Participant(ParticipantType.SUPERVISOR);

Attribute Name Attribute Value

Custom participant = new Participant(ParticipantType.SUPERVISOR);

ID Type Relevant Data ID

entity Account entity

service Service service

owner Person owner

IBM Software Group

28

Complex Workflows:Complex Workflows:Example 1Example 1

Attribute Name Attribute Value

Node Type Script node

ActivityID LOOP_START

Join Type AND

Split Type AND

Script true;

Attribute Name Attribute Value

Node Type Script node

ActivityID EXIT_LOOP

Join Type AND

Split Type AND

Scriptexitloop.set("true");true;

Attribute Name Attribute Value

Node Type Script node

ActivityID LOOP_END

Join Type AND

Split Type AND

Scriptloopinstance.set(loopinstance.get()+1);true;

IBM Software Group

29

Complex Workflows:Complex Workflows:Example 1Example 1

getApproverDNgetApproverDNprocess.auditEvent("Attempting to get approver details");process.auditEvent("Attempting to get approver details");if (supervisorApproval.get() == "true" ) {if (supervisorApproval.get() == "true" ) { process.auditEvent("Getting normal approver");process.auditEvent("Getting normal approver"); person = owner.get();person = owner.get(); manager = person.getProperty("erSupervisor"); //managers erglobalIdmanager = person.getProperty("erSupervisor"); //managers erglobalId approver.set(manager[0]);approver.set(manager[0]); approver2.set(manager[0]);approver2.set(manager[0]); approver3.set(manager[0]);approver3.set(manager[0]); process.auditEvent("Normal approver resolved");process.auditEvent("Normal approver resolved");} else { //Special Approver} else { //Special Approver process.auditEvent("Getting special approver");process.auditEvent("Getting special approver"); personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in

fesiextension.properties file to use PersonSearch fesiextension.properties file to use PersonSearch searchFilter = "(employeeNumber=" + approverEmpNum.get() +")"; searchFilter = "(employeeNumber=" + approverEmpNum.get() +")"; searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); //2 means search scope searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); //2 means search scope

is subtree is subtree approverEntity = searchResult[0]; //The search result is an array of the directory objects approverEntity = searchResult[0]; //The search result is an array of the directory objects approver.set(approverEntity.dn);approver.set(approverEntity.dn); if (approverEmpNumDeputy1.get() != null) {if (approverEmpNumDeputy1.get() != null) { personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in

fesiextension.properties file to use PersonSearch fesiextension.properties file to use PersonSearch searchFilter = "(employeeNumber=" + approverEmpNumDeputy1.get() +")"; searchFilter = "(employeeNumber=" + approverEmpNumDeputy1.get() +")"; searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); //2 means search scope searchResult = personSearch.searchByFilter("ibmPerson", searchFilter, 2); //2 means search scope

is subtree is subtree approverEntity1 = searchResult[0]; //The search result is an array of the directory objects approverEntity1 = searchResult[0]; //The search result is an array of the directory objects

IBM Software Group

30

Complex Workflows:Complex Workflows:Example 1Example 1

getApproverDNgetApproverDN approver2.set(approverEntity1.dn);approver2.set(approverEntity1.dn);} else {} else { approver2.set(approverEntity.dn); // Same approver as the firstapprover2.set(approverEntity.dn); // Same approver as the first }}if (approverEmpNumDeputy2.get() != null) {if (approverEmpNumDeputy2.get() != null) { personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in personSearch = new PersonSearch(); //ModelExtension needs to be registered for workflow in

fesiextension.properties file to use PersonSearch fesiextension.properties file to use PersonSearch searchFilter = "(employeeNumber=" + approverEmpNumDeputy2.get() +")"; searchFilter = "(employeeNumber=" + approverEmpNumDeputy2.get() +")"; searchResult = personSearch.searchByFilter(“ibmPerson", searchFilter, 2); //2 means search scope searchResult = personSearch.searchByFilter(“ibmPerson", searchFilter, 2); //2 means search scope

is subtree is subtree approverEntity2 = searchResult[0]; //The search result is an array of the directory objects approverEntity2 = searchResult[0]; //The search result is an array of the directory objects approver3.set(approverEntity2.dn);approver3.set(approverEntity2.dn); } else {} else { approver3.set(approverEntity.dn); // Same approver as the firstapprover3.set(approverEntity.dn); // Same approver as the first }} process.auditEvent("Special approver resolved");process.auditEvent("Special approver resolved");}}/* //For debugging if needed/* //For debugging if neededprocess.auditEvent("approverEmpNum " + approverEmpNum.get() );process.auditEvent("approverEmpNum " + approverEmpNum.get() );process.auditEvent("approver " + approver.get() );process.auditEvent("approver " + approver.get() );process.auditEvent("approver2 " + approver2.get() );process.auditEvent("approver2 " + approver2.get() );process.auditEvent("approver3 " + approver3.get() );process.auditEvent("approver3 " + approver3.get() );process.auditEvent("approverEmpNumDeputy1 " + approverEmpNumDeputy1.get() );process.auditEvent("approverEmpNumDeputy1 " + approverEmpNumDeputy1.get() );process.auditEvent("approverEmpNumDeputy2 " + approverEmpNumDeputy2.get() );process.auditEvent("approverEmpNumDeputy2 " + approverEmpNumDeputy2.get() );*/ */

IBM Software Group

31

Complex Workflows:Complex Workflows:Example 1 (continued)Example 1 (continued)

Account RestoreAccount Restore

uses Approval_Processuses Approval_Process

IBM Software Group

32

Complex Workflows:Complex Workflows:Example 2Example 2

Add AccountAdd Account

IBM Software Group

33

Complex Workflows:Complex Workflows:Example 3Example 3

IBM Software Group

Restore AccountRestore Account

IBM Software Group

34

Complex Workflows:Complex Workflows:Example 3Example 3

current = process;current = process;exitwhile = false;exitwhile = false;parentType = "";parentType = "";parentTypeDesc.set("Unknown");parentTypeDesc.set("Unknown");while (!exitwhile) {while (!exitwhile) { if (current.parentId == 0 || current.parentId == "0"){if (current.parentId == 0 || current.parentId == "0"){ parentType=current.type;parentType=current.type; exitwhile = true;exitwhile = true; } else {} else { current=current.getParent();current=current.getParent(); }}}}process.auditEvent("Parent Type: " + parentType);process.auditEvent("Parent Type: " + parentType);if (parentType=="AR") {if (parentType=="AR") { sendEmail.set("false");sendEmail.set("false");} else {} else { sendEmail.set("true");sendEmail.set("true");}}process.auditEvent("sendEmail set to : " + sendEmail.get());process.auditEvent("sendEmail set to : " + sendEmail.get());parentTypeDesc.get(); parentTypeDesc.get();

IBM Software Group

35

Complex Workflows:Complex Workflows:Example 4Example 4

ChangePasswordChangePassword

IBM Software Group

36

Complex Workflows:Complex Workflows:Example 4Example 4

CHECK_REQUESTOR CHECK_REQUESTOR // Check to see if Requestee is also requestor// Check to see if Requestee is also requestorrequestorCheck.set("false");requestorCheck.set("false");sysUserDN = CurrentProcess.getRequestorDN();sysUserDN = CurrentProcess.getRequestorDN();if (sysUserDN=="null" || sysUserDN=="-1" || sysUserDN==null) {if (sysUserDN=="null" || sysUserDN=="-1" || sysUserDN==null) { // Not a human requestor// Not a human requestor requestorCheck.set("false");requestorCheck.set("false");} else {} else { sysUserAccount = SystemUser.getByDN(sysUserDN);sysUserAccount = SystemUser.getByDN(sysUserDN); curr_parent = sysUserAccount.parent.toString();curr_parent = sysUserAccount.parent.toString(); requestorPersonDN=curr_parent.substring(curr_parent.indexOf(':') + 2, curr_parent.length);requestorPersonDN=curr_parent.substring(curr_parent.indexOf(':') + 2, curr_parent.length); requesteeDN = process.requesteeDN;requesteeDN = process.requesteeDN;test = "-" + requesteeDN + "- compared with -" + requestorPersonDN + "- ";test = "-" + requesteeDN + "- compared with -" + requestorPersonDN + "- "; if (requesteeDN == requestorPersonDN) {if (requesteeDN == requestorPersonDN) { requestorCheck.set("true");requestorCheck.set("true"); } else {} else { requestorCheck.set("false");requestorCheck.set("false"); }}}}test += "with result " + requestorCheck.get();test += "with result " + requestorCheck.get();process.auditEvent(test);process.auditEvent(test);test; test;

IBM Software Group

37

Complex Workflows:Complex Workflows:Example 4Example 4

Set_Pwd_change_attrsSet_Pwd_change_attrs// Set Service// Set Service

curr_account = Entity.get();curr_account = Entity.get();

curr_service = curr_account.getProperty("erservice")[0];curr_service = curr_account.getProperty("erservice")[0];

service.set(new Service(curr_service));service.set(new Service(curr_service));

curr_owner = curr_account.getProperty("owner")[0];curr_owner = curr_account.getProperty("owner")[0];

owner.set(new Person(curr_owner));owner.set(new Person(curr_owner));

// Set attributes// Set attributes

// Set erW2kPasswordForceChange to true// Set erW2kPasswordForceChange to true

curr_account.setProperty( "erW2kPasswordForceChange", true );curr_account.setProperty( "erW2kPasswordForceChange", true );

Entity.set(curr_account);Entity.set(curr_account);

true; true;

IBM Software Group

38

Complex Workflows:Complex Workflows:Example 5Example 5

Delete PersonDelete Person

IBM Software Group

39

Complex Workflows:Complex Workflows:Example 6Example 6

Add PersonAdd Person

IBM Software Group

40

Appendix 1Appendix 1

Workflow ElementsWorkflow Elements

IBM Software Group

41

Workflow ElementsWorkflow ElementsStart and EndStart and End

ApprovalApproval

Request for InformationRequest for Information

Work OrderWork Order

ScriptScript

LoopLoop

Operation and SubprocessOperation and Subprocess

ExtensionExtension

Transition LinesTransition Lines

IBM Software Group

42

Start and End ElementsStart and End ElementsAlways existAlways exist

Can’t be deletedCan’t be deleted

Can add Javascript Can add Javascript code to themcode to them

IBM Software Group

43

Approval ElementApproval ElementRequests the Requests the Approval from a Approval from a ParticipantParticipant

The Participant The Participant must be an ITIM must be an ITIM useruserApplicable to People Applicable to People and Accountsand AccountsUsable in Operation Usable in Operation Workflows and Workflows and Entitlement Entitlement WorkflowsWorkflows

Has Postscript tabHas Postscript tab

IBM Software Group

44

Request for InformationRequest for InformationRequests Information Requests Information from a Participantfrom a Participant

The attributes to be The attributes to be provided will be provided will be presented on the Person presented on the Person or Account formor Account form

ACIs not neededACIs not needed

Applicable to People Applicable to People and Accountsand Accounts

Usable in Operation Usable in Operation Workflows and Workflows and Entitlement WorkflowsEntitlement Workflows

Has Postscript tabHas Postscript tab

IBM Software Group

45

Work OrderWork OrderSends email to a Sends email to a ParticipantParticipant

For NotificationFor NotificationTo request some To request some action outside ITIMaction outside ITIM

Participant doesn’t Participant doesn’t need to be ITIM userneed to be ITIM user

Must be in ITIM with Must be in ITIM with mail attribute filledmail attribute filled

Javascript can be Javascript can be used in the messageused in the messageHas Postscript tabHas Postscript tab

IBM Software Group

46

Script ElementScript ElementUsed to run Used to run Javascript codeJavascript code

FESI extensions can FESI extensions can be usedbe used

IBM Software Group

47

Loop ElementLoop ElementExecutes one or more Executes one or more elements in a Loopelements in a Loop

Loop TypesLoop Types Do WhileDo While

Evaluates condition Evaluates condition before executingbefore executing

Do UntilDo Until Evaluates condition Evaluates condition

after each executionafter each execution

Not Supported:Not Supported: Transitions directly into Transitions directly into

and out of the Loop and out of the Loop Nested LoopsNested Loops

IBM Software Group

48

Operation ElementOperation ElementCalls an existing Calls an existing Operation Workflow Operation Workflow from anotherfrom anotherThe called Entity The called Entity Type and Entity in Type and Entity in the called workflow the called workflow can be different can be different from the calling from the calling workflowworkflowThe called workflow The called workflow doesn’t return data doesn’t return data to the calling to the calling workflowworkflow

IBM Software Group

49

Subprocess ElementSubprocess ElementCalls one Calls one Entitlement Entitlement Workflow from Workflow from anotheranother

Must map relevant Must map relevant data in the calling to data in the calling to input parameters in input parameters in the called workflowthe called workflow

IBM Software Group

50

Extension ElementExtension ElementUsed to call an Used to call an application application extension to the extension to the workflow engineworkflow engine

Are Java classesAre Java classesImplement the Implement the Workflow APIWorkflow API

Need to be Need to be registered in registered in workflowextensions.workflowextensions.xmlxml

IBM Software Group

51

Transition LinesTransition LinesExecution Flows Execution Flows that connect that connect Workflow ElementsWorkflow Elements

Any number of Any number of Transition Lines can Transition Lines can enter or leave a enter or leave a Workflow elementsWorkflow elements

Javascript code can Javascript code can be added to be added to Transition LinesTransition Lines

IBM Software Group

52

Transition Lines: Split TypesTransition Lines: Split TypesSplit TypesSplit Types

AndAndAll paths leaving the element will be evaluated All paths leaving the element will be evaluated and all paths evaluated to true will be followed and all paths evaluated to true will be followed

OrOrThe transitions are evaluated until one is The transitions are evaluated until one is found to be “true” and that path is then found to be “true” and that path is then followed; all other paths are not evaluatedfollowed; all other paths are not evaluated

IBM Software Group

53

Transition Lines: Join TypesTransition Lines: Join TypesJoin TypesJoin Types

AndAndAll elements on active paths leading to this All elements on active paths leading to this element must complete before the joined element must complete before the joined element is executedelement is executed

OrOrThe first path leading to the element that is The first path leading to the element that is evaluated to true will cause the element to be evaluated to true will cause the element to be executedexecuted

Since it’s not possible to order the Since it’s not possible to order the paths, only ONE path should paths, only ONE path should evaluate to trueevaluate to true

IBM Software Group

54

Appendix 2Appendix 2

How to Document WorkflowsHow to Document Workflows

IBM Software Group

55

How to Document WorkflowsHow to Document Workflows

IBM Software Group

56

How to Document WorkflowsHow to Document Workflows

IBM Software Group

57

How to Document WorkflowsHow to Document Workflows

IBM Software Group

58

How to Document WorkflowsHow to Document Workflows

IBM Software Group

59

How to Document WorkflowsHow to Document Workflows

IBM Software Group

60

Thank you!Thank you!