====== New Workflow Engine ====== The IdStory IDM includes a proprietary workflow implementation for use in approval processes. The goal is to enable administrators to configure approval processes easily and flexibly, with full control over the sequence and conditions of approval steps. Auditability and robustness of the entire process are ensured. ===== New Workflow Engine Adds Agendas: ===== * Workflows * Approval Processes * Tasks (WF) ==== Workflow Agenda ==== The workflow agenda serves to create definitions for individual workflows. A workflow defines a sequence of steps in the approval process using visual programming nodes, where each node represents one step of the approval process by a specific group (or individual) of approvers. The sequence of steps is visually displayed in the workflow definition and edited directly in the IDM editor. Each node in the approval process has a specific type, and depending on the type, may have additional attributes. The result of each node’s evaluation is an output state (e.g., “approved” or “rejected”), which leads to the next node in the approval process. INSERT SCREENSHOT HERE === Node Types === === Control Nodes === Control nodes are not approval steps themselves but govern the evaluation of the approval process: * **Start** - The workflow begins here; no approval step is defined. * **End** - The workflow ends here with successful approval; no further approvable step is defined. * **Condition** - Defines a condition in the approval process that evaluates to TRUE or FALSE, allowing for branching. It contains attributes: * Condition Type * Left Operand * Right Operand * Operator INSERT SCREENSHOT HERE === Condition Types in the Process === * Role Attribute * Guarantor Type Existence - compares the existence (or non-existence) of a role guarantor of the specified type. * Role Criticality - compares the criticality value of the role with a numeric value. === Approval Nodes === Approval nodes define a specific approval step with a set of approvers (could be a single approver). If the WF engine does not find anyone in the set of approvers (e.g., because no one has an assigned role), the approval task is automatically created for the administrator (login: admin). ==== Types of Approval Nodes ==== * **Approval by Identity** - The node defines a specific identity that approves in the given step. * **Approval by Role** - The node defines a specific role representing the approvers in this step, considering role hierarchy (e.g., if the role is assigned as subordinate). Only valid/active users are considered. * **Approval by Role Guarantor** - For role change/removal/addition approval, the set of approvers corresponds to the guarantor of the specified role. * Includes an attribute to select only a guarantor of a particular type (guarantee-type). * **Approval by Script** - The set of approvers is calculated by a Groovy script, which must return a list of identities. * **Approval by Supervisor/Guarantor of Identity** - The set of approvers is the supervisor or guarantor of the identity requested for approval. ==== Approval Process Agenda ==== An approval process assigns a workflow to a specific event in IdM that requires approval. The system allows the same workflow to be used repeatedly for multiple events; however, some types of approval nodes (e.g., approval by role guarantor) can only be used with specific approval processes (e.g., those concerning role assignments). INSERT SCREENSHOT HERE ==== Approval Processes ==== Each approval process includes: * **Name** - A human-readable name identifying the approval process. * **Code** - A machine-readable and unique identifier for the approval process. * **Event** - The event to which the approval process is applicable. In the current version, IDM supports these events: * Role Definition Creation * Role Definition Deletion * Role Addition to User * Triggered on a role change request where a role is added. * If marked as “do not approve,” the workflow is not triggered. * Role Removal from User * Triggered on a role change request where a role is removed. * If marked as “do not approve,” the workflow is not triggered. * Not triggered for unassignment or departure (automated). * Role Modification for User * Triggered on a role change request where role attributes or validity change. * If marked as “do not approve,” the workflow is not triggered. * **Selected Workflow** - Specifies the predefined workflow used for an event that meets the filter condition. * **Order** - Approval processes are evaluated based on this order (from lowest to highest), always using the first approval process that matches the event (event and condition). * **Condition** - An approval process may contain a condition that restricts the events for which it applies; currently, only a condition on identity type (projection) is supported. INSERT SCREENSHOT HERE ==== Approval Process Management ==== Approval processes can be managed by an admin (controlled by IdM permissions) in the approval process agenda where: * All active approval processes are visible. * Approval processes can be deleted, created, or edited. * Current running approval processes always complete based on the workflow that was in place when they were created. INSERT SCREENSHOT HERE ==== Concurrency with Old Workflows ==== In the current IdM version, approval processes can be configured using both old workflows and the new system. In such cases, users will see two task agendas (Tasks and Tasks WF), each handling tasks from the respective approval processes. INSERT SCREENSHOT HERE Properties that enable showing both agendas are** idm.pub.core.workflows.legacy.enabled **and** idm.pub.core.workflows.wfengine.enabled** (by default true for IdM 15) ==== Request ~ Task Relationship ==== A role change request can include multiple different changes - removal, addition, modification of individual roles. Each change creates its own instance of an approval workflow = process, according to the applicable approval process rules. In the approval process, individual users approve or reject tasks. The request is executed = roles are assigned in IdM only after all approval processes are completed (approved or rejected). After the request is executed, provisioning to systems follows, and only approved changes are implemented. ==== Aggregate notifications ==== It is possible to aggregate notifications for new approval tasks, so that instead of getting one notification per new approval task, the users now get a regular notification (with configurable frequency) that lists all approval tasks on their person. The notification only comes if they recerived new approval tasks since the last notification. To configure the notification, you need to: * Disable the individual notification by disabling the topic **core:wfAssignedTaskNotificationMessage** * Plan the scheduled task **NewApprovalTaskBulkNotificationTaskExecutor** * Ensure that you have the topic **core:****wfAssignedTaskBulkNotificationMessage **active and that you have a template for it * The default template looks like so: Dobrý den,

#if($tasks.size() == 1) byl Vám přiřazen nový schvalovací úkol: #else byly Vám přiřazeny nové schvalovací úkoly: #end
#foreach( $task in $tasks ) #end #if($restCount> 0) #if($restCount <5) #else #end #end
Schvalovací úkol
$esc.xml($task.getTaskNameCs())
a $restCount další
a $restCount dalších
Celkově máte $totalCount #if($totalCount == 1) úkol #elseif($totalCount <5) úkoly #else úkolů #end ke schválení, dokončete #if($tasks.size() == 1) ho, #else je, #end prosím, v systému CzechIdM. Zobrazit #if($tasks.size() == 1) ho #else je #end můžete zde.

S pozdravem BCV Solutions s.r.o.

-------------------------------------------------------------------------------------
Hello,

You have been assigned new #if($tasks.size() == 1) task #else tasks #end for approval:
#foreach( $task in $tasks ) #end #if($restCount> 0) #end
Task for approval
$esc.xml($task.getTaskNameEn())
and $restCount more
You have a total of $totalCount #if($totalCount == 1) task #else tasks #end for approval. Please complete #if($totalCount == 1) it #else them #end in the CzechIdM system. You can access #if($totalCount == 1) it #else them #end here.

Regards BCV Solutions Ltd.

==== Approval task reminder notification ==== It is possible to create a regularly scheduled long running task to remind people about their assigned and still running approval tasks.\\ {{.:pasted:20260309-155415.png}} The long running task can send the notifications either to the approvers themselves or to their managers - the topics for those two notifications can be set independently. The long running task sends one (or two - if configured to send it both to approvers and their managers) notifications for every user that has at least one running approval task with age between the minimum number of days and maximum number of days (both boundaries are inclusive). Inside this notification, at most [tasksToSend] of those tasks are listed. === \\ Parameters of the long running task: === - minimum days open: how long at least an approval task has to be open to be included in the notification. - maximum days open: how long at most can an approval task be open to be included in the notification. - tasks to send: how many tasks are listed in the notification itself (the rest are only mentioned as "and X more") - notify approvers: whether or not the notification should be sent to the approvers - notify managers: whether or not the notification should be sent to the managers of the approvers - topic for approvers: topic for the approver notification, the task will expect a notification configuration with this topic and level INFO - topic for managers: topic for the manager notification, the task will expect a notification configuration with this topic and level INFO === Parameters passed to the notification template: === - tasks: list of running tasks with age within minimum days and maximum days - contains at most [tasksToSend] items - url - url to the list of the user's tasks - in approver notification only - restCount - count of running tasks within the specified timespan not included in 'tasks' - totalCount - count of all running tasks (regardless of age) assigned to the user - approver - the approver assigned to the tasks in this notification === Use case for escalating notifications: === If you want to configure a way to notify the approvers with increasing level of urgency, it is possible to set up multiple non-overlapping reminder tasks such as: - First long running reminder task with minimum days open 7, maximum days open 13 and a custom topic for low urgency reminder that only notifies the approver. {{.:pasted:20260310-094907.png}} - Second long running task with minimum days open 14, maximum days open 20 and a custom topic for medium urgency reminder that only notifies the approver but the notification mentions that next week the manager will be notified. {{.:pasted:20260310-094907.png}} - Third long running task with minimum days open 21, no maximum days open and two custom topics for high urgency reminders - one for the approver and one for their manager. {{.:pasted:20260310-094907.png}} Note that for this to work there have to be notifications configurations for all of the topics with the NotificationLevel INFO. There doesn't have to be any notification configuration for the 'none' topic - any value in the topic field for which the checkbox is left unchecked will be ignored as no notification is sent with that topic.