
Systems - Groups synchronization workflow

The current stable version of this workflow can be found in the extras module. It is highly recommended to use the version from extras instead of the core version.

This tutorial is intended as a guide to modifying the workflow that synchronizes groups from Active Directory. After modifying this workflow, synchronization of groups can:

For management of membership there are currently a few special characters that are unsupported. Role names cannot contain: " ' \

Before you start

In this tutorial we will be using Eclipse and the Activiti framework.

Workflow

For synchronizing groups from AD, we have prepared the workflow "syncRoleLdap.bpmn20.xml".

The workflow has modified these actions:

The workflow is divided into 9 activities, but only the first four activities are the ones intended to be modified.

Data Objects

First of all, it is crucial to set the data objects in the Data Objects tab.

Set application properties

The workflow was updated, and now you can simply add properties to the application; you do not have to change the workflow file in any way. Application properties are specified in the Settings agenda in the Configuration tab (as you can see in the picture below).

With the Add button you can add any of the properties described below and configure the workflow.

The following properties are used when the workflow creates roles that manage group membership of accounts in a connected system:

Managing group membership of accounts - more special options for the roles:

The workflow can load group membership from the system. That means that if a group in AD has members and you want to assign roles to IdM identities based on that, you can use this workflow to do it. Typically, you would do this only as an initial load. Necessary properties:

Settings of the created role - properties related to requesting roles and role approval:

The workflow can create folders in the role catalogue. It can be either a single folder or a tree structure of folders based on the DNs of the roles:

Since Extras version 1.8.0 there are two new options which help with the following use case: I have more than one AD system connected as a group source. The workflow has a "global" configuration via application properties, so I am not able to run a scheduled synchronization that puts groups from one AD into catalogue "one" and groups from the second AD into catalogue "two"; the same issue applies to mapped systems. These changes are backward compatible: if you do not set the new properties, the workflow behaves the same as in the previous version. If you set a property, the new behavior is turned on.

Set attributes activity

This activity gets some attributes from icAttributes, such as name and distinguished name. You can get other attributes if they are needed in the following activities. The following attribute is also set:

execution.setVariable("TRANSFORMATION_SCRIPT", "\""+distinguishedName+"\"");

The value of this attribute is used as the transformation script (it is used for provisioning the member attribute of identities).
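The distinguished name is embedded in a double-quoted string literal, which is why the characters listed as unsupported earlier (" ' \) must not reach this step. The following is an added illustration in Python, not the workflow's own Groovy script task: it builds the same quoted literal the activity stores in TRANSFORMATION_SCRIPT and rejects group names or DNs containing those characters before a role is created. The function names and the sample groups are constructed for this example.

```python
from __future__ import annotations

# Added illustration (Python, not the workflow's own Groovy script task):
# the "Set attributes" activity wraps the distinguished name in double quotes
# and stores it as TRANSFORMATION_SCRIPT.  Because the DN becomes a quoted
# string literal, the characters the page lists as unsupported in role
# names (" ' \) are rejected before a group is turned into a role.

UNSUPPORTED_CHARS = frozenset('"\'\\')   # the three characters named on the page


def find_unsupported_chars(value: str) -> list[str]:
    """Return the unsupported characters present in value, sorted; [] means OK."""
    return sorted(c for c in UNSUPPORTED_CHARS if c in value)


def build_transformation_script(distinguished_name: str) -> str:
    """Build the same quoted literal the workflow stores in TRANSFORMATION_SCRIPT.

    Raises ValueError instead of producing a literal that a quote or backslash
    inside the DN would corrupt.
    """
    bad = find_unsupported_chars(distinguished_name)
    if bad:
        raise ValueError(f"unsupported characters {bad} in DN {distinguished_name!r}")
    return '"' + distinguished_name + '"'


def prepare_groups(groups: list[dict]) -> tuple[dict, dict]:
    """Validate a batch of AD groups (dicts with 'name' and 'distinguishedName').

    Returns (accepted, rejected): accepted maps role name -> transformation
    script, rejected maps role name -> list of offending characters.
    """
    accepted, rejected = {}, {}
    for group in groups:
        name, dn = group["name"], group["distinguishedName"]
        bad = find_unsupported_chars(name) or find_unsupported_chars(dn)
        if bad:
            rejected[name] = bad
        else:
            accepted[name] = build_transformation_script(dn)
    return accepted, rejected


# Constructed sample input; these are not groups from any real directory.
SAMPLE_GROUPS = [
    {"name": "Admins", "distinguishedName": "CN=Admins,OU=IT,DC=example,DC=com"},
    {"name": "O'Brien Team", "distinguishedName": "CN=O'Brien Team,OU=IT,DC=example,DC=com"},
    {"name": "Audit", "distinguishedName": 'CN=Audit "2024",OU=IT,DC=example,DC=com'},
]

if __name__ == "__main__":
    ok, bad = prepare_groups(SAMPLE_GROUPS)
    for name, script in ok.items():
        print(f"accepted {name}: TRANSFORMATION_SCRIPT = {script}")
    for name, chars in bad.items():
        print(f"rejected {name}: unsupported characters {chars}")
```

Running the block shows one accepted group and two rejected ones; in the real workflow the rejected groups are the ones whose roles would otherwise end up with a broken transformation script, so logging them during synchronization is the easiest way to spot them.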

Set automatic role by org structure

In this script, it is crucial to find the tree node (organization) for the role, so that an automatic role by organization structure can be created, and to set it to a variable like:

execution.setVariable("organizationTreeNode", pomList.get(0)); 

This script only needs slight changes to work correctly. By default, it searches for a tree node whose EAV contains the name of the role. In the previous activity we can also get another attribute, and with a substring that should be enough.

Set automatic role by attributes

This part creates the attributes for an automatic role. There can be several attributes, but only identity/contract attributes or identity/contract EAVs. You should create the attributes (using the default algorithm), put them into the field and finally into the "automaticAttributes" variable.

Resolve catalogue

This part is about the role catalogue. There are two methods. The first method creates the catalogue based on the distinguished name of the role. The rightmost OU value is the root of the catalogue, the other OUs from the right are represented as nested folders, and the roles are placed in the leftmost OU/catalogue.
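The layout just described can be derived from nothing but each role's DN. The block below is an added illustration in Python of that derivation, not the workflow's own Groovy catalogue method: it splits a DN into RDNs (honouring backslash-escaped commas), turns the OU chain into a root-to-leaf folder path, and builds the resulting folder tree for a batch of groups. The Folder class, the function names and the sample DNs are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added illustration (Python, not the workflow's own Groovy): the catalogue
# layout derived purely from each role's distinguished name.


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs in left-to-right order.

    Handles backslash-escaped separators (e.g. 'OU=Sales\\, EMEA') as RFC 4514
    allows; multi-valued RDNs ('CN=a+OU=b') are not handled (simplified parser).
    """
    components, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":            # an unescaped comma ends the current RDN
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    components.append("".join(buf))
    rdns = []
    for component in components:
        attr_type, _, value = component.strip().partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def catalogue_path(dn: str) -> tuple[list[str], str]:
    """Return (folder path from catalogue root to leaf, role name) for a group DN.

    The rightmost OU is the root, every OU to its left is a nested folder and
    the role is placed in the leftmost OU.  A DN without any OU yields an empty
    path, i.e. the role goes directly under the root.
    """
    rdns = split_dn(dn)
    ous = [value for attr_type, value in rdns if attr_type == "OU"]
    cns = [value for attr_type, value in rdns if attr_type == "CN"]
    if not cns:
        raise ValueError(f"no CN in DN {dn!r}")
    return list(reversed(ous)), cns[0]


@dataclass
class Folder:
    """One catalogue folder: named subfolders plus the roles placed directly in it."""
    name: str
    subfolders: dict[str, Folder] = field(default_factory=dict)
    roles: list[str] = field(default_factory=list)


def build_catalogue(dns: list[str]) -> Folder:
    """Build the folder tree for a batch of group DNs.

    The returned Folder is an unnamed root whose subfolders are the catalogue
    roots (one per distinct rightmost OU).
    """
    root = Folder(name="")
    for dn in dns:
        path, role = catalogue_path(dn)
        node = root
        for folder_name in path:
            node = node.subfolders.setdefault(folder_name, Folder(name=folder_name))
        node.roles.append(role)
    return root


def render(folder: Folder, indent: int = 0) -> list[str]:
    """Flatten the tree into indented lines for a quick visual check."""
    lines = []
    for name, sub in sorted(folder.subfolders.items()):
        lines.append("  " * indent + name + "/")
        lines.extend(render(sub, indent + 1))
    for role in sorted(folder.roles):
        lines.append("  " * indent + "- " + role)
    return lines


# Constructed sample DNs; not taken from any real directory.
SAMPLE_DNS = [
    "CN=Admins,OU=Teams,OU=IT,DC=example,DC=com",
    "CN=Helpdesk,OU=IT,DC=example,DC=com",
    "CN=Sales\\, EMEA,OU=Sales,DC=example,DC=com",
]

if __name__ == "__main__":
    print("\n".join(render(build_catalogue(SAMPLE_DNS))))
```

For the sample DNs this yields a catalogue root "IT" with a nested folder "Teams" holding "Admins", "Helpdesk" directly under "IT", and a second root "Sales"; splitting on an unescaped comma only is what keeps "Sales, EMEA" as one OU instead of two folders.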

The other method removes folders from a catalogue: if a role is transferred to another catalogue, find the old one and set it in the "catalogue" variable, and it will be erased.

This should be all, but if you made bigger changes to the methods you should test your new workflow. After modifying the workflow, don't forget to update the workflow in IdM.