Systems - Groups synchronization workflow

This tutorial is a guide to modifying the workflow for synchronizing groups from Active Directory. After the workflow is modified, group synchronization can:

  • create automatic roles by:
    • organization structure
    • attributes
  • create a role catalog
  • assign roles to a catalog
  • provision membership of identities to another system
  • resolve membership where users already have groups assigned in another system

In this tutorial we will be using Eclipse and the Activiti framework.

For synchronizing groups from AD, we have prepared the workflow "syncRoleLdap.bpmn20.xml".

The workflow modifies these synchronization actions:

  • Linked/update entity
  • Missing entity/create entity
  • Unlinked/create link and update entity

The workflow is divided into 9 activities, but mainly only the first four need to be modified.

First of all, it is crucial to set the data objects in the Data Objects tab.

  • STRUCTURE_FORM_ATTRIBUTE - code of the eav of an organization tree node. It is used to add an automatic role by organization structure. Every organization structure node should have this eav set to some value, which determines which role gets an automatic role on which tree node.
  • CODE_OF_TYPE_STRUCTURE - code of the structure; this defines which organization tree is used for searching/creating automatic roles by organization structure. The default value means the default organization tree.
  • AUTO_ROLE_ORG_STRUCTURE_ENABLED - if false, the automatic roles by attribute methods are skipped.
  • AUTO_ROLE_ATTRIBUTES_ENABLED - if false, the automatic roles by organization structure methods are skipped.

The workflow was updated so that you can now just add properties to the application and do not have to change the workflow file at all. Application properties are specified in the Settings agenda in the Configuration tab (as you can see in the picture below).

With the Add button you can add any of the properties described below and configure the workflow.

  • idm.pub.acc.syncRole.role.canBeRequested - (true/false) - sets on all roles whether the role can be requested by an identity
  • idm.pub.acc.syncRole.system.mapping.objectClassName - this is important for provisioning the member attribute of an identity. It is the object class name of the identity schema. It can usually stay as "__ACCOUNT__"
  • idm.pub.acc.syncRole.system.mapping.attributeMemberOf - the name of an attribute in the identity provisioning mapping. It is usually memberOf or ldapGroup. This attribute is added to the role's mapping with a transformation script (which is set later).
  • idm.pub.acc.syncRole.system.mapping.attributeRoleIdentificator - the name of the attribute in the connector which holds the distinguished name of a role.
  • idm.pub.acc.syncRole.provisioningOfIdentities.system.code - the code (name) of the system where identities are provisioned.
  • idm.pub.acc.syncRole.identity.eav.externalIdentifier.code - code of the eav holding the distinguished name of identities. It is used when creating an entity in the Missing entity situation. It is important when groups in AD already have members and some of the identities' DNs cannot be calculated again.
  • idm.pub.acc.syncRole.roleCatalog.ResolveCatalog - (true/false) - this property disables creating the catalogue.
  • idm.pub.acc.syncRole.resolveMembership - (true/false) - with this property you can turn on resolving role memberships even in situations other than creating a role. This is usually used when connecting a system for role synchronization after you forgot to configure 'externalIdentifier'.
  • idm.pub.acc.syncRole.roles.allToOneCatalog - name of a catalog; all roles will be added to this 'folder'
  • idm.pub.acc.syncRole.roles.attributeNameOfMembership - default value 'member'; the name of the role attribute in the source system which holds the identifiers of identities

This activity gets some attributes, such as the name and the distinguished name, from icAttributes. You can get others if they are needed in the following activities. The following variable is also set:

execution.setVariable("TRANSFORMATION_SCRIPT", "\""+distinguishedName+"\"");

The value of this variable is used as the transformation script (it is used for provisioning the member attribute of identities).
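As an added example (not code from the original workflow), the following Groovy snippet shows what the line above produces and adds the escaping a practitioner would want: the value of TRANSFORMATION_SCRIPT is itself Groovy source that is evaluated later, so a group DN containing a quote or a backslash would break the generated script or change its meaning. The `execution` object and `distinguishedName` variable are assumed to be the ones available in the script task; the sample DNs are constructed for this example.

```groovy
// Added example: build the TRANSFORMATION_SCRIPT value so that the DN is always
// embedded as data. The sample DN is constructed; in the workflow the script
// task already has 'distinguishedName' and 'execution'.
def distinguishedName = 'CN=Sales,OU=Groups,OU=Company,DC=example,DC=com'

// Turn an arbitrary string into a Groovy single-quoted literal. Backslashes and
// single quotes are escaped, and single quotes are used (instead of the double
// quotes in the original line) so that '$' in a DN cannot trigger GString
// interpolation when the generated script is evaluated.
String groovyStringLiteral(String value) {
    def escaped = value.replace('\\', '\\\\').replace("'", "\\'")
    return "'" + escaped + "'"
}

def script = groovyStringLiteral(distinguishedName)
// In the workflow this is the value you would set:
// execution.setVariable("TRANSFORMATION_SCRIPT", script)

// Evaluating the generated script must yield exactly the DN, also for a name
// (constructed) containing characters that the plain "\"" + dn + "\"" form
// would not survive.
def shell = new GroovyShell()
assert shell.evaluate(script) == distinguishedName

def oddName = 'CN=O\'Brien\\, Sales "temp",OU=Groups,DC=example,DC=com'
assert shell.evaluate(groovyStringLiteral(oddName)) == oddName
println "TRANSFORMATION_SCRIPT = " + script
```

The point of the check at the end is that the transformation script is generated source: whatever ends up in the group's DN in AD is executed in IdM, so it should only ever be able to appear as a string value.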

In this script, it is crucial to find, for the role, the tree node (organization) on which an automatic role by organization structure will be created, and to set it in a variable like:

execution.setVariable("organizationTreeNode", pomList.get(0));

This script only needs slight changes to work fine. By default, it searches for a tree node whose eav contains the name of the role. In the previous activity you can get another attribute, and a substring of it should be enough.

This part creates the attributes for an automatic role. There can be more than one attribute, but only identity/contract attributes or identity/contract eavs are supported. You should create the attributes (by the default algorithm), put them into the field and finally into the "automaticAttributes" variable.

This part is about the role catalog. There are two methods. The first method creates a catalog based on the distinguished name of the role: the rightmost OU value is the root of the catalog, the other OUs from the right are represented as nested folders, and the role is assigned to the leftmost OU/catalog.

The other method removes folders of a catalog: if a role was transferred to another catalog, find the old one and set it in the "catalogue" variable, and it will be erased.
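To make the two catalog methods concrete, here is an added Groovy example (not the workflow's own code) that derives the catalog path the first method builds from a role's distinguished name, and computes the old catalog the second method should erase when the role has moved. It uses the standard `javax.naming.ldap.LdapName` parser, which handles escaped commas in RDN values; the DNs are constructed for this example, and creating or deleting the actual IdM catalogue entities is left to the workflow's methods.

```groovy
import javax.naming.ldap.LdapName

// Added example, not the workflow's own code. DNs below are constructed.

// OU values from root to leaf. LdapName indexes RDNs from the rightmost one
// (index 0), so iterating in order already yields the catalog root first and
// the leftmost OU (the catalog that receives the role) last.
List<String> catalogPathFromDn(String dn) {
    new LdapName(dn).rdns
        .findAll { it.type.equalsIgnoreCase('OU') }
        .collect { it.value.toString() }
}

// Root of the catalog, the folder chain, and the target catalog for the role.
Map<String, Object> catalogForRole(String dn) {
    def path = catalogPathFromDn(dn)
    if (path.isEmpty()) {
        // Role sits directly under DC=...: nothing to build.
        return [root: null, folders: [], target: null]
    }
    [root: path.first(), folders: path, target: path.last()]
}

// If the previous DN placed the role in a different catalog, that old catalog
// (as a root/.../leaf path) is the candidate for the "catalogue" variable.
String catalogToErase(String previousDn, String currentDn) {
    def oldPath = catalogPathFromDn(previousDn)
    def newPath = catalogPathFromDn(currentDn)
    (oldPath && oldPath != newPath) ? oldPath.join('/') : null
}

def currentDn  = 'CN=App-Admins,OU=Applications,OU=Groups,OU=Company,DC=example,DC=com'
def previousDn = 'CN=App-Admins,OU=Legacy,OU=Groups,OU=Company,DC=example,DC=com'

assert catalogForRole(currentDn) == [root: 'Company',
                                     folders: ['Company', 'Groups', 'Applications'],
                                     target: 'Applications']
assert catalogToErase(previousDn, currentDn) == 'Company/Groups/Legacy'
assert catalogToErase(currentDn, currentDn) == null
// Escaped comma inside an OU value stays part of that single folder name.
assert catalogPathFromDn('CN=X,OU=Sales\\, EMEA,OU=Company,DC=example,DC=com') == ['Company', 'Sales, EMEA']

println catalogForRole(currentDn)
```

Comparing the whole old and new paths, rather than only the leaf names, avoids erasing a folder that merely shares its name with one elsewhere in the tree.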

That should be all, but if you made bigger changes to the methods you should test your new workflow. After modifying the workflow, don't forget to update it in IdM.