ISIM/ITIM Custom Operational Workflow Guide
You can create custom workflows in IBM Security/Tivoli Identity Manager. There is not much in the way of good guides on the Internet for newcomers to ISIM, so I am writing this up to help you understand how a workflow works and how to write one.
The workflow requirement is simple:
Whenever a specific type of account (let's say an LDAP/AD account) is requested for any user who holds a specific role (let's say Manager), ISIM should trigger a notification email to the HR/RMG group DL (email distribution list).
Let's say the RMG email group DL here is rmg-org@avijitonthemove.blogspot.com.
There are two ways this can be achieved:
1> by modifying the operational workflow for account creation (for AD/LDAP)
2> by creating a new account request workflow and using it in the AD/LDAP provisioning policy.
We're working here on ISIM v6.0, so the classes used might be deprecated in your version. Depending on your version, search for "ISIM JS Extension" and check the class reference from IBM yourself before applying these scripts blindly.
Method 1:
1> Log in to ISIM.
2> Go to "Configure System", then Manage Operations.
3> Select Entity Level.
4> Select Account and LDAP/Windows AD Account.
5> Select the Add operation and click Change.
The workflow applet should run, and the default workflow defined by the system will look like this.
Add a mail node by dragging it from the left panel to the workflow area and give it the name "mail_send".
Select Recipient (With Email) (click the [...]) and select the user you want to send the email to. In the following screenshot the user name is Avijit Sarkar (who has email id rmg-org@avijitonthemove.blogspot.com).
Select Join Type and Split Type as AND.
Now go to the Notification tab and click Load from Template. You may create a template with all the information you want to send in the email, or you can use an existing one. Here I have provided a basic mail template that sends the user ID, first name, last name and supervisor name of the new manager user being created.
Now click OK. Your mail node is ready to send email; we just need to add the logic.
The logic you need to write, in a script element, detects an account creation request for a user who has the Manager role.
So now let's drag a script component from the left panel.
Before proceeding further, click on Properties as shown in the image below (red circle) and add a relevant data item of type Boolean. Let's name it RoleChecker. Click OK.
Now open the script element, name the node check_Roles and write the script below:
// Load the person for whom the account is being requested (the requestee).
var CurPerson = new Person(process.requesteeDN);
// Record in the RoleChecker relevant data whether that person holds the Manager role.
if (!CurPerson.isInRole("Manager")) {
    RoleChecker.set("false");
} else {
    RoleChecker.set("true");
}
So this script checks whether the person for whom the account is being requested has the Manager role assigned. If the Manager role is assigned it sets the RoleChecker boolean variable to true; otherwise it sets it to false.
Now we need to modify the transition lines to connect all these components.
Right-click the transition line between check_Roles and the End node, set the condition to Custom and put the script below (the name must match the relevant data exactly, since JavaScript identifiers are case-sensitive):
RoleChecker.get() == "false";
Right-click the transition line between check_Roles and the mail_send node, set the condition to Custom and put the script below:
RoleChecker.get() == "true";
Once all the transition line updates are complete, the final diagram should look like below.
Once this is done, click Update (beside the Properties option); that should update the default workflow behaviour for adding an LDAP/Windows AD account.
Method 2:
Sometimes the system-defined workflow cannot be changed as shown in Method 1. Then an alternative can be implemented using this method.
The prerequisite for this method is that you must have a dedicated provisioning policy for the role "Manager".
Now let's go to the Account Request Workflow option as shown:
Create a new workflow, name it Email_Workflow, and select the proper service type: for LDAP use LDAP Profile, for AD use Active Directory Profile. Select the business unit in which the role is created, then go to the Activity tab and select the Advanced radio button; that should allow you to run the workflow applet.
As in Method 1, create a mail node and a script node (RequestChecker).
This time the script should be as below. As in Method 1, before creating the script, create a new relevant data item of type Boolean named "createRequestCheck".
While drawing the transition lines, the condition between the script node RequestChecker and Mail_Node should be createRequestCheck.get() == "true"; and the condition between RequestChecker and RETURN_APPROVED should be createRequestCheck.get() == "false";
This ensures the mail is only sent when there is a new account creation request, and not for a normal account modification request for an existing user.
Finally the workflow should look like below:
Once this workflow is created, click Update, then Apply and OK.
Then open the PP (provisioning policy) for the Manager role and select this workflow (Email_Workflow) in it.
Hopefully this gives you some idea of how to write simple and slightly more complex workflows in IBM Security/Tivoli Identity Manager.
Please subscribe to my blog as a token of appreciation if you like this.
And subscribe to my YouTube channel to encourage me to write/share more on security-related information.
https://www.youtube.com/channel/UCCic8ix-BgwAb48Fjyc7A9w
Keep Learning & Enjoy Learning.
Thank you.
With Best Regards,
Avijit
Hello!! I'm new with ISIM and I have a doubt, hope you can help me. I have created a Role in ISIM and I published it so a user could request it. Every time a user requests this Role, an email notification is sent to the person in charge of that role. Do you have a simple example like this? I still don't get the idea of how to create this workflow. Help is appreciated.