Novell Doc: Identity Manager User Application: Design Guide

8.1 Configuring Activities

After you’ve added an activity to the workflow diagram, you can specify the properties, data mappings, and e-mail notification settings associated with the activity. For details on adding activities to a workflow, see Section 7.2, Adding Activities to a Workflow.

To configure a workflow activity:

Click the activity in the workflow diagram.
Set the property values for the activity on the Properties tab.

If the Properties tab is not displayed, right-click the activity in the workflow diagram and select Show Properties.

HINT:You can also display the Properties tab by selecting Show Properties from the PRD menu.
Set the data mappings on the Data Item Mappings tab.

If the Data Item Mappings tab is not displayed, right-click the activity in the workflow diagram and select Show Data Item Mapping.

HINT:You can also display the Data Item Mappings tab by selecting Show Data Item Mapping from the PRD menu.
Specify the e-mail notification settings on the Email Notification tab.

If the Email Notification tab is not displayed, right-click the activity in the workflow diagram and select Show Email Notification.

HINT:You can also display the Email Notification tab by selecting Show Email Notification from the PRD menu.

Editing an e-mail template You can edit an e-mail template in Designer. To do this, select an Identity Vault in the Modeler, then scroll to Default Notification Collection in the Outline View. Right-click a template, then select Edit Template.

8.1.1 Start Activity

The Start activity is the first activity to execute in a workflow. It begins execution when the user makes a request to provision a resource. After the user makes the request, the Start activity displays the initial request form to the user. On the initial request form, the user may be asked to specify a comment that indicates the reason for the request.

You can customize the initial request form to suit your application requirements. For details on customizing forms, see Section 6.0, Creating Forms for a Provisioning Request Definition.

Before displaying the form to the user, the Start activity performs any pre-activity data mappings specified for the activity.

After the user submits the form, the Start activity performs any post-activity data mappings specified for the activity. These mappings typically include copying data from form fields into the flowdata object.

Properties

The Start activity has the following property:

Table 8-1 Start Activity Property

Property Name	Description
Name	Provides a name for the activity.

Data Item Mapping

To bind the data items associated with the Start activity, you define pre-activity and post-activity mappings. The pre-activity mappings initialize data in the request form with constants or values retrieved from the flowdata object. The post-activity mappings move form data back into the flowdata object.

Table 8-2 Start Activity Data Item Mappings

Setting	Description
Pre-Activity	Allows you to specify one or more pre-activity mappings. When this option is selected, you can double-click a cell in the Source Expression column to specify where the initial request form gets data for a particular target form field. NOTE:When the Pre-Activity option is selected, the cells in the Target Form Field column are not editable.
Post-Activity	Allows you to specify one or more post-activity mappings. When this radio button is selected, you can double-click on a cell in the Target Expression column to specify where data from a form field should be copied after the form has been processed. NOTE:When the Post-Activity option is selected, the cells in the Source Form Field column are not editable.
Source Expression	Specifies a source expression for a pre-activity mapping. When you click a cell in the Source Expression column, the ECMA expression builder displays to help you define your expression.
Target Expression	Specifies a target expression for a post-activity mapping. When you click a cell in the Target Expression column, the ECMA expression builder displays to help you define your expression.

For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

Email Notification

Not supported with this activity.

8.1.2 Approval Activity

The Approval activity is a user-facing activity that displays an approval form to the user. On the approval form, the user can approve, deny, or refuse a provisioning request. The Approval activity can have multiple outgoing flow paths, but only one of the paths is executed at runtime.

You can customize the approval form to suit your application requirements. For details on customizing forms, see Section 6.0, Creating Forms for a Provisioning Request Definition.

Before displaying the form to the user, the Approval activity performs any pre-activity data mappings specified for the activity.

After the user submits the form, the Approval activity performs any post-activity mappings specified for the activity. These mappings typically include copying data from form fields into the flowdata object.

Properties

The Approval activity has the following properties:

Table 8-3 Approval Activity Properties

Property Name	Description
Name	Provides a name for the activity.
Addressee	Specifies a dynamic expression that identifies the addressee for the activity. The addressee is determined at runtime, based on how the expression is evaluated. HINT:To simplify the process of testing a new workflow, you can set the addressee to be the recipient. This removes the need to log out of the user application and log in again as a manager each time you want to test your forms. This technique is particularly useful when the workflow involves multiple levels of approval. Once the testing phase is complete, you can change the addressee to the correct value. For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions. For descriptions of the system variables available in a workflow, see Section 4.3.3, Understanding Workflow Data.
Alternate	Specifies a dynamic expression that identifies the user who should get this task if the timeout limit has been reached. The alternate addressee is determined at runtime, based on how the expression is evaulated. For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions. For descriptions of the system variables available in a workflow, see Section 4.3.3, Understanding Workflow Data.
Final Timeout Action	Determines the final state of the request in the event that the workflow times out. The choices are: approved denied refused timedout error
Timeout Interval	Specifies a dynamic expression that defines the period of time allotted for the addressee to complete the task. The timeout interval applies each time the activity is executed by the addressee. For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions. For descriptions of the system variables available in a workflow, see Section 4.3.3, Understanding Workflow Data.
Time Units	Determines the unit of measure used for the timeout interval. The choices are: Days Hours Minutes Seconds
Retries	Specifies the number of times to retry the activity in the event of a timeout. When an activity times out, the workflow process can try to complete the activity again, depending on the retry count specified for the activity. With each retry, the workflow process can escalate the activity to another user. In this case, the activity is reassigned to another user (the user’s manager, for example) to give this user an opportunity to finish the work of the activity. If the last retry times out, the activity can be marked as approved, denied, refused, timedout, or in error, depending on the final timeout action specified for the activity.
Form	Specifies the name of the approval form to display to the user. An Approval activity must have a form associated with it. If no form is specified, an error message is displayed at runtime.

Data Item Mapping

To bind the data items associated with the Approval activity, you define pre-activity and post-activity mappings. The pre-activity mappings initialize data in the approval form with constants, values retrieved from the flowdata object, system process variables, system activity variables, and/or data retrieved via expression calls to the directory abstraction layer. The post-activity mappings move form data back into the flowdata object.

Table 8-4 Approval Activity Data Item Mappings

Setting	Description
Pre-Activity	Allows you to specify one or more pre-activity mappings. When this option is selected, you can double-click on a cell in the Source Expression column to specify where the approval form gets data for a particular target form field. NOTE:When the Pre-Activity choice is selected, the cells in the Target Form Field column are not editable.
Post-Activity	Allows you to specify one or more post-activity mappings. When this option is selected, you can double-click on a cell in the Target Expression column to specify where data from a form field should be copied after the form has been processed. The form for an Approval activity includes a special internal control called apwaComment. This control causes user comments to be written to the workflow database. It should not have a post-activity mapping. For more information on this control, see Section 6.5.6, DNMaker. NOTE:When the Post-Activity option is selected, the cells in the Source Form Field column are not editable.
Source Expression	Specifies a source expression for a pre-activity mapping. When you click a cell in the Source Expression column, the ECMA expression builder displays to help you define your expression.
Target Expression	Specifies a target expression for a post-activity mapping. When you click a cell in the Target Expression column, the ECMA expression builder displays to help you define your expression.

For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

E-mail Notification

To enable e-mail notification for the Approval activity, you need to specify the e-mail template to use, as well as source expressions for target tokens in the e-mail body.

Table 8-5 E-mail Notification Settings for the Approval Activity

Setting	Description
Email Template	Specifies the name of the e-mail template to use. By default, the Approval activity uses the Provisioning Notification template. You can edit an e-mail template in Designer. For more information, see Editing an e-mail template.
Source/Target	Specifies the source expressions for target tokens in the e-mail body. The list of target tokens is determined by the selected e-mail template. You cannot add new tokens, but you can assign values to the predefined tokens by building your own source expressions. At runtime, the source expressions are evaluated to determine the value of each token. The available target tokens for the Provisioning Notification e-mail template are listed below: CC BCC recipientFullName initiatorFullName requestTitle userFirstName If you use a provisioning request definition template to create your workflow, each token has a default source expression. The default expressions retrieve values from the workflow process (the process object) or from the data expression layer (IDVault object). You can modify these expressions to suit your application requirements. For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

Setting

Description

Email Template

Specifies the name of the e-mail template to use. By default, the Approval activity uses the Provisioning Notification template.

You can edit an e-mail template in Designer. For more information, see Editing an e-mail template.

Source/Target

Specifies the source expressions for target tokens in the e-mail body.

The list of target tokens is determined by the selected e-mail template. You cannot add new tokens, but you can assign values to the predefined tokens by building your own source expressions. At runtime, the source expressions are evaluated to determine the value of each token.

The available target tokens for the Provisioning Notification e-mail template are listed below:

CC
BCC
recipientFullName
initiatorFullName
requestTitle
userFirstName

If you use a provisioning request definition template to create your workflow, each token has a default source expression. The default expressions retrieve values from the workflow process (the process object) or from the data expression layer (IDVault object). You can modify these expressions to suit your application requirements.

For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

NOTE:E-mail notification is only supported when the Notify participants by email check box is selected on the Overview tab.

8.1.3 Log Activity

The Log activity is a system activity that writes messages to a log.

To log information about the state of a workflow process, the Workflow System interacts with Novell® Audit. During the course of its processing, a workflow can log information about various events that have occurred. Users can then use the Novell Audit reporting tools to look at logged data.

NOTE:During the course of workflow execution, many system events are logged that are not controlled by the Log Activity. For example, the Workflow System writes a message to the log whenever a workflow is started or stopped, or when it is approved, denied, or refused. For a complete list of the system events logged during workflow execution, see the chapter on setting up logging in the Identity Manager User Application: Administration Guide.

Properties

The Log activity has the following properties:

Table 8-6 Log Activity Properties

Property Name	Description
Name	Provides a name for the activity.
Audit	Specifies whether log messages should be sent. When this property is set to true, messages are sent to all log4j channels, including Novell Audit. When this property is set to false, no log messages are sent. For details on logging setup and configuration, see the Identity Manager User Application: Administration Guide.
Author	Defines the author for the message. By default, the author is the initiator of the provisioning request.
Message	Specifies an ECMA expression that defines text for the log message. Typically, this text indicates where this Log activity is being executed within the process and provides other information that makes the log easy to understand. For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions. For descriptions of the system variables available in a workflow, see Section 4.3.3, Understanding Workflow Data.

Data Item Mapping

Not supported with this activity.

E-mail Notification

Not supported with this activity.

8.1.4 Branch Activity

In a workflow that supports parallel processing, the Branch activity allows multiple users to act on different areas of the work item in parallel. After the users have completed their work, the Merge activity synchronizes the incoming branches in the flow.

A workflow can have multiple Branch activities, but each Branch activity must have an associated Merge activity. All flow paths leading out of a Branch activity will execute.

Properties

The Branch activity has the following property:

Table 8-7 Branch Activity Properties

Property Name	Description
Name	Provides a name for the activity.

Data Item Mapping

Not supported with this activity.

E-mail Notification

Not supported with this activity.

8.1.5 Merge Activity

In a workflow that supports parallel processing, the Merge activity synchronizes the incoming branches in the flow. The Merge activity is used in conjunction with the Branch activity, which allows two users to act on different areas of the work item in parallel. After the users have completed their work, the Merge activity synchronizes the incoming branches.

A workflow can have multiple Branch activities, but each Branch activity must have an associated Merge activity.

Properties

The Merge activity has the following property:

Table 8-8 Merge Activity Properties

Property Name	Description
Name	Provides a name for the activity.

Data item mapping

Not supported with this activity.

Email notification

Not supported with this activity.

8.1.6 Condition Activity

The Condition activity lets you add conditional logic to a workflow. This logic can be used to control what happens when the workflow executes. In the Condition activity, you define logic as an ECMA expression that evaluates to a boolean value.

Each Condition activity must have two outgoing flow paths, one that handles conditions that evaluate to true and another that handles conditions that evaluate to false. Optionally, a third flow path can be added to handle error conditions that occur if the ECMA expression evaluation fails.

Properties

The Condition activity has the following properties:

Table 8-9 Condition Activity Properties

Property Name

Description

Name

Provides a name for the activity.

Condition Expression

Specifies an ECMA expression that returns true or false. The value returned determines which flow path is followed after the activity has finished executing.

HINT:If you need to test whether two objects are equal in a conditional expression, you should normally use the == operator, rather than the equals() method, unless you are certain that the objects being compared are Java objects of the same type. For instance, use this expression:

(approval_A.getAction() == "DENIED")

instead of this one:

(approval_A.getAction()).equals("DENIED")

For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions. For descriptions of the system variables available in a workflow, see Section 4.3.3, Understanding Workflow Data.

Data Item Mapping

Not supported with this activity.

Email Notification

Not supported with this activity.

8.1.7 Finish Activity

The Finish activity marks the completion of a workflow. When the Finish activity executes, an e-mail message is sent to notify participants that the workflow has finished.

Properties

The Finish activity has the following property:

Table 8-10 Finish activity properties

Property	Description
Name	Provides a name for the activity.

Data Item Mapping

Not supported with this activity.

E-mail Notification

To enable e-mail notification for the Finish activity, you need to specify the e-mail template to use, as well as source expressions for target tokens in the e-mail body.

Table 8-11 Email notification settings for the Finish activity

Setting	Description
Email Template	Specifies the name of the e-mail template to use. By default, the Finish activity uses the Provisioning Approval Completed Notification template. You can edit an e-mail template in Designer. For more information, see Editing an e-mail template.
Source/Target	Specifies the source expressions for target tokens in the e-mail body. The list of target tokens is determined by the selected e-mail template. You cannot add new tokens, but you can assign values to the predefined tokens by building your own source expressions. At runtime, the source expressions are evaluated to determine the value of each token. The available target tokens for the Provisioning Approval Completed Notification e-mail template are listed below: CC BCC requestStatus requestSubmissionTime requestID recipientFullName initiatorFullName requestTitle If you use a provisioning request definition template to create your workflow, each token has a default source expression. The default expressions retrieve values from the workflow process (the process object) or from the data expression layer (IDVault object). You can modify these expressions to suit your application requirements. For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

Setting

Description

Email Template

Specifies the name of the e-mail template to use. By default, the Finish activity uses the Provisioning Approval Completed Notification template.

You can edit an e-mail template in Designer. For more information, see Editing an e-mail template.

Source/Target

Specifies the source expressions for target tokens in the e-mail body.

The available target tokens for the Provisioning Approval Completed Notification e-mail template are listed below:

CC
BCC
requestStatus
requestSubmissionTime
requestID
recipientFullName
initiatorFullName
requestTitle

For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

NOTE:E-mail notification is only supported when the Notify participants by email check box is selected on the Overview tab.

8.1.8 Entitlement Activity

The Entitlement activity grants or revokes an entitlement for a user or other entity type.

A workflow must have at least one Entitlement or Entity activity.

Properties

The Entitlement activity has the following properties:

Table 8-12 Entitlement Activity Properties

Property Name	Description
Name	Provides a name for the activity.
Entity Type	Specifies the target entity type for the entitlement.

Data Item Mapping

To bind the data items associated with the Entitlement activity, you define mappings for several DirXML® attributes.

Table 8-13 Entitlement Activity Data Item Mappings

Setting	Description
Source Expression	Specifies a source expression for a DirXML mapping. When you click a cell in the Source Expression column, the ECMA expression builder displays to help you define your expression. The DirXML mappings for the Entitlement are described below: dn is the distinguished name for the recipient of the entitlement. DirXML-Entitlement-DN is the distinguished name of the entitlement to execute. For example, the entitlement might be identified as follows: 'CN=Groups,CN=GroupEntitlementLoopback,CN=TestDrivers,O=novell' You can use the ECMA expression builder’s ECMAScript Variable panel to see a list of all the entitlements in the driver. To select an entitlement, double-click the full distinguished name of the entitlement. DirXML-Entitlement-Action indicates whether the entitlement is granted or revoked. If the operation grants the entitlement, the value must be 1; if it revokes the entitlement, the value must be 0. DirXML-Entitlement-Parameter specifies a parameter required by the entitlement driver. For example, if the entitlement operation grants access to the Sales group, the parameter might specify the group as follows: '\\MYTREE\\novell\\idmsample-doc\\groups\\Sales' DirXML-Entitlement-MultiValueAllowed indicates whether the entitlement supports multiple values. If it supports multiple values, the value must be true; otherwise, it must be false.

Setting

Description

Source Expression

Specifies a source expression for a DirXML mapping. When you click a cell in the Source Expression column, the ECMA expression builder displays to help you define your expression.

The DirXML mappings for the Entitlement are described below:

dn is the distinguished name for the recipient of the entitlement.
DirXML-Entitlement-DN is the distinguished name of the entitlement to execute. For example, the entitlement might be identified as follows:
```
'CN=Groups,CN=GroupEntitlementLoopback,CN=TestDrivers,O=novell'
```
You can use the ECMA expression builder’s ECMAScript Variable panel to see a list of all the entitlements in the driver. To select an entitlement, double-click the full distinguished name of the entitlement.
DirXML-Entitlement-Action indicates whether the entitlement is granted or revoked. If the operation grants the entitlement, the value must be 1; if it revokes the entitlement, the value must be 0.
DirXML-Entitlement-Parameter specifies a parameter required by the entitlement driver. For example, if the entitlement operation grants access to the Sales group, the parameter might specify the group as follows:
```
'\\MYTREE\\novell\\idmsample-doc\\groups\\Sales'
```
DirXML-Entitlement-MultiValueAllowed indicates whether the entitlement supports multiple values. If it supports multiple values, the value must be true; otherwise, it must be false.

For details on building ECMA expressions, see Section 9.0, Working with ECMA Expressions.

E-mail Notification

Not supported with this activity.

8.1.9 Entity Activity

The Entity activity updates an entity in the Identity Vault. You can use this activity to create, modify, or delete attributes on an entity. You can also use this activity to create or delete an entity.

A workflow must have at least one Entitlement or Entity activity.

Properties

The Entity activity has the following properties:

Table 8-14 Entity Activity Properties

Property Name

Description

Name

Provides a name for the activity.

Entity Type

Specifies the target entity type.

Operation

Indicates what kind of operation will be performed on the target entity:

Create/Modify
Delete attributes/values
Delete entity

To create or modify attributes of an entity or to create a new entity, select create/modify. To delete attributes of an entity, select delete.

To delete an entity, select delete object.

Data Item Mapping

To bind the data items associated with the Entity activity, you define mappings for the attributes associated with the target entity type.

Table 8-15 Entity Activity Data Item Mappings

Setting	Description
Entity dn	Identifies the entity that is the target of the operation. The default value is recipient. To create a new object, specify a distinguished name that does not yet exist. HINT:The output of the DNMaker control can be used as input for the Entity dn value. The DNMaker control constructs the DN by allowing the user to enter the naming attribute in a text field and presenting an interface for picking a container. Once this data has been captured in a request form, the output can be mapped to a variable in the flowdata object. In the definition for the Entity activity, this flowdata variable can be accessed in the Entity dn setting with an expression such as: flowdata.get(‘groupdn’); For details on using the DNMaker control, see Section 6.5.6, DNMaker.
Modify Type	Indicates how the mapping should be performed for an attribute. The choices are: Append Value Replace Value Replace All Values For many attributes, Replace Value is the only option that makes sense; therefore, this option is selected automatically and cannot be changed. You must specify the Modify Type setting before specifying the Modify Value Expression setting.
Modify Value Expression	Specifies a source expression for an attribute. When you click a cell in the Modify Value Expression column, the ECMA expression builder displays to help you define your expression. The list of attributes available varies depending on which entity type was selected on the Properties tab. NOTE:The cells in the Target Attribute column are not editable.

Setting

Description

Entity dn

Identifies the entity that is the target of the operation. The default value is recipient.

To create a new object, specify a distinguished name that does not yet exist.

HINT:The output of the DNMaker control can be used as input for the Entity dn value. The DNMaker control constructs the DN by allowing the user to enter the naming attribute in a text field and presenting an interface for picking a container. Once this data has been captured in a request form, the output can be mapped to a variable in the flowdata object. In the definition for the Entity activity, this flowdata variable can be accessed in the Entity dn setting with an expression such as:

flowdata.get(‘groupdn’);

For details on using the DNMaker control, see Section 6.5.6, DNMaker.

Modify Type

Indicates how the mapping should be performed for an attribute. The choices are:

Append Value
Replace Value
Replace All Values

For many attributes, Replace Value is the only option that makes sense; therefore, this option is selected automatically and cannot be changed.

You must specify the Modify Type setting before specifying the Modify Value Expression setting.

Modify Value Expression

Specifies a source expression for an attribute. When you click a cell in the Modify Value Expression column, the ECMA expression builder displays to help you define your expression. The list of attributes available varies depending on which entity type was selected on the Properties tab.

NOTE:The cells in the Target Attribute column are not editable.

Email notification

Not supported with this activity.