in my last post i drew the picture of a marble cake where role-based entitlements and workflow are the two differently colored doughs that make up the perfect cake when they come together. read on to get more details and even a piece of the cake to taste…
mixing the doughs
the example i gave in my last post was about handling exceptions in an automated provisioning solution where all resource provisioning activities are implemented through the role-based entitlement (rbe) framework. rbe allows exception management out-of-the-box through its static include and exclude lists on rbe policies. this way an administrator can do manual exception handling but what we are really looking for is taking the exception handling from the administrator to the end user. here is where the doughs start to merge. we will use workflows to manage the static include and exclude lists and have the person responsible for the resources approve the workflows. this way the user discovers the need for access to a certain system (which he has no access to because it has not been assigned to his role in the enterprise) and requests access through the web interface (user application). whoever is responsible for approving this rquest approves or denies and the exception is handled securely and policy compliant without administrator or help desk intervention.
baking the cake
now here come some more detailed baking instructions. technically there are two different approaches to make workflow manage the static include/exclude lists: one is creating a custom entitlement with values and the corresponding dirxml script policies to handle the static include/exclude lists and then have the workflow just grant or revoke this custom entitlement. the other way would be to have the workflow manage the lists directly through an entity activity (instead of an entitlement activity which is the default for identity manager 3.0). the second approach is much more straight forward but requires a little more knowhow about workflow, the first approach leaves the workflow part pretty much at the standard level of an out-of-the-box installation but requires some dirxml-script work. to save anyone who wants to try any of these approaches a headache, i have to mention here that Identity Manager 3 sp1 code is needed to make it all work. sp1 will be out this summer, so very soon.
as i mentioned above, you need sp1 code to make the whole scenario work as discussed. since i want to give you something now that you can taste, i put together the custom entitlement and driver anyway and you can use it to manage static include/exclude lists but you will have to manually re-evaluate membership all your users to make the rbe service pick up the change until you run the driver that comes with sp1. an alternative approach which would work even without sp1 is to set a flag on the user object and include this flag in the dynamic member query but i prefer having the exception handled on the rbe policy rather than on all the user objects.
download this zip file containing a driver export with custom entitlements and dirxml script policies to manage the static include/exclude lists.