/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2015 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Workflow Use Cases
==================

The openidm/samples/usecase directory includes a number of sample workflows that demonstrate typical
use cases for OpenIDM. The use cases work together to describe a complete business story, with the
same set of sample data. Each of the use cases is integrated with the Self-Service UI.

These use cases use OrientDB as a repository by default. Alternative repository configuration files
are provided in the openidm/samples/usecase/db directory. If you want to use one of these alternative
repositories, remove the repo.orientdb.json file from the conf/ directory of the use case you are
testing and copy the appropriate JDBC repository configuration files into that conf/ directory. For
more information on using an alternative repository, see the OpenIDM Installation Guide.

Each use case builds on the previous one. You must run the use cases in order, from use case 1 through
3, before you try the remaining use cases. Use cases 2 onwards depend on the hr_data.ldif file that you
import and reconcile when you run use case 1.

All the samples assume an initial setup of managed users in OpenIDM. The users are organized as follows:
- There are 20 ordinary users, user.0 ... user.19, where:

  - user.0 .. user.4 belong to Human Resources; user.0 is the manager,
    user.0 .. user.3 are employees and user.4 is a contractor.

  - user.5 .. user.9 belong to Production Planning; user.5 is the manager,
    user.5 .. user.8 are employees and user.9 is a contractor.

  - user.10 .. user.14 belong to Sales & Distribution; user.10 is the manager,
    user.10 .. user.13 are employees and user.14 is a contractor.

  - user.15 .. user.19 belong to Treasury & Payments; user.15 is the manager,
    user.15 .. user.18 are employees and user.19 is a contractor.

The following "special" users are defined:
- hradmin: user representing the human interaction of the HR department
- systemadmin: user representing the human interaction of the populated systems ("Business" and "Project")
- superadmin: user representing the manager of the managers

Usecase 1 - Initial Reconciliation
----------------------------------
 In this step we import the users from OpenDJ to OpenIDM using reconciliation.

 To prepare to run the sample, download the OpenDJ directory server from
 http://forgerock.org/opendj.html. Install OpenDJ using QuickSetup:

   * Use "password" as the password for cn=Directory Manager.
   * Import samples/usecase/data/hr_data.ldif during installation.

 1. Start OpenIDM with the configuration for usecase1.

    $ cd /path/to/openidm
    $ ./startup.sh -p samples/usecase/usecase1

 2. Run reconciliation.

    $ curl -k -u openidm-admin:openidm-admin -H "Content-Type: application/json" \
      -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemHRAccounts_managedUser"

 3. Query the managed users created by reconciliation.

    $ curl -k -u openidm-admin:openidm-admin "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids"

 There should be 23 users created (the 20 ordinary users plus hradmin, systemadmin and superadmin).
 The default password of the imported users is "Passw0rd".

Usecase 2 - New User Onboarding
-------------------------------
 In this step we simulate an HR employee starting the onboarding process for an employee,
 followed by the approval step of the manager.

 To use email notification as part of the process, make the following changes:
 1. Enable external email. This process is described in the Integrator's Guide at
    http://openidm.forgerock.org/doc/bootstrap/integrators-guide/#chap-mail.
 2. Change the notification email properties in the workflow definition file.
    To do so:
    - Copy the workflow bar file (samples/usecase/usecase2/workflow/newUserCreate.bar)
      to a temporary location.
    - Unzip the temporary workflow bar file and edit the extracted workflow
      definition (newUserCreate.bpmn20.xml).

      Original:
          emailParams = [from : 'usecasetest@forgerock.com', to : 'notification@example.com',
                         subject : 'Use Case Test Notification', type : 'text/plain',
                         body : 'The requested user ' + userName + ' was successfully created']

      Change the from and to fields to contain valid email addresses.

    - When you have completed the edit, zip up the workflow definition file,
      along with the two xhtml templates required for the sample, using a
      command similar to the following:

          $ zip newUserCreate.bar newUserCreate.bpmn20.xml nUCDecideApprovalForm.xhtml nUCStartForm.xhtml

    - Copy the resulting bar file to the workflow directory, overwriting
      the existing bar file:

          $ cp /tmp/newUserCreate.bar /path/to/openidm/samples/usecase/usecase2/workflow


 1. Start OpenIDM with the configuration for usecase2.

    $ cd /path/to/openidm
    $ ./startup.sh -p samples/usecase/usecase2

 2. Log in to the Self-Service UI (https://localhost:8443) as user.1. This user belongs to the HR
    department and has a default password of 'Passw0rd'.

 3. Click Details next to the User Onboarding Process link.

 4. Complete the fields on the form for a sample new user.
    - Department field:
      Select one of the four departments to define which department the new user will belong to.
      Based on the department, the workflow selects the possible candidate assignees for the
      manager approval user task: either superadmin (as manager of everyone) or the manager of
      the selected department (see the description above).
      For example, if the department is HR, the manager candidates are user.0 and superadmin.
    - User Type field:
      If the User Type is Employee, the user will have access to an account called "Business".
      This is represented in the managed user entry by an "accounts" attribute:
          accounts : [ "Business" ]
      If the User Type is Contractor, the new user has no accounts associated with it in its
      managed user entry.

    - Send Email Notification field:
      If you select "No" here, no email notifications are sent. Notifications are simply added
      to the OpenIDM repository, and appear when the user logs into the Self-Service UI.

 5. Click Start to start the workflow.

 6. Log out and log in as the manager of the department that you selected in the initial form.
    For example, if you selected HR, log in as user.0.

 7. Click on the Onboarding Approval task in the group queue and assign the user task to user.0
    (select 'Assign it to me'). The task now appears in 'My tasks'.

 8. Select Details next to the task name.
    The complete new user request is displayed for the manager's approval. As the manager, you can
    add any information that was missing from the original request. You can also specify the
    following information:
    - Start Date. Completing this field results in the user being created, with a "startDate" added
      to that user's managed user entry. The status of the user is inactive. This field is optional,
      and is used by the task scanner to trigger the Sunrise workflow.
    - End Date. Completing this field results in the user being created, with an "endDate" added to
      that user's managed user entry. The field is optional, and is used by the task scanner to trigger
      the Sunset workflow.
    - Decision. Selecting Reject terminates the workflow and sends a notification to the user who
      initiated the workflow. Selecting Accept creates the managed user entry in OpenIDM. The password
      of the new user is Passw0rd.
    Complete the task by clicking the 'Complete' button.

 9. Two notifications are created when the request is accepted: one for the user who initiated the
    workflow, and one for the newly created user. The notifications are visible in the UI after login.
    If you selected email notification, one email is sent to the address that you defined when you
    configured email notification.

 10. Initiate the sunrise workflow:
    To trigger the sunrise workflow (which activates the account), enable the sunrise task scanning
    schedule. The schedule is disabled by default. Modify the schedule configuration file
    (conf/schedule-taskscan_sunrise.json), setting the "enabled" property to true.

    The scan runs every minute, and checks the repository for users that have a sunrise date that is
    anything up to one day after the current date. When the scan is triggered, it locates the newly
    created user and starts the sunrise workflow on this user. The workflow takes the following
    actions:
    - Changes the account status of the user to active.
    - Generates a notification for the new user, which is visible when the user logs into the
      Self-Service UI.

 11. Initiate the sunset workflow:
    If a sunset date is set for the new user, you can trigger the sunset workflow to deactivate the
    user account when the end of the user's work period is reached. To trigger the sunset workflow,
    enable the sunset task scanning schedule. The schedule is disabled by default. Modify the schedule
    configuration file (conf/schedule-taskscan_sunset.json), setting the "enabled" property to true.

    The scan runs every minute, and checks the repository for users that have a sunset date that is
    anything up to one day after the current date. When the scan is triggered, it locates users
    whose contracts are about to end, and starts the sunset workflow on these users. When the workflow
    is initiated, it assigns a task to the manager of the affected user. In our example, the task is
    assigned to user.0.

    When the sunset schedule has been enabled, log in to the Self-Service UI as user.0 (with password
    Passw0rd). If the user's sunset date is within one day of the current date, a Contract Termination
    task becomes available under the manager's My Group's Tasks section. Select the contract termination
    task and click Details.

    In the Decision field, select either "Accept termination" or "Modify date", then click Complete.

    When you accept the termination, the user's account status is set to inactive and the HR
    administrative user receives a notification to that effect the next time that user logs into the UI.
    The deactivated user is no longer able to log into the UI.

    If you select to modify the date, the sunset date of that user is changed to the value that you
    specify in the End Date field on that form. The manager receives a UI notification that the
    employee's contract has been extended.
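 The one-day window that both task scans apply, as an added example that is not OpenIDM's task scanner
 or any code from the sample: constructed managed user records are scanned for a startDate or endDate
 that falls no later than one day after the current date, and the result is the list of users on which
 the sunrise or sunset workflow would be started. The attribute names accountStatus, startDate and
 endDate follow the text above; the _sunriseDone and _sunsetDone markers, the SCANS table and the
 run_sunrise/run_sunset helpers are assumptions made here so that a scan running every minute does
 not restart a workflow it has already started.

```python
"""Model of the sunrise/sunset task-scanner selection (added example, not OpenIDM code)."""
from datetime import date, timedelta

# Constructed sample records; a real managed user entry has many more fields.
# accountStatus/startDate/endDate follow the attribute names used in the sample text.
USERS = [
    {"_id": "user.20", "accountStatus": "inactive", "startDate": "2015-06-02"},
    {"_id": "user.21", "accountStatus": "inactive", "startDate": "2015-06-10"},
    {"_id": "user.4",  "accountStatus": "active",   "endDate":   "2015-06-01"},
    {"_id": "user.9",  "accountStatus": "active",   "endDate":   "2015-06-02",
     "_sunsetDone": True},   # assumed marker: sunset workflow already started
]

TODAY = date(2015, 6, 1)     # constructed "current date" for the scan
WINDOW = timedelta(days=1)   # "anything up to one day after the current date"

# Per scan kind: the date attribute, the status a user must be in, and the
# assumed bookkeeping marker that stops the minutely scan from re-triggering.
SCANS = {
    "sunrise": ("startDate", "inactive", "_sunriseDone"),
    "sunset":  ("endDate",   "active",   "_sunsetDone"),
}


def due(iso_date, today):
    """True when iso_date is set and is no later than today + WINDOW."""
    return bool(iso_date) and date.fromisoformat(iso_date) <= today + WINDOW


def scan(users, today, kind):
    """Return the ids on which a sunrise or sunset scan would start its workflow."""
    field, status, marker = SCANS[kind]
    return [u["_id"] for u in users
            if u.get("accountStatus") == status
            and not u.get(marker)
            and due(u.get(field), today)]


def run_sunrise(user):
    """What the sunrise workflow does to one user: activate the account and notify."""
    user["accountStatus"] = "active"
    user["_sunriseDone"] = True
    return f"notification for {user['_id']}: your account is now active"


def run_sunset(user, decision, new_end_date=None):
    """Manager decision on the Contract Termination task.

    'accept' deactivates the user; 'modify' moves endDate and clears the
    marker so a later scan picks the user up again at the new date.
    """
    if decision == "accept":
        user["accountStatus"] = "inactive"
        user["_sunsetDone"] = True
        return f"notification for hradmin: {user['_id']} has been deactivated"
    if decision == "modify":
        user["endDate"] = new_end_date
        user["_sunsetDone"] = False
        return f"notification for manager: contract of {user['_id']} extended to {new_end_date}"
    raise ValueError(f"unknown decision {decision!r}")


if __name__ == "__main__":
    print("sunrise would trigger:", scan(USERS, TODAY, "sunrise"))
    print("sunset would trigger: ", scan(USERS, TODAY, "sunset"))
```

 Running the block prints user.20 for the sunrise scan (its start date is exactly one day ahead) and
 user.4 for the sunset scan; user.21 is outside the window and user.9 already carries the marker. The
 marker is the detail worth keeping in a real deployment: without some record that the workflow was
 started, a scan that fires every minute will queue the same approval task repeatedly.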

 Shut down OpenIDM before you proceed with the next use case.

Usecase 3 - User Access Request
-------------------------------
 This step simulates a user initiating an access request, with two levels of approval for the request.

 If you want to use email notifications as part of the process, make the following changes:
 - Configure outbound email as you did for the previous use case.
 - Change the notification email properties in the workflow definition file:
   samples/usecase/usecase3/workflow/accessRequest.bpmn20.xml

   Original:
       emailParams = [from : 'usecasetest@forgerock.com', to : 'notification@example.com',
                      subject : 'Use Case Test Notification', type : 'text/plain', body : 'The access request was accepted']
   Change the from and to fields to contain valid email addresses.
   Note that there are two occurrences of emailParams in the file; change both.
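 The manual edit described for usecase2 (unzip the .bar, change the from/to addresses in
 newUserCreate.bpmn20.xml, zip it back together with the two xhtml forms) and the note above that
 accessRequest.bpmn20.xml holds two emailParams occurrences can be scripted. The following is an added
 example and not part of the OpenIDM samples: it rewrites every from/to entry, refuses to proceed if
 none is found, and repackages the bar while checking that the required forms are present. The BPMN
 skeleton in SAMPLE_XML and the archive built by make_sample_bar() are constructed stand-ins for the
 shipped files, and the function names are this example's own.

```python
"""Rewrite emailParams from/to addresses in a workflow definition (added example)."""
import io
import re
import zipfile

# Matches the from : '...' and to : '...' entries of a Groovy emailParams map.
ADDR = re.compile(r"\b(from|to)(\s*:\s*)'([^']*)'")


def rewrite_email_params(xml_text, new_from, new_to):
    """Replace every from/to address; return (new text, number of entries changed).

    Raises ValueError when nothing matched, so an edit that silently changed
    nothing is not packaged and deployed as if it had.
    """
    repl = {"from": new_from, "to": new_to}
    count = 0

    def sub(m):
        nonlocal count
        count += 1
        return f"{m.group(1)}{m.group(2)}'{repl[m.group(1)]}'"

    new_text = ADDR.sub(sub, xml_text)
    if count == 0:
        raise ValueError("no emailParams from/to entries found")
    return new_text, count


def repack_bar(bar_bytes, xml_name, new_from, new_to, required=()):
    """Rewrite xml_name inside a .bar (zip) archive and return the new archive bytes.

    Other members are copied unchanged. xml_name and every name in 'required'
    (the xhtml forms the workflow needs) must be present, else KeyError is
    raised before anything is written.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(bar_bytes)) as src:
        names = src.namelist()
        missing = [n for n in (xml_name, *required) if n not in names]
        if missing:
            raise KeyError(f"missing from bar: {missing}")
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in names:
                data = src.read(name)
                if name == xml_name:
                    text, _ = rewrite_email_params(data.decode("utf-8"), new_from, new_to)
                    data = text.encode("utf-8")
                dst.writestr(name, data)
    return out.getvalue()


def read_member(bar_bytes, name):
    """Return one archive member as text (used to check the result)."""
    with zipfile.ZipFile(io.BytesIO(bar_bytes)) as z:
        return z.read(name).decode("utf-8")


# Constructed BPMN skeleton with two emailParams occurrences, as in usecase3.
SAMPLE_XML = """<definitions>
  <scriptTask id="notifyAccepted"><script>
    emailParams = [from : 'usecasetest@forgerock.com', to : 'notification@example.com',
                   subject : 'Use Case Test Notification', type : 'text/plain',
                   body : 'The access request was accepted']
  </script></scriptTask>
  <scriptTask id="notifyRejected"><script>
    emailParams = [from : 'usecasetest@forgerock.com', to : 'notification@example.com',
                   subject : 'Use Case Test Notification', type : 'text/plain',
                   body : 'The access request was rejected']
  </script></scriptTask>
</definitions>
"""

# The two forms the usecase2 zip command packages alongside the definition.
FORMS = ("nUCDecideApprovalForm.xhtml", "nUCStartForm.xhtml")


def make_sample_bar():
    """Build a constructed .bar with the three members the usecase2 zip command lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("newUserCreate.bpmn20.xml", SAMPLE_XML)
        for form in FORMS:
            z.writestr(form, "<html/>")
    return buf.getvalue()


if __name__ == "__main__":
    bar = repack_bar(make_sample_bar(), "newUserCreate.bpmn20.xml",
                     "idm@corp.example", "approvals@corp.example", required=FORMS)
    print(read_member(bar, "newUserCreate.bpmn20.xml"))
```

 The occurrence count returned by rewrite_email_params is the check to look at after an edit: for
 accessRequest.bpmn20.xml it should be four (two from, two to), and a lower number means a copy of the
 sample sender address is still in the deployed workflow.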

 1. Start OpenIDM with the configuration for usecase3.

    $ cd /path/to/openidm
    $ ./startup.sh -p samples/usecase/usecase3

 2. Log in to the UI as user.1 (this user belongs to the HR department; the default password is 'Passw0rd').

 3. Select the Access Request Process by clicking on it and start the workflow.

 4. A new task appears in 'My tasks'. Click on it and select 'Details'.
    - Access to Business system field: the value reflects the current value in the managed user repository.
    - Access to Project system field: the value reflects the current value in the managed user repository.
    - Send Email Notification field:
      If you select 'No' here, no email notifications are sent.
      Instead, notifications are added to the OpenIDM repository and appear when you log in to the UI.
    - Request field: Cancel terminates the process and does not change anything.
      Accept starts a user task assigned to the manager of the user (user.0 in this sample).

    Click Complete after selecting the values.

 5. Log out and log in as the manager of the start user (user.0 in this sample).

 6. Next to the User Access Request Approval task in the group queue, select 'Assign to me'.
    The task is now in the list of 'My Tasks'.

 7. Click on Details, next to the task.
    The two fields showing the required access rights can be modified by the manager.
    Complete the task by clicking the Complete button after selecting the Decision.
    The decision can be one of the following:
    - Reject: The user who initiated the request (in our sample user.1) receives a notification about the
      rejection. A notification about this event is generated and is displayed in the UI when
      user.1 logs in.
      If you configured email notification, an email is sent to the address you configured at the
      beginning of the sample.
    - Accept: A user task is initiated and assigned to the systemadmin user.

 8. If the manager accepted, log out and log in as systemadmin (default password is "Passw0rd").

 9. Click Details next to the User Access Request Approval task under My Tasks.
    The two fields showing the required access rights can be modified by the systemadmin.
    Complete the task by clicking Complete after selecting the Decision.
    The decision can be:
    - Reject: The user who initiated the task (in our sample user.1) receives a notification about the
      rejection. A notification about this event is generated and is displayed in the UI when
      user.1 logs in.
      If you configured email notification, an email is sent to the address you configured at the
      beginning of the sample.
    - Accept: user.1 is updated in the managed user repository, with the requested changes.
      A notification about this event is generated and is displayed in the UI when user.1 logs in.
      If you configured email notification, an email is sent to the address you configured at the
      beginning of the sample.

 In this sample there is an escalation step attached to the manager approval task. If the manager does not
 complete the user task within 10 minutes, a new user task is created and assigned to superadmin. This task
 has the same interface as the one assigned to the manager of the user and has the same functionality. If
 the superadmin completes this task, the execution is passed to the administrator (systemadmin) for approval.

Usecase 4 - Orphan Account Detection and Manual Linking Started From Reconciliation
-----------------------------------------------------------------------------------
 This use case demonstrates two asynchronous tasks started from reconciliation:
 - detecting orphan accounts on the target object set
 - handling ambiguous results of the correlation phase

 1. Before you start this use case, rename the following file:

    samples/usecase/usecase4/conf/syncManagedBusiness.json to samples/usecase/usecase4/conf/sync.json

 This file defines a mapping, recon_managedUser_systemBusiness, that has managed users as source and a
 CSV file as the target object set. The target object set is defined in samples/usecase/usecase4/data/business.csv.
 The CSV file includes all the users from the initial reconciliation (usecase1) who are employees and
 therefore have "Business" in their 'accounts' attribute (see usecase2, User Type).
 Because this mapping has a 'validSource' field defined, only the managed users who are employees are
 taken into account during the reconciliation.

 There are some extra users in that CSV file:
 - user.50 is defined only in the CSV file, so when running the reconciliation this user is
   detected as an orphan account (the orphan account workflow is triggered when the situation is
   "UNQUALIFIED" or "UNASSIGNED").

 - user.33: the 'userName' attribute of this user is 'user.3', the same as for user.3.
   When the correlation query runs during reconciliation there are two candidate target users
   to be linked with user.3 from managed users (the correlation query is based on the userName attribute).

 2. Start OpenIDM with the configuration for usecase4.

    $ cd /path/to/openidm
    $ ./startup.sh -p samples/usecase/usecase4

 3. Run reconciliation.

    $ curl -k -u openidm-admin:openidm-admin -H "Content-Type: application/json" \
      -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=recon_managedUser_systemBusiness"

 Two asynchronous workflows are started: an orphanAccountReport for user.50 and a
 manualMatch for user.3 of managed users.
416aee3ab18445ae17092345e5925b07b6c3f16eomebold
7d7e57e489804077bc11a889cafce9f7503c5f86Lana Frost 4. Log in to the Self-Service UI as systemadmin (with password 'Passw0rd').
416aee3ab18445ae17092345e5925b07b6c3f16eomebold
7d7e57e489804077bc11a889cafce9f7503c5f86Lana Frost 5. Next to the Manual Linking Task in the My Tasks list, click Details.
416aee3ab18445ae17092345e5925b07b6c3f16eomebold The 'Possible targets' field is modifiable by systemadmin and it is required.
7d7e57e489804077bc11a889cafce9f7503c5f86Lana Frost The decision can be one of the following:
416aee3ab18445ae17092345e5925b07b6c3f16eomebold - Ignore: no action will be taken (no link will be created) and the workflow terminates.
416aee3ab18445ae17092345e5925b07b6c3f16eomebold - user.3 (user.3 - Atrc, Aaron) or user.3 (user.33 - Atrc, Aaron): these are the two candidate
416aee3ab18445ae17092345e5925b07b6c3f16eomebold users found in the target object set by executing the correlation query. These values
416aee3ab18445ae17092345e5925b07b6c3f16eomebold are queried in the workflow and the possible values of that field are determined
7d7e57e489804077bc11a889cafce9f7503c5f86Lana Frost at runtime. Select one user from this list.
7d7e57e489804077bc11a889cafce9f7503c5f86Lana Frost After choosing one of the users the workflow links the managed user user.3 to the selected
7d7e57e489804077bc11a889cafce9f7503c5f86Lana Frost user in the target object set.
416aee3ab18445ae17092345e5925b07b6c3f16eomebold
 6. Next to the Orphan Account Task in the My Tasks list, click Details.
 'Link to' and 'Decision' fields are modifiable by systemadmin.
 Complete the task by clicking the 'Complete' button after selecting the Decision.
 The decision can be one of the following:
 - Link: To select this option, enter a valid managed user ID to link the orphan account to.
 You can use any managed user ID that has not yet been linked to a user in the csv file,
 for example, user.5.
 - Delete: the user will be deleted from the target object set and the workflow terminates.
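
 The situations this use case produces (two correlation candidates for user.3, and user.50 with no managed user behind it), as an added example that is not part of the sample's own code or of OpenIDM's reconciliation engine. It models the source and target phases of the mapping in JavaScript over constructed data; the situation names are the ones quoted above, and user.7 is an extra non-employee row added only to show the UNQUALIFIED case.

```javascript
// Added example, not OpenIDM's own reconciliation engine: a simplified
// model of the source and target phases of recon_managedUser_systemBusiness.
// Constructed data: user.33 shares user.3's userName and user.50 exists
// only in the CSV, as in the use case; user.7 (a non-employee with a CSV
// row) is added only to exercise the UNQUALIFIED situation.
const managedUsers = [
  { _id: 'user.3', userName: 'user.3', accounts: ['Business'] },
  { _id: 'user.5', userName: 'user.5', accounts: ['Business'] },
  { _id: 'user.6', userName: 'user.6', accounts: ['Business'] },
  { _id: 'user.7', userName: 'user.7', accounts: ['Private'] },
];
const businessCsv = [
  { uid: 'user.3',  userName: 'user.3',  sn: 'Atrc', givenName: 'Aaron' },
  { uid: 'user.33', userName: 'user.3',  sn: 'Atrc', givenName: 'Aaron' },
  { uid: 'user.6',  userName: 'user.6',  sn: 'Six', givenName: 'User' },
  { uid: 'user.50', userName: 'user.50', sn: 'Fifty', givenName: 'User' },
  { uid: 'user.7',  userName: 'user.7',  sn: 'Seven', givenName: 'User' },
];

// validSource: only employees ("Business" in 'accounts') take part.
const validSource = (u) => u.accounts.includes('Business');
// Correlation query: candidate targets share the source's userName.
const correlate = (u, targets) => targets.filter((t) => t.userName === u.userName);

// Source phase: each valid managed user gets a situation. AMBIGUOUS
// (more than one candidate) is what starts the manualMatch workflow.
function sourcePhase(sources, targets) {
  const out = {};
  for (const u of sources.filter(validSource)) {
    const n = correlate(u, targets).length;
    out[u._id] = n === 0 ? 'ABSENT' : n === 1 ? 'FOUND' : 'AMBIGUOUS';
  }
  return out;
}

// Target phase: rows that no valid source correlated to are orphans.
// UNASSIGNED: nothing correlates; UNQUALIFIED: only sources filtered out
// by validSource correlate. Both start the orphanAccountReport workflow.
// Rows already correlated in the source phase (user.3, user.33) are skipped.
function targetPhase(sources, targets) {
  const out = {};
  for (const t of targets) {
    const matched = sources.filter((u) => u.userName === t.userName);
    if (matched.length === 0) out[t.uid] = 'UNASSIGNED';
    else if (!matched.some(validSource)) out[t.uid] = 'UNQUALIFIED';
  }
  return out;
}
```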

 **Use case 5 has been removed from the sample use cases.**

Usecase6 - Password Change Reminder
-----------------------------------
 This use case uses the TaskScanner to trigger a password change reminder workflow.
 Managed users have a dedicated attribute to store the date of the last password change event (lastPasswordSet).
 The value of this attribute is updated by an onStore script defined in managed.json, which sets the date of
 the attribute if a new password is stored for the user. The TaskScanner scans that attribute and starts a
 workflow if the password was changed more than an hour ago.

 The workflow is started by the usecase6/script/passwordchange.js script.

 By default, the workflow sends notifications to the user entry, visible when the user logs into the UI. If you want
 notifications sent by email, configure the external email service, as follows:
 - Set up external email as described for usecase 2.
 - Change the following parameter in the passwordchange.js script:
 "emailEnabled" : "false",
 to
 "emailEnabled" : "true",
 - Make sure that all managed users have a valid email address in their "mail" attribute.

 The workflow does the following:
 - Sends a notification to the user.
 - Five minutes later sends another notification to the user (if the password was not changed yet).
 - Two minutes later changes the user's 'accountStatus' to 'inactive' and sends notification to the user (if the
 password was not changed yet).
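
 The mechanisms described above (the onStore stamping of lastPasswordSet, the scanner's one-hour condition, and the 5-minute and 2-minute escalation), as an added JavaScript example that is not the sample's managed.json onStore script or passwordchange.js. Function names, the step labels and the ISO-8601 timestamp format are assumptions.

```javascript
// Added example, not the sample's onStore script or passwordchange.js:
// a simplified model of the two decisions in this use case. Function
// names and the ISO-8601 timestamp format are assumptions.
const HOUR_MS = 60 * 60 * 1000;
const MIN_MS = 60 * 1000;

// onStore-style hook: stamp lastPasswordSet only when a new password is
// being stored; an unrelated update keeps the previous stamp.
function onStore(oldObject, newObject, nowIso) {
  const stored = Object.assign({}, newObject);
  const passwordChanged = newObject.password !== undefined &&
    (!oldObject || oldObject.password !== newObject.password);
  if (passwordChanged) stored.lastPasswordSet = nowIso;
  else if (oldObject && oldObject.lastPasswordSet) stored.lastPasswordSet = oldObject.lastPasswordSet;
  return stored;
}

// Task scanner condition: the password was last set more than an hour
// ago. A user with no lastPasswordSet at all is never selected.
function needsReminder(user, nowIso) {
  if (!user.lastPasswordSet) return false;
  return Date.parse(nowIso) - Date.parse(user.lastPasswordSet) > HOUR_MS;
}

// Workflow timeline relative to its start: notify at 0 min, notify again
// at 5 min, set accountStatus to inactive and notify at 7 min. Once the
// password has been changed after the start, the remaining steps are skipped.
const STEPS = [[0, 'notify'], [5, 'notify'], [7, 'set accountStatus=inactive'], [7, 'notify']];
function workflowActions(user, startIso, nowIso) {
  const start = Date.parse(startIso);
  const now = Date.parse(nowIso);
  const changedAt = user.lastPasswordSet ? Date.parse(user.lastPasswordSet) : -Infinity;
  const actions = [];
  for (const [min, action] of STEPS) {
    const due = start + min * MIN_MS;
    if (due > now) break;                             // step not yet reached
    if (changedAt > start && changedAt <= due) break; // password changed first
    actions.push(action);
  }
  return actions;
}
```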

 1. Start OpenIDM with the configuration for usecase6.

 $ cd /path/to/openidm
 $ ./startup.sh -p samples/usecase/usecase6

 2. Activate the password change task scanner schedule (the schedule is inactive by default):
 In samples/usecase/usecase6/conf/schedule-taskscan_passwordchange.json
 Change: "enabled" : false, to "enabled" : true,

 3. Log in to the Self-Service UI as one of the sample users, e.g. user.0 (default password is 'Passw0rd').
 When the task scanner is triggered, a notification is sent to the user in the UI.

 4. To test the workflow, change the user's password by selecting Change Password from the top right dropdown list.
