dfd576109cb676448a2c4574150060aa3d8626bavboxsyncIn the usecase folder there are a set of files which together tell a user story based on some common examples.

dfd576109cb676448a2c4574150060aa3d8626bavboxsyncThese files are copied and organized in an appropriate folder structure,

dfd576109cb676448a2c4574150060aa3d8626bavboxsynceach usecase folder contains the files that are needed for that certain use case sample.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsyncAll the samples assume a certain initial setup of managed users in OpenIDM.

dfd576109cb676448a2c4574150060aa3d8626bavboxsyncThe users are organized the following way:

dfd576109cb676448a2c4574150060aa3d8626bavboxsync- there are 20 ordinary users: user.0 ... user.19 where

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - user.0 .. user.4 belong to Human Resources having user.0 as Manager,

dfd576109cb676448a2c4574150060aa3d8626bavboxsync user.0 .. user.3 employees and user.4 contractor

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - user.5 .. user.9 belong to Production Planning having user.5 as Manager,

dfd576109cb676448a2c4574150060aa3d8626bavboxsync user.5 .. user.8 employees and user.9 contractor

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - user.10 .. user.14 belong to Sales & Distribution having user.10 as Manager,

dfd576109cb676448a2c4574150060aa3d8626bavboxsync user.10 .. user.13 employees and user.14 contractor

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - user.15 .. user.19 belong to Treasury & Payments having user.15 as Manager,

dfd576109cb676448a2c4574150060aa3d8626bavboxsync user.15 .. user.18 employees and user.19 contractor

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsyncFurthermore we have the following special users:

dfd576109cb676448a2c4574150060aa3d8626bavboxsync- hradmin: user representing the human interaction of the HR department

dfd576109cb676448a2c4574150060aa3d8626bavboxsync- systemadmin: user representing the human interaction of the populated systems (“Business” and “Project”)

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync- superadmin: user representing the manager of the managers

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsyncList of use cases

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsyncUsecase1 - Initial reconciliation

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync In this step we import the users from OpenDJ to OpenIDM using reconciliation.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync To prepare to run the sample, download OpenDJ directory server from

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync http://forgerock.org/opendj.html. Install OpenDJ using QuickSetup:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

8d8dfc00d014a62894327907a04f148b00a08529vboxsync * Use "password" as the password for cn=Directory Manager.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync * Import samples/usecase/data/hr_data.ldif during installation.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync

8d8dfc00d014a62894327907a04f148b00a08529vboxsync 1. Start OpenIDM with the configuration for usecase1.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync

8d8dfc00d014a62894327907a04f148b00a08529vboxsync $ cd /path/to/openidm

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync $ ./startup.sh -p samples/usecase/usecase1

8d8dfc00d014a62894327907a04f148b00a08529vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 2. Run reconciliation.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync $ curl -k -u openidm-admin:openidm-admin -H "Content-Type: application/json" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemHRAccounts_managedUser"

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 3. Query the managed users created by reconciliation

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync $ curl -k -u openidm-admin:openidm-admin "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids"

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync There should be 23 users created. The default password of the imported users is "Passw0rd".

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsyncUsecase 2 - New user onboarding

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync In this step we simulate an HR employee starting the onboarding process for an employee

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync and approval step of the manager.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync If we want to use email notifications as part of the process make the following changes:

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync - External email service of OpenIDM has to be configured using the following file:

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync samples/usecase/usecase2/conf/external.email.json

8d8dfc00d014a62894327907a04f148b00a08529vboxsync Update the smtp settings in this file before starting the workflow.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync - Change the notification email properties in the workflow definition file.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync To do so:

8d8dfc00d014a62894327907a04f148b00a08529vboxsync - Copy the workflow bar file (samples/usecase/usecase2/workflow/newUserCreate.bar)

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync to a temporary location.

4d5a2d10140117cca0a93d7e1b4d71304701d6e1vboxsync - Unzip the temporary workflow bar file and edit the extracted workflow

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync definition (newUserCreate.bpmn20.xml).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Original:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync emailParams = [from : 'usecasetest@forgerock.com', to : 'notification@example.com',

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync subject : 'Use Case Test Notification', type : 'text/plain',

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync body : 'The requested user ' + userName + ' was successfully created']

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Change the from and to fields to contain valid email addresses.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - When you have completed the edit, zip up the workflow definition file,

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync along with the two xhtml templates required for the sample, using a

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync command similar to the following:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync $ zip newUserCreate.bar newUserCreate.bpmn20.xml nUCDecideApprovalForm.xhtml nUCStartForm.xhtml

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync - Copy the resulting bar file to the workflow directory, overwriting

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync the existing bar file:

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync $ cp /tmp/newUserCreate.bar /path/to/openidm/samples/usecase/usecase2/workflow

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync 1. Start OpenIDM with the configuration for usecase2.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync $ cd /path/to/openidm

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync $ ./startup.sh -p samples/usecase/usecase2

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 2. Log in to the UI as user.1 (this user belongs to HR department, default password is 'Passw0rd')

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync 3. Select the User Onboarding Process by clicking on it.

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync

1960568d96ad2cc533d6a2c9b3a4de93c5188710vboxsync 4. Fill the fields of the form presented by the UI. The fields marked with x are mandatory.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Department field:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync By selecting one of the four departments we define which department the new user

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync will belong to. Based on this the workflow will select the possible candidate assignees

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync for the manager approval user task: it will be either superadmin (as manager of everyone)

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync or the manager of the selected department (see description above).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync example: if HR is selected the manager candidates will be user.0 and superadmin.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - User Type field:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync if the User Type field is Employee then the user will have access to an account called "Business".

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This is represented on the managed user in OpenIDM repository by having the following attribute on

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync the managed user:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync accounts : [ "Business"]

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync if the User Type is Contractor then the new user won't have any accounts associated to it in

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync managed user representation in OpenIDM.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Send Email Notification field:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync If 'No' is selected for this field then no email notifications will be sent.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Notifications will be added to the OpenIDM repository which will appear on UI.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 5. Start the workflow by clicking on Start button.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 6. Log out and log in as the manager of the department selected in the initial start form

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync example: if HR was selected then log in as user.0

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 7. Click on the Onboarding approval task appearing on UI as task in the group queue

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync and assign the user task to user.0 (select 'Assign it to me'). The task appears now in 'My tasks'.

4d5a2d10140117cca0a93d7e1b4d71304701d6e1vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 8. Click on the Task and then on the 'Details' button.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Start Date field:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync filling this field results in the user being created and adding the startDate property

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync to the user. Furthermore, the user status will be 'inactive'.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync The field is optional, it will be used by TaskScanner to trigger sunrise workflow.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync - End Date field:

dfd576109cb676448a2c4574150060aa3d8626bavboxsync filling this field results in the user being created and adding the startDate property

dfd576109cb676448a2c4574150060aa3d8626bavboxsync to the user.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync The field is optional, it will be used by TaskScanner to trigger sunset workflow.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Manager field:

dfd576109cb676448a2c4574150060aa3d8626bavboxsync Selecting yes will add 'title' field to the new managed user with the value 'manager'.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync - Decision field:

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Selecting 'Reject' terminates the workflow and sends a notification to the start user

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync of the workflow.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync Complete the task by clicking on 'Complete' button.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync 9. If 'Accept' was selected then the user is created as a managed user in OpenIDM.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync The password of the new user is "Passw0rd".

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Two OpenIDM notifications are created about this event: one for the start user and one for the

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync new user. Those are visible on the UI after login with the appropriate user.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync If email notification was selected then one email is sent to the user configured at the

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync beginning of the use case sample.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync

4d5a2d10140117cca0a93d7e1b4d71304701d6e1vboxsync 10. Sunrise workflow

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync If the sunrise date of the new user was set then the user was created with inactive account status.

8d8dfc00d014a62894327907a04f148b00a08529vboxsync To trigger sunrise activate the sunrise task scanner (it's inactive by default):

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync samples/usecase/usecase2/conf/schedule-taskscan_sunrise.json

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Change: "enabled" : false

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync to "enabled" : true

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync The scan will run every minute and checks for users having sunrise date before

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync current date plus one day.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Once the scan is triggered it picks the new user, starts the sunrise workflow on it:

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync - changes the account status to active

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync - adds an OpenIDM notification to the new user (visible when logging in to OpenIDM UI).

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync 11. Sunset workflow

8d8dfc00d014a62894327907a04f148b00a08529vboxsync If the sunset date of the new user was set then sunset workflow can be triggered

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync To trigger sunset activate the sunset task scanner (it's inactive by default):

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync samples/usecase/usecase2/conf/schedule-taskscan_sunset.json

8d8dfc00d014a62894327907a04f148b00a08529vboxsync Change: "enabled" : false

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync to "enabled" : true

8d8dfc00d014a62894327907a04f148b00a08529vboxsync The scan will run every minute and checks for users having sunset date before

dfd576109cb676448a2c4574150060aa3d8626bavboxsync current date plus one day.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync Once the scan is triggered it picks the new user, starts the sunset workflow on it:

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync - a user task is assigned to the manager of the user (e.g. in our sample the assignee is user.0)

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Log in to OpenIDM UI with user.0 and select the task in 'My tasks'

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Decision field:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Accept termination: the user's account status will be set to inactive and hradmin

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync receives an OpenIDM notification about it.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - Modify date: the sunset date of the user will be changed and the manager

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync of the user receives an OpenIDM notification about it (user.0 in our sample).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

8d8dfc00d014a62894327907a04f148b00a08529vboxsyncUsecase 3 - User access request

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync In this step we simulate a user starting an access request and having 2-level approval for it.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync If we want to use email notifications as part of the process make the following changes:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - External email service of OpenIDM has to be configured using the following file:

dfd576109cb676448a2c4574150060aa3d8626bavboxsync samples/usecase/usecase3/conf/external.email.json

dfd576109cb676448a2c4574150060aa3d8626bavboxsync Update the smtp settings in this file before starting the workflow.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Change the notification email properties in the workflow definition file:

dfd576109cb676448a2c4574150060aa3d8626bavboxsync samples/usecase/usecase3/workflow/accessRequest.bpmn20.xml

8d8dfc00d014a62894327907a04f148b00a08529vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Original:

8d8dfc00d014a62894327907a04f148b00a08529vboxsync emailParams = [from : 'usecasetest@forgerock.com', to : 'notification@example.com',

8d8dfc00d014a62894327907a04f148b00a08529vboxsync subject : 'Use Case Test Notification', type : 'text/plain', body : 'The access request was accepted']

8d8dfc00d014a62894327907a04f148b00a08529vboxsync Change the from and to fields to contain valid email addresses.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync Note that there are 2 occurences of the emailParams, change both.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 1. Start OpenIDM with the configuration for usecase3.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

8d8dfc00d014a62894327907a04f148b00a08529vboxsync $ cd /path/to/openidm

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync $ ./startup.sh -p samples/usecase/usecase3

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync 2. Log in to the UI as user.1 (this user belongs to HR department, default password is 'Passw0rd')

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync 3. Select the Access Request Process by clicking on it and start the workflow.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 4. A new task appears in 'My tasks', click on it and select 'Details'.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - Access to Business system field: the value is reflecting the current value in OpenIDM database

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - Access to Project system field: the value is reflecting the current value in OpenIDM database

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Send Email Notification field:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync If 'No' is selected for this field then no email notifications will be sent.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Notifications will be added to the OpenIDM repository which will appear on UI.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync - Request field: Cancel terminates the process and does not change anything.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Accept starts a user task assigned to the manager of the user (user.0 in this sample).

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Click on Complete after selecting the values.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync 5. Log out and log in as the manager of the start user (user.0 in this sample)

a3d33059b39a600e1e4595dc37b58104840f0910vboxsync

a3d33059b39a600e1e4595dc37b58104840f0910vboxsync 6. Click on the User Access Request Approval task appearing on UI as task in the group queue

a3d33059b39a600e1e4595dc37b58104840f0910vboxsync and assign the user task to user.0 (select 'Assign it to me'). The task appears now in 'My tasks'.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync 7. Click on the task and then on the 'Details' button.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync The two fields showing the required access rights are modifiable by the manager.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync Complete the task by clicking on 'Complete' button after selecting the Decision.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync The decision can be

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - Reject: the start user (in our sample user.1) receives a notification about the denial. An OpenIDM

dfd576109cb676448a2c4574150060aa3d8626bavboxsync notification is created about this event which is visible on the UI after log in with the appropriate user.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync If email notification was selected then one email will be sent to the user configured at the

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync beginning of the use case sample.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Accept:

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync Accept starts a user task assigned to systemadmin.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 8. If the manager accepted log out and log in as systemadmin (default password is "Passw0rd").

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 9. Click on the User Access Request Approval task appearing on UI in 'My tasks' and then on the 'Details' button.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync The two fields showing the required access rights are modifiable by the systemadmin.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Complete the task by clicking on 'Complete' button after selecting the Decision.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync The request can be

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - Reject: the start user (in our sample user.1) receives a notification about the denial. An OpenIDM

dfd576109cb676448a2c4574150060aa3d8626bavboxsync notification is created about this event which is visible on the UI after log in with the appropriate user.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync If email notification was selected then one email will be sent to the user configured at the

dfd576109cb676448a2c4574150060aa3d8626bavboxsync beginning of the use case sample.

dfd576109cb676448a2c4574150060aa3d8626bavboxsync - Accept: user.1 is updated in managed users table of OpenIDM reflecting the requested changes.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync An OpenIDM notification is created about this event which is visible on the UI after login with the appropriate user.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync If email notification was selected then one email will be sent to the user configured at the

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync beginning of the use case sample.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync In this sample there is an escalation step attached to the manager approval task. If the manager does not complete

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync the user task within 10 minutes then a new user task is created and assigned to superadmin. It has the same user interface

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync as the one assigned to the manager of the user and has the same functionalities. If the superadmin

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync completes this task then the execution is passed to the administrator approval (systemadmin).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsyncUsecase 4 - Orphan account detection and manual linking task started from reconciliation

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync In this use case we show two different asynchronous tasks started from reconciliation:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync detecting orphan accounts on the target objects set and handling ambiguous results of correlation phase.

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 1. Before starting the test we need to rename the following file:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync rename samples/usecase/usecase4/conf/syncManagedBusiness.json to samples/usecase/usecase4/conf/sync.json

5d74c7672f6c2d1f2ab95efcb6713e97ca361113vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync In that file we have a mapping defined: recon_managedUser_systemBusiness.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync This mapping has managed users as source and a csv file as target object set. The target object set

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync is defined in samples/usecase/usecase4/data/business.csv file.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync In that file we have all the users of the initial reconciliation (usecase1) which are employees

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync and therefore have "Business" in the 'accounts' attribute (see usecase2 User Type).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync Since this mapping has a 'validSource' field defined only those managed users will be taken into

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync account which are employees.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync There are some extra users in that csv file:

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - user.50 is defined only in the csv file so when running the reconciliation this user will be

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync detected as an orphan account (orphan account workflow is triggered when the situation is

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync "UNQUALIFIED" or "UNASSIGNED").

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync - user.33: the 'userName' attribute of this user is 'user.3', same as for user.3.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync When running the correlation query during reconciliation there will be two candidate users

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync to be linked with user.3 from managed users (correlation query is based on userName attribute).

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 2. Start OpenIDM with the configuration for usecase4.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync $ cd /path/to/openidm

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync $ ./startup.sh -p samples/usecase/usecase4

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync 3. Run reconciliation.

b3a643fa111c6f3a826cf2e84e0806e4d19e3ba9vboxsync

dfd576109cb676448a2c4574150060aa3d8626bavboxsync $ curl -k -u openidm-admin:openidm-admin -H "Content-Type: application/json" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=recon_managedUser_systemBusiness"

dfd576109cb676448a2c4574150060aa3d8626bavboxsync

Two asynchronous workflows are started: an orphanAccountReport for user.50 and a

manualMatch for user.3 of managed users.

4. Log in to the UI as systemadmin (default password is 'Passw0rd').

5. Click on the 'Details' button of the 'Manual Linking' task.

The 'Possible targets' field is modifiable by systemadmin and it is required.

The decision can be

- Ignore: no action will be taken (no link will be created) and the workflow terminates.

- user.3 (user.3 - Atrc, Aaron) or user.3 (user.33 - Atrc, Aaron): these are the two candidate

users found in the target object set by executing the correlation query. These values

are queried in the workflow and the possible values of that field are determined

at runtime. Here we can choose the user we need.

After choosing one of the users the workflow will link user.3 of managed user to the selected user

of the target object set.

6. Click on the 'Details' button of the 'Orphan Account' task.

'Link to' and 'Decision' fields are modifiable by systemadmin.

Complete the task by clicking on 'Complete' button after selecting the Decision.

The decision can be

- Delete: the user will be deleted from the target object set and the workflow terminates.

- Link: when choosing this option valid managed user id needs to be entered to link the orphan account to.

Pick any user id from managed users where the managed user is not linked to any users in the csv file yet:

if this use case is started after the initial reconciliation then pick e.g. user.5.

If users are created e.g. by using sample2 that user can be used here as well.

Usecase5 - Certification workflows

In this use case we have two scheduled tasks starting certification workflows.

One of them fetches all the managed users and starts a certification workflow

for every user. This workflow shows the roles assigned to the managed users.

The other scheduled task fetches all the managed roles and starts a certification

workflow for every role. This workflow shows the assignments of the managed

roles.

There are four roles defined for this sample based on the departments.

Each user has a dynamic role by default: the role corresponding to the

department to which the user belongs.

1. Start OpenIDM with the configuration for usecase5.

$ cd /path/to/openidm

$ ./startup.sh -p samples/usecase/usecase5

2. Add the following four roles to OpenIDM by running these curl commands:

$ curl \

--header "X-OpenIDM-Username: openidm-admin" \

--header "X-OpenIDM-Password: openidm-admin" \

--header "Content-Type: application/json" \

--header "If-None-Match: *" \

--request PUT \

--data '{"properties":{"description":"Role for Human Resources department"},

"assignments":{"ad1":{"attributes":[{"value":

["CN=cisco_vpn,DC=example,DC=com"],

"assignmentOperation": "mergeWithTarget","unassignmentOperation": "removeFromTarget","name": "memberOf"}]}},"name": "Human Resources"}' \

"http://localhost:8080/openidm/managed/role/human-resources"

$ curl \

--header "X-OpenIDM-Username: openidm-admin" \

--header "X-OpenIDM-Password: openidm-admin" \

--header "Content-Type: application/json" \

--header "If-None-Match: *" \

--request PUT \

--data '{"properties":{"description":"Role for Production Planning department"},

"assignments":{"ad1":{"attributes":[{"value":

["CN=intranet,DC=example,DC=com","CN=email,DC=example,DC=com","CN=radius_dialin,DC=example,DC=com"],

"assignmentOperation": "mergeWithTarget","unassignmentOperation": "removeFromTarget","name": "memberOf"}]}},"name": "Production Planning"}' \

"http://localhost:8080/openidm/managed/role/production-planning"

$ curl \

--header "X-OpenIDM-Username: openidm-admin" \

--header "X-OpenIDM-Password: openidm-admin" \

--header "Content-Type: application/json" \

--header "If-None-Match: *" \

--request PUT \

--data '{"properties":{"description":"Role for Sales and Distribution department"},

"assignments":{"ad1":{"attributes":[{"value":

["CN=intranet,DC=example,DC=com","CN=email,DC=example,DC=com"],

"assignmentOperation": "mergeWithTarget","unassignmentOperation": "removeFromTarget","name": "memberOf"}]}},"name": "Sales and Distribution"}' \

"http://localhost:8080/openidm/managed/role/sales-distribution"

$ curl \

--header "X-OpenIDM-Username: openidm-admin" \

--header "X-OpenIDM-Password: openidm-admin" \

--header "Content-Type: application/json" \

--header "If-None-Match: *" \

--request PUT \

--data '{"properties":{"description":"Role for Treasury and Payments department"},

"assignments":{"ad1":{"attributes":[{"value":

["CN=intranet,DC=example,DC=com"],

"assignmentOperation": "mergeWithTarget","unassignmentOperation": "removeFromTarget","name": "memberOf"}]}},"name": "Treasury and Payments"}' \

"http://localhost:8080/openidm/managed/role/treasury-payments"

3. The scheduled user certification can be triggered by enabling the scheduled task in the

samples/usecase/usecase5/conf/schedule-certification.json file.

4. Log in to the UI as user.0 (default password is 'Passw0rd').

5. Click on the Role Status Check process task under 'Tasks that are in my

group's queue'. A scheduled task has been started for each managed user.

With the default schedule, a new task will be started for each managed

user every minute. Choose one of the users, for example, user.1, and

select 'Assign to me' under the Actions column. The task now appears

under 'My tasks'.

6. Click on the 'Details' button of the 'Role Status Check' task.

On the UI a list of available roles defined in OpenIDM is visible:

- The values of the first column show if the role is currently assigned to the managed user.

- The values of the second column show if the role will be assigned to the managed user once the certification process is completed.

If the role is dynamic (assigned to the user based on the department the user belongs to)

then the value is readonly.

7. Complete the task by clicking on 'Complete' button after selecting the appropriate roles

by choosing one of the following options:

- Change: the user will be updated based on the values of the second column.

- Certify: the user will not be updated.

- Escalate: the manager can't decide so the certification task will be assigned to superadmin.

In this case log out and log in as superadmin. The user task assigned to superadmin has the same

elements as the one described here (apart of the 'Escalate' option).

8. The scheduled role certification can be triggered by enabling the scheduled

task in the samples/usecase/usecase5/conf/schedule-certificationEntitlements.json

file.

9. Log in to the UI as systemadmin (default password is 'Passw0rd').

10. Click on the 'Details' button of one of the Entitlements Status Check tasks.

The name, id and description of the role is shown on the UI.

Below that the assignment and the attribute belonging to the role are shown as a table.

Here the 'Value' field is editable: after clicking on the text new lines can be added and deleted

by pushing 'Enter' while typing. Note that this attribute in OpenIDM is multivalued, so

the separation of the values in this list is done based on the new lines of this UI field.

11. Once the 'Value' field contains the required values click on 'Complete'

after choosing one of the following options:

- Certify: the role will not be updated

- Update: the role will be updated by using the new 'Value'

Usecase6 - Password change reminder

In this use case we use TaskScanner to trigger a password change reminder workflow.

Every managed user created in OpenIDM has a dedicated attribute to store the date of the last password change event (lastPasswordSet).

This value is updated by an onStore script defined in managed.json which

sets the date of this attribute if a new password is stored for the user. The TaskScanner

scans that attribute and starts a workflow if the password was changed more than an hour ago.

The workflow is started by passwordchange.js javascript. There are two options to run this workflow:

- By default it sends the default OpenIDM notifications to the user (visible on the UI).

- It can send email notification to the user if configured.

- External email service of OpenIDM has to be configured using the following file:

samples/usecase/usecase6/conf/external.email.json

Update the smtp settings in this file before starting the workflow.

Note that if you want to use this option you have to make sure that the 'mail' attribute of the

managed user(s) used for this test case are valid email addresses.

To enable email notifications change the following parameter of passwordchange.js:

change "emailEnabled" : "false",

to "emailEnabled" : "true",

The workflow does the following:

- sends a notification to the user

- five minutes later sends an other notification to the user (if password was not changed yet)

- two minutes later changes the user's 'accountStatus' to 'inactive' and sends notification to the user (if password was not changed yet)

1. Start OpenIDM with the configuration for usecase6.

$ cd /path/to/openidm

$ ./startup.sh -p samples/usecase/usecase6

2. Activate the password change task scanner (it's inactive by default):

samples/usecase/usecase6/conf/schedule-taskscan_passwordchange.json

Change: "enabled" : false

to "enabled" : true

3. Log in to the UI as one of the sample users, e.g. user.0 (default password is 'Passw0rd').

Once the task scanner was triggered a notification is visible for the user on the OpenIDM UI.

4. To test the workflow the user can change the password either on the UI or using the following REST call:

curl -u openidm-admin:openidm-admin -X POST "http://localhost:8080/openidm/managed/user/user.0?_action=patch" -H "Content-Type: application/json" --data '[{"operation":"replace", "field":"password", "value":"newPassw0rd"}]'