README revision c45eda9efe7eb59595c39710b8446429f6e6e2d7
In the usecase folder there is a set of files which together tell a user story based on some common examples.
After building the openidm-zip project these files are copied and organized in an appropriate folder structure;
each usecase folder contains the files that are needed for that particular use case sample.

All the samples assume a certain initial setup of managed users in OpenIDM.
The users are organized in the following way:
- there are 20 ordinary users: user.0 ... user.19 where
    - user.0 .. user.4 belong to Human Resources having user.0 as Manager,
      user.0 .. user.3 employees and user.4 contractor
    - user.5 .. user.9 belong to Production Planning having user.5 as Manager,
      user.5 .. user.8 employees and user.9 contractor
    - user.10 .. user.14 belong to Sales & Distribution having user.10 as Manager,
      user.10 .. user.13 employees and user.14 contractor
    - user.15 .. user.19 belong to Treasury & Payments having user.15 as Manager,
      user.15 .. user.18 employees and user.19 contractor

Furthermore we have the following special users:
- hradmin: user representing the human interaction of the HR department
- systemadmin: user representing the human interaction of the populated systems ("Business" and "Project")
- superadmin: user representing the manager of the managers

List of use cases

Usecase 1 - Initial reconciliation
  In this step we import the users from OpenDJ to OpenIDM using reconciliation.

  To prepare to run the sample, download OpenDJ directory server from
  http://forgerock.org/opendj.html. Install OpenDJ using QuickSetup:
    * Use "password" as the password for cn=Directory Manager.
    * Import samples/usecase/data/hr_data.ldif during installation.

  1. Start OpenIDM with the configuration for usecase1.
  2. Run reconciliation.
     $ curl -u openidm-admin:openidm-admin -X POST "http://localhost:8080/openidm/recon?_action=recon&mapping=systemHRAccounts_managedUser"
  3. Query the managed users created by reconciliation.
     $ curl -u openidm-admin:openidm-admin "http://localhost:8080/openidm/managed/user?_queryId=query-all-ids"
     There should be 23 users created.

Usecase 2 - New user onboarding
  In this step we simulate an HR employee starting the onboarding process for an employee,
  followed by the approval step of the manager.

  If we want to use email notifications as part of the process, make the following changes:
  - External email service of OpenIDM has to be configured using the following file:
    Update the SMTP settings in this file before starting the workflow.
  - Change the notification email properties in the workflow definition file:
    samples/usecase/usecase2/workflow/newUserCreate.bpmn20.xml
      emailParams = [_from : 'usecasetest@forgerock.com', _to : 'notification@example.com',
          _subject : 'Use Case Test Notification', _type : 'text/plain',
          _body : 'The requested user ' + userName + ' was successfully created']
    Change the _from and _to fields to contain valid email addresses.

  1. Start OpenIDM with the configuration for usecase2.
  2. Log in to the UI as user.1 (this user belongs to the HR department, default password is 'Passw0rd').
  3. Select the User Onboarding Process by clicking on it.
  4. Fill in the fields of the form presented by the UI. The fields marked with x are mandatory.
     - Department field:
       By selecting one of the four departments we define which department the new user
       will belong to. Based on this the workflow will select the possible candidate assignees
       for the manager approval user task: it will be either superadmin (as manager of everyone)
       or the manager of the selected department (see description above).
       Example: if HR is selected the manager candidates will be user.0 and superadmin.
     - User Type field:
       If the User Type field is Employee then the user will have access to an account called "Business".
       This is represented in the OpenIDM repository by the following attribute on
       the managed user:
         accounts : [ "Business"]
       If the User Type is Contractor then the new user won't have any accounts associated with it in
       the managed user representation in OpenIDM.
     - Send Email Notification field:
       If 'No' is selected for this field then no email notifications will be sent.
       Notifications will be added to the OpenIDM repository which will appear on UI.
  5. Start the workflow by clicking on the Start button.
  6. Log out and log in as the manager of the department selected in the initial start form.
     Example: if HR was selected then log in as user.0
  7. Click on the Onboarding approval task appearing on the UI as a task in the group queue
     and assign the user task to user.0 (select 'Assign it to me'). The task now appears in 'My tasks'.
  8. Click on the task and then on the 'Details' button.
     - Start Date field:
       Filling this field results in the user being created and adding the startDate property
       to the user. Furthermore, the user status will be 'inactive'.
       The field is optional; it will be used by TaskScanner to trigger the sunrise workflow.
     - End Date field:
       Filling this field results in the user being created and adding the startDate property
       to the user.
       The field is optional; it will be used by TaskScanner to trigger the sunset workflow.
     - Manager field:
       Selecting yes will add a 'title' field to the new managed user with the value 'manager'.
     - Decision field:
       Selecting 'Reject' terminates the workflow and sends a notification to the start user
       of the workflow.
     Complete the task by clicking on the 'Complete' button.
  9. If 'Accept' was selected then the user is created as a managed user in OpenIDM.
     Two OpenIDM notifications are created about this event: one for the start user and one for the
     new user. Those are visible on the UI after login with the appropriate user.
     If email notification was selected then one email is sent to the user configured at the
     beginning of the use case sample.
  10. Sunrise workflow
      If the sunrise date of the new user was set then the user was created with inactive account status.
      To trigger sunrise, activate the sunrise task scanner (it's inactive by default):
        samples/usecase/usecase2/conf/schedule-taskscan_sunrise.json
        Change: "enabled" : false
        to      "enabled" : true
      The scan runs every minute and checks for users whose sunrise date is before the
      current date plus one day.
      Once the scan is triggered it picks the new user and starts the sunrise workflow on it, which:
      - changes the account status to active
      - adds an OpenIDM notification to the new user (visible when logging in to the OpenIDM UI).
  11. Sunset workflow
      If the sunset date of the new user was set then the sunset workflow can be triggered.
      To trigger sunset, activate the sunset task scanner (it's inactive by default):
        samples/usecase/usecase2/conf/schedule-taskscan_sunset.json
        Change: "enabled" : false
        to      "enabled" : true
      The scan runs every minute and checks for users whose sunset date is before the
      current date plus one day.
      Once the scan is triggered it picks the new user and starts the sunset workflow on it:
      - a user task is assigned to the manager of the user (e.g. in our sample the assignee is user.0)
      - Log in to the OpenIDM UI with user.0 and select the task in 'My tasks'
      - Decision field:
        - Accept termination: the user's account status will be set to inactive and hradmin
          receives an OpenIDM notification about it.
        - Modify date: the sunset date of the user will be changed and the manager
          of the user receives an OpenIDM notification about it (user.0 in our sample).
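
The sunrise and sunset scans of steps 10 and 11, modelled in JavaScript as an added example (not code from the OpenIDM sample). The field names sunriseDate, sunsetDate, accountStatus and manager, the sunriseDone and sunsetTaskOpen markers, and the user new.hire are assumptions of this sketch.

```javascript
// Added example: a model of the sunrise and sunset scans, not OpenIDM code.
// Assumed field names: sunriseDate, sunsetDate, accountStatus, manager,
// plus sunriseDone / sunsetTaskOpen markers so a user is handled only once.
const DAY_MS = 24 * 60 * 60 * 1000;

// "Before current date plus one day": due when date < now + 24h.
function isDue(dateStr, now) {
  const t = Date.parse(dateStr);          // NaN for a missing or malformed date
  return !Number.isNaN(t) && t < now.getTime() + DAY_MS;
}

// Sunrise: activate inactive users whose sunrise date is due and notify them.
function runSunriseScan(users, now) {
  const notifications = [];
  for (const u of users) {
    if (u.sunriseDone || u.accountStatus !== 'inactive' || !isDue(u.sunriseDate, now)) continue;
    u.accountStatus = 'active';
    u.sunriseDone = true;                 // otherwise a sunset user would be re-activated
    notifications.push({ to: u.userName, text: 'Your account is now active' });
  }
  return notifications;
}

// Sunset: never deactivates by itself; it opens one task for the user's manager.
function runSunsetScan(users, now) {
  const tasks = [];
  for (const u of users) {
    if (u.sunsetTaskOpen || u.accountStatus !== 'active' || !isDue(u.sunsetDate, now)) continue;
    u.sunsetTaskOpen = true;              // the scan runs every minute; open the task once
    tasks.push({ assignee: u.manager, subject: u.userName });
  }
  return tasks;
}

// The manager's decision on a sunset task; returns the resulting notification.
function completeSunsetTask(task, users, decision, newSunsetDate) {
  const u = users.find((x) => x.userName === task.subject);
  if (!u) throw new Error('unknown user ' + task.subject);
  if (decision !== 'accept' && decision !== 'modify') throw new Error('unknown decision ' + decision);
  u.sunsetTaskOpen = false;
  if (decision === 'accept') {
    u.accountStatus = 'inactive';
    return { to: 'hradmin', text: u.userName + ' was deactivated' };
  }
  u.sunsetDate = newSunsetDate;           // 'modify': a later scan opens a new task
  return { to: task.assignee, text: 'Sunset date of ' + u.userName + ' changed' };
}

// Constructed sample data: one new HR user whose manager is user.0.
function sampleUsers() {
  return [{ userName: 'new.hire', manager: 'user.0', accountStatus: 'inactive',
            sunriseDate: '2013-06-02T00:00:00Z', sunsetDate: '2013-12-31T00:00:00Z' }];
}
```

The two markers are what keep the sunrise scan from re-activating a user after an accepted termination, and the sunset scan from opening a new task on every one-minute run.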

Usecase 3 - User access request
  In this step we simulate a user starting an access request and having 2-level approval for it.

  If we want to use email notifications as part of the process, make the following changes:
  - External email service of OpenIDM has to be configured using the following file:
    Update the SMTP settings in this file before starting the workflow.
  - Change the notification email properties in the workflow definition file:
    samples/usecase/usecase3/workflow/accessRequest.bpmn20.xml
      emailParams = [_from : 'usecasetest@forgerock.com', _to : 'notification@example.com',
          _subject : 'Use Case Test Notification', _type : 'text/plain', _body : 'The access request was accepted']
    Change the _from and _to fields to contain valid email addresses.
    Note that there are 2 occurrences of the emailParams; change both.

  1. Start OpenIDM with the configuration for usecase3.
  2. Log in to the UI as user.1 (this user belongs to the HR department, default password is 'Passw0rd').
  3. Select the Access Request Process by clicking on it and start the workflow.
  4. A new task appears in 'My tasks'; click on it and select 'Details'.
     - Access to Business system field: the value reflects the current value in the OpenIDM database
     - Access to Project system field: the value reflects the current value in the OpenIDM database
     - Send Email Notification field:
       If 'No' is selected for this field then no email notifications will be sent.
       Notifications will be added to the OpenIDM repository which will appear on UI.
     - Request field: Cancel terminates the process and does not change anything.
       Accept starts a user task assigned to the manager of the user (user.0 in this sample).
     Click on Complete after selecting the values.
  5. Log out and log in as the manager of the start user (user.0 in this sample).
  6. Click on the User Access Request Approval task appearing on the UI as a task in the group queue
     and assign the user task to user.0 (select 'Assign it to me'). The task now appears in 'My tasks'.
  7. Click on the task and then on the 'Details' button.
     The two fields showing the required access rights are modifiable by the manager.
     Complete the task by clicking on the 'Complete' button after selecting the Decision.
     The decision can be
     - Reject: the start user (in our sample user.1) receives a notification about the denial. An OpenIDM
       notification is created about this event which is visible on the UI after login with the appropriate user.
       If email notification was selected then one email will be sent to the user configured at the
       beginning of the use case sample.
     - Accept: starts a user task assigned to systemadmin.
  8. If the manager accepted, log out and log in as systemadmin (default password is "Passw0rd").
  9. Click on the User Access Request Approval task appearing on the UI in 'My tasks' and then on the 'Details' button.
     The two fields showing the required access rights are modifiable by the systemadmin.
     Complete the task by clicking on the 'Complete' button after selecting the Decision.
     The request can be
     - Reject: the start user (in our sample user.1) receives a notification about the denial. An OpenIDM
       notification is created about this event which is visible on the UI after login with the appropriate user.
       If email notification was selected then one email will be sent to the user configured at the
       beginning of the use case sample.
     - Accept: user.1 is updated in the managed users table of OpenIDM reflecting the requested changes.
       An OpenIDM notification is created about this event which is visible on the UI after login with the appropriate user.
       If email notification was selected then one email will be sent to the user configured at the
       beginning of the use case sample.

  In this sample there is an escalation step attached to the manager approval task. If the manager does not complete
  the user task within 10 minutes then a new user task is created and assigned to superadmin. It has the same user interface
  as the one assigned to the manager of the user and has the same functionalities. If the superadmin
  completes this task then the execution is passed to the administrator approval (systemadmin).
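
The two-level approval with its 10-minute escalation, modelled in JavaScript as an added example (not the sample's BPMN definition). State and function names are assumptions, as are three behaviours the README leaves open: the escalated task replaces the manager's task, a department manager's own request goes to superadmin, and the final notification goes to the start user.

```javascript
// Added example: a model of the use case 3 approval chain, not the BPMN file.
// State names and function names are assumptions made for this sketch.
const ESCALATION_MS = 10 * 60 * 1000;    // manager approval escalates after 10 minutes

// Layout from the top of this README: user.0, user.5, user.10 and user.15 manage
// their block of five; superadmin is the manager of the managers.
function managerOf(userName) {
  const m = /^user\.(\d+)$/.exec(userName);
  if (!m || Number(m[1]) > 19) throw new Error('not an ordinary user: ' + userName);
  const n = Number(m[1]);
  return n % 5 === 0 ? 'superadmin' : 'user.' + (n - (n % 5));
}

// Times are plain millisecond counters so the model can be stepped by hand.
function startRequest(requester, access, now) {
  return { requester, access: { ...access }, state: 'MANAGER_APPROVAL',
           assignee: managerOf(requester), taskCreatedAt: now, notifications: [] };
}

// Timer check. Assumption: the escalated task replaces the manager's task.
function tick(req, now) {
  if (req.state === 'MANAGER_APPROVAL' && req.assignee !== 'superadmin' &&
      now - req.taskCreatedAt >= ESCALATION_MS) {
    req.assignee = 'superadmin';
    req.taskCreatedAt = now;
  }
  return req;
}

// Complete the open task. Only the current assignee may decide; either approver
// may change the requested access rights before deciding.
function decide(req, actor, decision, access) {
  if (req.assignee === null) throw new Error('no open task');
  if (actor !== req.assignee) throw new Error(actor + ' is not the assignee');
  if (decision !== 'accept' && decision !== 'reject') throw new Error('unknown decision');
  if (access) req.access = { ...access };
  if (decision === 'reject') {
    req.state = 'REJECTED';
    req.assignee = null;
    req.notifications.push({ to: req.requester, text: 'Access request denied' });
  } else if (req.state === 'MANAGER_APPROVAL') {
    req.state = 'ADMIN_APPROVAL';         // second level: systemadmin
    req.assignee = 'systemadmin';
  } else {
    req.state = 'APPLIED';                // the managed user is updated with req.access
    req.assignee = null;                  // assumed recipient: the start user
    req.notifications.push({ to: req.requester, text: 'Access request accepted' });
  }
  return req;
}
```

Stepping a request through tick() and decide() shows that the requester never appears as an assignee and that a request reaches the managed user only after both approval levels accept.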