chap-workflow.xml revision 7d19a158b53f47b175ba1e6aad07c79365847ae6
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2012 ForgeRock AS
!
-->
<chapter xml:id='chap-workflow'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Business Processes & Workflow</title>
<para>Key to any identity management solution is the ability to provide
workflow driven provisioning activities, whether for self-service actions
such as request for entitlements, roles or resources, running sunrise or
sunset processes, handling approvals with escalations, or performing
maintenance.</para>
<para>OpenIDM provides an embedded workflow and business process engine
based on Activiti and the Business Process Model and Notation (BPMN) 2.0
standard.</para>
<note>
<para>The embedded workflow and business process engine is currently
provided as part of a separate, experimental download,
supported separately from the standard OpenIDM release.</para>
<!-- TODO: Confirm this approach for delivery -->
<para>You install
in the same way as standard OpenIDM. See the <link
xlink:href="install-guide#chap-install"
Guide</citetitle></link> for instructions. After starting OpenIDM, run
the <command>scr list</command> command at the console, and check that
bundle is active.</para>
<screen>-> scr list
...
[ 6] [active ] org.forgerock.openidm.external.activiti
...</screen>
<para>Contact ForgeRock at <link xlink:href="mailto:info@forgerock.com"
>info@forgerock.com</link> for details on support for the experimental
embedded workflow and business process engine.</para>
</note>
<para>More information about Activiti and the Activiti project can be found
<section xml:id="about-bmpm-2-activiti">
<title>About BPMN 2.0 & Activity Tools</title>
<para>Business Process Model and Notation 2.0 is the result of consensus
among Business Process Management (BPM) system vendors. The <link
(OMG) has developed and maintained the <link xlink:show="new"
2004.</para>
<para>The first version of the BPMN specification focused only on graphical
notation, and quickly became popular with the business analyst audience.
BPMN 1.x defines how constructs such as human tasks, executable scripts, and
automated decisions are visualized in a vendor-neutral, standard way. The
second version of BPMN extends that focus to include execution semantics,
and a common exchange format. Thus, BPMN 2.0 process definition models
can be exchanged not only between different graphical editors, but also
can be executed as is on any BPMN 2.0-compliant engine, such as the engine
embedded in OpenIDM.</para>
<para>Using BMPN 2.0, you can add artifacts describing workflow and business
process behavior to OpenIDM for provisioning and other purposes. For example,
you can craft the actual artifacts defining business processes and workflow
in a text editor such as <command>vi</command>, or using a special Eclipse
plugin. The Eclipse plugin provides visual design capabilities, simplifying
packaging and deployment of the artifact to OpenIDM. See the <link
xlink:show="new">Activiti BPMN 2.0 Eclipse Plugin</link> documentation for
instructions on installing Activiti Eclipse BPMN 2.0 Designer.</para>
<para>Also read the Activiti <citetitle>User Guide</citetitle> section
xlink:show="new"><citetitle>BPMN 2.0 Constructs</citetitle></link>, which
describes in detail the graphical notations and XML representations for
events, flows, gateways, tasks, and process constructs.</para>
</section>
<section xml:id="openidm-activity-limitations">
<title>Known Issues & Limitations</title>
<itemizedlist>
<para>The following are known issues and limitation for the experimental
embedded workflow and business process engine.</para>
<listitem>
<para>OpenIDM does not include a form generator, making it difficult to
include embedded forms. (OPENIDM-468)</para>
</listitem>
<listitem>
<!-- TODO: Issue ID? -->
<para>Error handling needs improvement. (OPENIDM-???)</para>
</listitem>
<listitem>
<para>This version depends on Activiti 5.8, which does not have the fix
xlink:show="new">ACT-583</link>: Processes are not found in the bar file,
if they are below root.</para>
<para>To work around this issue, create a directory inside the .bar, and
put the BPMN XML artifact in the directory so that it is properly picked up
by the Process Engine.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="invoking-activiti-workflows">
<title>Invoking Activiti Workflows</title>
<para>You can invoke workflows and business processes from any trigger point
OpenIDM offers, including reacting to situations discovered during
function.</para>
<programlisting language="javascript">
/*
* Calling 'myWorkflow' workflow
*/
var map = {
"_action" : "myWorkflow",
"_workflowParams" : {
"foo" : "bar"
}
};
</section>
<section xml:id="sample-activiti-workflows">
<title>Example Activiti Workflows With OpenIDM</title>
<para>This section describes two example workflows, one using email
notification, the other involving a sunset process triggered during
reconciliation.</para>
<!-- TODO: Rather than include the samples only in the doc, deliver the
samples with OpenIDM an describe the highlights in the documentation. -->
<section xml:id="example-activiti-email-notification-flow">
<title>Example Email Notification Workflow</title>
<para>This example uses the Activiti Eclipse BPMN 2.0 Designer to set up an
email notification business process. The example relies on an SMTP server
listening on <literal>localhost</literal>, port 25.</para>
<variablelist>
<para>The example sets up a workflow that can accept parameters used to
specify the sender and recipient of the mail.</para>
<varlistentry>
<term><literal>${fromSender}</literal></term>
<listitem>
<para>Used to specify the sender</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>${toEmail}</literal></term>
<listitem>
<para>Used to specify the recipient</para>
</listitem>
</varlistentry>
</variablelist>
<para>Once you have defined the workflow, drag and drop components to create
the workflow. This simple example uses only a
<literal>StartEvent</literal>, <literal>MailTask</literal>, and
<literal>EndEvent</literal>.</para>
<mediaobject>
<alt>Email notification process</alt>
<imageobject>
</imageobject>
<textobject>
<para>The email notification workflow has a start event, mail task, and
end event.</para>
</textobject>
</mediaobject>
<para>After creating the workflow, adjust the generated XML source code to
use the variables inside the <literal><serviceTask></literal>
tag shown in the following listing.</para>
<programlisting language="xml">
<?xml version="1.0" encoding="UTF-8"?>
<definitions
xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:activiti="http://activiti.org/bpmn"
xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
xmlns:omgdc="http://www.omg.org/spec/DD/20100524/DC"
xmlns:omgdi="http://www.omg.org/spec/DD/20100524/DI"
typeLanguage="http://www.w3.org/2001/XMLSchema"
expressionLanguage="http://www.w3.org/1999/XPath"
targetNamespace="http://www.activiti.org/test">
<process id="EmailNotification" name="emailNotification">
<documentation>Simple Email Notification Task</documentation>
<startEvent id="startevent1" name="Start"></startEvent>
<sequenceFlow id="flow1" name="" sourceRef="startevent1"
targetRef="mailtask1"></sequenceFlow>
<endEvent id="endevent1" name="End"></endEvent>
<sequenceFlow id="flow2" name="" sourceRef="mailtask1"
targetRef="endevent1"></sequenceFlow>
<serviceTask id="mailtask1" name="Email Notification"
activiti:type="mail">
<extensionElements>
<activiti:field name="to" expression="${toEmail}"
></activiti:field>
<activiti:field name="from" expression="no-reply@forgerock.com"
></activiti:field>
<activiti:field name="subject" expression="Simple Email Notification"
></activiti:field>
<activiti:field name="html">
<activiti:expression><![CDATA[Here is a simple Email Notification
from ${fromSender}.]]></activiti:expression>
</activiti:field>
</extensionElements>
</serviceTask>
</process>
<bpmndi:BPMNDiagram id="BPMNDiagram_EmailNotification">
<bpmndi:BPMNPlane bpmnElement="EmailNotification"
id="BPMNPlane_EmailNotification">
<bpmndi:BPMNShape bpmnElement="startevent1" id="BPMNShape_startevent1">
<omgdc:Bounds height="35" width="35" x="170" y="250"></omgdc:Bounds>
</bpmndi:BPMNShape>
<bpmndi:BPMNShape bpmnElement="endevent1" id="BPMNShape_endevent1">
<omgdc:Bounds height="35" width="35" x="410" y="250"></omgdc:Bounds>
</bpmndi:BPMNShape>
<bpmndi:BPMNShape bpmnElement="mailtask1" id="BPMNShape_mailtask1">
<omgdc:Bounds height="55" width="105" x="250" y="240"></omgdc:Bounds>
</bpmndi:BPMNShape>
<bpmndi:BPMNEdge bpmnElement="flow1" id="BPMNEdge_flow1">
<omgdi:waypoint x="205" y="267"></omgdi:waypoint>
<omgdi:waypoint x="250" y="267"></omgdi:waypoint>
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge bpmnElement="flow2" id="BPMNEdge_flow2">
<omgdi:waypoint x="355" y="267"></omgdi:waypoint>
<omgdi:waypoint x="410" y="267"></omgdi:waypoint>
</bpmndi:BPMNEdge>
</bpmndi:BPMNPlane>
</bpmndi:BPMNDiagram>
</definitions></programlisting>
<para>In Eclipse, select the project, then right click and select
Create deployment artifacts to generate the components and package them
in a .bar file for deployment in the <filename>workflow</filename>
directory where you installed OpenIDM. OpenIDM can pick up the new
workflow dynamically.</para>
<!-- TODO: Add specifics here... -->
<para>Before you deploy the .bar, work around the issue mentioned above
by adding the XML artifact in the right place in the .bar.</para>
<para>After you deploy the .bar, create a script in
OpenIDM. The script invokes the workflow.</para>
<programlisting language="javascript">
/*
* Calling 'EmailNotification' workflow
*/
var map = {
"_action" : "emailNotification",
"_workflowParams" : {
"fromSender" : "noreply@openidm",
"toEmail" : "john.doe@corp.com"
}
};
<para>Also, create a schedule configuration object in
installed OpenIDM. The following schedule invokes the workflow once per
minute.</para>
<programlisting language="javascript">
{
"enabled" : true,
"type" : "cron",
"schedule" : "0 0/1 * * * ?",
"invokeService" : "script",
"invokeContext" : {
"script" : {
"type" : "text/javascript",
"file" : "script/invokeEmailNotification.js"
},
}
}</programlisting>
<para>TODO: Show and explain the result.</para>
</section>
<section xml:id="example-activiti-recon-sunset-flow">
<title>Example Sunset Workflow Triggered By Reconciliation</title>
<para>OpenIDM can allow deferred deprovisioning and disabling, such as
needed when an external consultant's contract expires or is up for
renewal. This example shows how OpenIDM can be used to handle such
scenarios.</para>
<!-- TODO: Finish the example, and then rewrite this section. Perhaps
all of this should be in one of the samples, rather than describing how
it all works in great detail here? -->
<para>To understand the scenario, consider the target resource and the
authoritative source.</para>
<para>Set up a CSV file connector to connect to an authoritative source
file containing the following.</para> <!-- TODO: Howto steps or link to howto -->
<!-- TODO: need a script or steps to generate dates for the example, because
the dates here will not be useful if you read the documentation in 2013, right? -->
<programlisting language="csv" width="112">
firstName,uid,"lastName","email","employeeNumber",password,"sunrise","sunset","active"
"Darth","DDOE","Doe","doe@forgerock.org","123456","Z29vZA==","2011-11-30T10:17:00","2011-12-23T16:12:00","TRUE"</programlisting>
<para>The authoritative source contains the field, <literal>sunset</literal>,
containing a time and date string referring to a time in the future.</para>
<para>Set up a simple XML connector to replicate fields in the authoritative
CSV source on a 1-to-1 basis.</para> <!-- TODO: Howto steps or link to howto -->
<para>Define a Sunset Workflow using Activiti Eclipse BPMN 2.0
Designer.</para>
<mediaobject>
<alt>Sunset workflow process</alt>
<imageobject>
</imageobject>
<textobject>
<para>The sunset workflow starts by saving the invoke context, prepares
the call to OpenIDM, reads the user, runs an email notification, disables
the account, and ends.</para>
</textobject>
</mediaobject>
<para>Use the following XML artifact.</para>
<programlisting language="xml">
<?xml version="1.0" encoding="UTF-8"?>
<definitions id="definitions"
xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
xmlns:activiti="http://activiti.org/bpmn"
targetNamespace="Examples"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL
<process id="sunset" name="sunset usecase">
<startEvent id="start" />
<sequenceFlow sourceRef="start" targetRef="saveInvokeContext"/>
<scriptTask id="saveInvokeContext" scriptFormat="groovy"
activiti:returnVariable="invokecontext">
<script>
<![CDATA[
invokecontext =
]]>
</script>
</scriptTask>
<sequenceFlow sourceRef="saveInvokeContext"
targetRef="timerintermediatecatchevent1"/>
<intermediateCatchEvent id="timerintermediatecatchevent1"
name="TimerCatchEvent">
<extensionElements>
<activiti:field name="t" expression="${time}"
></activiti:field>
</extensionElements>
<timerEventDefinition>
<timeDate >${time}</timeDate>
</timerEventDefinition>
</intermediateCatchEvent>
<sequenceFlow sourceRef="timerintermediatecatchevent1"
targetRef="idmCall"/>
<serviceTask id="idmCall" activiti:delegateExpression="${openidm}"
activiti:async="true">
<extensionElements>
<activiti:field name="userName" expression="${userName}"
></activiti:field>
<activiti:field name="system" expression="${system}"
></activiti:field>
</extensionElements>
</serviceTask>
<sequenceFlow sourceRef="idmCall" targetRef="readUserAccount"/>
<scriptTask id="readUserAccount" scriptFormat="groovy"
activiti:returnVariable="user" >
<script>
<![CDATA[
out:println '********Sunset date for user ' + userName
putApprover(invokecontext.getApprover())
putRequester(invokecontext.getRequester())
pushActivityId(invokecontext.popActivityId())
user = openidm.read(system + userName);
]]>
</script>
</scriptTask>
<sequenceFlow sourceRef="readUserAccount" targetRef="sendMail"/>
<serviceTask id="sendMail" name="Email Notification"
activiti:type="mail">
<extensionElements>
<activiti:field name="to" expression="${toEmail}"
></activiti:field>
<activiti:field name="from" expression="no-reply@forgerock.com"
></activiti:field>
<activiti:field name="subject" expression="Disabling User"
></activiti:field>
<activiti:field name="text">
<activiti:expression><![CDATA[
The following user has been disabled:
${user}]]>
</activiti:expression>
</activiti:field>
</extensionElements>
</serviceTask>
<sequenceFlow sourceRef="sendMail" targetRef="disableAccount"/>
<scriptTask id="disableAccount" scriptFormat="groovy">
<script>
<![CDATA[
out:println '********Disabling user account ' + userName
user['__ENABLE__'] = false
openidm.update(system + userName, null, user)
]]>
</script>
</scriptTask>
<sequenceFlow sourceRef="disableAccount" targetRef="end"/>
<endEvent id="end"/>
</process>
</definitions></programlisting>
<para>Set up a deferred action during reconciliation by reacting to a
<literal>FOUND</literal> situation. When called, the script invoked must
return the proper action to the found situation, which in the case of this
example is <literal>LINK</literal>.</para>
<para>Add the following script to
invoked when reconciliation encounters a <literal>FOUND</literal>
situation.</para>
<programlisting language="javascript">
/*
* Calling 'sunrise' workflow
*/
var map = {
"_action" : "sunrise",
"_workflowParams" : {
"userName" : target.__UID__,
"time" : source.sunset,
"toEmail" : "manager@corp.org",
"fromSender" : "noreply@openidm"
}
};
"LINK"</programlisting>
<para>Add the following schedule to
installed OpenIDM to invoke the script.</para>
<programlisting language="javascript">
{
"enabled" : true,
"type" : "cron",
"schedule" : "0 08 16 * * ?",
"invokeService" : "discovery-engine",
"invokeContext" : {
"action" : "reconcile",
"mapping" : {
"name" : "CSV_XML",
"correlationQuery" : {
"type" : "text/javascript",
"source" : "var myarray = [source.uid];var map = {
'query' : {
'Equals': {'field' : 'name','values' : myarray}
}
};map;"
},
"properties" : [
{
"source" : "firstname",
"target" : "firstname"
},
{
"source" : "uid",
"target" : "name"
},
{
"source" : "lastname",
"target" : "lastname"
},
{
"source" : "email",
"target" : "email"
}
],
"policies" : [
{
"situation" : "CONFIRMED",
"action" : "IGNORE"
},
<emphasis role="bold">{
"situation" : "FOUND",
"action" : {
"type" : "text/javascript",
"file" : "script/triggerSunset.js"
}
},</emphasis>
{
"situation" : "ABSENT",
"action" : "IGNORE"
},
{
"situation" : "AMBIGUOUS",
"action" : "IGNORE"
},
{
"situation" : "MISSING",
"action" : "IGNORE"
},
{
"situation" : "UNQUALIFIED",
"action" : "IGNORE"
},
{
"situation" : "UNASSIGNED",
"action" : "IGNORE"
}
]
}
}
}</programlisting>
<para>TODO: Show results</para>
</section>
</section>
</chapter>