ForgeRock Identity Management includes an OOTB workflow engine based on BPMN (Business Process Model & Notation). This isn’t unique; most identity management solutions have some form of workflow engine. However, in my experience they are typically based on some proprietary technology and/or very painful to work with.
I have recently had to build some workflows for various customer Proof of Concepts and I am really impressed by how quickly you can pull something together, so I wanted to write up a blog entry.
So in this blog we are going to use a brand new instance of IDM (installed locally) and create a simple request and approval workflow which we will then test.
I am going to use Eclipse for this, although there are other BPMN editors. I am also not going to spend much time talking about BPMN beyond what we need to build a meaningful workflow. Much more information is available here. In the spirit of this blog I am just going to get on with it and walk you through the basic steps to build and test a simple workflow.
Additionally, the workflow samples that ship with IDM are a brilliant place to start. I highly recommend taking a look at them and using them as the basis of your workflows until you get comfortable building them yourself.
I am going to assume you have an installation of IDM already; if not, check out my IDM beginners series.
IDM ships with a built-in version of the Activiti workflow engine: https://www.activiti.org/. We are going to use the free Eclipse Activiti Workflow Designer to build our workflows.
Firstly, download and install the Eclipse IDE.
When you have Eclipse installed, fire it up and navigate to Help -> Install New Software:
Enter the following location: https://www.activiti.org/designer/update/ and press OK.
Wait for the installation process to complete. Now that is all out of the way, let's get started!
Create a New Project
And press Finish.
Building a New Workflow
- A step to actually create a request for something (that is actually our StartEvent we just created).
- A step to gather some information and determine who the request needs to go to for approval.
- A step for the actual approval.
- A step for processing the result. Typically you also want to send an email containing the response. In fact, we probably need two steps here, one for success and one for failure.
```groovy
java.util.logging.Logger logger = java.util.logging.Logger.getLogger("")
logger.info("SimpleWorkflow - Process Request")
```
Testing the Workflow in IDM
More Workflow Logic
```groovy
java.util.logging.Logger logger = java.util.logging.Logger.getLogger("")
logger.info("SimpleWorkflow - Process Request " + initiatorId);

// find user
readStartUserFromRepoParams = [_queryId:'for-userName',uid:initiatorId]
qresults = openidm.query('managed/user', readStartUserFromRepoParams)

// get user details
// qresults.result is a list; take the first match so the workflow
// variables hold single values rather than one-element lists
user = qresults.result[0]
execution.setVariable("userId", user._id)
execution.setVariable("userName", user.userName)
execution.setVariable("givenName", user.givenName)
execution.setVariable("sn", user.sn)
execution.setVariable("mail", user.mail)

// set approver
execution.setVariable("approverId", "openidm-admin")
```
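The script above assumes the `for-userName` query returns a single user. As an added example (not code from the original post or from ForgeRock), here is the same lookup written to fail closed when the initiator is blank or matches zero or several managed users. The `resolveRequester` function name and the stub objects at the bottom are assumptions that stand in for the `openidm` and `execution` bindings IDM supplies to a script task.

```groovy
// Added example: fail-closed requester lookup for the "Process Request" script task.
// resolveRequester is a hypothetical helper name; in IDM, 'openidm' and
// 'execution' are provided by the workflow engine.
def resolveRequester(openidm, execution, String initiatorId) {
    if (!initiatorId?.trim()) {
        throw new IllegalStateException("SimpleWorkflow - request has no initiator")
    }
    def params = [_queryId: 'for-userName', uid: initiatorId]
    def matches = openidm.query('managed/user', params).result ?: []

    // Exactly one managed user must match; anything else stops the workflow
    // before an approval task is created for the wrong (or no) identity.
    if (matches.size() != 1) {
        throw new IllegalStateException(
            "SimpleWorkflow - expected 1 user for initiator, found ${matches.size()}")
    }
    def user = matches[0]
    execution.setVariable('userId', user._id)
    ['userName', 'givenName', 'sn', 'mail'].each { execution.setVariable(it, user[it]) }
    return user
}

// ---- constructed stand-ins so the script runs outside IDM ----
def fakeRepo = [[_id: 'a1b2', userName: 'jdoe', givenName: 'Jane',
                 sn: 'Doe', mail: 'jdoe@example.com']]
def openidmStub = [query: { String resource, Map p ->
    [result: fakeRepo.findAll { it.userName == p.uid }] }]
def vars = [:]
def executionStub = [setVariable: { String k, v -> vars[k] = v }]

// One match: variables are set to single values
resolveRequester(openidmStub, executionStub, 'jdoe')
assert vars.userId == 'a1b2'
assert vars.mail == 'jdoe@example.com'

// No match: the lookup refuses to continue
try {
    resolveRequester(openidmStub, executionStub, 'nobody')
    assert false : 'lookup should have been rejected'
} catch (IllegalStateException e) {
    println "rejected: ${e.message}"
}
```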
However, as before, do not click Complete just yet, as we need to actually make this do something.
Final Workflow Logic
```groovy
java.util.logging.Logger logger = java.util.logging.Logger.getLogger("")
logger.info("SimpleWorkflow - Approved")

// timestamp for the notification, formatted in UTC
java.text.SimpleDateFormat formatUTC = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.S'Z'");
formatUTC.setTimeZone(TimeZone.getTimeZone("UTC"));
requestDate = formatUTC.format(new Date());

// notification shown to the user who raised the request
def requesterNotification = [
    "receiverId": userId,
    "requesterId" : "",
    "requester" : "",
    "createDate" : requestDate,
    "notificationType" : "info",
    "notificationSubtype" : "",
    "message" : "The access request was accepted"
];

// store the notification in the repository
openidm.create("repo/ui/notification/", null, requesterNotification)
```