
How to improve workflow for MT driver


Hi,
We are using IDM 3.5.1 (yes I know it's old, but that's what we're stuck
with). We need to provide an approval workflow for provisioning new
users. Therefore, we have used the Manual Task driver together with a
custom iManager task and some other drivers to deliver the process. For
the most part it works as stated below but there is one part of the
solution which is not ideal and we would like to improve but requires
XSLT code to resolve, which we have limited knowledge of.

What changes would we need to make to the XSL stylesheet to achieve the
required solution below?

Manual Task driver

1. Custom iManager task creates an edir account, login disabled.
2. Manual Task driver reacts to the add event, and sends an email to a
   Manager. Email contains an embedded URL pointing to the webserver
   running on the MT Driver.
3. Manager clicks on the link, and a browser window will open with details
   of the new user account. Manager must authenticate with his password,
   and select an approve or deny option. Clicking on the submit button of
   the webpage will POST the data to the MT Driver.
4. The MT driver will set a flag attribute on the new account.
5. Other connected systems react to that flag attribute being set and
   provision accounts for the approved user.
6. A template message is sent back to the Manager's browser to show the
   action was successful.

This all works already, only a few tweaks to the MT driver required.

Problem:

The embedded link in the mail that was sent to the Manager is still
"Active". The Manager can click on that embedded URL a week or a month
later and still get the webpage with the option to approve or deny the
request. So multiple approval POSTS are possible, or even an Approve
followed a fortnight later by a Deny. IDM policy can intercept these
events downstream and veto them. But there is no feedback to the Manager
about it.

Required Solution

On the IDM side, policy rules can check if a user account already has
the flag attribute added or not. If not, allow the event through (i.e.
initial approve or deny decision). If the user account does have that
attribute set, then the account has already been approved or denied so
veto the event with an explanation message in trace. This is working
OK.

On the "desktop" side, send a template message to the Manager's browser
to explain that the action failed because the user has already been
processed. If changes to the flag attribute are required, go into
iManager and use the custom Modify task. This is not working (yet).

The MT driver uses an XSLT stylesheet to process HTTP Get and Post
actions, and combines that with various message templates to build
messages sent to the Manager's browser. The required logic would seem to
be to accept the HTTP Post from a Manager's approve or deny action,
query edirectory for that user and read if the flag attribute has
already been set or not. If it hasn't, continue with the current working
setup (standard out of the box stuff). But if the flag has already been
set, do not issue a Modify event into the Publisher channel and also
send a fail template message back to the Manager's browser to explain
why the action failed.


Any help much appreciated.
Mark


--
ratclma
------------------------------------------------------------------------
ratclma's Profile: https://forums.netiq.com/member.php?userid=7886
View this thread: https://forums.netiq.com/showthread.php?t=51485
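
A model of the check described in this post, added here as an example; it is not the MT driver's stylesheet or code from the thread. The attribute name `approvalFlag`, the fail template name, the sample DN and the in-memory directory are assumptions; `post_response_template.xml` is the template name that appears in the thread.

```python
import threading

FLAG_ATTR = "approvalFlag"                      # hypothetical name for the "flag attribute"
SUCCESS_TEMPLATE = "post_response_template.xml"  # template name from the thread
FAIL_TEMPLATE = "post_already_processed_template.xml"  # hypothetical fail template
SAMPLE_DN = "cn=jdoe,ou=users,o=example"        # constructed sample entry


class ApprovalGate:
    """Read the flag before publishing, so an e-mailed link decides only once."""

    def __init__(self, directory):
        self._dir = directory          # dn -> attributes, stands in for eDirectory
        self._lock = threading.Lock()  # check-and-set must be atomic for double POSTs
        self.published = []            # modify events that would reach the Publisher channel

    def handle_post(self, user_dn, decision, manager):
        if decision not in ("approve", "deny"):
            raise ValueError("decision must be 'approve' or 'deny'")
        with self._lock:
            entry = self._dir.get(user_dn)
            if entry is None:
                raise LookupError("no such user: " + user_dn)
            if FLAG_ATTR in entry:
                # Replayed link: publish nothing and tell the Manager why.
                return {"template": FAIL_TEMPLATE, "published": False,
                        "recorded": entry[FLAG_ATTR]}
            entry[FLAG_ATTR] = decision
            self.published.append((user_dn, decision, manager))
        return {"template": SUCCESS_TEMPLATE, "published": True,
                "recorded": decision}


def replay_demo():
    """Approve once, then click the same link twice more (second time as a deny)."""
    gate = ApprovalGate({SAMPLE_DN: {"loginDisabled": True}})
    clicks = ["approve", "approve", "deny"]
    return [gate.handle_post(SAMPLE_DN, d, "manager1")["template"] for d in clicks]


if __name__ == "__main__":
    for template in replay_demo():
        print(template)
```

The downstream policy veto described in the post stays in place as the second check; this only adds the feedback to the Manager's browser.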

Re: How to improve workflow for MT driver

> Required Solution

> On the "desktop" side, send a template message to the Manager's browser
> to explain that the action failed because the user has already been
> processed. If changes to the flag attribute are required, go into
> iManager and use the custom Modify task. This is not working (yet).
>
> The MT driver uses an XSLT stylesheet to process HTTP Get and Post
> actions, and combines that with various message templates to build
> messages sent to the Manager's browser. The required logic would seem to
> be to accept the HTTP Post from a Manager's approve or deny action,
> query edirectory for that user and read if the flag attribute has
> already been set or not. If it hasn't, continue with the current working
> setup (standard out of the box stuff). But if the flag has already been
> set, do not issue a Modify event into the Publisher channel and also
> send a fail template message back to the Manager's browser to explain
> why the action failed.


I have never touched this driver, barely even knew it existed. Not even
sure I could instantiate such a driver today.

Do you have sample XSLT of what it is doing, to see if it is something
obvious?



Re: How to improve workflow for MT driver


geoffc;247368 Wrote:
> > Required Solution
> >
> > On the "desktop" side, send a template message to the Manager's browser
> > to explain that the action failed because the user has already been
> > processed. If changes to the flag attribute are required, go into
> > iManager and use the custom Modify task. This is not working (yet).
> >
> > The MT driver uses an XSLT stylesheet to process HTTP Get and Post
> > actions, and combines that with various message templates to build
> > messages sent to the Manager's browser. The required logic would seem to
> > be to accept the HTTP Post from a Manager's approve or deny action,
> > query edirectory for that user and read if the flag attribute has
> > already been set or not. If it hasn't, continue with the current working
> > setup (standard out of the box stuff). But if the flag has already been
> > set, do not issue a Modify event into the Publisher channel and also
> > send a fail template message back to the Manager's browser to explain
> > why the action failed.
>
> I have never touched this driver, barely even knew it existed. Not even
> sure I could instantiate such a driver today.
>
> Do you have sample XSLT of what it is doing, to see if it is something
> obvious?

Geoff,
I have added the IDM Trace log file for the Manual Task driver to
Pastebin - http://pastebin.com/tDq39pah
Also uploaded the template XML and XSLT files that are relevant.
post_response_template.xml - http://pastebin.com/0JPm7seG
post_invalid_auth_template.xml - http://pastebin.com/AZGgUXYj
post_modify_template.xml - http://pastebin.com/DVFD9RuQ
form_template.xml - http://pastebin.com/8BCtsbTr


The trace file covers the ACP user creation and subsequent approval by
the coordinator. In the trace, the coordinator approval can be seen
arriving at -

[08/10/14 21:39:12.875]:MT-ACC3 :ACP-MT-Access3:
XslServlet: HTTP GET:

The trace from that point on follows the xslt processing that we need to
change to do a query and result process, then switch returned html
response docs based on the result "already acpenabled or not?"
Hope this helps in spotting what we need to do.

Thanks
Mark



Re: How to improve workflow for MT driver


Missed the process_template.xsl file off the previous post. Here is the
pastebin: http://pastebin.com/Gx8K2jSp



Re: How to improve workflow for MT driver


Geoff,
Did you get a chance to look at the pastebin entries I posted? Any
thoughts?
Thanks
Mark

