
Task Notification for new Active Directory user to uaadmin


hi,

IDM users are created from Active Directory only with first name, last
name, login disabled and CN. I have designed a workflow from which uaadmin
or appadmin can start a workflow for any user to assign his
title, department, region and manager, where the mentioned manager is present
as approver. It is working fine. Now I want to start this workflow
automatically when a new user is created in AD, so I added a policy in the AD
driver to start the workflow. But it is not starting automatically and is giving
an error. Is this the correct way to do this? Otherwise, can anyone help with
an example to start a task notification to appadmin on new user creation
from AD.

I am getting the error below. My policy and error are:

Can anyone help me with this issue?

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Start Workflow</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <do-start-workflow id="cn=appadmin,ou=sa,o=system"
                         url="http://192.168.16.2:8180/IDMProv"
                         workflow-id="CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell">
        <arg-password>
          <token-named-password name="workflow-admin"/>
        </arg-password>
        <arg-dn>
          <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
            <token-xpath expression="@qualified-src-dn"/>
          </token-parse-dn>
        </arg-dn>
        <arg-string name="reason">
          <token-text>new user creation in AD</token-text>
        </arg-string>
      </do-start-workflow>
    </actions>
  </rule>
</policy>

Attached below is the L4 trace of the AD driver.


Thanks and Regards

Deb


+----------------------------------------------------------------------+
|Filename: workflow-error.txt |
|Download: https://forums.netiq.com/attachment.php?attachmentid=214 |
+----------------------------------------------------------------------+

--
deb_sarkar
------------------------------------------------------------------------
deb_sarkar's Profile: https://forums.netiq.com/member.php?userid=7951
View this thread: https://forums.netiq.com/showthread.php?t=52238


Re: Task Notification for new Active Directory user to uaadmin

On 11/19/2014 04:08 PM, deb sarkar wrote:
>
> hi,
>
> IDM users are created from Active Directory only with first name, last
> name, login disabled and CN. I have designed a workflow from which uaadmin
> or appadmin can start a workflow for any user to assign his
> title, department, region and manager, where the mentioned manager is present
> as approver. It is working fine. Now I want to start this workflow
> automatically when a new user is created in AD, so I added a policy in the AD
> driver to start the workflow. But it is not starting automatically and is giving
> an error. Is this the correct way to do this? Otherwise, can anyone help with
> an example to start a task notification to appadmin on new user creation
> from AD.
>
> I am getting the error below. My policy and error are:
>
> Can anyone help me with this issue?
>
> <?xml version="1.0" encoding="UTF-8"?>
> <policy>
>   <rule>
>     <description>Start Workflow</description>
>     <conditions>
>       <and>
>         <if-operation op="equal">add</if-operation>
>       </and>
>     </conditions>
>     <actions>
>       <do-start-workflow id="cn=appadmin,ou=sa,o=system"
>                          url="http://192.168.16.2:8180/IDMProv"
>                          workflow-id="CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell">
>         <arg-password>
>           <token-named-password name="workflow-admin"/>
>         </arg-password>
>         <arg-dn>
>           <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
>             <token-xpath expression="@qualified-src-dn"/>
>           </token-parse-dn>
>         </arg-dn>
>         <arg-string name="reason">
>           <token-text>new user creation in AD</token-text>
>         </arg-string>
>       </do-start-workflow>
>     </actions>
>   </rule>
> </policy>
>
> Attached below is the L4 trace of the AD driver.
>
>
> Thanks and Regards
>
> Deb
>
>
> +----------------------------------------------------------------------+
> |Filename: workflow-error.txt |
> |Download: https://forums.netiq.com/attachment.php?attachmentid=214 |
> +----------------------------------------------------------------------+
>

Greetings,
The trace is showing that the recipient cannot be evaluated.
Either what you are passing in is not correct or the expression is not.

for recipient ''

The recipient must be the full DN of the user in eDirectory (

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Task Notification for new Active Directory user to uaadmin


Hi,

First, my apologies for mentioning the wrong policy; the correct one is below.
Secondly, is the reason that I am calling this workflow during the user
addition action of the AD driver? Is it possible that this happens because the
user has not been created in IDM yet when this workflow is called?

Is there any other way to do this? It will be helpful if anyone can give
details.

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Start Workflow</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-start-workflow id="CN=appadmin,OU=sa,O=data"
                         url="http://192.168.16.2:8180/IDMProv"
                         workflow-id="CN=Update Employee Title,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=GKLABDrvSet,O=system">
        <arg-password>
          <token-named-password name="workflow-admin"/>
        </arg-password>
        <arg-dn>
          <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
            <token-xpath expression="@qualified-src-dn"/>
          </token-parse-dn>
        </arg-dn>
        <arg-string name="reason">
          <token-text>new hire</token-text>
        </arg-string>
      </do-start-workflow>
    </actions>
  </rule>
</policy>

Regards

Deb


--
deb_sarkar


Re: Task Notification for new Active Directory user to uaadmin


Hello,

I would put that auto-start of the workflow in a loopback or null
driver, operating on the add event for the user account. Then you know
that the user exists when the workflow starts.
If you do it in the AD driver on the add event (coming from AD), the
user doesn't exist and there might be a race condition.

br
/Anders


--
abergvall
------------------------------------------------------------------------
abergvall's Profile: https://forums.netiq.com/member.php?userid=278
View this thread: https://forums.netiq.com/showthread.php?t=52238


Re: Task Notification for new Active Directory user to uaadmin

abergvall wrote:

>
> Hello,
>
> I would put that auto-start of the workflow in a loopback or null
> driver, operating on the add event for the user account. Then you know
> that the user exists when the workflow starts.
> If you do it in the AD driver on the add event (coming from AD), the
> user doesn't exist and there might be a race condition.


In my experience, there is no race condition. It just won't work as the object just hasn't been created yet.


The solution from Anders is definitely the "best practices" way to solve this. If that approach is acceptable to the customer, I would suggest you go with that approach.


I however had a customer who had this exact requirement and wanted to guarantee that this workflow could only be triggered during publisher add on a specific driver.

We solved this with the following logic:



1. Create a new policy on publisher command transform.

2. Add the two rules from the article:
https://www.netiq.com/communities/cool-solutions/delving-into-and-beyond-the-current-op-part-3/

"Convert Regular add to validated direct write + empty modify"
and
"Generic validated direct-write"

3. Move your existing policy to run directly afterwards.
4. Your existing policy is scoped to trigger on modify instead of add.
5. The modify lacks a qualified DN, so you have to query for this before transforming it to an LDAP DN.

The updated policy would look something like this (untested):

<rule>
  <description>Start Workflow</description>
  <conditions>
    <and>
      <if-operation op="equal">modify</if-operation>
      <if-dest-dn op="available"/>
      <if-op-property mode="nocase" name="from-direct-add" op="equal">true</if-op-property>
    </and>
  </conditions>
  <actions>
    <do-start-workflow id="cn=appadmin,ou=sa,o=system"
                       url="http://192.168.16.2:8180/IDMProv"
                       workflow-id="CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell">
      <arg-password>
        <token-named-password name="workflow-admin"/>
      </arg-password>
      <arg-dn>
        <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
          <token-xpath expression="query:readObject($destQueryProcessor,'',@dest-dn,'','')[1]/@qualified-src-dn"/>
        </token-parse-dn>
      </arg-dn>
      <arg-string name="reason">
        <token-text>new user creation in AD</token-text>
      </arg-string>
    </do-start-workflow>
  </actions>
</rule>
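Added example, not from the thread or from the NetIQ product: a small Python audit that reads a DirXML policy like the ones posted above and flags the two failure modes the thread diagnoses (a do-start-workflow rule scoped to the publisher add, and a modify-scoped rule missing the from-direct-add guard or the query for the qualified DN), plus a helper that reproduces the empty recipient '' from the trace by evaluating arg-dn the way token-parse-dn would. The sample policies, the example.invalid URL and the flat qualified-slash DN conversion (no escaped separators) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the thread's first policy (fires on add) and a modify-scoped
# variant following the five steps above, both trimmed to what the audit inspects.
POLICY_ON_ADD = """<policy><rule><description>Start Workflow</description>
<conditions><and><if-operation op="equal">add</if-operation></and></conditions>
<actions><do-start-workflow id="cn=appadmin,ou=sa,o=system" url="http://example.invalid/IDMProv"
 workflow-id="CN=ApproveCellPhone,CN=RequestDefs,O=novell">
<arg-dn><token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
<token-xpath expression="@qualified-src-dn"/></token-parse-dn></arg-dn>
</do-start-workflow></actions></rule></policy>"""

POLICY_ON_MODIFY = POLICY_ON_ADD.replace(
    '<if-operation op="equal">add</if-operation>',
    '<if-operation op="equal">modify</if-operation><if-dest-dn op="available"/>'
    '<if-op-property mode="nocase" name="from-direct-add" op="equal">true</if-op-property>',
).replace('expression="@qualified-src-dn"',
          "expression=\"query:readObject($destQueryProcessor,'',@dest-dn,'','')[1]/@qualified-src-dn\"")

def qualified_slash_to_ldap(dn):
    """Mimic token-parse-dn (src qualified-slash, dest ldap): drop the leading
    backslash, reverse the components, join with commas. Assumes values contain
    no escaped separators; RDN type case is kept as given."""
    return ",".join(reversed([p for p in dn.split("\\") if p]))

def resolve_recipient(event_attrs):
    """Evaluate the rule's arg-dn the way the trace did: an event carrying no
    qualified-src-dn yields the empty recipient '' reported in the thread."""
    return qualified_slash_to_ldap(event_attrs.get("qualified-src-dn", ""))

def audit_policy(policy_xml):
    """Return one finding per workflow-starting rule that fires before the object
    exists in eDirectory or lacks the guards the steps above add."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        if rule.find("actions/do-start-workflow") is None:
            continue
        name = rule.findtext("description", "?")
        ops = {e.text for e in rule.iter("if-operation")}
        if "add" in ops:
            findings.append(f"{name}: fires on add; the object may not exist in eDirectory yet")
        if "modify" in ops:
            if rule.find(".//if-op-property[@name='from-direct-add']") is None:
                findings.append(f"{name}: modify rule has no from-direct-add guard, fires on every modify")
            xp = rule.find(".//arg-dn/token-parse-dn/token-xpath")
            if xp is not None and xp.get("expression") == "@qualified-src-dn":
                findings.append(f"{name}: a modify carries no qualified-src-dn; query it via dest-dn first")
    return findings
```

Run the audit over an exported policy before enabling it on a production driver; a rule that passes both checks still needs the loopback or direct-write setup described above so the object actually exists when the workflow starts.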

Re: Task Notification for new Active Directory user to uaadmin


alexmchugh, thanks for this information. It is nice advice. If required,
I will definitely use it.


Thanks and Regards

Deb


--
deb_sarkar


Re: Task Notification for new Active Directory user to uaadmin


Thanks Anders,

It has been resolved by using the loopback driver.

Regards

Deb


--
deb_sarkar
