2019

The RSA IGL Services 101 blogs help to explain various areas of RSA Identity Governance and Lifecycle, to ensure you are getting the most out of the product and following recommended practices. We hope to show you lots of great features, tips and tricks that you may not have been aware of!

 

This blog provides a high-level index and summary of each workflow node available, taken from v7.1x of RSA IGL. As we cover each node in more detail, we will add a link below that you can click for more information. For example, please click "Milestone" in the table below.

If there is a specific node you would like to know more about, please let us know in the comments below.

Workflow Node Summary

The workflow editor includes processing nodes that are common to, and also specific to, request, approval, fulfillment, and escalation workflows. Nodes are the building blocks you use to create and modify workflows. The following table lists the nodes that you can use in request, approval, fulfillment, and escalation workflows.

 

Node

Description

Activity

Used to define an activity for a change request.

Approval

Used to define an approval for a change request.

Approvals Phase

Used to allow change request items to be approved as groups at the same level.

Cancel Change Request

Used to generate a milestone to cancel the entire change request processed by the workflow and revert all changes completed in the change request, reject the entire change request processed by the workflow, or put the change request in an error state.

Complete Assigned

Used in an escalation workflow to mark work assigned to a user (through an approval or activity) as completed.

Create Admin Error

Specifies the type of admin error to create for an administrator.

Decision

Evaluates one or more conditions to a true or false result; the outgoing transitions lead to an action or stop delimiter depending on whether or not the condition is met.

Delay

Suspends a workflow temporarily based on date criteria. The date could be a specific date, the change request fulfillment date, a system-calculated date relative to the current time, the result of a Java method that returns a date, or the result of a SQL query that returns a date.

Form Approval

Used to define an approval for a change request generated from a form.

Form Fulfillment

Used to define a fulfillment for a change request generated from a form.

Fulfillment Handler

Invokes a Java class to fulfill changes in a request.

Fulfillment Phase

Used to allow change request items to be fulfilled as groups at the same level.

Get Remaining Seconds

Used to store how much time remains for a calculated due date, perform some escalation outside of the assigned user’s control, and then update the due date for the assigned user based on the earlier recorded remaining time.

Java *

Provides an interface to a Java method passing any parameters and returning a true/false result you can incorporate into a workflow.

The Java node can evaluate conditions and perform actions in a workflow that are required for an approval or to initiate completion of an activity.

Note that if you use the Java node in a workflow or use the Java tag in workflow forms, you should place custom classes or jars in one of the following directories:

  • aveksa.ear/aveksa.war/WEB-INF/plugins/JavaNode/lib
  • aveksa.ear/aveksa.war/WEB-INF/plugins/JavaNode/classes

The sample Java Node workflow is deployed and references classes in these plugin directories. The source files for the samples are also included in the plugin directory under the src directory.

Job State

Specifies a job state that pauses a workflow: Canceled, Error, or Suspension.

Manual Fulfillment

Used to handle a fulfillment manually and not automatically by the system.

Mark Verified

Used to indicate that changes marked as pending verification should be marked as verified.

Milestone

Provides high-level status information about a workflow milestone you want displayed in a change request.

Next Value

Returns the next value for a given job level workflow variable. If no value is returned (the last value was previously retrieved), the node returns false, which can be tested on an outgoing transition. If a valid value is returned, a true return code is provided. This node is typically used to iterate through an array of values to get the next value in the array.

Provisioning Command

Used to complete a provisioning command in a data source for a particular business source.

Reassign

Used to assign an approval or activity to another user.

Reset Password

Used to generate an email notification prompting a user to retrieve a password that has been reset for the user.

REST Web Service *

Invokes a REST call to an endpoint. The responses and results from the calls are stored in the workflow variables based on the configuration in the node. This information can be used in a workflow’s decision logic.

The node supports:

  • GET and POST methods
  • Basic authentication
  • Header parameters
  • XML and Properties response types
  • Parsing of the response using XPath and RegEx expressions.

Run Report

Generates a report configured for the node in the workflow.

Run Review

Used to generate a user access review associated with the node.

Send Email

Generates email you want from the workflow. It supports the use of workflow variables or runtime workflow information to specify the To/From portions of the email.

Set Value

Creates or updates one or more job level workflow variables using the values provided. The value can be a literal or use other workflow variables that are evaluated at the time the node is executed.

SOAP Web Service *

Invokes a SOAP call to an endpoint. The responses and results from the calls are stored in the workflow variables based on the configuration in the node. This information can be used in a workflow’s decision logic.

The node supports:

  • POST method
  • Basic authentication
  • WS-Security
  • Generic MIME Header
  • SOAP based XML response type
  • Parsing of the response using XPath and RegEx expressions

SQL Execute *

Runs an Insert/Update/Delete SQL command or a stored procedure where no result set is needed. It runs against the system database (AVDB). This node supports variables from the workflow with the SQL.

If you want to use an output parameter from your stored procedure (say, a 'success' or 'failure' status) as a workflow variable for subsequent processing, you must define the stored procedure as a function and use the following syntax:

select sp_update_db('JOE', 'SMITH', status) status from dual

SQL Select *

To be updated.

Start

Used as the start delimiter for a workflow.

Stop

Used as the stop delimiter for a workflow.

Subprocess

Calls/interjects another workflow as a subprocess of the current workflow. This node is useful in compartmentalizing work items or to improve maintenance or re-use of workflows.

Text Node

Used to enter text into a workflow.

Transition

Used to connect two workflow nodes (processes) unidirectionally with a straight line. Transitions can be conditional or unconditional. A conditional transition occurs only if a particular condition is true. An unconditional transition can occur regardless of whether a condition is true. A transition is visually represented as an arrow.

Undo Changes

Used to generate changes to reverse the requested changes that have been fulfilled.

Wait for Verification

Used to create a database watch for evidence of a change request fulfillment.

 

Note: Not all controls and types are available for every workflow type. Also, nodes with an asterisk symbol ( * ) are designed for advanced application. These nodes should be implemented carefully because poorly defined nodes can negatively impact workflow performance.


 

Product Area: Reports/Charts/Tables

Data: App-Roles

Summary: Application roles collected within "directories" are not located in the PV_APPLICATION_ROLE view but are instead found under the PV_DIRECTORY_ROLE view. If you use directories and collect APP-ROLES in them, you must take this into account for all the reports/charts that you create, so that you don't miss any information.

RSA Field Example: If creating a report/chart to display all app_roles within RSA IGL which have a "privileged" flag set to "yes", you will need to take into account both of these tables in the SQL.

SQL Example:

select 
    application_id,
    name
from avuser.pv_application_role
where lower(privileged) = 'yes'
union all
select
    application_id,
    name
from avuser.PV_DIRECTORY_ROLE
where lower(privileged) = 'yes'

 

These images show where the data is found.

 

Within the Directory "Navision - SQL Database" we can see the "app role" called "db_access_admin"

When searching against PV_APPLICATION_ROLE table - the result is not found

When searching against PV_DIRECTORY_ROLE table - the result is found

 

Thought I'd share this to save others time if they weren't already aware.

 

Cheers,

Clive
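
The reconciliation query below is an added example, not part of the original post: it tags each privileged role with the view it came from and counts the rows per view, so you can see how many roles a report built on PV_APPLICATION_ROLE alone would miss. It assumes only the columns used in the post's query (application_id, name, privileged); the source_view and roles_in_view column names are made up for illustration.

```sql
-- Added example (not from the original post).
-- Assumes both views expose application_id, name and privileged,
-- as in the post's query. source_view / roles_in_view are illustrative names.
with all_app_roles as (
    -- roles collected directly against applications
    select 'PV_APPLICATION_ROLE' as source_view,
           application_id, name, privileged
    from avuser.pv_application_role
    union all
    -- roles collected within directories
    select 'PV_DIRECTORY_ROLE' as source_view,
           application_id, name, privileged
    from avuser.pv_directory_role
)
select source_view,
       application_id,
       name,
       -- number of privileged roles contributed by this view
       count(*) over (partition by source_view) as roles_in_view
from all_app_roles
where lower(privileged) = 'yes'
order by source_view, name
```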


We are starting by looking at workflow nodes and in this blog, specifically the "milestone" node. 

The RSA Services team love to use Milestone nodes whenever possible and find they are a great addition to any workflow. However, they are surprised to find that our customers are not using them enough to help make things easier and clearer!

 

Thanks to the PS rockstars: Clive Morrish, Ahmed Nofal and Mostafa Helmy for their help on this blog.


Product Area: Workflows

Note: A summary of all workflows is found here: RSA IGL Services 101: Explaining Workflow Nodes - Summary

Workflow Node: Milestones

Time to apply: <10 minutes

Impact: High positive impact for end users, low risk to the workflow process as nothing is being changed to affect the flow.

Summary: "Milestone" nodes provide a great way to track the route a workflow has taken and give some business-friendly information about what's happening, without having to drill into the processing itself. This helps business end users and admins alike, as the Milestones are captured on the Request Tab to provide an easy-to-use reference point.

RSA Field Example: To put it in generic terms, what we really use them for is to help determine why the CR has ended up where it has, without having to look at the processing workflow. We typically use them after decision nodes or to provide a success/failure response.

As shown in the status image below, to meet a customer requirement we needed to identify requests created as a result of an account being Revoked within an account review and handle them differently. This is the first decision within the workflow and we use the Milestone to confirm it. Without this Milestone you'd need to view the processing workflow to confirm the route the request has taken.

 

Then, because it’s a revoke from a review, there's a requirement to create a new CR from the workflow. This milestone not only confirms the new CR has been created but also provides the new CR ID. This provides an auditable trail and helps users locate the new CR.

 

In its simplest form, the Supervisor Approval workflow could be updated to include a Milestone to advise if a supervisor couldn’t be found! Without the milestone, you'd need to dig a little deeper to extract this useful information.

 

 

Usage: All workflows should include milestones where possible, especially ones which are seen by business users, to make their understanding clearer and the process simpler.

General Notes/Benefits

  • Positive business impact to provide added information and details
  • Reduced help desk calls, where business users don't understand what's happened and why
  • Aid with troubleshooting
  • Can be used to provide error handling
  • Can be used to assist with tracking/auditing
  • Can provide dynamic variables from the request
    • As an example, you could have a workflow create an additional CR; a milestone can be used to confirm the new CR has been created successfully and also provide the CR ID, as shown below:

 

Configuration:  

  • We are using v7.1x in the example below, however most versions of the older product also have milestones available. 
  • Milestone nodes are found under the "Modeler Toolbox", about halfway down, as shown in the image below. Just drag and drop them into your workflow.

  • Milestone nodes have a couple of basic properties:
    • General: Name
      • Keep the node name generic and configure the milestone message under the Status options, for the following reasons:
        • Variables cannot be used within the Node Name but they can be when using the Status options
        • The status options can be used to control when the milestone is displayed
    • General: Description
      • A simple description of what the milestone is doing, for future reference.

 

  • Status options:
    • Planned (Possible)
    • Completed
    • Planned (Definite) - we recommend not using this one and sticking with Possible/Completed

 

To help explain these, we have created the following workflow that contains a Milestone for each option.

 

 

The Planned (Possible) message will be displayed even though at this point the workflow has not yet transitioned through the node. This is a way to provide some information about a potential next step in the process, which is upcoming. 

 

 

 

Completed will populate the message only after the workflow has successfully transitioned through/past the node:

  

 

RSA PS Recommendation

Leave both ‘Planned’ options empty and only populate the Completed option to show the business which items have actually happened in the process flow, so as not to cause any confusion.

Final note.

Milestone nodes also make use of the helpful information "i" button, found at the end of the status details. The "i" button displays details directly from the request. The image below is the first decision in the License Review workflow, which checks if the requested entitlement is licensed or not. Clicking on the "i" button confirms which entitlement it’s referring to; this is really relevant if you have a CR containing multiple items (which is a common use case).