Kuali eDoclite and Grouper for access forms workflow at Penn 9-Nov-2010, Kuali Days Chris Hyzer, University of Pennsylvania developer
eForms description Integration with Grouper Demo Making an eForm Production deployment Future plans Customizations Documentation contributions Wishlist 2 – 9/7/2015, © 2009 Internet2 Agenda
eForms description
In 2009 Penn wanted to convert paper access management forms to eForms 4 – 9/7/2015, © 2009 Internet2 Paper form screenshot
5 – 9/7/2015, © 2009 Internet2 Paper form screenshot (continued)
6 – 9/7/2015, © 2009 Internet2 Paper form screenshot (continued)
7 – 9/7/2015, © 2009 Internet2 Paper form screenshot (continued)
8 – 9/7/2015, © 2009 Internet2 Paper form screenshot (continued)
9 – 9/7/2015, © 2009 Internet2 Paper form existing list
Autofill personal information Common includes (privacy statement) Fill out form on behalf of someone else Org chart picker for data access Person picker from group (employee) Notification to requester when complete Report on form data Should require no Java to create forms 10 – 9/7/2015, © 2009 Internet2 Requirements
Route to members of Grouper group Route to selected group (pick school) Ability to return to previous route node Route to multiple groups at once Conditional routing Dynamic routing to someone entered on form 11 – 9/7/2015, © 2009 Internet2 Routing requirements
Submitters can see current and past forms Approvers can see current and past forms Certain people can edit certain forms 12 – 9/7/2015, © 2009 Internet2 Security requirements
Not a current Kuali customer (will be with OLE Library system) Integrate Rice with Grouper (yummy) – 2, 3, 4 on google for “rice grouper” Use eDoclite If gaps: – Ajax (haven’t had to do this yet, but will) – External picker screens – Java customizations, e.g. post processors Meets the requirements 13 – 9/7/2015, © 2009 Internet2 Design
Rice and Grouper integration
15 – 9/7/2015, © 2009 Internet2 Kuali Rice Middleware used by other Kuali and non-Kuali products KIM: Kuali Identity Management KSB: Kuali service bus KEN: Kuali enterprise notification KEW: Kuali enterprise workflow Components UI SOAP web services Web framework eDocLite: declarative workflow applications
16 – 9/7/2015, © 2009 Internet2 Internet2 Grouper Access management middleware Central groups and permissions store Components UI SOAP/Rest web services Loader to load groups from source systems Provisioning e.g. to LDAP or XMPP Lightweight Java client
17 – 9/7/2015, © 2009 Internet2 Internet2 Grouper advanced features Delegated privileges Adhoc groups based on loaded groups (includes/excludes) Composite groups: union, intersection, minus (e.g. require employee) UI screen for simple group management (customizable, skinnable) New in next release Rules, e.g. when membership list changes, auto- deprovision Point in time auditing, e.g. what groups has someone been in, who was a member 6 months ago Manage federated members
18 – 9/7/2015, © 2009 Internet2 Kuali Rice overridable services Group service getMembers, hasMember, assignMember, etc Identity service getPersonById, getPersonByPrincipal, etc Permissions service etc
19 – 9/7/2015, © 2009 Internet2 How to connect Rice to Grouper? Add two jars to Rice (grouperRice.jar and grouperClient.jar) Add and configure grouper.client.properties Configure Rice spring override to group and/or identity service Setup a Grouper folder for the “Rice root”
20 – 9/7/2015, © 2009 Internet2 Kuali Rice overridable services Rice request grouperRice.jar Kuali DB Rice server Grouper Registry Grouper WS server Grouper.client.properties grouperClient.jar
21 – 9/7/2015, © 2009 Internet2 Grouper client One jar (no conflicts with existing libraries) Supports all of Grouper WS API Command line example java –jar grouperClient.jar --operation=hasMemberWs --groupName=aStem:aGroup --subjectIds= Java library example new GcHasMember().assignGroupName("aStem:aGroup").addSubjectId(" ").execute(); Grouper WS server Grouper.client.properties grouperClient.jar REST LDAP
22 – 9/7/2015, © 2009 Internet2 Grouper client continued The debug flag shows XML (useful for examples)
23 – 9/7/2015, © 2009 Internet2 Grouper client continued
24 – 9/7/2015, © 2009 Internet2 eForms workflow with Grouper Initiator fills out form Grouper Registry Kuali DB Get members to route to and s Grouper WS Routes to approver group Routes to approver groupN Final Add a member to a Grouper group/role and/or assign permissions On login to Rice, get subject details Archive the document data, and workflow history One in group approves Grouper UI Person / org pickers 2
25 – 9/7/2015, © 2009 Internet2 KIM and Grouper differences KIM uses incrementor IDs and Grouper uses UUIDs Handled by not using any groups originating in Rice KIM has a name for a group. Grouper has two names for a group, a system name, and a friendly name Handled by only using the system name KIM services are largely driven by ID, the Grouper client generally used system name In Grouper 1.6, all client operations can use UUID KIM has no namespace on subjects, Grouper has one level deep namespace for subjects (sourceId) Concatenate sourceId::::subjectId, e.g. pennperson:::: KIM groups have active flags, not Grouper Inactive groups stored to grouper throw an exception
26 – 9/7/2015, © 2009 Internet2 KIM and Grouper differences (continued) KIM has one level deep namespace on Groups Designate “KIM” root folder in Grouper, which has one level deep folders inside, and groups in those folders KIM group desc is 4000 chars, Grouper is 1024 chars Descriptions > 1024 will be abbrev to 1024 (with ellipses) KIM has operations for adding or updating a group. Grouper can add, update, or add_or_update a group The grouper add_or_update will not be used KIM has operation to select multiple groups by ID This was added in Grouper KIM has lookupIds method for criteria to return groupIds This is not [yet] implemented in Grouper KIM can get groups for a subject only in one folder Grouper client and WS were enhanced to support this KIM gets all or direct or indirect groups for a subject Grouper client and WS were enhanced to support this
27 – 9/7/2015, © 2009 Internet2 KIM and Grouper differences (continued) Kim gets immediate / non immediate members of group Grouper client and WS were enhanced to support this KIM gets groups or people which are members of group Grouper client and WS were enhanced to support this Kim could get the memberships of a group Grouper client and WS were enhanced to support this Kim can create new groups in new namespaces Grouper added param "createParentStemsIfNotExist" Kim caches group information for 30 seconds There is a 30 second propagation delay from Grouper to Kim KIM has principalName, Grouper has subjectIdentifiers Configure attribute that is identifier for each applicable source in grouper.client.properties. Note not concatenated with the sourceId so it matches the principalName from the authn service
28 – 9/7/2015, © 2009 Internet2 KIM and Grouper differences (continued) KIM has principalId, the id of the principalName Grouper connector will use sourceId::::subjectIdentifier. KIM has phone numbers, affiliations, etc. Grouper subjects have id, name, description and attributes. The connector assumes you configure at least the name, subjectIdentifier (principalName), and address. Other stuff will be blank in Kuali. KIM has first, middle, and last name, Grouper has name. The connector splits the name into first, middle, and last Kuali can have multiple names Grouper connector will set only one name per subject Methods like getPrincipalByPrincipalNameAndPassword() are not applicable in Grouper and throw unimplemented exception Others like search by params, are unimplemented, return no results.
29 – 9/7/2015, © 2009 Internet2 Salary management eForm
30 – 9/7/2015, © 2009 Internet2 Salary management eForm (continued)
31 – 9/7/2015, © 2009 Internet2 Salary management eForm (continued)
32 – 9/7/2015, © 2009 Internet2 eForms demo workflow Initiator fills out form If on behalf of someone else, they need to approve it, unless it is a ‘remove access’ 1 4 Supervisor (person picker) 2 On behalf of remove? 3 No Yes Grouper group selected from available schools Note: supervisor cannot be the same as ‘On behalf of’ School adminHRPayroll HR and payroll could approve in parallel in future 8 Operations Grant access that isn’t automatically provisioned Change KEW initiator to ‘on behalf of’ user 7 Data admin Assert that form is valid 9 Data admin Assert that privileges were granted correctly Final Send to ‘on behalf of’ user
33 – 9/7/2015, © 2009 Internet2 Grouper Rice demo Demo movie
Making an eForm
35 – 9/7/2015, © 2009 Internet2 Make an eForm Attributes Rule templates Doctype Settings and security Route nodes and rules Route paths eDocLite Screen fields HTML via XSL template
36 – 9/7/2015, © 2009 Internet2 Attributes – in this case for dynamic routing salaryManagementAccessForm.onBehalfOfPennId onBehalfOfPennId salaryManagementAccessForm.supervisorPennIdRoleAttribute supervisorPennId salaryManagementAccessForm.groupName Supervisor selects the group name who is the third approver groupName Note: XML not complete
37 – 9/7/2015, © 2009 Internet2 Rule templates – group of rules salaryManagementAccessForm.onBehalfOfPennId salaryManagementAccessForm.supervisorPennIdRoleAttribute salaryManagementAccessForm.groupName Note: XML not complete or correct
38 – 9/7/2015, © 2009 Internet2 Doctype – settings and security GrouperEdocliteDatabasePostProcessor financialBalancesAdmins kualiAdmins HumanResourcesReaders … initiator salaryManagementAccessForm. InitiatorTemplate org.kuali.rice.kew.mail. Node Note: XML not complete or correct
39 – 9/7/2015, © 2009 Internet2 Doctype – route nodes and rules salaryManagementAccessForm.onBehalfOfRuleTemplate Note: XML not complete or correct
40 – 9/7/2015, © 2009 Internet2 Doctype – route paths Note: XML not complete or correct
41 – 9/7/2015, © 2009 Internet2 eDocLite – link attributes with screen fields Note: XML not complete or correct
42 – 9/7/2015, © 2009 Internet2 eDocLite – define all screen fields Please find your supervisor add update remove Please select 'Privilege change' … Note: XML not complete or correct
43 – 9/7/2015, © 2009 Internet2 eDocLite – XSL variables Note: XML not complete
44 – 9/7/2015, © 2009 Internet2 eDocLite – custom Javascript validations //get the value from the privilege change radio button var privilegeChange = $('input[name=privilegeChange]:checked').val(); //if we are updating or removing, then the oracle ID is required if (privilegeChange == 'update' || privilegeChange == 'remove') { if (riceIsBlank($('input[type=text][name=oracleId]').val())) { alert('Please enter the Oracle ID that needs to be ' + privilegeChange + 'd'); return false; } Note: uses jquery
45 – 9/7/2015, © 2009 Internet2 eDocLite – screen HTML with XSL variables … Expiration date (yyyy-Mon-dd) … …
46 – 9/7/2015, © 2009 Internet2 eDocLite – associate style, def, doctype salaryManagementAccessForm salaryManagementAccessForm.form salaryManagementAccessForm.style true
47 – 9/7/2015, © 2009 Internet2 eDocLite – rules onBehalfOfRuleTemplate basRuleTemplate2 Route to financial balances bas true hrReviewRuleTemplate HumanResources Note: not complete or correct XML
48 – 9/7/2015, © 2009 Internet2 eDocLite – template for initiator when final Salary Management Data Warehouse Access You now have access to the Salary Management data collection in the Warehouse. Your ID, for the Data Warehouse and Business Objects, is: … Note: note complete XML
49 – 9/7/2015, © 2009 Internet2 Setup or re-use groups in Grouper
50 – 9/7/2015, © 2009 Internet2 Setup or re-use groups in Grouper (continued)
51 – 9/7/2015, © 2009 Internet2 Setup or re-use groups in Grouper - continued Create a group Allow the Rice grouperClient user to READ members Add members (usually ~2 for approvers, one primary, one backup) Grant privileges if self managed (maybe the approvers can delegate to others) If so, send the link to the Grouper simple management UI for the group
52 – 9/7/2015, © 2009 Internet2 Setup or re-use groups in Grouper - continued Send link for simple membership UI to editors
53 – 9/7/2015, © 2009 Internet2 Make an eForm - summary Lots of XML to write Lots of copy/paste (don’t mess that part up, could affect existing forms) Not too hard Could be time consuming and require an expert for troubleshooting Penn only uses central data administration to manage the forms (no one else can use the ingester)
Penn production deployment
55 – 9/7/2015, © 2009 Internet2 Penn stats 26 forms in “soft launch”, users can use paper or eForms Live for 1 month A few dozen eForms initiated A dozen users A few user comments that we are incorporating (included in this presentation) Lots of interest to expand the conversion of paper forms to eForms
56 – 9/7/2015, © 2009 Internet2 Penn internal guidelines Keep all parts of form in CVS CVS is the system of record (cannot get XML out of Rice) Naming standard for all parts Starts with unique camel-case prefix, e.g. salaryManagementAccessForm. Note, the doctype should just be salaryManagementAccessForm since user sees it
57 – 9/7/2015, © 2009 Internet2 CVS screenshot of forms
58 – 9/7/2015, © 2009 Internet2 CVS screenshot of form history Note, this could be subversion, or whatever
59 – 9/7/2015, © 2009 Internet2 Our copy of Rice is in CVS
60 – 9/7/2015, © 2009 Internet2 Separate out customized files
61 – 9/7/2015, © 2009 Internet2 Externalize parts that change per env
62 – 9/7/2015, © 2009 Internet2 Ant script generates four warfiles Warfiles for local dev, integrated dev, test, prod Once the tomcat is setup (5.5, config stub in /conf with password, encryption files, etc) Similar to this documentdocument Each tar.gz has a different kualiRice.war in it
Future plans
64 – 9/7/2015, © 2009 Internet2 Future plans More code generation to ease form creation Convert more access management forms Roll-out a service for other schools in the University Not sure how this will be structured
Customizations
66 – 9/7/2015, © 2009 Internet2 Change “Route” button text Our users didn’t know what “route” meant, vs. “save” We changed “route” to “submit”, and put an alert on “save” and “save note”
67 – 9/7/2015, © 2009 Internet2 Change Save alert Our users didn’t know that Save doesn’t Route We put an alert on “save” and “save note” Note: we should probably clarify “disapprove” and “return to previous” similarly…
68 – 9/7/2015, © 2009 Internet2 Link to My Submissions Would be nice to have a link to My Submissions from static HTML Similar to links to start documents, or action list
69 – 9/7/2015, © 2009 Internet2 Link to My Submissions (continued) Just add a JSP to kuali webapp
70 – 9/7/2015, © 2009 Internet2 Generate parts of eDocLite Supports up to 50 orgs, all be defined
71 – 9/7/2015, © 2009 Internet2 Generate parts of eDocLite Generate HTML for orgs
72 – 9/7/2015, © 2009 Internet2 Generate “custom tag” with Java in XSL Screenshot
73 – 9/7/2015, © 2009 Internet2 Generate “custom tag” with Java in XSL Generate HTML for orgs (java source)
74 – 9/7/2015, © 2009 Internet2 Generate “custom tag” with Java in XSL (continued) Generate HTML for orgs (XSL)
75 – 9/7/2015, © 2009 Internet2 Pickers from external applications On eDoclite External application Press ‘Select’ on popup Javascript in the edoclite sets the ‘readonly’ fields Popup.close() Note: a variable is passed to the picker and back so the Javascript knows which fields to set. Can have multiple person pickers on the same screen a 3b Rice eDocLite Press button for popup 2 Submit GET to edoclite HTML page that calls javascript opener.handle(), due to browser restrictions Note: this is a lot simpler if the external application is hosted on the same URL base as eDocLite… Note: another issue, ahem…
76 – 9/7/2015, © 2009 Internet2 Authentication service override More flexible with SSO Requires Grouper group (e.g. active Penn member)
77 – 9/7/2015, © 2009 Internet2 Immediate and daily notifications Penn wants immediate notifications on action items If an item is more than one day old, send daily
78 – 9/7/2015, © 2009 Internet2 Immediate and daily notifications (continued) Make a view to hold people to send to Note: sometimes there are orphans in krew_actn_itm_t From FINAL docs From CANCELLED docs We manually delete them from the table
79 – 9/7/2015, © 2009 Internet2 Remove title column from search results For eDocLite only Rice deployments, this col is redundant
80 – 9/7/2015, © 2009 Internet2 On behalf of vs. initiator Access management admins would like on behalf of to be initiator… for ‘my forms’, searching, results lists, etc
81 – 9/7/2015, © 2009 Internet2 Message to user when buttons pressed eDocLite by default shows a readonly screen (confusing) (granted if exceptions happen, might not be accurate ) Several pieces to make this happen… threadlocal for request, and request parameters… and the XSL logic
82 – 9/7/2015, © 2009 Internet2 Add vs. remove branch code If ‘remove’ then ‘on behalf of’ doesn’t approve form Doctype: Java Note: would be nice to be able to do this without Java
83 – 9/7/2015, © 2009 Internet2 Group and permission provisioning to Grouper When eForm is complete, initiator can be automatically granted group memberships or permissions in Grouper Doctype: Or, to not save in database also: Note: would be nice to be able attach multiple post processors to pick and choose…
84 – 9/7/2015, © 2009 Internet2 Group provisioning to Grouper (continued) Example screenshot of form
85 – 9/7/2015, © 2009 Internet2 Group provisioning to Grouper (continued) Configure in the grouper config file
86 – 9/7/2015, © 2009 Internet2 Group provisioning to Grouper (continued) Result is initiator is in group, and optional sent to admins
87 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) Sample screenshot
88 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) Note, you can provision groups and permissions in same form Configure in the grouper config file for roles to provision
89 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) Configure in the grouper config file for operation to provision Note, had to add enhancement of “replace” as a Grouper permissions web service operation…
90 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) Configure in the grouper config file for actions to provision
91 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) Configure in the grouper config file for permissions to provision
92 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) Configure in the grouper config file for permissions to provision (continued)
93 – 9/7/2015, © 2009 Internet2 Permission provisioning to Grouper (continued) once permissions provisioned
Documentation contributions
95 – 9/7/2015, © 2009 Internet2 Doc additions – quick start Windows / Mysql quick start Linux / Oracle quick start
96 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite examples
97 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example
98 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued)
99 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued)
100 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued)
101 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued)
102 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued)
103 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued)
104 – 9/7/2015, © 2009 Internet2 Doc additions – eDocLite example (continued) These examples work start to finish Would be nice to get contributions like this from other users
105 – 9/7/2015, © 2009 Internet2 Doc additions – service overrides The group and entity service overrides of the Grouper KIM connector are open source, can be used as examples All the design and discussion is on the Grouper KIM connector wiki
Wishlist
107 – 9/7/2015, © 2009 Internet2 Penn’s eDoclite wishlist (most things have been discussed with Kuali team and might be Jiras) Note: things might exist already, and I don’t know about them Workflow GUI Improved security Fewer silent failures E.g. in a mail node is in non prod and doesn’t have testAddress, then it silently doesn’t send the E.g. if route to inputted user is not quite correct, the user data will be blank, and skips that node E.g. XSL you do instead of: java.lang.NullPointerException at org.kuali.rice.kew.edl.EDLControllerChain.renderEDL(EDLControllerChain.java:50)
108 – 9/7/2015, © 2009 Internet2 Penn’s eDoclite wishlist (continued) Dynamic split node that doesn’t require Java Maybe I will contribute this? On upgrade from to , Grouper connector broke due to Rice API changes, prefer backwards compatible The Rice ingester sometimes has orphaned rules / templates / etc. Nice to be able to replace with ingester Sometimes orphans in krew_actn_itm_t, nice to have daemon to clean it up (erroneous daily s) Would be nice if search screens had default sort order (e.g. eDocLite search could default to sort by document type) Would be nice of all overridable services had good Javadoc Would be nice if Document Operation Screen were better documented including examples
109 – 9/7/2015, © 2009 Internet2 Penn’s / Jira requests 51 s to rice-collab, all answered 13 Jira’s initiated, 5 closed
Phew…. We made it…
Kuali eDoclite and Grouper for access forms workflow at Penn 9-Nov-2010, Kuali Days Chris Hyzer, University of Pennsylvania developer For more information, visit – 9/7/2015, © 2009 Internet2