Short Introduction to Workflow


1 Short Introduction to Workflow
David Edwards WW Tech Enablement SME for Identity Products, IBM Security

2 Agenda
- Revise IGI Workflow fundamentals
  - Processes and Activities
  - Notifications
  - Role Assignment and Operating Menus
- Overview of IGI Workflow Advanced Topics
  - Pre-actions and post-actions (rules)
  - Process notifications
  - Reminders/Escalations
  - External Authorizations
  - Other advanced considerations

3 Revise IGI Workflow Fundamentals
Extracted from B300-ARMandWorkflow_v3 Enablement Module

4 Introduction to Access Request Management
- The IGI workflow engine, ARM (Access Request Management), is specifically designed for managing Identity Lifecycle needs
  - Identity Lifecycle is often called User Provisioning or just Provisioning in the IAM (Identity and Access Management) domain
- ARM supports a role-based workflow model
- ARM features a graphical designer to model custom processes
  - What activities are needed for an access request or other identity lifecycle change?
- Includes the concept of a catalog of entitlements that can be requested
  - Catalog has scope/visibility constructs – can control “who sees what”

5 Introduction to Access Request Management
- Menus based on Admin Roles + process activities
- Risk check on changes
- Catalog views, controlled by the process activities
- Catalog entries based on selection of catalog view
- Application Roles, Permissions and External Roles shown for specific applications

6 Sample Process – Self-Service Access Request
[Process flow diagram. Actors: Beneficiary, User Manager, Risk Manager, App. Manager, Operator. Steps: Requests Access, Approves Violation, Approves Access, Fulfills Access. Decisions (Yes/No): Policy Violations?, Connected?]
- If system is connected, automatic provisioning will occur
- Multiple Actors are involved in the authorization process, e.g. User Manager, Risk Manager etc.
- Can operate on a set of users according to their Scope (what the admin role allows them to do)

7 Creating a New Access Request – Process Definition
- New Process definition:
  - Define the Activities and configure the properties
  - Build the new Process in the Process Management menu, concatenating previously created activities
    - Can also define activities as part of building a process
  - Assign a Role to each Activity (Role Association)
  - Assign the operating Menu to each Role/Activity (Menu Creation)
  - Release the process; switch it to “online” status
- Process definition is performed in the Process Designer module in the IGI Administration Console

8 Process Designer Definitions - Process
- Process: A sequence of (one or more) Activities
- Can be one of three different Types:
  - Workflow: Multi activity approval flow
  - Direct: Single activity, no authorizations required (e.g. reset password)
  - Escalation: Sub-flow for policy violations handling

9 Process Designer Definitions - Activity
- Activity: Process building blocks
- Can be of different Types and Modes:
  - Types
    - Workflow: Steps for workflow processes
    - Direct: Steps for direct processes
    - Escalation: Steps for escalation processes
  - Modes
    - Generation: Create a new request
    - Authorization: Authorization step (not necessarily required)
    - Execution: Final step (not required for synchronized applications)

10 Workflows Are Not Just for Access Request
- Many IdM flows can be structured and exposed in the Service Center “Access Requests” menu
  - Account Change - Add or change an account (no delete)
    - GEN / AUTH / EXE activities for account create and account modify
  - User Access Change & Admin Access Change (traditional ARM)
    - Request a change to access; add new access, request remove of existing access, request change to end-date
    - Could be for external (target system) or internal (IGI) access (Admin Roles etc.)
    - Special external AUTH activity to call out to external system
  - Delegation Change & Admin Delegation Change (more traditional ARM)
    - Request change to delegation for application-filtered access or internal access
  - User Management - Insert or update a user (no delete!)
    - GEN / AUTH / EXE activities for insert user and update user
  - Entitlement Management – Insert or update an entitlement (no delete)
    - Allows for role definition in the Service Center, including Role Mining
    - GEN / AUTH / EXE activities for insert entitlement and update entitlement
- The model is easily extended for other operations
- ALSO
  - Reports – direct report activities (single activity in a flow)
  - Escalation activities for risk violations and redirects (single activity in a flow)
  - Password activities for password management (e.g. help-desk or user manager)

11 Activity Scope/Operating Attributes – Beneficiary
- Visibility for users who are affected by the request
- Scope of who can see the activity
- There is other scoping on users, applications etc., dependent on activity type, not covered here. See the detailed workflow modules (B3**) in the IGI enablement box folders
- Scope on Users

12 Activity Scope/Operating Attributes – Required Data
- Arguments/settings to control activity operation
- Drives behavior of activity, often how it’s presented in Service Center UI
- User self-service access request UI
- Allowed operations
- Allowed entitlements
- Usability switches

13 Activity Scope/Operating Attributes – Email Data
- Specify the template for email sent to beneficiary
- Defined in the Notification section of AGC
- Notification template to use

14 Defining Process Configuration
- The Process tab shows existing processes
- Modes of existing processes
- Process actions
- Configuration shows the current flow
- Actions
  - Add new process
  - Remove process
  - Copy a process
  - Export a process definition
  - Import a process definition
  - Go into Maintenance mode (to edit)
  - Go back to Online mode (to use)
- Modes
  - Off line
  - On line
  - Maintenance

15 Defining Process Configuration (cont.)
- Use activity templates to build the flow
- As well as the flow, can have pre- and post-actions (rules) on each activity
- Can assign notification and escalation to activity
- Activity Templates
  - Generate (Generation)
  - Review (Authorization)
  - Manual perform (Execution)
- Can control flow between activities
  - Right arrow = Manage flow between activities (rules), notification, escalations
  - Flag icon is Escalation Process

16 Defining Process Notifications
- Leverage one of four Workflow Priority (& escalation) configurations
  - Set in Process Designer -> Settings
- Type of notification (fixed to Reminder)
- Template from AGC Notification templates
- Override default settings in Workflow Priority for email and SMS (if enabled)

17 Assigning Roles to Activities
- Assign a Role-based Actor definition for each activity
- Admin Role is assigned, not an individual
- Scope of user in the role will determine what they can do

18 Assigning Operating Menus to Roles on Activities
- Each Admin Role assignment to an Activity will result in a Service Center menu item
- User Manager Admin Role can authorize requests in the Access Request [Personal] workflow
- Menu Item will be “Authorize Employee Request” in the Access Requests menu
- Menu order/labels can be changed

19 Assigning Operating Menus to Roles on Activities
- Each Admin Role assignment to an Activity will result in a Service Center menu item
- Which results in a new IGI permission being added to the appropriate Admin Role

20 Assigning Operating Menus to Roles on Activities
- Each Admin Role assignment to an Activity will result in a Service Center menu item
- Which results in a new IGI permission being added to the appropriate Admin Role
- And menu item in the Service Center
- If a process is in offline or maintenance mode, the menu items will show in the Process Designer (left) but not in the Access Request view in the Service Center (above).

21 Overview of Advanced Workflow Capabilities
Extracted from Various B3** Enablement Modules

22 Advanced Workflow Capabilities
- Previous section revised IGI Workflow fundamentals
  - Activities and processes - a process is comprised of one or more activities
  - Activities may generate, authorize (review) or execute (manual operation)
  - Processes may be workflow (multiple activities), direct (single activities) or escalation (special activity out of flow)
  - Workflow activities are tied to (assigned to) admin roles
  - Activities have specific operations and operational arguments (scope, required data)
  - Workflows can have notifications (email + SMS) and time-based escalations
- Can also apply advanced workflow capabilities
  - Apply (Java) rules before/after an activity
  - Apply notifications to individual activities
  - Can add escalations to some activities
  - Other activity-based settings
- Will walk through these

23 Process Pre-Actions and Post-Actions
- Add (Java) rule processing
  - Pre-action – executed before the activity is performed
  - Post-action – executed after the activity is performed
- Can be added or removed
  - When added you get an arrow icon to the left (pre-action) or right (post-action) of the activity icon
- Rules come from the Configure -> Rules section of Process Designer

24 Rules in Workflows
- Can assign rules as pre-actions and post-actions
  - A pre-action runs before the activity is committed to the DB
    - Not before the Service Center form is presented
    - Allows actions to NOT be committed to the DB (and not go into the history)
- Some examples of using rules
  - Data validation
    - For a GEN activity may have a pre-action to check data validity and pop-up if incorrect
  - Skipping or modifying flow
    - Can have a set of rules to automatically approve/revoke an access request
    - Can have a linear set of activities and “branch” around them based on rule logic
    - Turns a linear workflow into a branched/parallel workflow
- See the Rules Guide for examples
- Workflow rules defined in the Process Designer
  - Rule class of “Workflow”
  - Operates on SwimRequestBean() – need to go get anything else

25 Process Notifications
- Add notifications to transitions between activities
  - Can also add SMS to tell reviewer there is something to review
- Can be added or removed
  - To generation (request), authorization (review), and execution
  - Would be added as a post-activity
  - Runs after an activity is completed
- Define the email (and SMS) recipients based on the template

26 Process Notifications – Notification Templates
- Notifications defined in the Access Governance Core Notification section
  - AGC -> Configure -> Notifications
- Type “Access Request” is an arbitrary classification and could be from any type

27 Process Escalations
- Add optional escalation to activity
  - Runs another process when conditions met
  - Example is SoD/SA violation in access request – run special approval process for risk owner
  - A redirect is also an escalation but not applied directly to activities
- Can be added or removed
  - To some generation (request) activities
  - Appears as a pre-activity; runs after the request is submitted
  - Can select any escalation processes already defined in Process Designer

28 Reminder/Escalation in Processes – Configure Priorities
- IGI introduced Workflow Priority
  - Allows reminder/escalation mechanism for processes (i.e. workflows)
- Turn on!
- Set intervals for expiration and reminders
- Four fixed levels
  - No significance in name, one is not “higher” than another
  - Unassigned = special, no expire, no reminder
- Pick template (note fixed Type = Reminder)
- Set defaults for email/SMS (can be overridden on each activity using this priority level)

29 Reminder/Escalation in Processes – Assign Priorities
- Priorities are associated with processes
  - Priority settings can be overridden in the process
- Select one of four priorities
- What action at expiration?
- Allow override of priority settings
- What process to use for escalation
- Send notifications?
- Pick template (note fixed Type = Reminder)
- Set overrides for email/SMS (can be overridden on each activity using this priority level)

30 External Authorization (External Access Request Approval)
- External call to authorize (approve/reject) access request
  - e.g. ServiceNow
  - Implemented via REST API or Java
- Special Activity functionality
  - “External Request Authorization”
  - Has “External Authorization” Required Data to point to the integration implementation
  - Sample code provided for ServiceNow
- Could be combined with a local authorization or be the sole authorization activity in the workflow
- See SGHJR_5.2.2/com.ibm.igi.doc/administering/cpt/cpt_ext_auth.html
[Diagram: External System]

31 Other Workflow Configuration Considerations
- User Management aka Contractor Management
  - Need to define insert user & update user flows
  - May also need user attribute management
    - User virtual view in AGC > Settings
    - View included in workflow activity configuration
    - May need to configure form lookups
  - See B330-ContractorManagement module
- Account Management
  - Request and modify accounts
    - May also have implications on access request where user does not have an account
  - Need to define extended attributes on the account configuration before configuring workflow
    - “Target Attributes” discovered from target
    - May have default & enforced values based on user attributes and/or fixed strings
    - Also have attribute-permission mappings
  - See B340-AcctAttributeMgmt module
- Password Management
  - Support for manager/helpdesk password reset, i.e. other than self-service
  - Normally only GEN and EXE activities
    - No need for approval (it would slow the process)
  - Options to
    - Force re-authentication to IGI
    - Allow show/hide password, auto generate only
    - Whether to email password to user
  - As there’s no AUTH activity, there is no notification/escalation option
  - See B351-ConfigPwdWorkflow module
- The labs cover both User and Account management workflow configuration

32 Mandatory closing slide with copyright and legal disclaimers.
9/3/2019

