Workflow order AuthZ and Action

  • Question

  • Hi all, I've got an issue with an AuthZ and Action workflow. I would like to start an action workflow after an AuthZ workflow was fired regardless of the result of the AuthZ workflow. I configured an MPR and added my two workflows. But the action workflow is only fired if I accept the AuthZ workflow. Did this change from 2010 to 2010 R2 or MIM? https://msdn.microsoft.com/en-us/library/windows/desktop/ee652475(v=vs.100).aspx

    As far as I understand the article it states that the action workflow is executed after AuthZ, correct?

    Carol is referring to exactly the same thing in her article.

    http://www.wapshere.com/missmiis/authorization-after-an-action

    Problem behind this is the fact that I need to split a user change request into multiple parts to allow approval for individual attributes.

    I would like to avoid writing my own custom approval activity.

    Thanks Chris
    Wednesday, August 24, 2016 12:43 PM

All replies

  • Yes, Action workflows are after AuthZ workflows.

    Authentication and authorization activities make sure you can do the change. Action starts when the change is already done.

    There is no way to run those two at once and the only way to fulfill your needs would be to go with Carol's solution or equivalent.

    And I don't see any way to start Action workflow regardless of AuthZ workflow result here.

    The only workaround that can work would be to do one request that would invoke two others - one would end with an action activity and the second would invoke something like what Carol described.



    Wednesday, August 24, 2016 3:07 PM
  • The easiest way to look at it is that the AuthN and AuthZ workflows are kicked off when the request is received by the MIM service but before any changes are made to the MIM Service datastore.  The Action workflows are kicked off only after the request is successfully completed and the MIM Service datastore has been updated.

    In the case of a successful AuthZ workflow, the Action workflow will fire.  However, an Action workflow will not be triggered on a request where the AuthZ workflow failed or was denied, given the Action WF is triggered by a change in the datastore.

    If you want to trigger an Action WF on the rejection or failure of an AuthZ workflow, it can be done, but at that point, you're looking at MPRs that are triggered by failed or rejected requests, and custom workflows that will read the failed request (which is the target resource in this scenario) and then pull information regarding that request for use by your Action WF (e.g. what changes were rejected, who requested, who rejected, etc.).

    I've implemented this type of scenario for a few clients, just takes a bit more heavy lifting to get it right.

    Cheers,

    Marc


    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    Wednesday, August 24, 2016 4:29 PM
  • Thanks for your replies.

    @Marc: As far as I understand your post there is no way without a custom WF activity, right?

    thanks again.

    Chris


    Thursday, August 25, 2016 8:28 AM
  • Hi Chris,

    It really depends on what you want to do in the case of failed/rejected requests.  You can only action the fact that the request has failed, so from a WF perspective, you're working with the Request that actually failed, and not the resource on which the request was being made.

    If you only need to notify someone of a failed request, then you probably have enough information on the Request object itself to do the notification.

    However, if you're looking to provide more details on the object that was being changed so that you can have a more meaningful message in the notification, you'll need a custom workflow to either capture those details in the AuthZ phase and pass through the workflow pipeline to the Action WF, or extract those details from the failed Request during the Action phase.

    Cheers,

    Marc


    Marc Mac Donell, VP Identity and Access Solutions, Avaleris Inc.
    http://www.avaleris.com

    Monday, August 29, 2016 5:25 PM