none
How to trigger a function evaluating activity after request approval? RRS feed

  • Question

  • Hi,

    I need help about workflow building in FIM Portal. I have created an authorizing workflow, which sends an email notification. Then I created a Management Policy Rule to trigger this workflow when an user changes the value of a custom referencing attribute bound to person object in FIM. I want then to "derefence" this attribute and store its value in a string attribute. But this should be done, only if the administrator approves the request of attribute value changing. I can "dereference" the attribute by using an action workflow with function evaluating activity, but this should happen only if the administrator  approves the request. Any idea how can I achieve this?

    Thank You

    Friday, May 18, 2012 1:18 PM

Answers

  • There are two ways I can think of to do this.

    You can either put the 'dereference' activity in the authorization workflow - after the approval activity. If the approval completes, the dereference activity will run.

    The other way is to create an action workflow containing the dereference activity. The action workflow will only execute if the authorization  workflow completes. Add this workflow to the same MPR as the authorization (although I would break them into two MPRs with the same request type for clarity)

    I believe I remember a recomendation not to do updates inside an authorization workflow, so the two-step option is probably the better choice.


    Frank C. Drewes III - Senior Consultant: Oxford Computer Group

    Friday, May 18, 2012 2:22 PM
  • Further to Frank's suggestion, you definitely should opt for an ACTION workflow to go in the SAME MPR as your AUTHZ workflow.  Utilize the ability of the Function Evaluator to resolve things like [//Target/Manager/DisplayName] to set string values based on references.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Saturday, May 19, 2012 2:22 PM
  • I was going to say ... sounds like you wanted a proper approval process (I misread you there), so you need to select the approval workflow in lieu of the notification for the AuthZ step.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Thursday, May 24, 2012 3:37 PM

All replies

  • There are two ways I can think of to do this.

    You can either put the 'dereference' activity in the authorization workflow - after the approval activity. If the approval completes, the dereference activity will run.

    The other way is to create an action workflow containing the dereference activity. The action workflow will only execute if the authorization  workflow completes. Add this workflow to the same MPR as the authorization (although I would break them into two MPRs with the same request type for clarity)

    I believe I remember a recomendation not to do updates inside an authorization workflow, so the two-step option is probably the better choice.


    Frank C. Drewes III - Senior Consultant: Oxford Computer Group

    Friday, May 18, 2012 2:22 PM
  • Further to Frank's suggestion, you definitely should opt for an ACTION workflow to go in the SAME MPR as your AUTHZ workflow.  Utilize the ability of the Function Evaluator to resolve things like [//Target/Manager/DisplayName] to set string values based on references.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Saturday, May 19, 2012 2:22 PM
  • Hi,

    thank you for your responses. I have tried what you suggested to me (I added the authorization workflow and the action workflow in the same MPR) but I got a PostProcessingError for the request of changing the attribute of the user. I chose "Notification" as activity type in the authorization workflow. The administrator receives the email but logged on FIM portal I can't see the pending approval under Approval Requests in Navigation Pane. 

    Thursday, May 24, 2012 1:30 PM
  • Have you checked your FIM mail server settings in the microsoft.resourcemanagement.service.exe.config file (i.e. are notifications working at all)?

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Thursday, May 24, 2012 2:23 PM
  • I am not using Exchange. I am using Kerio Mail server and I have configured in the proper way the microsoft.resourcemanagement.service.exe.config file for mail server. The mail arrives. The problem is that I can't see the pending approval under Approval Requests in Navigation Pane. No pending approval is listed even though the mail goes in destination. 

    Thursday, May 24, 2012 3:02 PM
  • Did you say you put an approval activity or just a notification activity in the Authorization workflow? From your earlier message it sounds like there was only the notification part.

    If the Authorization failed, you would have got 'access denied' - so Authorization completed

    When Action fails, you get "PostProcessing" - so the error is on the Action WF side.


    Frank C. Drewes III - Architect - Oxford Computer Group

    Thursday, May 24, 2012 3:28 PM
  • I was going to say ... sounds like you wanted a proper approval process (I misread you there), so you need to select the approval workflow in lieu of the notification for the AuthZ step.

    Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine

    Thursday, May 24, 2012 3:37 PM