Extending conditional action workflows?

  • Question

  • I've got a situation that's pretty common:

    1. Transition-in, criteria-based set to define a group of users
    2. Action workflow
    3. Single workflow action adding to a sync rule

    The challenge I have is that the criteria for the set are not complete, as I need to look in a non-FIM database to see if an attribute is valid. There are no authorization workflows allowed for this and there's no extensible code option for sets (that would be really cool), so what I'm left wondering is: in the action workflow, could one workflow action do the validation and cancel the workflow if it fails validation? I don't think workflow actions can affect the workflow or other workflow actions.

    If that's not possible, I'm left wondering if it's possible to write a custom workflow activity that does the attribute validation and then manually adds the user to the sync rule via a PowerShell or web-services call. I don't know if that's possible though; I've not seen anything that says it is.

    What do people think? Is there a better way to do this kind of sophisticated-set/add-to-sync-rule logic?


    • Edited by Amethi Thursday, January 17, 2013 11:52 AM
    Thursday, January 17, 2013 11:50 AM

Answers


  • Maybe having TWO sets is a possible solution. With the one set, it may be a fiddle to reset the transition into the set, for the case where it didn't quite meet the conditions for SyncRule attachment.

    With 2 sets: one set triggers a WF which calls an Action which runs a PowerShell script. This PS script can test the non-FIM data. If the criteria are OK, then the custom activity can set a user attribute to a value which then triggers the transition into the other Set, which drives the existing WF which adds the sync rule.

    I think the only way forward for you is a custom activity in a Workflow.

    Workflow actions, when driving custom activities, can update the request and/or set workflow parameters.

    • Marked as answer by Amethi Thursday, January 17, 2013 4:20 PM
    Thursday, January 17, 2013 1:41 PM
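
The validation step of the two-set approach described in the answer above, as an added example that is not code from this thread. It assumes the FIMAutomation snap-in is installed on the FIM Service host and that the workflow's PowerShell activity passes the user's ObjectID and the attribute value as parameters; the server `HRDB01`, the table `dbo.ValidBadges`, the column `BadgeId` and the attribute `ExternalValidationState` are hypothetical names. The second set's criteria would then test `ExternalValidationState`.

```powershell
# Added example. Hypothetical names: HRDB01, HR, dbo.ValidBadges, BadgeId,
# ExternalValidationState (a custom string attribute bound to Person).
param(
    [Parameter(Mandatory=$true)][Guid]   $UserObjectId,    # FIM ObjectID of the user
    [Parameter(Mandatory=$true)][string] $AttributeValue   # value to check outside FIM
)
$ErrorActionPreference = 'Stop'   # fail closed: any error aborts before the flag is set
Add-PSSnapin FIMAutomation

function Test-ExternalValue([string]$Value) {
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        'Server=HRDB01;Database=HR;Integrated Security=SSPI')
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Parameterized query: the attribute value is never concatenated into SQL
        $cmd.CommandText = 'SELECT COUNT(*) FROM dbo.ValidBadges WHERE BadgeId = @v'
        [void]$cmd.Parameters.AddWithValue('@v', $Value)
        return ([int]$cmd.ExecuteScalar() -gt 0)
    } finally { $conn.Dispose() }
}

if (-not (Test-ExternalValue $AttributeValue)) {
    # Not valid: leave the user out of the second set, so no sync rule is added
    Write-Output "Validation failed for $UserObjectId; flag not set."
    return
}

$ns = 'Microsoft.ResourceManagement.Automation.ObjectModel'
$change = New-Object "$ns.ImportChange"
$change.Operation      = 'Replace'                  # ImportOperation enum value
$change.AttributeName  = 'ExternalValidationState'
$change.AttributeValue = 'Valid'
$change.FullyResolved  = 1
$change.Locale         = 'Invariant'

$obj = New-Object "$ns.ImportObject"
$obj.ObjectType             = 'Person'
$obj.TargetObjectIdentifier = "urn:uuid:$UserObjectId"
$obj.SourceObjectIdentifier = "urn:uuid:$UserObjectId"
$obj.State                  = 'Put'                 # ImportState enum value
$obj.Changes                = @($change)

# Writing the flag moves the user into the second set, which drives the
# existing workflow that adds the sync rule.
$obj | Import-FIMConfig -Uri 'http://localhost:5725/ResourceManagementService'
```

Clearing `ExternalValidationState` when the external record later becomes invalid would need its own process; this script only handles the transition in.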

All replies

  • Have you looked into possibility of transferring this rule into request MPR where you could use authorization workflow? 

    Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl

    Thursday, January 17, 2013 12:25 PM
  • No I haven't. I'm not sure how I'd do that without introducing significant policy configuration change.

    I've discovered the SynchronizationRuleActivity in Windows Workflow Foundation, so I may be able to validate the attribute in a CWA and then add it to the sync rule manually. Whether or not I can use this activity is yet to be seen!

    Thursday, January 17, 2013 1:41 PM

  • Thanks Harold, that does sound viable, though it's a complexity I'm not entirely happy with, but if I can't use the SynchronizationRuleActivity activity in a CWA then I'll have a closer look at it. Thanks for the idea.
    Thursday, January 17, 2013 2:23 PM
  • It seems like WAY too much work in trying to figure out how to add to a sync rule via custom workflow.

    I'll look at your suggestion Harold, thanks.

    Thursday, January 17, 2013 2:45 PM