
Request And Approval

--- TODO:
Approval workflow policies
-- Instead of the Approval policy that was evaluated previously, use a Workflow policy, which is of the form
if (condition) then (Workflow ID). Workflow ID: <default/DefaultOperationalApproval!5.0>, or DIRECT, which means the workflow is skipped

Condition syntax: http://docs.oracle.com/cd/E52734_01/oim/OMADM/workflowrules.htm#CJAFACAE - the UI gives an idea of what can be used. Looks very flexible.

The check works as follows:
1. Authorization - is the operation allowed
2. SOA allowed (
2. Bulk or future dated --> triggers request
3. workflow evaluation
a. evaluate each rule in the defined sequence, one by one
b. if a condition is true, stop
c. if no rule matches, use defaultRequestApprovalComposite in SOAConfig for bulk and defaultOperationApprovalComposite for other operations
4. workflow result (Most of the items have default rule for DIRECT for sysadmin roles and )
a. In case of DIRECT, the operation is initiated directly (TODO: Need to find out if it is just orchestration without a request being created or something more esoteric)
b. If a workflow, then a request is created, which then initiates the appropriate orchestration
5. In the approval step of the orchestration, the workflow is re-evaluated and then the SOA composite is triggered.
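
The evaluation order in steps 3 and 4, modelled as an added example (not OIM code or its API, and not part of the original notes). Python predicates stand in for the OIM condition syntax; the rule names, role name, users and the bulk composite ID are constructed placeholders. `direct_hits` is a review aid that lists which requests reach DIRECT, and through which rule, since an early broad rule stops evaluation before any later approval rule is seen.

```python
# Illustrative model of the rule evaluation described above; not OIM code.
from dataclasses import dataclass
from typing import Callable

DIRECT = "DIRECT"  # outcome that skips the approval workflow
# Stand-ins for the two SOAConfig defaults; the bulk value is a placeholder.
SOA_CONFIG = {
    "defaultRequestApprovalComposite": "<bulk-approval-composite-id>",
    "defaultOperationApprovalComposite": "default/DefaultOperationalApproval!5.0",
}

@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]  # predicate standing in for an OIM condition
    outcome: str                       # workflow ID or DIRECT

def evaluate(rules, ctx):
    """Return (outcome, matched rule name or None); the first true condition wins."""
    for rule in rules:                      # step 3a: rules in defined sequence
        if rule.condition(ctx):
            return rule.outcome, rule.name  # step 3b: stop at the first match
    key = "defaultRequestApprovalComposite" if ctx.get("bulk") else "defaultOperationApprovalComposite"
    return SOA_CONFIG[key], None            # step 3c: no match, use the default

def creates_request(outcome):
    """Step 4: DIRECT starts the operation directly; a workflow ID creates a request."""
    return outcome != DIRECT

def direct_hits(rules, samples):
    """Review aid: which sample requests skip approval, and through which rule."""
    hits = []
    for ctx in samples:
        outcome, name = evaluate(rules, ctx)
        if outcome == DIRECT:
            hits.append((ctx["requester"], name))
    return hits

# Constructed rule set and sample requests.
RULES = [
    Rule("sysadmin-direct", lambda c: "SYSTEM ADMINISTRATOR" in c["roles"], DIRECT),
    Rule("self-service-direct", lambda c: c["requester"] == c["beneficiary"], DIRECT),
    Rule("manager-approval", lambda c: True, "default/DefaultOperationalApproval!5.0"),
]
SAMPLES = [
    {"requester": "admin1", "beneficiary": "bob", "roles": ["SYSTEM ADMINISTRATOR"], "bulk": False},
    {"requester": "alice", "beneficiary": "alice", "roles": [], "bulk": False},
    {"requester": "carol", "beneficiary": "bob", "roles": [], "bulk": False},
]
```

Running `direct_hits(RULES, SAMPLES)` shows that the second constructed rule lets a self-request through without approval, because evaluation never reaches the catch-all rule after it.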

Please note that not all use cases are supported. The supported ones are CUDED user, CUD role, CUD user-role, CUDED user-account, CUD user-entitlement and the bulk versions. Other items such as organization, proxy user, etc. are not supported.
Please note that Workflow Policies Enabled is set to false when OIM is upgraded to PS3. So an additional step is needed to enable it and then migrate the workflow policies.

Please note: policy migration works by completely replacing all the policies associated with a particular operation whenever we import anything along with its associated policy.

PS: With this release, the system can be configured to run without a SOA server.
Use: Workflows Enabled property = false to disable SOA
1. Disconnected application instance manual fulfillment tasks WILL FAIL.
2. If the selected user has a pending account request (when SOA was disabled), the request for entitlements will never get completed.
3. Bulk entitlement requests for a user with multiple accounts or no accounts will fail.
4. Certification, SOD, UMS Notification (which uses SOA) and the Web service connector do not work.

Good documentation of the request flow is available at http://docs.oracle.com/cd/E52734_01/oim/OMADM/workflowrules.htm#OMADM5364
TODO: Need to look at how the Request engine integrates with the orchestration engine. Has there been any significant change in the approach?