Saturday, January 7, 2012

OIM10G: Administrative Queues


Hello,
My name is Thiago L Guimaraes. I am a Security Consultant and I work with Marco. I will publish some articles to help developers with different OIM topics.
The objective of Administrative Queues is to improve the manageability of requests by letting users who belong to the groups in a queue manage those requests.
The idea is very simple. You only need to assign a group of users to manage a provisioning request using an entity called a queue.
A queue can hold one or more group definitions. Here we will use the Administrative Queue form to create and manage administrative queues. You assign queues to requests from the Queues tab on the Request form (Data Object Manager – Object Definition tab).
A request can specify administrative privileges for each group in the queue. In this example I’ve assigned two different groups, and each has different administrative privileges for the request. The ‘DeleteAccess’ group is able to delete a request, and the ‘WriteAccess’ group is able to modify a request.
Steps:
1. Create and configure an admin queue.
2. Raise a new request in order to provision a test resource which is following an approval flow.
3. The request is assigned to the manager of the requester, who is able to approve the request.
4. The members of the group associated with the administrative queue are able to approve the request.
First go to User Management –> Administrative Queue, create your ‘Queue Name’ and assign your Group Members as shown below:
Go to Adapter Factory –> Create your Entity Adapter.
Don’t forget to upload your Java code (.jar file) to the JavaTasks directory in OIM_HOME/xellerate.
The Java code for the entity adapter is:
package adminqueuespjr;

import Thor.API.Operations.tcQueueOperationsIntf;
import Thor.API.Operations.tcRequestOperationsIntf;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import java.util.HashMap;
import org.apache.log4j.Logger;

/**
 * @author Thiago Leoncio
 *  The wrapper class for Administrative Queue implementation on OIM 9.1.0.2 BP17
 *  Created On : 01/17/2012
 */
public class AdministrativeQueueUtility {
    private static final Logger logger = Logger.getLogger("ADMINQUEUE test");

    /**
     * Assigns the request to the named administrative queue.
     * Nothing is assigned when the queue name cannot be resolved to a key.
     */
    public static void assignRequestToQueue(long requestKey, String queueName) {
        try {
            // OIMUtil is a helper class that is not shown in this post; it
            // returns the tcUtilityFactory used for all API calls.
            tcUtilityFactory apiFactory = OIMUtil.getUtilityFactory();
            tcRequestOperationsIntf reqOpsIntf = null;
            long queueKey = 0;
            queueKey = getQueueKey(queueName);
            if (queueKey != 0) {
                reqOpsIntf = (tcRequestOperationsIntf) apiFactory
                        .getUtility("Thor.API.Operations.tcRequestOperationsIntf");
                reqOpsIntf.assignQueue(queueKey, requestKey);
                logger.info("Request " + requestKey + " assigned to "
                        + queueName);
            } else {
                logger.info("Request " + requestKey + " not assigned to "
                        + queueName + " as the queue does not exist.");
            }
        } catch (Exception e) {
            logger.error("Error assigning request " + requestKey + " to queue "
                    + queueName, e);
        }
    }

    /**
     * Looks up the key of the queue with the given name.
     * Returns 0 unless exactly one queue matches, or if the lookup fails.
     */
    public static long getQueueKey(String queueName) {
        tcQueueOperationsIntf queueOpsIntf = null;
        HashMap<String, String> queueFilter;
        tcResultSet queues = null;
        long queueKey = 0;
        try {
            tcUtilityFactory apiFactory = OIMUtil.getUtilityFactory();
            queueOpsIntf = (tcQueueOperationsIntf) apiFactory
                    .getUtility("Thor.API.Operations.tcQueueOperationsIntf");
            // Filter on the exact queue name.
            queueFilter = new HashMap<String, String>();
            queueFilter.put("Queues.Queue Name", queueName);
            queues = queueOpsIntf.findQueues(queueFilter);
            // Accept the result only when the name resolves to a single queue.
            if ((queues != null) && (queues.getRowCount() == 1)) {
                queues.goToRow(0);
                queueKey = queues.getLongValue("Queues.Key");
            }
        } catch (Exception e) {
            logger.error(
                    "Error occurred in method AdministrativeQueueUtility.getQueueKey.",
                    e);
        }
        return queueKey;
    }
}
Mapping variables:
Data Object Manager –> Search for Request.
-- UGP_KEY of my user is 42 (WriteAccess group)
select * from UGP
Now when you raise a request that needs approval from this type of group, OIM's behavior will be:
Logs:
DEBUG,07 Oct 2011 19:23:12,031,[XELLERATE.ACCOUNTMANAGEMENT],Class/Method: tcUtilityFactory/getRemoteUtility – Data: moUtil – Value: Thor.API.Operations.tcQueueOperationsClient
DEBUG,07 Oct 2011 19:23:12,032,[XELLERATE.APIS],Class/Method: tcQueueOperationsBean/findQueues entered.
DEBUG,07 Oct 2011 19:23:12,035,[XELLERATE.APIS],Class/Method: tcQueueOperationsBean/findQueues left.
DEBUG,07 Oct 2011 19:23:12,038,[XELLERATE.ACCOUNTMANAGEMENT],Class/Method: tcUtilityFactory/getRemoteUtility – Data: moUtil – Value: Thor.API.Operations.tcRequestOperationsClient
DEBUG,07 Oct 2011 19:23:12,058,[XELLERATE.ADAPTERS],Class/Method: tcAdpEvent/finalizeEntityAdapter entered.
DEBUG,07 Oct 2011 19:23:12,062,[XELLERATE.ADAPTERS],Class/Method: tcAdpEvent/finalizeEntityAdapter – Data: No Return Value mapping defined – Value:
DEBUG,07 Oct 2011 19:23:12,062,[XELLERATE.ADAPTERS],Class/Method: tcAdpEvent/finalizeEntityAdapter left.
 INFO,07 Oct 2011 19:23:12,062,[XELLERATE.ADAPTERS],Event: adpTHIAGOADMINQUEUE has completed.
DEBUG,07 Oct 2011 19:23:12,683,[XELLERATE.APIS],Class/Method: tcFormDefinitionOperationsBean/findForms entered.
DEBUG,07 Oct 2011 19:23:12,691,[XELLERATE.APIS],Class/Method: tcFormDefinitionOperationsBean/findForms left.
DEBUG,07 Oct 2011 19:23:12,715,[XELLERATE.APIS],Class/Method: tcFormDefinitionOperationsBean/getFormFieldsData entered.
 INFO,07 Oct 2011 19:23:12,722,[XELLERATE.APIS],Class/Method: tcFormDefinitionOperationsBean/getFormFieldsData: Form with key 4does not have any fields defined.
DEBUG,07 Oct 2011 19:23:13,604,[XELLERATE.ADAPTERS],Class/Method: tcRuleEvaluator/findApprovalProcessDeterminationRule entered.
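An added example, not part of the original post: a small Python check over log lines in the format shown above. It pairs each "entered"/"left" entry and confirms that the queue lookup and the adapter event both completed. The sample lines are copied from the excerpt; the function names are illustrative.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the log excerpt above.
SAMPLE = """\
DEBUG,07 Oct 2011 19:23:12,032,[XELLERATE.APIS],Class/Method: tcQueueOperationsBean/findQueues entered.
DEBUG,07 Oct 2011 19:23:12,035,[XELLERATE.APIS],Class/Method: tcQueueOperationsBean/findQueues left.
 INFO,07 Oct 2011 19:23:12,062,[XELLERATE.ADAPTERS],Event: adpTHIAGOADMINQUEUE has completed.
DEBUG,07 Oct 2011 19:23:13,604,[XELLERATE.ADAPTERS],Class/Method: tcRuleEvaluator/findApprovalProcessDeterminationRule entered.
"""

LINE = re.compile(r"^\s*(\w+),(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),(\d{3}),\[([\w.]+)\],(.*)$")
CALL = re.compile(r"Class/Method: (\S+) (entered|left)\.$")
EVENT = re.compile(r"Event: (\S+) has completed\.$")

def trace(log_text):
    """Return (finished calls with duration in ms, completed events, unfinished calls)."""
    pending, calls, completed = {}, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not in the OIM log line format
        ts = (datetime.strptime(m.group(2), "%d %b %Y %H:%M:%S")
              + timedelta(milliseconds=int(m.group(3))))
        call = CALL.search(m.group(5))
        event = EVENT.search(m.group(5))
        if call and call.group(2) == "entered":
            pending.setdefault(call.group(1), []).append(ts)
        elif call and pending.get(call.group(1)):
            start = pending[call.group(1)].pop()
            calls.append((call.group(1), (ts - start) // timedelta(milliseconds=1)))
        elif event:
            completed.append(event.group(1))
    unfinished = sorted(name for name, stack in pending.items() if stack)
    return calls, completed, unfinished

def adapter_ran_queue_lookup(log_text, adapter):
    """True if findQueues entered and left, and the adapter event completed."""
    calls, completed, _ = trace(log_text)
    looked_up = any(name.endswith("/findQueues") for name, _ in calls)
    return looked_up and adapter in completed

if __name__ == "__main__":
    print(trace(SAMPLE), adapter_ran_queue_lookup(SAMPLE, "adpTHIAGOADMINQUEUE"))
```

A method reported as unfinished only means its "left" line is outside the captured window, as with the last line of the excerpt.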
1) -- QUM: administrative queue members
select * from qum
-- In the RQE table you can see the requests that were included in the queue table
select * from rqe
Finally, I hope this helps,
Thiago L Guimaraes