RapidIdentity Product Guide

Edit a Workflow

Administrators can edit an existing workflow by selecting the workflow, clicking Details, and then clicking Edit in the upper right-hand corner.

In this example, if the entitlement requestor is not a manager, a manager must approve the request before the entitlement is granted. However, if the requestor is a manager, the request is granted and the End Action follows.

Once the Edit button is clicked, workflow actions can be added to or removed from the workflow by clicking directly on the workflow path component.

A workflow action can be removed by clicking the red trash can icon, or its configuration can be modified by clicking the pencil icon. To place an action between existing actions, click the line between the action paths. In this case, an Email action was added prior to the End Action. The process to add a new action is identical to the sequence defined in General Steps.

Once the workflow is complete, click Save.

Using Expressions in Workflow Actions

Several fields within workflow actions can use custom expressions. These expressions provide values from various inputs into the workflow process.

There are several valid expression prefixes, and any suffix may be appended to a prefix. The suffix should reference a valid attribute. For instance, when referencing the recipient of a resource, the suffix should refer to a valid attribute of that person within LDAP.

Note

When these expressions are used in a Value Pair for the Connect and/or Connect (Advanced) Actions, they must be surrounded by single quotes, e.g. '%{recipient.givenName}'.

Valid Expression Prefixes

  • recipient - Refers to the recipient user of the workflow request

  • requestor/requester - Refers to the user who initiated the workflow request

  • addressee - Refers to the User or Group assigned to the current approval task for the workflow

  • approver - Refers to the User who responded to an approval task

  • approval - Refers to a particular approval response

  • resource - Refers to the Entitlement being granted/revoked

  • dss - Refers to a response value received from an Advanced RapidIdentity Connect Action

  • form - Refers to the form associated with the workflow request

The following items are currently available when using the 'resource' prefix:

  • name - The name of the Entitlement

  • description - The description of the Entitlement

  • binding - The binding of the Entitlement

  • icon - The icon URL for the Entitlement

  • owner - The User who is the owner of the Entitlement

Form Prefix

  • %{grant.form.<id>} - Refers to the form associated with the current grant request, and is only available during REVOKE workflows. <id> is the unique form id.

User/Group Prefixes may refer to any directory attribute on that target object, with support for chaining if the attribute is a DN and references another valid directory object.

  • %{recipient.givenName} - Returns the value of the “givenName” attribute for the recipient of the workflow

  • %{requester.mail} - Returns the value of the “mail” attribute for the User who requested the workflow

  • %{recipient.manager} - Returns the value of the “manager” attribute on the recipient’s directory entry

  • %{recipient.manager.fullName} - Returns the value of the “fullName” attribute on the object pointed to by the recipient’s “manager” attribute

  • %{recipient} - Returns the idautoID of the recipient

  • %{recipient.id} - Returns the idautoID of the recipient

  • %{recipient.idautoID} - Returns the idautoID of the recipient

  • %{recipient.dn} - Returns the DN of the recipient

  • %{addressee.idautoID} - Returns the idautoID of the User/Group assigned to the current approval task

Approver/Approval Prefixes can optionally have an index so that information about approval steps beyond the first can be referenced.

  • %{approver.mail} - Returns the value of the “mail” attribute for the User who approved/denied the first approval task

  • %{approver0.mail} - Returns the value of the “mail” attribute for the User who approved/denied the first approval task

  • %{approver1.givenName} - Returns the value of the “givenName” attribute for the User who approved/denied the second approval task

  • %{approval1.comments} - Returns the comments (if any) from the approver of the second approval task

‘comments’ are currently the only information available when using the ‘approval’ prefix.

Miscellaneous Expressions

  • %{request.type} - Returns the type of the current workflow request. type is the only suffix that can be used with the request prefix, and the only types are GRANT and REVOKE.
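
As an added example (not part of RapidIdentity or this guide's own material), the Python sketch below checks the text of a workflow action field against the prefixes and item lists documented above, so that typos and undocumented suffixes are caught before a workflow is saved. The function names are hypothetical, directory attribute names are not validated, and it assumes the Connect Value Pair rule means the single quotes sit directly around the expression.

```python
import re

# Prefixes and item lists copied from this guide; anything else is flagged.
USER_PREFIXES = {"recipient", "requestor", "requester", "addressee"}
FREE_PREFIXES = {"dss", "form"}  # the guide lists no fixed suffix set for these
RESOURCE_ITEMS = {"name", "description", "binding", "icon", "owner"}
EXPR = re.compile(r"%\{([^{}]*)\}")
INDEXED = re.compile(r"(approver|approval)\d*")  # optional approval-step index


def check_expression(body):
    """Return None if body (the text inside %{...}) matches the guide, else a reason."""
    parts = body.split(".")
    if "" in parts:
        return "empty path segment"
    prefix, suffix = parts[0], parts[1:]
    indexed = INDEXED.fullmatch(prefix)
    if indexed and indexed.group(1) == "approval":
        return None if suffix == ["comments"] else "approval exposes only 'comments'"
    if indexed or prefix in USER_PREFIXES or prefix in FREE_PREFIXES:
        return None  # directory attributes and DN chaining cannot be checked offline
    if prefix == "resource":
        ok = bool(suffix) and suffix[0] in RESOURCE_ITEMS
        return None if ok else "resource item not in documented list"
    if prefix == "request":
        return None if suffix == ["type"] else "request exposes only 'type'"
    if prefix == "grant":
        ok = len(suffix) == 2 and suffix[0] == "form"
        return None if ok else "expected grant.form.<id>"
    return "unknown prefix"


def lint_field(text, connect_value_pair=False):
    """Return [(expression, problem)] for one workflow action field."""
    findings = []
    for m in EXPR.finditer(text):
        problem = check_expression(m.group(1))
        if problem:
            findings.append((m.group(0), problem))
        # Assumption: the quotes must directly enclose the expression.
        before = text[m.start() - 1:m.start()]
        after = text[m.end():m.end() + 1]
        if connect_value_pair and (before, after) != ("'", "'"):
            findings.append((m.group(0), "not wrapped in single quotes"))
    return findings
```

Call lint_field with connect_value_pair=True only for Value Pair fields of the Connect and Connect (Advanced) Actions; an empty list means nothing in the field contradicts the guide.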