Provision Users With Workflow

This sample demonstrates a typical workflow use case — provisioning new users.

The sample uses the Admin UI to set up the initial users and roles, then shows how users can complete their registration process in the End User UI.

The sample simulates the following scenario:

  • An existing employee requests that an outside contractor be granted access to an organization's system.

  • The system in this case, is the IDM managed user repository and a remote HR data source, represented by a CSV file (hr.csv).

  • User roles are stored separately, in a second CSV file (roles.csv).

The sample has three mappings—two for the bidirectional synchronization of the managed user repository and the HR data store, and one for the synchronization of the roles data to the managed repository.

Prepare the Sample

In this section, you start IDM, configure the outbound email service, and reconcile user and role data. The reconciliation operations create two managed users, user1 and manager1, and two managed roles, employee (assigned to user1) and manager (assigned to manager1).


Workflows are not supported with a DS repository. Before you test this sample, install a JDBC repository.

  1. Edit the /path/to/openidm/samples/provisioning-with-workflow/conf/datasource.jdbc-default.json file with the details of your JDBC repository. For more information, see Select a Repository.

  2. Start IDM with the configuration for the provisioning sample:

    /path/to/openidm/ -p samples/provisioning-with-workflow
  3. Log in to the Admin UI.

  4. Configure the outbound email service:

    1. From the navigation bar, click Configure > Email Settings.

    2. On the Email Settings page, enable the outbound mail service, enter the connection information, and click Save.

  5. Enable Password Reset.

    1. From the navigation bar, click Configure > Password Reset.

    2. On the Password Reset page, enable password reset, enter the applicable information, and click Save.


      For additional password reset information, see "Configuring Emails for Password Reset".

  6. Reconcile the role and user data.

    1. From the navigation bar, click Configure > Mappings.

    2. Select the first mapping (systemRolesFileRole_managedRole) and click Reconcile.

    3. To verify the reconciliation, from the navigation bar, click Manage > Role.

      IDM displays the two roles created in the previous step: employee and manager.

    4. From the navigation bar, click Configure > Mappings.

    5. Select the second mapping (systemCsvfileAccounts_managedUser), and click Reconcile.

      The reconciliation operation creates the top-level managers (users who do not have their own manager property) in the managed user repository. In this sample, there is only one top-level manager (manager1).

    6. Select the second mapping again (systemCsvfileAccounts_managedUser), and click Reconcile.

      This reconciliation operation creates the employees of the managers that were created by the previous reconciliation. In this sample, there is only one employee (employee1).

    7. From the navigation bar, click Manage > User, and verify the users manager1 and user1 exist.

  7. Verify the relationships between the new user and role objects:

    1. Click user1. The Manager field displays manager1 for this user.

    2. Click the Authorization Roles tab. user1 has two roles: openidm-authorized and employee.

    3. From the breadcrumb link at the top of the page, click User, and select manager1. The Manager field is empty for this user.

    4. Click the Authorization Roles tab. manager1 has three roles: manager, openidm-authorized, and openidm-tasks-manager.

  8. Verify the available workflows.

    1. From the navigation bar, click Manage > Processes.

    2. On the Workflow Processes page, select the Definitions tab.

    3. From the Definitions list, click Contractor onboarding process. IDM displays a diagram similar to the following:

      Sample workflow diagram
  9. Log out of the Admin UI.

Run the Sample

During this part of the sample, an existing employee initiates a Contractor Onboarding process. This process is a request to add a contractor to the managed user repository, with an option to include the contractor in the original HR data source (hr.csv).

When the employee has completed the required form, the request is sent to the manager for approval. Any user with the role manager can claim the approval task. If the request is approved, an email is sent to the address provided in the initial form, with a request for the contractor to reset their password. When the password reset has been completed, the contractor is created in the managed user repository. If a request was made to add the contractor to the original HR data source, this is done when the manager approves the request.

  1. Log in to the End User UI (https://localhost:8443/) as the user you created in the previous section (user1) with password Welcome1.

  2. Navigate to the dashboard, with the Dashboard icon (). Alternatively, select the Menu icon (), and select Dashboard.

  3. Initiate the provisioning workflow as user1:

    1. Scroll down to the Start a Process menu, and click Start next to the Contractor onboarding process.

      Complete the form for the sample user you will be creating. Use an email address to which you have access. You'll need access to complete this workflow.

      Activate the Create in CSV File option, which enables implicit synchronization from the managed user repository to the hr.csv file.


      Note that user1 does not provide a password for this user. A password reset request is sent to the email address provided on this form to ensure that only the actual contractor can log in with this account.

    2. Select Submit to initiate the process.

    3. Log out of the End User UI.

  4. Approve the workflow task as manager1:

    1. Log in to the End User UI as manager1, with password Welcome1.

    2. Navigate to the dashboard, with the Dashboard icon (). Alternatively, select the Menu icon (), and select Dashboard.

    3. Under Unassigned Tasks, locate the Approve Contractor task, select Assign, and select Assign to Me.

    4. Approve Contractor is now listed under My Tasks.

      Select Edit next to the task name.

    5. Review the form content. (It is the same content that you provided as user1.)

      Assuming the information is acceptable, select Accept.

    6. Log out of the End User UI.

  5. Verify that the contractor has been created in the HR data source (hr.csv):

    more /path/to/openidm/samples/provisioning-with-workflow/data/hr.csv
    "username","firstname","lastname","manager", "department","jobTitle",     ...,"password",...
    "user1",   "Ordinary", "Employee","manager1","dep1",      "job1",         ...,"Welcome1",...
    "manager1","Big",      "Manager", "",        "dep1",      "Manager",      ...,"Welcome1",...
    "bjensen", "Barbara",  "Jensen",  "user1",   "Payroll",   "Payroll clerk",...,       ...,...

    Note the addition of the new contractor entry, in this case, bjensen. Note also that there is no value for the password field, and that user1 is the manager of the new contractor.

  6. Complete the password reset process:

    1. Verify the inbox of the email account that you provided when you completed the initial form.

      You should have received two emails — one with the subject "Your account has been created" and one with the subject "Reset your password".

    2. Open the password reset email and select Password reset link.

      The link takes you to the End User UI, with the option to Reset Your Password.

    3. Enter a new password, and select Change Password.

      The password that you enter here must comply with the password policy that is configured for managed users. For more information, see "Enforcing Password Policy".

    4. Select Sign In and connect with the username and newly created password.

    5. Select the notifications icon (), and you should see welcome and password update messages:

      Notifications for new users
      Welcome and password update messages

  7. Verify that the new password has been propagated to the HR data source:

    Open /path/to/openidm/samples/provisioning-with-workflow/data/hr.csv and note that the password for the contractor has been added to their entry.

If you declined the approval request, the user is not created in either the managed user repository, or in the HR CSV file.

Read a different version of :