Querying Oracle IAM requests

When a request is created in IAM, for example to create a user, workflows can be set up to require approval from various actors depending on business needs. Sometimes these requests need to be reviewed outside the IAM interface. For this purpose, IAM provides APIs for querying existing requests.

The OIM workflow API does not function properly alongside the other provisioning APIs, so it is important that request processing is done in a separate application. This creates design challenges and forces workflow operations to be decoupled from other system operations.

In the following sections, we concentrate on connecting to, configuring and querying the OIM workflow engine to examine the existing requests.

Connecting to OIM Service

When writing a web application, especially one that uses SSO infrastructure, it is important to connect to the web service as an admin and then identify the user who will perform the operation.

First, remote client configuration is set up for workflow services.

protected static IWorkflowServiceClient wfSvcClient = null;

// Describe the workflow server this client talks to
WorkflowServicesClientConfigurationType wscct =
    new WorkflowServicesClientConfigurationType();
List<ServerType> servers = wscct.getServer();
ServerType server = new ServerType();
server.setDefault(true);
server.setName(WORKFLOWCONTEXT);
servers.add(server);

// Password of the administrative account used for the remote connection
Password pwd = new Password();
pwd.setValue(WEBSERVERPASSWORD);

// Remote client settings: server URL, admin account and JNDI context factory
RemoteClientType rct = new RemoteClientType();
rct.setServerURL(WORKFLOWURL);
rct.setUserName(WEBSERVERUID);
rct.setPassword(pwd);
rct.setInitialContextFactory("weblogic.jndi.WLInitialContextFactory");
rct.setParticipateInClientTransaction(false);
server.setRemoteClient(rct);

wfSvcClient = WorkflowServiceClientFactory.getWorkflowServiceClient(
    WorkflowServiceClientFactory.REMOTE_CLIENT, wscct, null);

In addition, a query service is needed to perform queries.

protected static ITaskQueryService querySvc = null;
querySvc = wfSvcClient.getTaskQueryService();

Now we have to connect to the query service as an administrator:

IWorkflowContext adminContext = querySvc.authenticate(WEBSERVERUID,
    WEBSERVERPASSWORD.toCharArray(), null);
if (adminContext == null)
{
    // No admin context: stop here rather than continuing with the request
    System.out.println("Unauthenticated");
}

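If the connection is successful, then the requesting user is authenticated. This is based on the understanding that the requesting user has already been authenticated via SSO. Because authenticateOnBehalfOf() receives only the admin context and a user ID, with no credential for that user, the ID must be taken from the SSO-validated session and never from client-supplied input.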

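// approverctx is the context passed to queryTasks() later on
IWorkflowContext approverctx = querySvc.authenticateOnBehalfOf(adminContext, user);
if (approverctx == null)
{
    // No context for the user: do not fall back to the admin context
    System.out.println("Failed to authenticate on behalf of user : " + user);
}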

Where ‘user’ is the User Id of the requesting user.

Request Configuration

In order to set up the request, we need to perform a basic OIM connection and then get the request service object from the connection object.

public class OIMConnect
{
    public static OIMClient client;
    ...
    public OIMConnect()
    {
        ...
        client.login(OIMUserName, OIMPassword.toCharArray());
        ...
    }
    ....
}
....
OIMConnect conn = new OIMConnect();
RequestService reqsrvc = conn.client.getService(RequestService.class);

Additionally, the attributes that the query should return need to be defined as follows:

List<String> queryColumns = new ArrayList<String>();
queryColumns.add("TASKID");
queryColumns.add("TASKNUMBER");
queryColumns.add("TITLE");
queryColumns.add("OUTCOME");
queryColumns.add("IDENTIFICATIONKEY");

Now we have the connection and the result format defined.

Querying Requests

A predicate object is created to set up the condition for the query. In this case, we would query the assigned tasks, which have not been completed yet. This will return the tasks assigned to the requesting user.

Predicate whereclause =
    new Predicate(TableConstants.WFTASK_STATE_COLUMN,
                  Predicate.OP_EQ,
                  IWorkflowConstants.TASK_STATE_ASSIGNED);

The query is performed, where both the approver context from workflow service and the query service based on OIM connection come together:

List tasks =
    querySvc.queryTasks(approverctx,
        queryColumns,
        null, // Do not query additional info
        ITaskQueryService.AssignmentFilter.MY_AND_GROUP,
        null, // No keywords
        whereclause, // Custom predicate: assigned tasks only
        null, // No special ordering
        0, // Do not page the query result
        0);

Processing tasks

The list of tasks can now be traversed as follows to get the various task attributes:

for (int i = 0; i < tasks.size(); i++)
{
    Task task = (Task)tasks.get(i);
    int taskNumber = task.getSystemAttributes().getTaskNumber();
    String taskId = task.getSystemAttributes().getTaskId();
    String outcome = task.getSystemAttributes().getOutcome();
    String stat1 = task.getSystemAttributes().getState();
    String idKey = task.getIdentificationKey();
    ....
}

Querying Request Attributes

We can now access the contents of the requests that are pending, as a result of the query above. This is achieved by calling the getBasicRequestData() method of the request service, using the task identification key.

Request req = reqsrvc.getBasicRequestData(idKey);
// Attributes of the first target entity of the request
List<RequestEntityAttribute> fetchedEntityAttrList =
    req.getTargetEntities().get(0).getEntityData();
String fName = "", lName = "", Email = "";
for (int j = 0; j < fetchedEntityAttrList.size(); j++)
{
    RequestEntityAttribute entityField = fetchedEntityAttrList.get(j);
    // Debug output: these values are personal data, keep them out of production logs
    System.out.println(entityField.getName());
    System.out.println(entityField.getValue());
    if ("First Name".equalsIgnoreCase(entityField.getName()))
    {
        fName = "" + entityField.getValue();
    }
    if ("Last Name".equalsIgnoreCase(entityField.getName()))
    {
        lName = "" + entityField.getValue();
    }
    if ("Email".equalsIgnoreCase(entityField.getName()))
    {
        Email = "" + entityField.getValue();
    }
    ....
    ....
}
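
The loop above reads only the first target entity, turns a missing value into the string "null" through `"" + value`, and prints every attribute value. The following added example (not code from the original post) performs the same extraction with an allow-list of fields and masked log output; the `Attr` class is a hypothetical stand-in for `RequestEntityAttribute` so that it runs without the OIM libraries, and the sample data is constructed.

```java
import java.util.*;

public class RequestFieldExtractor {
    // Hypothetical stand-in for OIM's RequestEntityAttribute (a name/value pair).
    static final class Attr {
        final String name; final Object value;
        Attr(String name, Object value) { this.name = name; this.value = value; }
    }

    // Only these request fields are ever copied out of the request.
    static final Set<String> ALLOWED =
        new HashSet<>(Arrays.asList("first name", "last name", "email"));

    // Returns allow-listed fields keyed by lower-case name; skips nulls and unknown names.
    static Map<String, String> extract(List<List<Attr>> targetEntities) {
        Map<String, String> out = new LinkedHashMap<>();
        if (targetEntities == null || targetEntities.isEmpty()) {
            return out; // no target entities: nothing to read, and no get(0) exception
        }
        for (Attr a : targetEntities.get(0)) {
            if (a == null || a.name == null || a.value == null) continue;
            String key = a.name.toLowerCase(Locale.ROOT);
            if (ALLOWED.contains(key)) out.put(key, String.valueOf(a.value).trim());
        }
        return out;
    }

    // Log-safe form of a value: keeps the first character and the length only.
    static String mask(String v) {
        if (v == null || v.isEmpty()) return "<empty>";
        return v.charAt(0) + "***(" + v.length() + " chars)";
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real request.
        List<Attr> entity = Arrays.asList(
            new Attr("First Name", "Alice"),
            new Attr("Last Name", null),             // missing value must not become "null"
            new Attr("Email", "alice@example.com"),
            new Attr("Password", "s3cret"));         // not allow-listed: never copied or logged
        Map<String, String> fields = extract(Collections.singletonList(entity));
        for (Map.Entry<String, String> e : fields.entrySet()) {
            System.out.println(e.getKey() + " = " + mask(e.getValue()));
        }
        System.out.println("empty request -> "
            + extract(Collections.<List<Attr>>emptyList()));
    }
}
```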

Conclusion

The code snippets above are meant to help in designing an external request approval system. If the system is protected under SSO, such as Oracle Enterprise Single Sign-On, the requests can be viewed or approved by the intended user.
