Create Workflow with input form for collecting input data

Hello All,

I am relatively new to AR, and I have to create a worklow for new users. If the User is created, a multi admin workflow should start. Initialision of the workflow is clear for me. Now the challenge, where I did not know how to achieve this goal?

The workflow should forward an request to an admin, which provides a phone number for the new User (posssible solution an input form). After providing this, the workflow should go to another adimin, who also types in AD Attributes and so on. At the end of the workflow a final approver should check the input from the others, and if ok, the AD Attributes should be set after approval from last approver.

Now my question, how can I achieve this? Are there existing forms for this input data, and how are this attributes are saved in the forms during the running workflow? I searched OneIdentidy Support KB and also searched this forum, but could find an appropriate possible solution.

Does anybody have an idea how to solve this? Any help will be welcome!

Many Thanks in advance!

Markus

Parents
  • What I would do is:

    Create an AR Workflow that notifies the Admin to go to the new user's property page to put in the phone number.  You can embed the name of the new user in the notification easily as there is a "token" for the in-process user's details (name or any other property) available.

    In the Web UI, your admin would go to the user properties page of the newly created user as requested by the notification

    The entry of the phone number (actually the "Save" action) by the Admin would then trigger the next workflow to tell the next admin to go and edit the required attributes (the phone number modification is the workflow trigger / start condition).  To make the attribute update task easier for the next admin, using out of the box customization, I would create a new tab on the existing user properties dialog of the Web UI that contains the required attributes.

    You would once again use the setting of the attributes as a trigger / start condition for the last workflow that would request approval for the setting of the attributes from whomever you choose (by way of an Approval activity in the workflow inserted prior to the update attributes action).

  • Hey Johnny,

    many thanks for your help and suggestion, but I actually stuck in the starting of the workflow, it did not start! I created a sync workflow for creation of users from an HR System. The User will be created successfully in a dedicated OU.

    Now I would like to start the workflow, where dedicated User should provide information for these Users (e.g. phone number, mobile number, hardware ordering etc.). But I tried many things for "Conditions for starting the workflow", meaning creation of the user, or modifiing of the user etc, but nothing worked for me, the workflow did not start? Do not know if I make a logical error in thinking?

    Any idea what I do wrong?

  • You should be able to set a condition of the start where:

    Triggering event is the creation of the user

    Setup a further condition where the action is taken by your sync service account in your "new users" OU.

    Do you have a separate user account running your sync service jobs?

  • I take it that this initial workflow is just for sending a notification and not an approval workflow? There are essentially three items that can be configured to start a workflow. The Operation Conditions or action, which in this case should be set to Create User. The next items are Initiator Conditions or "who and where", this tells Active Roles to start the workflow if it was done by a certain set of users on a certain directory container. It defaults to Any User as the initiator and all of Active Directory for the container. The last items that can be configured are LDAP filtering conditions, but these are blank by default. Is this what you have configured?

  • Hello Johnny,

    in general these Trigger works, if I try to create a new User in my OU via MMC. But it seems that this did work with an Synchronization Task. My Synchronisation task creates users, but did not start the workflow, which has the trigger "create user". It seems to be handeled different. If I look for the Change history of the newly created user via Synchronization task, it is empty. Meaning the creation via Synchronization task will not handelt like creation via GUI.

    This means I still have the problem to find a workflow starting trigger with an created user via synchronisation service. Ideas are very welcome ;-)

    Best Regards Markus

Reply
  • Hello Johnny,

    in general these Trigger works, if I try to create a new User in my OU via MMC. But it seems that this did work with an Synchronization Task. My Synchronisation task creates users, but did not start the workflow, which has the trigger "create user". It seems to be handeled different. If I look for the Change history of the newly created user via Synchronization task, it is empty. Meaning the creation via Synchronization task will not handelt like creation via GUI.

    This means I still have the problem to find a workflow starting trigger with an created user via synchronisation service. Ideas are very welcome ;-)

    Best Regards Markus

Children
  • Is the connection in your Sync Service to Active Directory or Active Roles? If you cannot see the creation activity of the user in Change History on that user object, then that could mean the user was created directly in Active Directory.

  • Workflows can only be triggered by Active Roles clients. The Active Roles Synchronization Service can be an Active Roles client, but it can also bypass Active Roles and connect to Active Directory natively.

    Make sure that the connection which you are using is a connection to an Active Roles Administration Service and not to Active Directory. If it is not, you will need to create an Active Roles Administration Service connection and recreate the Workflow (Workflows cannot be changed to use a different connection after they are created).

  • Thanks for your help, this was my first mistake, I created an AD Connection Sync. I created a new with Active Roles Server Connection. But the Workflow is still not working!

    If I run the connector sync with the synchronisation account, then the Workflow is skipped, because it is an ARS Administrative Account. And if I run the connector with a non administrative Account I get the following error during Sync step:

    Activity 'Approval rule Festnetznummer' in workflow 'New User Workflow' returned an error.
    Your operation cannot be processed.
    The operation you have requested requires approval by authorized persons, whereas the application you are using does not support the creation of approval requests. Use the Active Roles Web Interface to perform operations that require approval.

  • That's an interesting dilemma.  Let me share with you what I recently did for a customer.  They too have the sync service creating accounts.  

    In their environment, the account is created and a notification e-mail is sent to the Manager of the user object to ask them to confirm that they actually want the account.  Within the e-mail, is a link to the user object in the ARSelfService site.  The Manager goes to the object and selects "Yes, I need this account" from a dropdown (setup with a simple PGV policy on virtual attribute) to acknowledge that they want the the account.  There is also an option to say "No, I don't need the account".  If the Manager selects this option, then the account is deprovisioned and eventually deleted.

    I don't know if this is a practical solution for you but I thought I would share.

  • This is relevant:

    Title: Can Quick Connect / Active Roles Synchronization Service integrate with Active Roles Workflows?
    Solution: 96700
    URL: https://support.oneidentity.com/kb/96700