R2 Authorization after Action

R2 introduced a new property to the UpdateResourceActivity, CreateResourceActivity and DeleteResourceActivity classes called “ApplyAuthorizationPolicyProperty”. Setting this to “true” in your custom activity allows an Authorization activity to be triggered by an Action workflow.

I have finally had an opportunity to try this out.

My Use Case

I’m developing a solution based around Services, Roles and Entitlements. Services have one or more Roles, and you need an Entitlement specific to a Service-Role combo to get access to it. Depending on the Service there are different requirements for approvals and notifications.

A number of the Services have a training requirement and this should be the final approval step in the process. Here’s how it might go:

  1. User requests an entitlement,
    1. Manager must approve,
  2. Entitlement is created with Training set to “Requested”,
    1. Workflow triggers to update Training to “Done”,
      • Trainer must approve,
  3. Entitlement now active with Training=“Done”.

Before R2 that “Trainer must approve” step wasn’t possible, at least not without some externally-triggered PowerShell trickery. Now we can do it, but you will have to write a custom activity to do your equivalent of my step 2a above.

Custom Update Activity

To demonstrate this functionality I wrote a very simple activity that uses the UpdateResourceActivity to set a value.

    

There is only one code activity and then the UpdateResourceActivity.

Here’s the code activity:

    Private Sub InitializeUpdateActivity_ExecuteCode(ByVal sender As System.Object, ByVal e As System.EventArgs)
        ' Get the containing workflow; it supplies the actor and target for the update
        Dim containingWorkflow As SequentialWorkflow = Nothing
        If Not SequentialWorkflow.TryGetContainingWorkflow(Me, containingWorkflow) Then
            Throw New InvalidOperationException("Could not get parent workflow!")
        End If

        ' Modify the configured attribute on the workflow's target, as the workflow's actor
        Me.updateResourceActivity1.UpdateParameters = New UpdateRequestParameter() {New UpdateRequestParameter(Me.Attribute, UpdateMode.Modify, Me.Value)}
        Me.updateResourceActivity1_ActorId1 = containingWorkflow.ActorId
        Me.updateResourceActivity1_ResourceId1 = containingWorkflow.TargetId

        ' Opt in to authorization so the update request can trigger an AuthZ workflow
        If Me.AuthZAfterAction = True Then Me.updateResourceActivity1_ApplyAuthorizationPolicy1 = True

    End Sub

The important bit is setting the ApplyAuthorizationPolicy property to True.

In case you want to see them here are links to the full Activity and UI code:

Policy Objects to Create

Sets:

  • “Entitlements where Training is Requested”
  • “Entitlements where Training is Done”

Workflow Definitions:

  • Action: “Set Training to Done”. Uses my CustomUpdate activity as pictured above, with “Allow Authorization” ticked.
  • AuthZ: “Get Trainer Approval”. Just a standard Approval activity.

MPR “Entitlement Workflow: Initiate training request”

  • Type = Transition In 
  • Transition Set = “Entitlements where Training is Requested”
  • Action WF = “Set Training to Done”

MPR “Entitlement Workflow: Get trainer approval”:

  • Type = Request
  • Requestor = “All People”
  • Operation = Modify
  • Target before set = “Entitlements where Training is Requested”
  • Target after set = “Entitlements where Training is Done”
  • AuthZ WF = “Get Trainer Approval”

The Results

To test that I really can have an approval after an action all I need do is edit an existing entitlement and set Training to “Requested”:

Looking at the Requests log I can see that a couple of things have happened straight away:

  • My request to change the value to “Requested” is Post-Processing,
  • There is a new request to change the value to “Done” which is “Authorizing”, and
  • An approval has been created.

Going back to check the entitlement – the expected value of “Requested” is the currently committed value.

The approver responsible for saying when training is done just has to approve the pending request:

Once that is complete the entitlement object now shows a correct training status of “Done”.
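The request flow described above, as a simplified Python model added here (it is not FIM code and not the author's activity). It shows that the trainer approval only gates the change when the action workflow's update opts in to authorization. The set and workflow names come from the post; the `Request` class, the function names and the "Created" and "Completed" statuses are assumptions.

```python
from dataclasses import dataclass, field

# Set name -> membership test (names from the post; logic is a constructed model)
SETS = {
    "Entitlements where Training is Requested": lambda e: e.get("Training") == "Requested",
    "Entitlements where Training is Done": lambda e: e.get("Training") == "Done",
}
# Request MPR "Entitlement Workflow: Get trainer approval"
REQUEST_MPRS = [{
    "operation": "Modify",
    "before": "Entitlements where Training is Requested",
    "after": "Entitlements where Training is Done",
    "authz_wf": "Get Trainer Approval",
}]

@dataclass
class Request:
    target: dict
    changes: dict
    apply_authorization_policy: bool  # stands in for ApplyAuthorizationPolicy
    status: str = "Created"
    pending: list = field(default_factory=list)

def commit(req):
    req.target.update(req.changes)
    req.status = "Completed"

def submit(req, operation="Modify"):
    """Match request MPRs; hold the change while an AuthZ workflow is pending."""
    after = {**req.target, **req.changes}
    if req.apply_authorization_policy:
        req.pending = [m["authz_wf"] for m in REQUEST_MPRS
                       if m["operation"] == operation
                       and SETS[m["before"]](req.target)
                       and SETS[m["after"]](after)]
    if req.pending:
        req.status = "Authorizing"  # nothing is committed yet
    else:
        commit(req)
    return req

def approve(req, workflow):
    """Record one approval; commit once no AuthZ workflow is outstanding."""
    req.pending.remove(workflow)
    if not req.pending:
        commit(req)

def run_action_workflow(entitlement, authz_after_action):
    """Models the 'Set Training to Done' action workflow fired on transition-in."""
    return submit(Request(entitlement, {"Training": "Done"}, authz_after_action))
```

With `authz_after_action=False` the same update commits immediately, which is the pre-R2 behaviour the post describes: a change made by an action workflow never reaches the approval step.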

 

So there we have it

It looks like it is now possible to trigger an approval from a change being made by an action workflow.

I still need to try out a few other things – like whether it makes any difference if the Sync Engine made the change – but so far it looks promising.

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.

