Step Elements
Note: Similar to variables, some parts of a step definition are included as attributes of the step and others are expressed as nested elements within the step.
The core of the workflow is contained within the step elements. The action attribute determines what processing the step performs. Steps usually contain one or more nested <Transition> elements and ideally also contain a nested <Description> element that tells the reader what the step is intended to do. At a minimum, a step should contain:
-
an icon
-
name
-
posX attribute
-
posY attribute
The action attribute determines what processing the step performs. Steps usually contain one or more nested <Transition> elements and ideally also contain a nested <Description> element that tells the reader what the step is intended to do.
<Step icon="Start" name="Start" posX="250" posY="126">
<Description>
The workflow's processing starts with this step.
</Description>
<Transition to="Initialize"/>
</Step>
Step Attributes
|
Step Attribute |
Purpose |
|
configForm |
A soft reference to the form that is presented to the Basic View of the Arguments tab on the Step Editor panel. |
|
name |
Short but descriptive name for step displayed in user interface graphical display below the step icon. |
|
icon |
Icon to display for the step in the user interface graphical Process Designer. Valid icon values include: |
|
posX, posY |
X and Y indicate positions where the step icon should be displayed on the user interface graphical Process Designer grid. If you omit the posX and posY values, the icon is displayed at the top right of the grid. You can drag the icon around to create the desired layout at a later time. |
|
action |
The processing action to take for the step, such as a script, rule, subprocess, or call. See Step Actions. |
|
wait |
Pauses the action for a specified duration, see Wait Attribute. |
|
catches |
Causes the step to be launch when Complete status is caught, rather than through a transition from another step. See Catches Attribute. |
|
resultVariable |
Variable name that contains the return value from the step. |
|
Nested Tag within Step Element |
|
|
Description |
Provide a description of the step purpose. |
|
Transition |
Identifies the next step the process moves to when the current step is complete. See Transition Element. |
|
Arg |
Passes variables to the step. Used for steps that require data to be passed in to them. |
|
Return |
Receives return values from subprocess steps. See Return Elements. |
|
Script |
Alternative to script in the Action attribute for the step. Use these step attributes for action scripts of any length or complexity. |
|
Source |
Nested within the Script tag and contains the Java BeanShell source for the action to execute. |
Transition Element
The transition element indicates the name of the next step the process executes following completion of the current step and is always nested within a step in the model. Transitions can contain conditions based on a string, script, rule, call method, or reference (similar to a variable initialization). The return value for conditions must be a Boolean (True / False). When multiple transitions are stipulated, they are evaluated in the order they are listed, and the transition for the first condition met is followed. The last transition in the list should, as a best practice, not contain any conditions so it can be used as the default action.
Transitions contain two attributes:
-
to – next step
-
when – condition for progressing to the next step
When a script is evaluated as the condition for a transition, it is often specified through these nested elements instead of as a when attribute on the transition element, especially if you use a long script.
|
Nested Tag |
Purpose |
|
Script |
Alternative to script in the transition when attribute. The script should be used for scripts of any length or complexity. |
|
Source |
Nested within the Script tag. This tag contains the BeanShell source for the condition evaluation. |
Example:
<Transition to="end">
<Script>
<Source>
("cancel".equals(violationReviewDecision) || ((size(policyViolations)
> 0 ) && (policyScheme.equals("fail"))))
</Source>
</Script>
</Transition>Conditions in the when attribute can be specified using the following types of conditions:
|
Condition Type |
Description and Examples |
|
string |
Not used. This condition type is an artifact of the common structure used for variable setting and does not apply to conditions. A literal value of True or False can be specified. However, using one of those literal values does not enable any evaluation in the transition. True always executes the associated step and False always bypasses the step. |
|
script |
Evaluates script result value to determine step transition. Very short scripts are specified inline on the transition element, within the when attribute. Longer scripts are expressed within nested <script> and <source> elements. Because script is the default transition when option, the "script:" prefix can be included or omitted. Examples: (1) In-line Script. Use only for very short, simple scripts. <Transition to="Exit On Policy Violation" when="script:((size(policyViolations)> 0) && (policyScheme.equals("fail")))"/> (2) Longer script within nested <script> tag should be use for transition scripts of any complexity or length. <Transition to="end"> <Script> <Source> ("cancel".equals(violationReviewDecision) || ((size(policyViolations) > 0 ) && (policyScheme.equals("fail")))) </Source> </Script> </Transition> |
|
rule |
Evaluates the return value of a workflow rule to determine step transition. Examples: <Transition to="Process Approval" when="rule:RequireApprovalRule"> |
|
call |
Evaluates return value of a call to a workflow library method to determine step transition. Example: <Transition to:"Check Status" when="call:requiresStatusCheck" /> |
|
ref |
Evaluates a defined, Boolean, workflow variable to determine step transition. Example: <Transition to="Refresh Identity" when="ref:doRefresh"/> |
|
Unconditional |
Specified as last transition option to give a default path for the transition. Example: <Transition to="Approve"/> |
Step Actions
Most steps involve much more than a name and a transition. Steps also include an action attribute that executes the workflow processing. The action of a step can be a script or can a rule, subprocess, or a call to a workflow library method.
|
Action Type |
Description |
|
Script |
Similar to scripts in other parts of the workflow XML, the script can be contained within the action attribute or can be nested within the Step in a <Script> block. Examples: (1) In-line Script, used only for very short, simple scripts.
<Transition to="Stop"/> </Step> (2) Longer script within nested <script> tag. Used for action scripts of any complexity or length. <Step name="Start" icon="Start" posX="20" posY="20"> <Script> <Source> String wfName = wfcontext.getWorkflow().getName(); System.out.println("Starting workflow: [" + wfName + "]"); </Source> </Script> <Transition to="Compile Provisioning Project"/> </Step> |
|
Rule |
A step can execute a block of Java BeanShell code encapsulated in a reusable workflow Rule. Example: <Step action="rule:WFRule_verifyIdentity" icon="Task" name="Verify Identity" posX="600" posY="202"> |
|
Subprocess |
When you include a <WorkflowRef> element within the step and reference the SailPoint.object.Workflow class and the specific workflow by name, a subprocess is defined. Example: <Step icon="Task" name="Initialize" posX="320" posY="126"> … <WorkflowRef> <Reference class="sailpoint.object.Workflow" name="Identity Request Initialize"/> </WorkflowRef> <Transition to="end"> </Step> |
|
Call |
Calls to workflow library methods can be used to do step processing. Call is the default action option. Therefore the "call:" prefix can be included or omitted. Example: <Step action="call:refreshIdentity" icon="Task" name="Refresh Identity" posX="618" posY="242"> |
Arguments
Any variables to be passed to a script, rule, subprocess, or library method must be declared as step arguments through <Arg> elements. Similar to other variables, the values for arguments can be specified by string, script, rule, call, or reference. The default specification type is string. Therefore, the "string:" qualifier can be omitted. However, arguments are also commonly passed by referencing workflow variables.
Step icon="Task" name="Initialize" posX="320" posY="126">
<Arg name="w" vaflolue="ref:flow"/>
<Arg name="formTemplate" value="string:Identity Update"/>
<Arg name="identityName" value="ref:identityName"/>
...
<Description>Call the standard subprocess to initialize the request,
this includes auditing, building the approvalset, compiling the plan into
project and checking policy violations.</Description>
...
<WorkflowRef>
<Reference class="sailpoint.object.Workflow" name="Identity Request
Initialize"/>
</WorkflowRef>
<Transition to="end">
</Step>When an argument is specified as a script, rule, or call, for example, <Arg name="myVar" value="rule:myWFRule"/>, any needed arguments to the script, rule, or library method cannot be explicitly specified.
Because these scripts, rules, and library methods automatically have access to the workflow context object, the scripts can access workflow variables directly through the workflow context get methods. These scripts/rules/methods can also access any step arguments that were defined before them in the step declaration. For example, the method that identifies the value for the Manager argument can use the value in the identityName argument in its processing, if needed. See the following example.
<Step icon="Task" name="Processing Step" posX="320" posY="126">
<Arg name="identityName" value="ref:identityName"/>
<Arg name="Manager" value="call:getManager"/>
...
</Step>The following table lists the available Arg attributes
|
Arg Attribute |
Purpose |
|
name |
Variable name in process to which the data is being passed. |
|
value |
Value to pass into the variable, such as string, script, rule, call, reference. |
Return Elements
To return more than one value from a subprocess, you can declare <Return> elements for the step. At a minimum, a return element contains: a name attribute and a to attribute. The name attribute is the name of the variable in the subprocess workflow and the to attribute is the variable name in the calling (current) workflow. If these names are the same in both workflows, a to attribute is not required. However, specifying a to attribute is a best practice for clarity.
Use the merge attribute when the variable is a List and the returned values should be appended to the current workflow's list instead of replacing it. Similar to Args, value attribute for return elements can be specified as a string, script, rule, call, or reference. String is the default. If the value argument is omitted, the value of the name variable is copied as-is into the to variable, However, a script/rule/method can be used to transform or modify the value as it is passed.
-
name attribute – name of the variable in the subprocess workflow
-
to attribute – variable name in the calling (current) workflow
Note: If these names are the same in both workflows, a to attribute is not required. However, specifying the to attribute is best practice.
<Step icon="Task" name="Initialize" posX="320" posY="126">
<Arg name="flow" value="ref:flow"/>
<Arg name="formTemplate" value="string:Identity Update"/>
<Arg name="identityName" value="ref:identityName"/>
...
<Return name="project" to="project"/>
<Return merge="true" name="workItemComments" to="workItemComments"/>
<WorkflowRef>
<Reference class="sailpoint.object.Workflow" name="Identity Request
Initialize"/>
</WorkflowRef>
<Transition to="end">
</Step>The following table lists the available Return attributes.
|
Return Attribute |
Purpose |
|
name |
Variable name in process from which the data is returned. |
|
to |
Variable name in the workflow step to which the data is passed. |
|
value |
Value to pass into the variable, such as string, script, rule, call, reference. |
|
merge |
Flag indicating that the value should be merged into the target variable instead of replacing the variable. This attribute is used for list variables. |
|
local |
Only applies to returns on Approvals. (See Approval Steps). A flag that indicate the value is passed to local storage within the parent approval and not passed to a workflow case variable. This attribute is used for complex approvals where a work item state is saved for later analysis in a script. |
Call
Note: Installations can create custom libraries for commonly used and required business methods. However, custom library methods must be named with unique names that do not conflict with standard library method names. Conflicts resolve as a reference to the standard library method. It is possible to extend a standard library and overload its method names. Extending a standard library is not consider a best practice. Therefore, the best practice is to create new names for nonstandard methods. Creating new names makes it clear that the method is not a standard method.
Use calls to workflow library methods to do step processing. Similar to subprocesses, they sometimes require arguments to be passed to them. You declare method arguments the same way as subprocesses. You use Library methods with a call action. See the following example.
<Step action="call:refreshIdentity" icon="Task" name="Refresh Identity" posX="618" posY="242">
<Arg name="identityName" value="ref:identityName"/>
<Arg name="correlateEntitlements" value="string:true"/>
<Description>Add arguments as necessary to enable refresh features. Typically you
only want this to correlate roles. Don't ask for provisioning since that
can result in provisioning policies that need to be presented and it's
too late for that. This is only to get role detection and exception
entitlements in the cube.</Description>
<Transition to="Notify"/>
</Step>The methods available for the call action are those included in the libraries attribute for the workflow element, if specified. If no libraries attribute is specified, the workflow automatically has access to the methods in the Identity, Role, PolicyViolation, and Lifecycle Manager libraries. If other libraries, including custom libraries, are explicitly listed in the libraries attribute, any of the default libraries whose methods are needed by the workflow must also be explicitly included in the list to be available. See Workflow Library Methods for details about the methods available in each library.
Wait Attribute
The step wait attribute causes the workflow to pause in its execution for the duration specified. The wait value can be specified as a string, script, rule, call, or reference. String is the default.
<Step name="Wait for next check" wait="ref:provisioningCheckStatusInterval">
<Description>
Pause and wait for things to happen on the PE side.
Use the configurable interval to determine how long
we wait in between checks.
</Description>
<Transition to="CheckStatus"/>
</Step>This attribute creates a special type of step with the sole purpose of creating a pause in the action. Wait steps are commonly used in retry logic to enable behind-the-scenes processing to occur before the workflow attempts to repeat an action.
Catches Attribute
These steps are not caused through a transition from a previous step. These steps are caused by a thrown message that the steps intercepts or catches. Currently, only a complete message is thrown and can be caught. This process occurs when one of the following items occurs:
-
All sequential steps in a workflow are executed to completion.
OR -
Failure condition results in the termination of the workflow.
<Step catches="complete" icon="Task" name="Finalize">
<Arg name="project" value="ref:project"/>
<Arg name="approvalSet" value="ref:approvalSet"/>
<Arg name="trace" value="ref:trace"/>
<Description>
Call the standard subprocess that can audit/finalize the request.
</Description>
<WorkflowRef>
<Reference class="sailpoint.object.Workflow" name="Identity Request Finalize"/>
</WorkflowRef>
<Transition to="end"/>The primary purpose of these steps is to update the IdentityRequest object, which tracks and reports the status of a LifecycleManager request, making the history of LCM request processing available even after the TaskResult for the workflow was purged.
Each installation can drive custom logic based on catching this complete message.