
I’m configuring the workflow for requests to grant / revoke a role in OIM 11.1.2.3 / SOA 11.1.1.9.

If the request is initiated by a user who is in a particular Admin Role, and the request is to assign / revoke a particular role, I can set up a workflow rule to approve the request and the role will be granted / revoked via the ‘direct’ no workflow processing.

If the request is initiated by a system admin, I can use an out-of-the-box workflow rule to approve the request and the role will be granted / revoked via the ‘direct’ no workflow processing.

I need to reject the request in any other circumstances.

I think the way to do this is to create a custom SOA workflow composite which just has the single REJECT outcome and configure it as the final workflow rule so that it will execute if the earlier rules do not match.

Is this approach to achieving the requirement correct? I do not want to trigger any human interaction, just reject the change and end the processing.

L. Prior

1 Answer


We have decided to achieve this requirement using a data validator instead of a REJECT SOA workflow.

We have created a custom validator that extends AssignRolesDataValidator. If the request is initiated by anyone who is not a sysadmin and not in the required Admin Role/s for the role being requested, the data validator will throw an InvalidRequestDataException and an error message is displayed on the screen. The processing only continues and evaluates the workflow rules if the data validator validate() method completes without an exception, i.e. if the request is allowed to be made by that user. The workflow rules then simply deal with how the request is approved (in each case above, via a 'direct' assignment and no workflow), rather than with the decision to approve or reject.

This has the benefit of only allowing 'valid' requests (assignment of roles by valid Admin Role members) but complicates how the logic for the flow is configured. We will need to maintain both the data validator code and the workflow rules.

Any feedback / advice would be most welcome.

L. Prior
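The deny-by-default gate described in the answer, as an added example that is not the poster's code and does not use the OIM libraries. The class `RoleRequestGate`, the nested stand-in `InvalidRequestDataException`, the `validate`/`submit` signatures and the role names are all assumptions made so the sketch compiles on its own (Java 9+); a real plugin would extend `AssignRolesDataValidator` and read these values from the request.

```java
import java.util.Map;
import java.util.Set;

public class RoleRequestGate {
    // Stand-in for the OIM exception named in the answer (assumption: lets this compile without OIM jars).
    static class InvalidRequestDataException extends Exception {
        InvalidRequestDataException(String msg) { super(msg); }
    }

    // Constructed sample mapping: requested role -> Admin Roles whose members may grant/revoke it.
    static final Map<String, Set<String>> ALLOWED_ADMIN_ROLES = Map.of(
        "Finance Approver", Set.of("Finance Role Admin"),
        "HR Viewer", Set.of("HR Role Admin", "HR Helpdesk Admin"));

    // Completes normally only for an allowed requester; every other path throws (fail closed).
    static void validate(boolean isSysAdmin, Set<String> requesterAdminRoles, String requestedRole)
            throws InvalidRequestDataException {
        if (isSysAdmin) {
            return; // system administrators may request any role
        }
        // A missing role name, an unmapped role or a requester with no Admin Roles all fall through to deny.
        Set<String> allowed = requestedRole == null ? null : ALLOWED_ADMIN_ROLES.get(requestedRole);
        if (allowed != null && requesterAdminRoles != null) {
            for (String adminRole : requesterAdminRoles) {
                if (adminRole != null && allowed.contains(adminRole)) {
                    return;
                }
            }
        }
        throw new InvalidRequestDataException("You are not permitted to request this role change.");
    }

    // Models the ordering in the answer: workflow rules are evaluated only after validate() succeeds.
    static String submit(boolean isSysAdmin, Set<String> adminRoles, String requestedRole) {
        try {
            validate(isSysAdmin, adminRoles, requestedRole);
        } catch (InvalidRequestDataException e) {
            return "REJECTED before workflow rules: " + e.getMessage();
        }
        return "ACCEPTED: workflow rules evaluated (direct assignment, no workflow)";
    }

    public static void main(String[] args) {
        System.out.println(submit(true, Set.of(), "Finance Approver"));                 // sysadmin
        System.out.println(submit(false, Set.of("HR Role Admin"), "HR Viewer"));        // matching Admin Role
        System.out.println(submit(false, Set.of("HR Role Admin"), "Finance Approver")); // wrong Admin Role
        System.out.println(submit(false, Set.of("HR Role Admin"), "Unmapped Role"));    // role not in mapping
    }
}
```

Because the workflow rules still auto-approve whatever reaches them, the validator is the only authorization check on this path, so a role missing from the mapping has to end in the exception rather than a silent pass.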