We are using IDM 3.5.1 (yes I know it's old, but that's what we're stuck
with). We need to provide an approval workflow for provisioning new
users. Therefore, we have used the Manual Task driver together with a
custom iManager task and some other drivers to deliver the process. For
the most part it works as stated below but there is one part of the
solution which is not ideal and we would like to improve but requires
XSLT code to resolve, which we have limited knowledge of.

What changes would we need to make to the XSL stylesheet to achieve the
required solution below?

Manual Task driver

Custom iManager task creates an edir account, login disabled
Manual Task driver reacts to the add event, and sends an email to a
Manager. Email contains an embedded URL pointing to the webserver
running on the MT Driver.
Manager clicks on the link, and a browser window will open with details
of the new user account. Manager must authenticate with his password,
and select an approve or deny option. Clicking on the submit button of
the webpage will POST the data to the MT Driver.
The MT driver will set a flag attribute on the new account.
Other connected systems react to that flag attribute being set and
provision accounts for the approved user.
A template message is sent back to the Manager's browser to show the
action was successful.

This all works already, only a few tweaks to the MT driver required.


The embedded link in the mail that was sent to the Manager is still
"Active". The Manager can click on that embedded URL a week or a month
later and still get the webpage with the option to approve or deny the
request. So multiple approval POSTs are possible, or even an Approve
followed a fortnight later by a Deny. IDM policy can intercept these
events downstream and veto them. But there is no feedback to the Manager
about it.

Required Solution

On the IDM side, policy rules can check if a user account already has
the flag attribute added or not. If not, allow the event through (i.e.
initial approve or deny decision). If the user account does have that
attribute set, then the account has already been approved or denied so
veto the event with an explanation message in trace. This is working.

On the "desktop" side, send a template message to the Manager's browser
to explain that the action failed because the user has already been
processed. If changes to the flag attribute are required, go into
iManager and use the custom Modify task. This is not working (yet).

The MT driver uses an XSLT stylesheet to process HTTP GET and POST
actions, and combines that with various message templates to build
messages sent to the Manager's browser. The required logic would seem to
be to accept the HTTP POST from a Manager's approve or deny action,
query eDirectory for that user and read if the flag attribute has
already been set or not. If it hasn't, continue with the current working
setup (standard out of the box stuff). But if the flag has already been
set, do not issue a Modify event into the Publisher channel and also
send a fail template message back to the Manager's browser to explain
why the action failed.

Any help much appreciated.

ratclma's Profile: https://forums.netiq.com/member.php?userid=7886
View this thread: https://forums.netiq.com/showthread.php?t=51485
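A sketch of the check asked for above, as an added example that is not from the post or from the Manual Task driver's shipped stylesheets: it reads the flag attribute through the IDM XdsQueryProcessor XSLT extension before deciding whether to emit a modify at all, and writes the reason to trace when it does not. The POST element names, the `destQueryProcessor` parameter name and the `approvalFlag` attribute are assumptions; switching the browser response to the fail template is driver-specific and left as a labelled placeholder.

```xml
<!-- Assumed input: the driver hands the POST fields to this stylesheet as
     <post-data><item name="..."> (placeholder names); output is an XDS document. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor"
    exclude-result-prefixes="query">
  <!-- eDirectory-facing query processor; the parameter name is an assumption
       for the MT driver's POST stylesheet (it is what channel stylesheets receive). -->
  <xsl:param name="destQueryProcessor"/>
  <!-- Placeholder name for the approval flag attribute. -->
  <xsl:variable name="flag-attr" select="'approvalFlag'"/>
  <xsl:template match="/">
    <xsl:variable name="user-dn" select="string(/post-data/item[@name='dest-dn'])"/>
    <xsl:variable name="decision" select="string(/post-data/item[@name='decision'])"/>
    <!-- Read just the flag attribute of the target user before emitting anything. -->
    <xsl:variable name="query-doc">
      <nds dtdversion="2.0">
        <input>
          <query class-name="User" dest-dn="{$user-dn}" scope="entry">
            <read-attr attr-name="{$flag-attr}"/>
          </query>
        </input>
      </nds>
    </xsl:variable>
    <xsl:variable name="result" select="query:query($destQueryProcessor, $query-doc)"/>
    <xsl:variable name="already-processed" select="boolean($result//instance/attr[@attr-name=$flag-attr]/value)"/>
    <nds dtdversion="2.0">
      <input>
        <xsl:choose>
          <xsl:when test="$already-processed">
            <!-- Flag present: emit no modify and explain in trace. Selecting the
                 "already processed" fail template is driver-specific: PLACEHOLDER. -->
            <xsl:message>
              <xsl:value-of select="concat('Approval for ', $user-dn, ' ignored: flag already set')"/>
            </xsl:message>
          </xsl:when>
          <xsl:otherwise>
            <!-- First decision for this user: set the flag as the working setup does. -->
            <modify class-name="User" dest-dn="{$user-dn}">
              <modify-attr attr-name="{$flag-attr}">
                <add-value><value type="string"><xsl:value-of select="$decision"/></value></add-value>
              </modify-attr>
            </modify>
          </xsl:otherwise>
        </xsl:choose>
      </input>
    </nds>
  </xsl:template>
</xsl:stylesheet>
```

Because the check runs before the modify is generated, a second POST from the stale link never reaches the Publisher channel, so the downstream policy veto becomes a safety net rather than the only control.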