Workflow properties

Workflow properties

Workflow properties are used to configure the core IBM Security Identity Manager workflow engine.
Table 1 defines the properties used to configure the core IBM Security Identity Manager workflow engine.

Workflow configuration

enrole.workflow.lrucache.size

Size of the cache used to temporarily use and access workflow objects. Do not change it unless directed by IBM support. Making this value too large can result in out of memory conditions oIBM Security Identity Manager Server.
Example (default, commented out).
## enrole.workflow.lrucache.size=number_of_entries

where the default value of number_of_entries is 2000.

enrole.workflow.notifyoption

Do not change this property key and value unless you are a qualified administrator. Behavior of workflow email notifications. Values are:

0 (NOTIFY_NONE) – Security Identity Manager does not send email notifications when the workflow process completes.
1 (NOTIFY_REQUESTER) – A process completion notification is sent to the requester when the workflow process completes. Account email notifications are then sent to the requestee for the following account requests:

New Account
New Password
Change Account
Deprovision Account
Suspend Account
Restore Account
For example, when the workflow process completes for a new account request, a process completion notification is sent to the requester. A new account notification is then sent to the requestee.

Example (default).
enrole.workflow.notifyoption=1

enrole.workflow.notifypassword

Do not change this property key and value unless you are a qualified administrator. Type of email notification in a password transaction (caused when a user password is changed or automatically generated). Values are:

true – email notification of a password change can be sent to a user. The actual notification mechanism and whether to include the actual password in the email is dictated by the configuration of the enrole.workflow.notification.newpassword property value.
false – email notification of a password change is sent to a user. The email contains a URL where the user can obtain the password. The URL prompts the user for the shared secret.

Example (default).
enrole.workflow.notifypassword=true

enrole.workflow.notifyaccountsonwarning

Specifies whether account email notifications are sent when the account operation results in a warning. Values are:

true – Sends account email notifications.
false – Does not send account email notifications.

Example (default).
enrole.workflow.notifyaccountsonwarning=false

enrole.workflow.maxretry

Do not change this property key and value unless you are a qualified administrator.
Specifies the number of times an attempt is made to start a workflow that initially failed. See also enrole.workflow.retrydelay.
Example (default).
enrole.workflow.maxretry=2

enrole.workflow.retrydelay

Do not change this property key and value unless you are a qualified administrator.
Time delay [in milliseconds] between successive attempts to start a workflow application that initially failed. See also enrole.workflow.maxretry.
Example (default).
enrole.workflow.retrydelay=60000

enrole.workflow.skipapprovalforrequester

Do not change this property key and value unless you are a qualified administrator. For a workflow activity that requires approval, this property specifies whether to skip the approval for other approvers if the requester is also an approver. Values are:

true – Skips approval for other approvers if the requester is also an approver.
false – Forces an approval check from other required approvers of the activity, except the requester (if the requester is also an approver). If the requester is a single approver as a result of participant resolution, then the approval is skipped even when value is set to false.

Example (default).
enrole.workflow.skipapprovalforrequester=false

enrole.workflow.disablerequesteeapproval

Do not change this property key and value unless you are a qualified administrator. For a workflow activity that requires approval, this property specifies whether to disable the requestee approval if the requestee is also an approver. Values are:

true – Disables the requestee approval if the requestee is also an approver.
false – Sends an approval check to the requestee and other resolved participants if the requestee is also an approver.
The default value is false.
Example (default).
enrole.workflow.disablerequesteeapproval=false

For more information, see Planning > Workflow planning > Workflow participants > Disable requestee or requester approval on the IBM Security Identity Manager documentation.

enrole.workflow.disablerequesterapproval

Do not change this property key and value unless you are a qualified administrator.
IBM Security Identity Manager considers this property value only when the enrole.workflow.skipapprovalforrequester property value is set to false. For a workflow activity that requires approval, this property specifies whether to disable the requester approval if the requester is an approver. Values are:

true – A value set to false for the enrole.workflow.skipapprovalforrequester property disables automatic approval if the requester is a lone approver.
false – Works according to the value that you set for the enrole.workflow.skipapprovalforrequester property.

Example (default).
enrole.workflow.disablerequesterapproval=false

For more information, see Planning > Workflow planning > Workflow participants > Disable requestee or requester approval on the IBM Security Identity Manager documentation.

enrole.workflow.skipfornoncompliantaccount

Do not change this property key and value unless you are a qualified administrator.
Specifies whether to engage the entitlement workflow associated with the account. Specifies when a system account modification is triggered as a result of a policy enforcement action. Values are.

true – Skips this action.
false – Does not skip this action.

Example (default).
enrole.workflow.skipfornoncompliantaccount=true

enrole.workflow.distribution

Do not change this property key and value unless you are a qualified administrator. Specifies whether workflow requests use the IBM Security Identity Manager shared queues, which allow for workload distribution. Values are:

true – Workflow requests are eligible for distribution.
false – Workflow requests are not eligible for distribution.

Example (default).
enrole.workflow.distribution=true

enrole.workflow.async_completion_enabled

Do not change this property key and value unless you are a qualified administrator. Specifies whether the system uses asynchronous completion checking for some system workflows, which can decrease database lock contention and improve performance. Values are:

true – Uses asynchronous completion checking.
false – Does not use asynchronous completion checking.

Example (default).
enrole.workflow.async_completion_enabled=true

enrole.workflow.async_completion_interval_sec

Do not change this property key and value unless you are a qualified administrator.
Specifies the interval in seconds that the system checks to see whether certain system workflows are complete. Only applicable when enrole.workflow.async_completion_enabled=true.
Example (default).
enrole.workflow.async_completion_interval_sec=30

enrole.workflow.notification.activitytimeout

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java™ class that generates the workflow activity timeout notification.
Example (default, entered as a single line).
enrole.workflow.notification.activitytimeout= com.ibm.itim.workflow.notification.TemplateActivityTimeoutNotification

enrole.workflow.notification.processtimeout

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates the workflow process timeout notification.
Example (default, entered as a single line).
enrole.workflow.notification.processtimeout=com.ibm.itim.workflow. notification.TemplateProcessTimeoutNotification

enrole.workflow.notification.processcomplete

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates the notification for when a workflow process is completed..
Example (default, entered as a single line).
enrole.workflow.notification.processcomplete=com.ibm.itim.workflow. notification.TemplateProcessCompleteNotification

enrole.workflow.notification.pendingwork

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates the notification for when a workflow process is completed for manual activities (Approvals and Requests for Information).
Example (default, entered as a single line).
enrole.workflow.notification.pendingwork=com.ibm.itim.workflow. notification.TemplatePendingWorkNotification

enrole.workflow.notification.newaccount

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates the notification for when a workflow process is completed for a new account.
Example (default, entered as a single line).
enrole.workflow.notification.newaccount=com.ibm.itim.workflow. notification.TemplateNewAccountNotification

enrole.workflow.notification.newpassword

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates a notification when a user changes a password. This property is used only when the value for the property is true.
enrole.workflow.notifypassword=true
This property responds to the following three-password change scenarios.

When a user changes the password for the account
When the administrator forces a password change on the account
When a user is successfully identified through the password challenge/response feature, and challenge/response is configured.

Valid classes include.

NewPasswordNotification
Email notification that includes the password (in ASCII text) is sent to a user (default).
EmptyNotificationFactory
Suppresses email notification. The preferred method for suppressing any notification is through the Workflow Notification GUI.
PasswordChangeNotificationFactory
Email notification that does not include the password is sent to a user. Message body says: "Process completed".

The EmptyNotificationFactory and PasswordChangeNotificationFactory classes are in the examples.jar package in the examples directory.
Example (default, entered as a single line).
enrole.workflow.notification.newpassword=com.ibm.itim.workflow. notification.TemplateNewPasswordNotification

enrole.workflow.notification.deprovision

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates deprovisioning notification.
Example (default, entered as a single line).
enrole.workflow.notification.deprovision=com.ibm.itim.workflow. notification.TemplateDeprovisionNotification

enrole.workflow.notification.workorder

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates work order notifications.
Example (default, entered as a single line).
enrole.workflow.notification.workorder=com.ibm.itim.workflow. notification.TemplateWorkOrderNotification

enrole.workflow.notification.changeaccount

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates account change notifications.
Example (default, as a single line).
enrole.workflow.notification.changeaccount= com.ibm.itim.workflow.notification.TemplateChangeAccountNotification

enrole.workflow.notification.restoreaccount

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates account restoration notifications.
Example (as a single line).
enrole.workflow.notification.restoreaccount= com.ibm.itim.workflow.notification.TempateRestoreAccountNotification

enrole.workflow.notification.suspendaccount

Do not change this property key and value unless you are a qualified administrator.
Specifies the default Java class that generates account suspension notifications.
Example (as a single line).
enrole.workflow.notification.suspendaccount= com.ibm.itim.workflow.notification.TemplateSuspendAccountNotification

Parent topic: System property configuration in enRole.properties

Workflow configuration
enrole.workflow.lrucache.size
	Size of the cache used to temporarily use and access workflow objects. Do not change it unless directed by IBM support. Making this value too large can result in out of memory conditions oIBM Security Identity Manager Server. Example (default, commented out). ## enrole.workflow.lrucache.size=number_of_entries where the default value of number_of_entries is 2000.
enrole.workflow.notifyoption
	Do not change this property key and value unless you are a qualified administrator. Behavior of workflow email notifications. Values are: 0 (NOTIFY_NONE) – Security Identity Manager does not send email notifications when the workflow process completes. 1 (NOTIFY_REQUESTER) – A process completion notification is sent to the requester when the workflow process completes. Account email notifications are then sent to the requestee for the following account requests: New Account New Password Change Account Deprovision Account Suspend Account Restore Account For example, when the workflow process completes for a new account request, a process completion notification is sent to the requester. A new account notification is then sent to the requestee. Example (default). enrole.workflow.notifyoption=1
enrole.workflow.notifypassword
	Do not change this property key and value unless you are a qualified administrator. Type of email notification in a password transaction (caused when a user password is changed or automatically generated). Values are: true – email notification of a password change can be sent to a user. The actual notification mechanism and whether to include the actual password in the email is dictated by the configuration of the enrole.workflow.notification.newpassword property value. false – email notification of a password change is sent to a user. The email contains a URL where the user can obtain the password. The URL prompts the user for the shared secret. Example (default). enrole.workflow.notifypassword=true
enrole.workflow.notifyaccountsonwarning
	Specifies whether account email notifications are sent when the account operation results in a warning. Values are: true – Sends account email notifications. false – Does not send account email notifications. Example (default). enrole.workflow.notifyaccountsonwarning=false
enrole.workflow.maxretry
	Do not change this property key and value unless you are a qualified administrator. Specifies the number of times an attempt is made to start a workflow that initially failed. See also enrole.workflow.retrydelay. Example (default). enrole.workflow.maxretry=2
enrole.workflow.retrydelay
	Do not change this property key and value unless you are a qualified administrator. Time delay [in milliseconds] between successive attempts to start a workflow application that initially failed. See also enrole.workflow.maxretry. Example (default). enrole.workflow.retrydelay=60000
enrole.workflow.skipapprovalforrequester
	Do not change this property key and value unless you are a qualified administrator. For a workflow activity that requires approval, this property specifies whether to skip the approval for other approvers if the requester is also an approver. Values are: true – Skips approval for other approvers if the requester is also an approver. false – Forces an approval check from other required approvers of the activity, except the requester (if the requester is also an approver). If the requester is a single approver as a result of participant resolution, then the approval is skipped even when value is set to false. Example (default). enrole.workflow.skipapprovalforrequester=false
enrole.workflow.disablerequesteeapproval
	Do not change this property key and value unless you are a qualified administrator. For a workflow activity that requires approval, this property specifies whether to disable the requestee approval if the requestee is also an approver. Values are: true – Disables the requestee approval if the requestee is also an approver. false – Sends an approval check to the requestee and other resolved participants if the requestee is also an approver. The default value is false. Example (default). enrole.workflow.disablerequesteeapproval=false For more information, see Planning > Workflow planning > Workflow participants > Disable requestee or requester approval on the IBM Security Identity Manager documentation.
enrole.workflow.disablerequesterapproval
	Do not change this property key and value unless you are a qualified administrator. IBM Security Identity Manager considers this property value only when the enrole.workflow.skipapprovalforrequester property value is set to false. For a workflow activity that requires approval, this property specifies whether to disable the requester approval if the requester is an approver. Values are: true – A value set to false for the enrole.workflow.skipapprovalforrequester property disables automatic approval if the requester is a lone approver. false – Works according to the value that you set for the enrole.workflow.skipapprovalforrequester property. Example (default). enrole.workflow.disablerequesterapproval=false For more information, see Planning > Workflow planning > Workflow participants > Disable requestee or requester approval on the IBM Security Identity Manager documentation.
enrole.workflow.skipfornoncompliantaccount
	Do not change this property key and value unless you are a qualified administrator. Specifies whether to engage the entitlement workflow associated with the account. Specifies when a system account modification is triggered as a result of a policy enforcement action. Values are. true – Skips this action. false – Does not skip this action. Example (default). enrole.workflow.skipfornoncompliantaccount=true
enrole.workflow.distribution
	Do not change this property key and value unless you are a qualified administrator. Specifies whether workflow requests use the IBM Security Identity Manager shared queues, which allow for workload distribution. Values are: true – Workflow requests are eligible for distribution. false – Workflow requests are not eligible for distribution. Example (default). enrole.workflow.distribution=true
enrole.workflow.async_completion_enabled
	Do not change this property key and value unless you are a qualified administrator. Specifies whether the system uses asynchronous completion checking for some system workflows, which can decrease database lock contention and improve performance. Values are: true – Uses asynchronous completion checking. false – Does not use asynchronous completion checking. Example (default). enrole.workflow.async_completion_enabled=true
enrole.workflow.async_completion_interval_sec
	Do not change this property key and value unless you are a qualified administrator. Specifies the interval in seconds that the system checks to see whether certain system workflows are complete. Only applicable when enrole.workflow.async_completion_enabled=true. Example (default). enrole.workflow.async_completion_interval_sec=30
enrole.workflow.notification.activitytimeout
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java™ class that generates the workflow activity timeout notification. Example (default, entered as a single line). enrole.workflow.notification.activitytimeout= com.ibm.itim.workflow.notification.TemplateActivityTimeoutNotification
enrole.workflow.notification.processtimeout
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates the workflow process timeout notification. Example (default, entered as a single line). enrole.workflow.notification.processtimeout=com.ibm.itim.workflow. notification.TemplateProcessTimeoutNotification
enrole.workflow.notification.processcomplete
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates the notification for when a workflow process is completed.. Example (default, entered as a single line). enrole.workflow.notification.processcomplete=com.ibm.itim.workflow. notification.TemplateProcessCompleteNotification
enrole.workflow.notification.pendingwork
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates the notification for when a workflow process is completed for manual activities (Approvals and Requests for Information). Example (default, entered as a single line). enrole.workflow.notification.pendingwork=com.ibm.itim.workflow. notification.TemplatePendingWorkNotification
enrole.workflow.notification.newaccount
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates the notification for when a workflow process is completed for a new account. Example (default, entered as a single line). enrole.workflow.notification.newaccount=com.ibm.itim.workflow. notification.TemplateNewAccountNotification
enrole.workflow.notification.newpassword
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates a notification when a user changes a password. This property is used only when the value for the property is true. enrole.workflow.notifypassword=true This property responds to the following three-password change scenarios. When a user changes the password for the account When the administrator forces a password change on the account When a user is successfully identified through the password challenge/response feature, and challenge/response is configured. Valid classes include. NewPasswordNotification Email notification that includes the password (in ASCII text) is sent to a user (default). EmptyNotificationFactory Suppresses email notification. The preferred method for suppressing any notification is through the Workflow Notification GUI. PasswordChangeNotificationFactory Email notification that does not include the password is sent to a user. Message body says: "Process completed". The EmptyNotificationFactory and PasswordChangeNotificationFactory classes are in the examples.jar package in the examples directory. Example (default, entered as a single line). enrole.workflow.notification.newpassword=com.ibm.itim.workflow. notification.TemplateNewPasswordNotification
enrole.workflow.notification.deprovision
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates deprovisioning notification. Example (default, entered as a single line). enrole.workflow.notification.deprovision=com.ibm.itim.workflow. notification.TemplateDeprovisionNotification
enrole.workflow.notification.workorder
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates work order notifications. Example (default, entered as a single line). enrole.workflow.notification.workorder=com.ibm.itim.workflow. notification.TemplateWorkOrderNotification
enrole.workflow.notification.changeaccount
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates account change notifications. Example (default, as a single line). enrole.workflow.notification.changeaccount= com.ibm.itim.workflow.notification.TemplateChangeAccountNotification
enrole.workflow.notification.restoreaccount
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates account restoration notifications. Example (as a single line). enrole.workflow.notification.restoreaccount= com.ibm.itim.workflow.notification.TempateRestoreAccountNotification
enrole.workflow.notification.suspendaccount
	Do not change this property key and value unless you are a qualified administrator. Specifies the default Java class that generates account suspension notifications. Example (as a single line). enrole.workflow.notification.suspendaccount= com.ibm.itim.workflow.notification.TemplateSuspendAccountNotification