Recertification extensions

The recertification extensions track the recertification state in a workflow.


Overview

A recertification extension is code that can be called directly from a workflow. An extension defined for accounts also handles the recertification state for accesses, and uses data services to update the attributes stored on the account object. These extension methods are integrated into the AccountExtensions class from the com.ibm.itim.workflowextensions package.

Because the recertification extensions provided are considered activities by the workflow engine, any failure in those extensions is returned as a failure when the activity completes. This result causes the recertification workflow to fail, and its failure is audited in the RECERTIFICATIONLOG audit table as well. The following extensions are provided:


recertificationMark

The public ProcessResult recertificationMark(Account) extension updates erLastRecertificationAction for the target type. It updates the erLastRecertificationAction attribute to:

The recertification action is audited in the RECERTIFICATIONLOG table for use by reports.


constructApprovalDocument

The public ProcessResult constructApprovalDocument(Person, RecertificationPolicy) extension constructs the PackagedApprovalDocument that is required for user-based recertification. This document contains all of the static roles, accounts, and groups for the specified person.

If there are no recertification targets for the person, this method returns a ProcessResult with a WARNING summary and an embedded message. In this case, it contains an output parameter list with an empty document. Otherwise, if successful, the ProcessResult contains a populated document for this particular person.


recertificationMarkAccess

The public ProcessResult recertificationMark(UserAccessAccount) extension has the same function for accesses as recertificationMark() has for users and accounts. It updates the erAccessLastRecertificationAction attribute specific to the UserAccess passed in to: The recertification action is audited in the RECERTIFICATIONLOG table for use by reports. This method is for suspending accounts only. No method for suspending access is provided.


recertificationSuspend

The public ProcessResult recertificationSuspend(Account) extension updates erLastRecertificationAction for the account. It updates the erLastRecertificationAction attribute to: The recertification action is audited in the RECERTIFICATIONLOG table for use by reports. This method is for suspending accounts only. No method for suspending access is provided.


recertificationCertify

The public ProcessResult recertificationCertify(Account) extension updates erLastRecertificationAction for the target type. It updates the erLastRecertificationAction attribute to:

The recertification action is audited in the RECERTIFICATIONLOG table for use by reports. This extension also updates the erLastCertifiedDate attribute with the current timestamp.


recertificationCertifyAccess

The public ProcessResult recertificationCertify(UserAccessAccount) extension updates erLastAccessRecertificationAction for the access. It updates the erLastRecertificationAction attribute for the specified UserAccess to: The recertification action is audited in the RECERTIFICATIONLOG table for use by reports. This extension also updates the erAccessLastCertifiedDate attribute for the accessAttribute with the current timestamp. This method is the access version of recertificationCertify for users and accounts.


recertificationAdminCertify

The public ProcessResult recertificationAdminCertify(Account) extension updates erLastRecertificationAction for the target type. It updates the erLastRecertificationAction attribute to:

The recertification action is audited in the RECERTIFICATIONLOG table for use by reports. This extension also updates the erLastCertifiedDate attribute with the current timestamp.


recertificationAdminCertifyAccess

The public ProcessResult recertificationAdminCertify(UserAccessAccount) extension updates erLastRecertificationAction for the access. It updates the erAccessLastRecertificationAction attribute for the UserAccess passed in to: The recertification action is audited in the RECERTIFICATIONLOG table for use by reports. This extension also updates the erAccessLastCertifiedDate attribute for the accessAttribute with the current timestamp. This method is the access version of recertificationAdminCertify for users and accounts.


remediateAccountsAndGroups

The public ProcessResult remediateAccountsAndGroups(PackagedApprovalDocument, Person, RecertificationPolicy, String) extension runs user recertification remediation on all of the accounts, groups, and accesses in the approval document. Each entry is processed based on the responses in the document and the enforcement action of the policy. Any recertification status updates are performed directly through data services. Any removals of accounts, groups, or accesses are handled by launching the appropriate workflow operation as a subprocess.


remediateRoleMemberships

The public ProcessResult remediateRoleMemberships(PackagedApprovalDocument, Person, RecertificationPolicy, String) extension runs user recertification remediation on all role memberships in the approval document. Each entry is processed based on the responses in the document and the enforcement action of the policy. If any roles are removed, this extension launches the person modify operation to process the removal and corresponding policy enforcement actions. If no roles are removed, this activity directly invokes policy enforcement to verify the recertification is performed on every person.


updateRecertificationStatusAllApproved

The public ProcessResult updateRecertificationStatusAllApproved(PackagedApprovalDocument, Person, RecertificationPolicy) extension processes the approval document, and updates the recertification status of each entry. The entries include accounts, groups, and role memberships. This extension is only invoked when all choices in the document are approved. Different extensions are used for remediation. Any recertification status updates are performed directly through data services.


updateRecertificationStatusEmptyDocument

The public ProcessResult updateRecertificationStatusEmptyDocument(PackagedApprovalDocument, Person, RecertificationPolicy) extension updates the required recertification status on the person being recertified. It is the only action required in the case that the document does not contain any resources. The recertification status updates are performed directly through data services.
