Modifying how operations are viewed

You can use the workflow view modification plugin to modify which operations are visible to viewers of workflow requests in Bravura Security Fabric. This is useful in cases where access changes such as account creation, additions to groups, or role changes are known only at an abstract level. This plugin can be used where:

  • Viewing operation details may be excessive or confusing

  • Details should be accessible but a summary would be more appropriate

  • Some details are irrelevant to an authorizer who is authorizing a single group addition

  • It may be inappropriate for an authorizer of one operation to see what else is being requested

This is an alternative to mapping several operations to a single request using the operation rewrite plugin. The following use cases demonstrate how the operations view modification plugin might be used:

Use case 1: Showing authorizers only what they are authorizing

Normally, authorizers can see all operations that are part of a request, including those that they are not required to authorize. This may be confusing for an authorizer who only needs to authorize part of a request, and may even lead them to mistakenly deny the request.

The workflow view modification plugin can display only the operations for which the viewer is the authorizer.

Use case 2: Abstract modifications

The requester wants to remove a user’s “floor fire marshal” role. This entails removing the user from a distribution list and from three groups, and restricting their access within the building’s security system.

End users – the requester, recipient and the assigned authorizers – do not understand the list, the groups, or the security system. All they understand or care about is that the user is no longer the floor fire marshal.

The requester changes some attributes on the user’s profile page and submits the request.

Bravura Security Fabric runs the request rewrite plugin to “fan out” the request to include operations affecting the list, the groups and the security system (using an implementer target). It also includes a pseudo operation to “update the user” to remove her from the floor fire marshal role.

The workflow view modification plugin rewrites what the users see so that the request only contains the removal from the role. The plugin can make the real operation details available if the user clicks a Details button where a summary of the request is listed.

The plugin is run by the Requests app whenever a request is viewed on the request details pages.

To use this plugin, type the name of the plugin in the IDSYNCH WORKFLOW MOD VIEW PLUGIN field on the Workflow > Options > Plugins configuration page.

There are no shipped plugins in use with this plugin point. A sample, plugin-wf-modview.psl, is available in the samples\ directory.

Requirements

See Writing plugins for general requirements.

Execution points

The plugin is run by the Workflow Manager Service.

Input

Input to the plugin includes:

"" "" = {
  "module" = "<module>"
  "recipient" "user" = { }      # Recipient's data if they are an
                                # existing user
  "request" "" = {              # Standard request data listing resources
    "resource" "" = {}
  }
  "detailResource" = "<itemID>" # If this is present,
                                # the user has just clicked the 'Details' button
                                # next to the resource with the itemID.
                                # The plugin should return only resources
                                # that are considered details of that resource.
  "requester" "user" = {}       # Requester's data
  "viewer" "user" = {}          # Viewer's data
                                # -- requester, recipient, or authorizer
}

The "resource" KVGroup includes an "enact" key that is used to indicate which resources are affected during the request. This can be used to hide resources that are not affected during the request. For example, if the resource "enact" key is set to false, then the action on the resource is not executed, so it could be hidden.

Output

The operation view modification plugin returns the following output:

"" "" = {
  "errmsg" = ""                 # error message, if any
  "retval" = "<N>"              # 0 is success, anything else is failure
  "changed" = "(true|false)"    # If this is included and set to false, it
                                # will be assumed that all items will be
                                # visible.
  "resource" "" = {
                                # Followed by any number of resource entries
    "display" = "(true|false)"  # If this is present and set to false,
                                # hide the resource.  If the item is not in
                                # the output, it will be displayed.
    "detailsAvailable" = "(true|false)" # If this is present and set to
                                # true, display a button to allow details to
                                # be viewed for this resource. The plugin
                                # determines what resources are considered to
                                # be details of this resource.
  }
}
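One way to model the view decision described in the Input and Output sections, as an added example that is not the shipped plugin-wf-modview.psl sample and does not use any Bravura API. Plain Python dicts stand in for the KVGroups; the "id" key, the DETAIL_OF mapping and the sample item names are constructed assumptions.

```python
# Added illustration: plain dicts stand in for the KVGroup input and output.
# Assumptions: each resource carries an "id" key, and the plugin author
# maintains DETAIL_OF. Only "enact", "detailResource", "display",
# "detailsAvailable", "changed", "retval" and "errmsg" come from the page.

# Constructed mapping: detail item -> summary item it belongs to.
DETAIL_OF = {
    "grp-floor3": "role-fire-marshal",
    "dl-marshals": "role-fire-marshal",
    "door-system": "role-fire-marshal",
}

# Constructed request modelled on use case 2.
SAMPLE = {
    "module": "<module>",
    "request": {"resource": [
        {"id": "role-fire-marshal", "enact": "true"},
        {"id": "grp-floor3", "enact": "true"},
        {"id": "dl-marshals", "enact": "true"},
        {"id": "door-system", "enact": "true"},
        {"id": "attr-unchanged", "enact": "false"},
    ]},
}

def modify_view(request, detail_of=DETAIL_OF):
    """Return a display decision for every resource in the request."""
    resources = request.get("request", {}).get("resource", [])
    clicked = request.get("detailResource")
    out = {"errmsg": "", "retval": "0", "changed": "true", "resource": {}}
    for res in resources:
        rid = res["id"]
        parent = detail_of.get(rid)
        if clicked is not None:
            # Details view: show only the details of the clicked item.
            show = parent == clicked
        else:
            # Summary view: hide detail items and anything not enacted.
            show = parent is None and res.get("enact", "true") != "false"
        entry = {"display": "true" if show else "false"}
        if show and clicked is None and rid in detail_of.values():
            entry["detailsAvailable"] = "true"
        # An item missing from the output is displayed, so every
        # resource gets an explicit entry, including the hidden ones.
        out["resource"][rid] = entry
    return out
```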