General workflow options

To configure general settings related to workflow:

Click Workflow > Options > General.
Enable options and type values for the fields listed in Table 1, “General workflow options”.
If required, configure event options listed in Table 2, “Workflow general events that launch interface programs”and Table 3, “Workflow manager service (idwfm) events that launch interface programs”.
Click Update.
Some of the options on this page may apply to products that you do not have installed.
Options marked with a in this document can also be configured from the Modules menu.

Table 1. General workflow options

Option	Description
ENABLE DELETE OTHER OWNER	Active Directory network resource owners are allowed to delete other group owners.
HIDE PLUGIN ERRMSG FROM USERS	Hide detailed plugin error messages from end users. When enabled, end uses only see "Plugin failed". When disabled (default) plugin error messages include the path to the plugin, and if possible, the script line number and error message.
IDACCESS GROUPS THRESHOLD	If the number of groups with access to a network resource is greater than or equal to this threshold, consider the resource problematic. This value is used by the IDACCESS TOO MANY GROUPS event option. For example, too many groups with access to a resource may indicate an infrastructure management issue. The interface program set by IDACCESS TOO MANY GROUPS can check to see if the problematic resource has been reviewed before, and if not, send information about the resource to the system administrator.
IDP APPROVE SINGLE RESOURCE	If enabled, authorizers can approve or deny requested resources individually. When enabled, an approved operation is immediately actioned, without waiting for the entire request to be approved; for example, where a request is submitted to add a user to three groups, as soon as group owner one approves their part, the user gets added to group one and that state is reflected on the authorization status page. Note This is setting is temporarily disabled if the request is for a group set or account set access. This is to prevent users from gaining access to denied requests of this type if a single resource is approved. See also: Act on individual entitlements in the end-user documentation.
IDP REQUIRES REASON APPROVAL	Authorizers are required to enter a reason when they approve a request.
IDP REQUIRES REASON REJECTION	Authorizers are required to enter a reason when they deny a request.
IDSYNCH FULL NAME FORMAT	How the full name of a user displays in email and Bravura Security Fabric web pages. See Determining the full name format.
IDV REQUIRES REASON COMPLETED	Implementers must enter a reason for marking a task as completed.
IDV REQUIRES REASON COULD NOT COMPLETE	Implementers must enter a reason for being unable to complete a task.
IDWFM AUTH PHASE PROPAGATION	If an authorizer is configured to be in more than one phase, allow the authorizer’s response in the first phase to be propagated to later phases.
IDWFM AUTO APPROVE	Allow requests where the requester is also the authorizer to be automatically approved.
IDWFM AUTO REJECT TIME	Number of days before a request is automatically denied if it is not processed. This field ignores the REQUIRES REASON DELETION option if it is set.
IDWFM CURRENT EVENT CACHE TIME	Cache events in the Workflow Manager Service that are younger than this many hours. Default is 12. The larger the number, the more memory spaces are allocated to the Workflow Manager Service for cache; however, if this number is too big, it may break Windows memory management, causing unexpected results.
IDWFM DAYS COUNT WEEKDAY ONLY	If enabled, the Workflow Manager Service auto reject time and escalation time only includes weekdays.
MAX AUTH ALLOWED	The maximum number of authorizers or implementers that the workflow service can assign to each resource in a request. When the number of authorizers or implementers exceeds this value, the request is put on hold. The value can be from 0 to 200. The default is 20.
MAX UPLOAD FILE SIZE	The maximum file size allowed for uploaded profile and request attributes. The default is 1000KB.
REQUIRES REASON DELETION	Requesters and recipients are required to enter a reason when they delete a change request when using the Requests .
WF ALLOW GROUP WITH NO ACCOUNT	Allow users to request groups on target systems where they do not have an account.
WF ATTRVAL PLUGIN RUN IDR SUMMARY	When enabled, the attribute validation plugin will execute on the request summary page. This will allow any additional attributes to be added to the request prior to submission. By default, this option is disabled.
WF CLEAN RESERVEOBJ	When a request is initiated, and before it is posted, Bravura Security Fabric reserves IDs to ensure that they are unique. By default, Bravura Security Fabric cleans up a request’s reserved objects when a request fails to post or goes into “On hold pending administrator intervention” status.This allow reservations to be made again if a previous request attempted to make the reservation and failed. Turn this off if you want clean up of reserved IDs to be handled in another way, for example, by calling API processes, to avoid situations where valid reservations are deleted.
WF HIDE AUTHORIZERS	When enabled, the list of authorizers assigned to a request is hidden on the request details page. By default, this option is enabled. Authorizers can choose to see who else may be reviewing a request by selecting the Authorizers checkbox. When disabled, the authorizers list is always shown.
WF HIDE OTHER OPERATIONS	When enabled, authorizers only see operations they are assigned to when reviewing a request. By default, this option is enabled. Authorizers can change this view by selecting a Show all—Show mine toggle, or by selecting an All operations checkbox on the request details page. When disabled, all operations that are part of a request are always shown.
WF ONLY PROP ATTRS ON UPDATE	When enabled, profile and request attribute changes are only propagated to target system attributes during profile update requests. By default, this option is disabled. When disabled, all updates to attributes are propagated to affected target systems, regardless of the operation being performed.
WF ONLY SHOW EXPECTED OPERATIONS	When a request is viewed and a resource is not enacted the default view will to show all operations expected. When this is set to enabled the request will show only the operations that will occur. Users can change this view on the request page with a Show all and Hide button.
WF PHASED AUTH	Enable this option to allow phased authorization of resources and policies. To disable this option, you must first delete all phases from resources and policies.
WF REMOVE PERMANENT RESERVATIONS ON DENIAL	Enable this option to allow deleting permanent reservations when the request is denied.
WF RESERVE ON PRIMARY	Enable this option to send reserve requests to the primary instance when the requests are made from a replication node.
WF RESOURCE RELATEDONLY	Enable this option to include only resources assigned to the recipient in authorizer notification emails
WF ROLE USERADDDEL IGNORE DEPS	When this option is enabled, role membership will be added or deleted even if some dependent operations fail.
WF RUN CONFLICTING OPS	When this option is enabled, conflicting operations (for example, remove a group, add the same group) are both run. If set to disabled, the operations cancel each other out, and neither is run.
WF USER EDITABLE PARENT REQUEST	Enable this option to allow workflow managers to manually "attach" and "detach" child requests to/from a specific parent request.
WF WAIT AUTHORIZER CALCULATION	Enable this option to get Bravura Security Fabric to wait while authorization requirements are being calculated before returning to CGI pages where requests are issued. This may be useful in cases where users who are auto-approved may be confused when the request status is temporarily shown as waiting for authorization.

Table 2. Workflow general events that launch interface programs

Option	Description
APPROVED EXCEPTION ADD FAILURE	An exception to a SoD rule fails to be added to the database.
APPROVED EXCEPTION ADD SUCCESS	An exception to a SoD rule is successfully added to the database.
APPROVED EXCEPTION DEL FAILURE	An exception to a SoD rule fails to be deleted from the database.
APPROVED EXCEPTION DEL SUCCESS	An exception to a SoD rule is successfully deleted from the database.
EXCEPTION DEFICIT PRIVILEGE ADD	A role-enforcement deficit exception is approved.
EXCEPTION DEFICIT PRIVILEGE DEL	A role-enforcement deficit exception is deleted.
EXCEPTION SURPLUS PRIVILEGE ADD	A role-enforcement surplus exception is approved.
EXCEPTION SURPLUS PRIVILEGE DEL	A role-enforcement surplus exception is deleted.
GROUP CREATE FAILURE	A group fails to be created.
GROUP CREATE SUCCESS	A group is created.
GROUP DELETE FAILURE	A group fails to be deleted.
GROUP DELETE SUCCESS	A group is deleted.
GROUP GROUPADD SUCCESS	A group has been successfully added to another group
GROUP GROUPADD FAILURE	A group has failed to be added to another group.
GROUP GROUPDELETE SUCCESS	A group has been successfully removed from another group.
GROUP GROUPDELETE FAILURE	A group has failed to be removed from another group.
GROUP OWNER ADD SUCCESS	A user is successfully made an owner of a group.
GROUP OWNER DELETE SUCCESS	A user’s ownership of a group is revoked.
IDACCESS TOO MANY GROUPS	A network resource plugin returns a number of groups greater than or equal to the value of the IDACCESS GROUPS THRESHOLD setting.
IMPLEMENTER POPULATED	Implementers are assigned to a resource.
NR CREATE FAILURE	Program to execute when a network resource failed to be created.
NR CREATE SUCCESS	Program to execute when a network resource is successfully created
NR DELETE FAILURE	Program to execute when a network resource failed to be deleted.
NR DELETE SUCCESS	Program to execute when a network resource is successfully deleted.
NR MOVE FAILURE	Program to execute when a network resource failed to be moved.
NR MOVE SUCCESS	Program to execute when a network resource is successfully moved.
NR UPDATE FAILURE	Program to execute when a network resource failed to be updated.
NR UPDATE SUCCESS	Program to execute when a network resource is successfully updated.
OBJECT RELATION ADD FAILURE	Program to execute when a relationship between two objects fails to be established.
OBJECT RELATION ADD SUCCESS	Program to execute when a relationship between two objects is established.
OBJECT RELATION DEL FAILURE	Program to execute when a relationship between two objects fails to be removed.
OBJECT RELATION DEL SUCCESS	Program to execute when a relationship between two objects is removed.
PREQUEST USED	A pre-defined request is used.
REMOVE ROLE FAILURE	A role fails to be removed from a user.
REMOVE ROLE SUCCESS	A role is successfully removed from a user.
USER CREATE FAILURE	An account fails to be created.
USER CREATE SUCCESS	An account is successfully created.
USER DELETE FAILURE	An account fails to be deleted
USER DELETE SUCCESS	An account is successfully deleted.
USER DISABLE FAILURE	An account fails to be disabled.
USER DISABLE SUCCESS	An account is successfully disabled.
USER ENABLE FAILURE	An account fails to be enabled.
USER ENABLE SUCCESS	An account is successfully enabled
USER GROUPADD FAILURE	A user fails to be made a member of a group.
USER GROUP ADD SUCCESS	A user is successfully made a member of a group.
USER GROUPDELETE FAILURE	A user fails to be removed from a group.
USER GROUPDELETE SUCCESS	A user is successfully removed from a group.
USER MOVECTX FAILURE	An account fails to be moved to another context.
USER MOVECTX SUCCESS	An account is successfully moved to another context.
USER UPDATE FAILURE	An account fails to be updated.
USER UPDATE SUCCESS	An account is successfully updated.
WF MODELAFTER USED	A request has been submitted using profile comparison.
WF MODELAFTER VIEW	A model user has been selected for profile comparison.
WF REQUEST ACTION FINALIZED	Some actions in a request have been finalized.
WF REQUEST COMPLETED	A request has been completed. No more actions are to be taken.
WF REQUEST DECIDED	A request has been fully decided. All actions have been approved, denied, or canceled.
WF REQUEST ONHOLD	A request has been put on hold.
WF REQUEST POSTED	A request has been posted to workflow.
WF REQUEST POST FAILURE	A request has failed to be posted to workflow.

Table 3. Workflow manager service (idwfm) events that launch interface programs

Option	Description
IDWFM EVENT ABORT	Workflow Manager Service aborts a workflow event.
IDWFM EVENT EMAIL MISSING	Workflow Manager Service detects the email address is missing for the email recipient.
IDWFM EVENT FAILURE	Workflow Manager Service fails to execute a workflow event.
IDWFM EVENT RETRY	Workflow Manager Service retries a workflow event.
IDWFM EVENT START	Workflow Manager Service starts a workflow event.
IDWFM EVENT SUCCESS	Workflow Manager Service succeeds in executing a workflow event.

Determining the full name format

You determine how Bravura Security Fabric displays the full name of a user in email and Bravura Security Fabric web pages by modifying the value of IDSYNCH FULL NAME FORMAT.

This field consists of sub-strings, where each are enclose by % characters and can contain specific start/end positions.

An end position cannot be specified without a start position.

Some sub-string examples include:

%FIRST_NAME% displays the first name as entered when the user was created.
%OTHER_NAME:1:2% displays the first letter of the other name as entered when the user was created.
%LAST_NAME:1:9% displays the first 8 letters of the last name as entered when the user was created.
%LAST_NAME:9% displays the last letters of the last name starting at the 9th letter as entered when the user was created.

The default is %FIRST_NAME% %OTHER_NAME% %LAST_NAME% which is the user’s first name followed by their other (middle) name and then their last name.

See also

See Modifying workflow options for sending mail to learn how to customize settings for sending messages during authorization workflow.

In this section:

General workflow options

Note

Determining the full name format

Search results