Powered by Algolia

    Batch/Scheduled tasks

    Using batch tasks provides the ability to support various business logic operations, such as sending notifications, generating custom reports, and performing other periodic routine tasks. OpenIAM provides a set of out-of-the-box batch tasks; some can be customized via Groovy scripts, while others should remain as delivered. This section describes the most frequently used batch tasks provided in OpenIAM.

    As of v2026.5.2, batch tasks run in a dedicated microservice, batch-task-manager, with its own JVM, its own resource budget, and its own database (batchtasks) — they no longer share heap with openiam-esb. Customer Groovy scripts that previously imported from org.openiam.esb.core.batch.tasks.* must be updated to org.openiam.batch.manager.initializer.* (and org.openiam.batch.manager.domain.BatchTaskEntity in place of org.openiam.esb.domain.BatchTaskEntity). See New in v2026.5.2 for the full package-move list and upgrade steps.

    Running a shell script with a batch task

    If running a shell script is required, you can use the following code reference:

    ProcessBuilder processBuilder = new ProcessBuilder()
    

    println "parameter_1: " + parameter_1
    println "parameter_2: " + parameter_2
    

    processBuilder.command("bash", "-c", 
        "sh /tmp/script.sh ${parameter_1} ${parameter_2}")
    

    try {
        Process process = processBuilder.start()
        BufferedReader reader = new BufferedReader(
            new InputStreamReader(process.getInputStream()))
        StringBuilder output = new StringBuilder()
        String line
        while ((line = reader.readLine()) != null) {
            output.append(line)
        }
        println("Script output:" + output)
    } catch (IOException e) {
        e.printStackTrace()
    } catch (InterruptedException e) {
        e.printStackTrace()
    }

    Due to security reasons, the java.io package is not whitelisted for imports (you cannot directly instantiate classes from this package in Groovy). To resolve this, add the following property...

    -Dorg.openiam.groovy.extra.whitelist.package=java.io

    ... to the configuration files for Groovy Manager and ESB as follows.

    Shell script for a batch task

    For Docker, modify the following.

    _openiam-docker-compose/3.2/services/docker-compose.yaml_

    For RPM, modify the following.

    /etc/systemd/system/openiam-groovy.service
    /etc/systemd/system/openiam-esb.service

    For example, for RPM:

    ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m -Djdk.tls.client.protocols=TLSv1.2 
    -Dorg.openiam.groovy.extra.whitelist.package=java.io"

    Out-of-the-box tasks

    Task NameDescription
    Access Certification ReminderSends notifications to reviewers for incomplete access review tasks.
    Access Certification ReportingSends an access certification report to each campaign manager upon campaign completion.
    Deleting User Access Request CampaignCancels user access request campaign tasks.
    ACCOUNT_LOCKED_NOTIFICATIONSends an 'ACCOUNT_LOCKED' notification for all currently locked accounts.
    Activate by Start DateInitiates the user activation process.
    Activation ReminderSends 'NEW_USER_ACTIVATION_REMIND' notifications to users with 'PENDING_INITIAL_LOGIN' status.
    Clean Auth State TableSets AUTH_STATE=0 for rows where LAST_LOGIN is less than 24 hours old and deletes rows where LAST_LOGIN is older than 30 days.
    Cleanup Old CSV FilesDeletes CSV files attached in sync configurations older than one year.
    Delete/Deactivate by Last DataSets status DEACTIVATE for users with PENDING_DEACTIVATION status and deletes users with PENDING_DELETE status.
    Disable by Last DateExecutes LeaverProcess.groovy to terminate users based on predefined logic.
    Escalation of Expired RequestsInitiates escalation of access requests if approvers exceed SLA deadlines.
    Failed Provision Requests ReportGenerates and sends reports on failed provisioning events.
    INACTIVE_USERDeactivates users who haven't logged in for 90 days and sends 'ACCOUNT_INACTIVE' notifications.
    Notification of Expiring/Revoked AccessSends 'ACCESS_IS_ALMOST_EXPIRED' notifications for expiring access and initiates the revoke access workflow for expired access.
    Notification Reminders for ApproversSends 'APPROVER_REMINDER' notifications for pending approval requests.
    PASSWORD_EXPIREDSends 'PASSWORD_EXPIRED' email notifications to users with expired passwords.
    PASSWORD_NEAR_EXPSends 'PASSWORD_NEAR_EXPIRATION' email notifications to users with soon-to-expire passwords.
    Perform Business Rules RecalculationApplies recent business rule changes to the entire user set.
    Provision / Deprovision on dateAllows future-dated access provisioning.
    Previous
    Whitelisting packages
    Next
    Provision/Deprovision on date