Batch / Scheduled Tasks

Batch tasks make it possible to support any kind of business logic, such as sending out notifications, building custom reports and other periodic routine tasks. OpenIAM provides a set of out-of-the-box batch tasks; some of them can be customized via Groovy scripts, while others should remain as delivered. This section describes the most frequently used batch tasks provided in OpenIAM.

Running a shell script with a batch task

If running a shell script is required, you can use the following code as a reference:

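// parameter_1 and parameter_2 must already be defined in the script's scope
println "parameter_1: " + parameter_1
println "parameter_2: " + parameter_2
ProcessBuilder processBuilder = new ProcessBuilder()
// Pass each parameter as a separate argument instead of interpolating it into
// a "bash -c" string, so shell metacharacters in a value are not interpreted
processBuilder.command("sh", "/tmp/script.sh",
        "${parameter_1}".toString(), "${parameter_2}".toString())
try {
    Process process = processBuilder.start()
    // Read the script's standard output line by line
    BufferedReader reader = new BufferedReader(
            new InputStreamReader(process.getInputStream()))
    StringBuilder output = new StringBuilder()
    String line
    while ((line = reader.readLine()) != null) {
        output.append(line).append("\n")
    }
    // Wait for the script to finish and report its exit code
    int exitCode = process.waitFor()
    println("Script output:" + output)
    println("Exit code: " + exitCode)
} catch (IOException e) {
    e.printStackTrace()
} catch (InterruptedException e) {
    e.printStackTrace()
}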
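The batch-task parameters reach the script as positional arguments, so the script is the last place to reject unexpected values. The following is an added example, not OpenIAM's code: one possible shape for /tmp/script.sh, where the allow-list pattern, the 64-character limit and the function names valid_param and run_task are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not OpenIAM code): a possible /tmp/script.sh that treats the
# two batch-task parameters as untrusted input.

# Return 0 only if $1 is 1-64 characters from a constructed allow-list
# (letters, digits, dot, underscore, hyphen) and does not start with a hyphen,
# so a later command can never read it as an option.
valid_param() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Hypothetical task body: checks the argument count, validates both values,
# then uses them only in quoted expansions. Returns 2 for rejected input.
run_task() {
    if [ "$#" -ne 2 ]; then
        echo "usage: script.sh <parameter_1> <parameter_2>" >&2
        return 2
    fi
    for p in "$1" "$2"; do
        if ! valid_param "$p"; then
            echo "rejected parameter" >&2
            return 2
        fi
    done
    printf 'processed %s for %s\n' "$1" "$2"
}

# Run the task only when arguments were passed on the command line.
if [ "$#" -gt 0 ]; then
    run_task "$@"
fi
```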

For security reasons, the java.io package is not in the whitelist of imports, so you can't simply instantiate classes from this package in Groovy. To allow it, add

-Dorg.openiam.groovy.extra.whitelist.package=java.io

for groovy-manager and esb, in openiam-docker-compose/3.2/services/docker-compose.yaml (for Docker) or in /etc/systemd/system/openiam-groovy.service and /etc/systemd/system/openiam-esb.service (for RPM). The property whitelists the whole java.io package for Groovy scripts run by these services, not only the classes used above.

For example, for RPM:

ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m -Djdk.tls.client.protocols=TLSv1.2 -Dorg.openiam.groovy.extra.whitelist.package=java.io"

Out-of-the-box tasks

| Task name | Short description |
|---|---|
| Access Certification Reminder | Task sends out notifications to reviewers about uncompleted access review tasks |
| Access Certification reporting | Task sends out an access certification report to a UAR manager upon completion of a campaign |
| ACCOUNT_LOCKED_NOTIFICATION | Task sends out notification 'ACCOUNT_LOCKED' for all accounts that are locked at the moment |
| Activate by Start Date | Task initiates the user activation process |
| Activation reminder | Task sends out notification NEW_USER_ACTIVATION_REMIND to recently created users with status PENDING_INITIAL_LOGIN |
| Clean Auth State table | System task. Task sets AUTH_STATE=0 in rows where LAST_LOGIN is less than 24 h and deletes rows where LAST_LOGIN is older than 30 days in table AUTH_STATE |
| Cleanup OLD CSV Files | Task deletes CSV files attached to sync configurations more than a year ago |
| Delete/Deactivate by last Data | Task sets status DEACTIVATE for users with status PENDING_DEACTIVATION and deletes users with status PENDING_DELETE |
| Disable by last date | When executed, this batch task internally calls LeaverProcess.groovy, which picks up the user to be terminated according to the logic written and terminates the user |
| Escalation of expired requests | Task initiates escalation of access requests if the approvers' SLA has expired |
| Failed provision requests report | Task compiles and sends out a report about failed provisioning events |
| INACTIVE_USER | Task picks up users who haven't logged in for 90 days, deactivates their accounts and sends out notification ACCOUNT_INACTIVE |
| Notification of expiring/revoke of expired access | Task picks up users with access that is about to expire and sends out notification ACCESS_IS_ALMOST_EXPIRED. The task also initiates the revoke access workflow for expired access |
| Notification reminders for approvers | Task sends out notification APPROVER_REMINDER to approvers who haven't made a decision on pending requests |
| PASSWORD_EXPIRED | Task sends out email notification PASSWORD_EXPIRED to users with an expired password |
| PASSWORD_NEAR_EXP | Task sends out email notification PASSWORD_NEAR_EXPIRATION to users whose password is about to expire |
| Perform Business Rules recalculation | Task applies recent changes in business rules to the whole user set |
| Provision / Deprovision on date | Task allows providing future-dated access |

Access Certification Reminder

Access Certification reporting

ACCOUNT_LOCKED_NOTIFICATION

Activate by Start Date

Activation reminder

Clean Auth State table

Cleanup OLD CSV Files

Delete/Deactivate by last Data

Disable by last date check

Escalation of expired requests

Failed provision requests report

INACTIVE_USER

Notification of expiring/revoke of expired access

Notification reminders for approvers

PASSWORD_EXPIRED

PASSWORD_NEAR_EXP

Perform Business Rules recalculation