Powered by Algolia

    Batch / Scheduled Tasks

    Usage of batch tasks provides the ability to support any kind of business logic (like sending out notifications, building custom reports and other periodical routine tasks). OpenIAM provides a set of out-of-the-box batch tasks, some of them can be customized via groovy scripts, some should remain as delivered. This section will provide descriptions for most frequent batch tasks provided in OpenIAM.

    Running a shell script with a batch task

    If running sh. is required/necessary, you can use the following a code reference:

    ProcessBuilder processBuilder = new ProcessBuilder()
    

       println "parameter_1: " + parameter_1
       println "parameter_2: " + parameter_2
    

        processBuilder.command("bash", "-c",
            "sh  /tmp/script.sh ${parameter_1} ${parameter_2} ")
                        try {
    

                            Process process = processBuilder.start()
    

                            BufferedReader reader = new BufferedReader(
    

                                    new InputStreamReader(process.getInputStream()))
    

                            StringBuilder output = new StringBuilder()
    

                            String line
    

                            while ((line = reader.readLine()) != null) {
                                output.append(line)
                            }
    

                            println("Script output:" + output)
                        } catch (IOException e) {
                            e.printStackTrace()
                        } catch (InterruptedException e) {
                            e.printStackTrace()
    

                        }

    Due to security reasons, java.io package is not in the whitelist of imports (you can't just instantiate classes of this package in groovy). To tackle that add 

    -Dorg.openiam.groovy.extra.whitelist.package=java.io

    file for groovy-manager and esb, as follows:

    Shell script for a batch task

    into openiam-docker-compose/3.2/services/docker-compose.yaml (for Docker) or to /etc/systemd/system/openiam-groovy.service and /etc/systemd/system/openiam-esb.service (for RPM).

    For example,git status for RPM:

    ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m -Djdk.tls.client.protocols=TLSv1.2 
    -Dorg.openiam.groovy.extra.whitelist.package=java.io

    Out-of-the-box tasks

    Task nameShort description
    [Access Certification Reminder]Task sends out notifications for reviewers for uncompleted access review tasks
    [Access Certification reporting]Task sends out an access certification report to a UAR manager upon completion of campaign
    ACCOUNT_LOCKED_NOTIFICATIONTask sends out notification 'ACCOUNT_LOCKED' for all locked account at the moment
    Activate by Start DateTask initiates user activation process
    Activation reminderTask sends out notification NEW_USER_ACTIVATION_REMIND to users with status PENDING_INITIAL_LOGIN and created recently
    Clean Auth State tableSystem task. Task set AUTH_STATE=0 in rows where LAST_LOGIN less than 24 h and delete rows where LAST_LOGIN older than 30 days in table AUTH_STATE
    Cleanup OLD CSV FilesTask deletes CSV files attached in sync configurations more than year ago
    Delete/Deactivate by last DataTask sets status DEACTIVATE to users with status PENDING_DEACTIVATION and deletes user with status PENDING_DELETE
    Disable by last dateThis batch task when executed internally calls LeaverProcess.groovy which picks up the user to be terminated according to the logic written and terminates the user.
    Escalation of expired requestsTask initiates escalation of access requests if approvers expired SLA
    Failed provision requests reportTask compiles and sends our report about failed provisioning events
    INACTIVE_USERTask picks up users who haven't logged in for 90 days, deactivates their accounts and sends our notification ACCOUNT_INACTIVE
    Notification of expiring/revoke of expired accessTask picks up users with access that is about to expire and sends our notification ACCESS_IS_ALMOST_EXPIRED. Also task initiates revoke access workflow for expired access
    Notification reminders for approversTask sends out notification APPROVER_REMINDER to approvers who didn't make decision for pending requests
    PASSWORD_EXPIREDTask sends out email notification PASSWORD_EXPIRED to users with expired password
    PASSWORD_NEAR_EXPTask sends out email notification PASSWORD_NEAR_EXPIRATION to users with almost expired password
    Perform Business Rules recalculationTasks applies recent changes in business rules to all user set
    Provision / Deprovision on dateTask allows providing a future dated access.

    Access Certification Reminder

    Access Certification reporting

    ACCOUNT_LOCKED_NOTIFICATION

    Activate by Start Date

    Activation reminder

    Clean Auth State table

    Cleanup OLD CSV Files

    Delete/Deactivate by last Data

    Disable by last date check

    Escalation of expired requests

    Failed provision requests report

    INACTIVE_USER

    Notification of expiring/revoke of expired access

    Notification reminders for approvers

    PASSWORD_EXPIRED

    PASSWORD_NEAR_EXP

    Perform Business Rules recalculation

    Previous
    Whitelisting packages
    Next
    Provision/Deprovision on date