Batch/Scheduled tasks

Using batch tasks provides the ability to support various business logic operations, such as sending notifications, generating custom reports, and performing other periodic routine tasks. OpenIAM provides a set of out-of-the-box batch tasks; some can be customized via Groovy scripts, while others should remain as delivered. This section describes the most frequently used batch tasks provided in OpenIAM.

Running a shell script with a batch task

If running a shell script is required, you can use the following code reference:

ProcessBuilder processBuilder = new ProcessBuilder()

println "parameter_1: " + parameter_1
println "parameter_2: " + parameter_2

processBuilder.command("bash", "-c", 
    "sh /tmp/script.sh ${parameter_1} ${parameter_2}")

try {
    Process process = processBuilder.start()
    BufferedReader reader = new BufferedReader(
        new InputStreamReader(process.getInputStream()))
    StringBuilder output = new StringBuilder()
    String line
    while ((line = reader.readLine()) != null) {
        output.append(line)
    }
    println("Script output:" + output)
} catch (IOException e) {
    e.printStackTrace()
} catch (InterruptedException e) {
    e.printStackTrace()
}

Due to security reasons, the java.io package is not whitelisted for imports (you cannot directly instantiate classes from this package in Groovy). To resolve this, add the following property...

-Dorg.openiam.groovy.extra.whitelist.package=java.io

... to the configuration files for Groovy Manager and ESB as follows.

For Docker, modify the following.

_openiam-docker-compose/3.2/services/docker-compose.yaml_

For RPM, modify the following.

/etc/systemd/system/openiam-groovy.service
/etc/systemd/system/openiam-esb.service

For example, for RPM:

ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m -Djdk.tls.client.protocols=TLSv1.2 
-Dorg.openiam.groovy.extra.whitelist.package=java.io"

Out-of-the-box tasks

Task Name	Description
Access Certification Reminder	Sends notifications to reviewers for incomplete access review tasks.
Access Certification Reporting	Sends an access certification report to a UAR manager upon campaign completion.
Deleting User Access Request Campaign	Cancels user access request campaign tasks.
ACCOUNT_LOCKED_NOTIFICATION	Sends an 'ACCOUNT_LOCKED' notification for all currently locked accounts.
Activate by Start Date	Initiates the user activation process.
Activation Reminder	Sends 'NEW_USER_ACTIVATION_REMIND' notifications to users with 'PENDING_INITIAL_LOGIN' status.
Clean Auth State Table	Sets `AUTH_STATE=0` for rows where `LAST_LOGIN` is less than 24 hours old and deletes rows where `LAST_LOGIN` is older than 30 days.
Cleanup Old CSV Files	Deletes CSV files attached in sync configurations older than one year.
Delete/Deactivate by Last Data	Sets status `DEACTIVATE` for users with `PENDING_DEACTIVATION` status and deletes users with `PENDING_DELETE` status.
Disable by Last Date	Executes `LeaverProcess.groovy` to terminate users based on predefined logic.
Escalation of Expired Requests	Initiates escalation of access requests if approvers exceed SLA deadlines.
Failed Provision Requests Report	Generates and sends reports on failed provisioning events.
INACTIVE_USER	Deactivates users who haven't logged in for 90 days and sends 'ACCOUNT_INACTIVE' notifications.
Notification of Expiring/Revoked Access	Sends 'ACCESS_IS_ALMOST_EXPIRED' notifications for expiring access and initiates the revoke access workflow for expired access.
Notification Reminders for Approvers	Sends 'APPROVER_REMINDER' notifications for pending approval requests.
PASSWORD_EXPIRED	Sends 'PASSWORD_EXPIRED' email notifications to users with expired passwords.
PASSWORD_NEAR_EXP	Sends 'PASSWORD_NEAR_EXPIRATION' email notifications to users with soon-to-expire passwords.
Perform Business Rules Recalculation	Applies recent business rule changes to the entire user set.
Provision / Deprovision on date	Allows future-dated access provisioning.

Whitelisting packages

Provision/Deprovision on date