Batch/Scheduled tasks
Using batch tasks provides the ability to support various business logic operations, such as sending notifications, generating custom reports, and performing other periodic routine tasks. OpenIAM provides a set of out-of-the-box batch tasks; some can be customized via Groovy scripts, while others should remain as delivered. This section describes the most frequently used batch tasks provided in OpenIAM.
Running a shell script with a batch task
If a batch task needs to run a shell script, you can use the following code as a reference:

```groovy
// parameter_1 and parameter_2 are the values passed to the batch task
println "parameter_1: " + parameter_1
println "parameter_2: " + parameter_2

ProcessBuilder processBuilder = new ProcessBuilder()
// Pass each parameter as its own argument instead of building a "bash -c" string,
// so the shell never re-parses the parameter contents
processBuilder.command("sh", "/tmp/script.sh", parameter_1 as String, parameter_2 as String)

try {
    Process process = processBuilder.start()
    BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()))
    StringBuilder output = new StringBuilder()
    String line
    // Collect the script's standard output line by line
    while ((line = reader.readLine()) != null) {
        output.append(line).append('\n')
    }
    // Wait for the script to finish before reporting its output
    process.waitFor()
    println("Script output:" + output)
} catch (IOException e) {
    e.printStackTrace()
} catch (InterruptedException e) {
    e.printStackTrace()
}
```

For security reasons, the java.io package is not whitelisted for imports, so you cannot directly instantiate classes from this package in Groovy. To resolve this, add the following property...
-Dorg.openiam.groovy.extra.whitelist.package=java.io
... to the configuration files for Groovy Manager and ESB as follows.
For Docker, modify the following.
_openiam-docker-compose/3.2/services/docker-compose.yaml_
For RPM, modify the following.
/etc/systemd/system/openiam-groovy.service
/etc/systemd/system/openiam-esb.service
For example, for RPM:
ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m -Djdk.tls.client.protocols=TLSv1.2 -Dorg.openiam.groovy.extra.whitelist.package=java.io"
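Because this property relaxes the Groovy import restriction, it helps to be able to see which unit files carry it and whether it is written as its own option. The check below is an added example, not OpenIAM tooling: the function names, status labels and sample unit files are constructed here, modelled on the RPM line above.

```shell
#!/bin/sh
# Added example, not OpenIAM tooling. Status labels are this example's own.
KEY='-Dorg.openiam.groovy.extra.whitelist.package='

# Print "whitelisted:<value>", "fused:<token>" or "absent" for one unit file.
check_whitelist() {
    unit_file=$1
    result=absent
    # The JVM options are the quoted string on the ExecStart line.
    opts=$(sed -n 's/^ExecStart=//p' "$unit_file" | tr -d '"')
    set -f    # no glob expansion while word-splitting the options
    for tok in $opts; do
        case $tok in
            "$KEY"*)
                val=${tok#"$KEY"}
                result="whitelisted:$val" ;;
            *"$KEY"*)
                # Property glued to the previous option: the JVM reads it
                # as part of that option's value, so nothing is whitelisted.
                result="fused:$tok"
                break ;;
        esac
    done
    set +f
    printf '%s\n' "$result"
}

# Constructed sample units (paths and options modelled on the RPM example).
write_samples() {
    start='ExecStart=/usr/local/openiam/services/start.sh groovy-manager'
    tls='-Djdk.tls.client.protocols=TLSv1.2'
    printf '[Service]\n%s "-Xmx512m %s %sjava.io"\n' "$start" "$tls" "$KEY" > "$1/good.service"
    printf '[Service]\n%s "-Xmx512m %s%sjava.io"\n' "$start" "$tls" "$KEY" > "$1/fused.service"
    printf '[Service]\n%s "-Xmx512m %s"\n' "$start" "$tls" > "$1/plain.service"
}

dir=$(mktemp -d)
write_samples "$dir"
for unit in good fused plain; do
    printf '%s.service -> %s\n' "$unit" "$(check_whitelist "$dir/$unit.service")"
done
rm -rf "$dir"
```

On an RPM install, point `check_whitelist` at the two unit files listed above; a `fused:` result means a space is missing in front of the property.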
Out-of-the-box tasks
| Task Name | Description | 
|---|---|
| Access Certification Reminder | Sends notifications to reviewers for incomplete access review tasks. | 
| Access Certification Reporting | Sends an access certification report to a UAR manager upon campaign completion. | 
| Deleting User Access Request Campaign | Cancels user access request campaign tasks. | 
| ACCOUNT_LOCKED_NOTIFICATION | Sends an 'ACCOUNT_LOCKED' notification for all currently locked accounts. | 
| Activate by Start Date | Initiates the user activation process. | 
| Activation Reminder | Sends 'NEW_USER_ACTIVATION_REMIND' notifications to users with 'PENDING_INITIAL_LOGIN' status. | 
| Clean Auth State Table | Sets `AUTH_STATE=0` for rows where `LAST_LOGIN` is less than 24 hours old and deletes rows where `LAST_LOGIN` is older than 30 days. |
| Cleanup Old CSV Files | Deletes CSV files attached in sync configurations older than one year. | 
| Delete/Deactivate by Last Data | Sets status `DEACTIVATE` for users with `PENDING_DEACTIVATION` status and deletes users with `PENDING_DELETE` status. |
| Disable by Last Date | Executes `LeaverProcess.groovy` to terminate users based on predefined logic. |
| Escalation of Expired Requests | Initiates escalation of access requests if approvers exceed SLA deadlines. | 
| Failed Provision Requests Report | Generates and sends reports on failed provisioning events. | 
| INACTIVE_USER | Deactivates users who haven't logged in for 90 days and sends 'ACCOUNT_INACTIVE' notifications. | 
| Notification of Expiring/Revoked Access | Sends 'ACCESS_IS_ALMOST_EXPIRED' notifications for expiring access and initiates the revoke access workflow for expired access. | 
| Notification Reminders for Approvers | Sends 'APPROVER_REMINDER' notifications for pending approval requests. | 
| PASSWORD_EXPIRED | Sends 'PASSWORD_EXPIRED' email notifications to users with expired passwords. | 
| PASSWORD_NEAR_EXP | Sends 'PASSWORD_NEAR_EXPIRATION' email notifications to users with soon-to-expire passwords. | 
| Perform Business Rules Recalculation | Applies recent business rule changes to the entire user set. | 
| Provision / Deprovision on date | Allows future-dated access provisioning. | 
