Batch / Scheduled Tasks

This section explains the purpose of batch tasks in OpenIAM and describes the out-of-the-box tasks.

Batch task

Batch tasks make it possible to support any kind of business logic, such as sending out notifications, building custom reports and other periodic routine tasks. OpenIAM provides a set of out-of-the-box batch tasks; some of them can be customized via Groovy scripts, while others should remain as delivered. Their descriptions are given below.

Running a shell script with a batch task

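If running a shell script is necessary, you can use the following code as a reference:

println "parameter_1: " + parameter_1
println "parameter_2: " + parameter_2
// Pass each parameter as its own argument. Building a "bash -c" command string
// from them would let shell metacharacters in a value run as commands.
ProcessBuilder processBuilder = new ProcessBuilder(
        "sh", "/tmp/script.sh", parameter_1 as String, parameter_2 as String)
processBuilder.redirectErrorStream(true)   // capture stderr together with stdout
try {
    Process process = processBuilder.start()
    BufferedReader reader = new BufferedReader(
            new InputStreamReader(process.getInputStream()))
    StringBuilder output = new StringBuilder()
    String line
    while ((line = reader.readLine()) != null) {
        output.append(line).append('\n')   // keep the script's line breaks
    }
    int exitCode = process.waitFor()       // wait for the script to finish
    println("Script output:" + output)
    println("Exit code: " + exitCode)
} catch (IOException e) {
    e.printStackTrace()
} catch (InterruptedException e) {
    e.printStackTrace()
}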

For security reasons, the java.io package is not in the whitelist of imports, so you can't simply instantiate classes of this package in Groovy. To work around that, add

-Dorg.openiam.groovy.extra.whitelist.package=java.io

for groovy-manager and esb into the openiam-docker-compose/3.2/services/docker-compose.yaml file (for Docker) or to /etc/systemd/system/openiam-groovy.service and /etc/systemd/system/openiam-esb.service (for RPM).

For example, for RPM:

ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m -Djdk.tls.client.protocols=TLSv1.2
-Dorg.openiam.groovy.extra.whitelist.package=java.io
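
Because the flag is a JVM option, it extends the Groovy import whitelist for the whole service, so it is worth tracking where it is set. The following is an added example, not OpenIAM code: it scans the given unit or compose files for the flag and reports any package that is not on an approved list. The function names, the approved-list argument and the sample unit file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not OpenIAM code): find every place the Groovy import
# whitelist has been extended and flag packages that were not approved.
FLAG='-Dorg.openiam.groovy.extra.whitelist.package='
VAL="[^[:space:]\"']"   # one character of the flag's value

# Print "<package> <file>" for each occurrence of the flag in the given files.
find_whitelist_extensions() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -o -e "${FLAG}${VAL}${VAL}*" "$f" | while IFS= read -r hit; do
            printf '%s %s\n' "${hit#"$FLAG"}" "$f"
        done
    done
}

# $1 = space-separated approved packages, remaining args = files to scan.
# Returns 0 only if every extension found is on the approved list.
check_whitelist_extensions() {
    approved=$1; shift
    rc=0
    found=$(find_whitelist_extensions "$@")
    while read -r pkg file; do
        [ -n "$pkg" ] || continue
        case " $approved " in
            *" $pkg "*) echo "approved:   $pkg ($file)" ;;
            *) echo "UNAPPROVED: $pkg ($file)"; rc=1 ;;
        esac
    done <<EOF
$found
EOF
    return "$rc"
}

# Constructed sample: a unit file shaped like the RPM example on this page,
# checked against an empty approved list, so java.io is reported.
demo() {
    demo_dir=$(mktemp -d)
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/local/openiam/services/start.sh groovy-manager "-Xmx512m' \
        '-Dorg.openiam.groovy.extra.whitelist.package=java.io"' \
        > "$demo_dir/openiam-groovy.service"
    check_whitelist_extensions "" "$demo_dir/openiam-groovy.service"
    status=$?; rm -rf "$demo_dir"; return "$status"
}

demo || echo "-> whitelist extensions need review"
```

On a real host, pass the files named above, for example `check_whitelist_extensions "java.io" /etc/systemd/system/openiam-groovy.service /etc/systemd/system/openiam-esb.service`.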

Out of the box tasks

| Task name | Short description |
| --- | --- |
| [Access Certification Reminder](2-scheduledtasks#Access Certification Reminder) | Sends out notifications to reviewers for uncompleted access review tasks |
| [Access Certification reporting](2-scheduledtasks#Access Certification reporting) | Sends out an access certification report to a UAR manager upon completion of a campaign |
| ACCOUNT_LOCKED_NOTIFICATION | Sends out the notification 'ACCOUNT_LOCKED' for all accounts that are locked at the moment |
| Activate by Start Date | Initiates the user activation process |
| Activation reminder | Sends out the notification NEW_USER_ACTIVATION_REMIND to users with status PENDING_INITIAL_LOGIN that were created recently |
| AUTO_UNLOCK | Deprecated, will be deleted in 4.2.1.3 Release |
| Clean Auth State table | System task. Sets AUTH_STATE=0 in rows where LAST_LOGIN is less than 24h and deletes rows where LAST_LOGIN is older than 30 days in table AUTH_STATE |
| Clean Resource For Completed Requests | Legacy. Deprecated, will be deleted in 4.2.1.3 Release |
| Cleanup OLD CSV Files | Deletes CSV files attached in sync configurations more than a year ago |
| Delete/Deactivate by last Data | Sets status DEACTIVATE for users with status PENDING_DEACTIVATION and deletes users with status PENDING_DELETE |
| Disable by last date | Implements the termination process. Picks up the set of users to be terminated and performs termination for them |
| Escalation of expired requests | Initiates escalation of access requests if approvers have exceeded the SLA |
| Failed provision requests report | Compiles and sends out a report about failed provisioning events |
| Group Attestation | Legacy. Deprecated, will be deleted in 4.2.1.3 Release |
| INACTIVE_USER | Picks up users who haven't logged in for 90 days, deactivates their accounts and sends out the notification ACCOUNT_INACTIVE |
| Notification of expiring/revoke of expired access | Picks up users with access that is about to expire and sends out the notification ACCESS_IS_ALMOST_EXPIRED. Also initiates the revoke access workflow for expired access |
| Notification reminders for approvers | Sends out the notification APPROVER_REMINDER to approvers who haven't made a decision on pending requests |
| PASSWORD_EXPIRED | Sends out the email notification PASSWORD_EXPIRED to users with an expired password |
| PASSWORD_NEAR_EXP | Sends out the email notification PASSWORD_NEAR_EXPIRATION to users with an almost expired password |
| Perform Business Rules recalculation | Applies recent changes in business rules to the whole user set |

Access Certification Reminder

Access Certification reporting

ACCOUNT_LOCKED_NOTIFICATION

Activate by Start Date

Activation reminder

Clean Auth State table

Cleanup OLD CSV Files

Delete/Deactivate by last Data

Disable by last date check

Escalation of expired requests

Failed provision requests report

INACTIVE_USER

Notification of expiring/revoke of expired access

Notification reminders for approvers

PASSWORD_EXPIRED

PASSWORD_NEAR_EXP

Perform Business Rules recalculation