Tuesday, November 9, 2010

Adding External Users as Document Reviewers – Advanced Workflow Features part II

Most enterprises today use directory services to organize the users, resources, services and other objects of a heterogeneous enterprise. LDAP directories are the authentication and authorization source for the various enterprise applications.

Oracle UCM can leverage these enterprise LDAP directories through configured security providers. UCM identifies the users in LDAP providers as EXTERNAL users. UCM first queries its internal security tables to see if a user exists; if the user does not exist there, it queries the LDAP provider for security information.

Troy Allen, in his blog on Getting User Information - Advanced Workflow Features, provides good insight into dynamically adding users to a workflow using events. Things get a little different when the users are not LOCAL users within the UCM security tables but are defined externally in an LDAP directory. The Oracle UCM USERSECURITYATTRIBUTES table (reference http://senasystems.blogspot.com/2010_09_01_archive.html) holds user role information only for local users. External user roles are not stored in this table.

Below is an amendment to the Getting User Information - Advanced Workflow Features blog where the users are external.

Situation: An administrator wants to create a workflow where the participating users are external users and are dynamically derived from the particular security role that the users belong to.

Issue: UCM does not store role information of external users.
Solution: Depending on the user requirements there are two approaches to this. Solution 1 should be adopted when the latest user and role information is required. Solution 2 should be adopted when the latest user and role information is not critical but performance is.

Solution 1
Create a custom component and retrieve user information from LDAP using a Java Service Handler. Invoke this service from the workflow entry event script. This approach provides the latest, up-to-date information, but it has a performance impact because every document workflow item will retrieve user information from the LDAP.

Solution 2
In the UCM provider configuration, you can map LDAP user attributes to UCM user attributes. UCM creates or updates an entry in the “USERS” table every time an external user logs into UCM. The mapped attributes are also stored in the “USERS” table during this process. This feature comes in handy when creating an advanced workflow that needs to add reviewers at run time based on user role information.

A field that carries user role information can be mapped to a UCM user attribute field and during the workflow event this mapped user attribute can be queried to determine if the user should participate in the workflow or not.

Let’s go into details of Solution 2.

  1. Add a Custom User Attribute:
    Launch User Admin applet and click on Information Fields tab.

    Click on Add to add a custom User Attribute. Enter the name of the field “UserRole”. Set appropriate flags on this screen as you would like. Ideally this should be a “view only Field” since it is managed under LDAP administration.

  2. Map LDAP Attribute to User Attribute:

    I. Create an LDAP Provider
    Launch the Providers page under Administration > Providers and create an LDAP provider. Use the information below to create the provider and map LDAP attributes to user attributes.

    This is the basic LDAP provider set up screen. Key information you need is
    LDAP server – Where is the LDAP server?
    Suffix – What is the root dn of user and group information?
    LDAP Port – 389 in most of the cases but change it based on LDAP configuration.

    II. Map User Role Information
    Add appropriate group mapping to either “cn=” or check the “Use Full Group Names” checkbox to provide full dn of the groups node.

    Note: “cn=” should be based on your directory structure and the value you have entered for “LDAP Suffix”.

    Tip: Roles defined in LDAP must exist in UCM with the same name.

    III. Map User Attributes
    Under the attribute map section, you can map an LDAP attribute to a user attribute. Enter “userrole” as the LDAP attribute, select the newly created user attribute in the User Attribute option list and click the “Add” button.

    Note: You need to restart the server for the provider changes to take effect.

  3. Create a Custom Component
    Create a custom component that can read this user attribute and make the user role information available to the workflow entry event.

    Again, Troy Allen’s blog Getting User Information - Advanced Workflow Features provides very detailed information on how to create this component so we will not go in much detail here but only highlight the changes required.

    Add a new query to the Workflow_Example component with ID “qgetusersandmappedroles”. Add query text as “select dname, uUserRole from users”.

    (Note: The custom user attribute is added to the Users table, so we can easily fetch it from there. All custom attribute names start with a “u”.)

    Add a new Service “UserRoleMappings” that uses the new query and creates a resultset named “UserLoop”.

    Enable the component and restart the server.

  4. Change Workflow Entry Event Script
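    Now that we have mapped the LDAP attributes and created the custom component, we are ready to modify the workflow entry event script to use the new component. The script below runs through all users in the “USERS” table and adds the users that belong to the “REVIEWER_ROLE” role as reviewers of the document. It expects the “UserLoop” result set from the “UserRoleMappings” service and a counter xcount that starts at 0, and collects the matching user names in xuserlist.
    <$loop UserLoop$>
      <$if uUserRole like "REVIEWER_ROLE"$>
        <$if xcount < 1$>
          <$xuserlist = dName$>
        <$else$>
          <$xuserlist = xuserlist & ", " & dName$>
        <$endif$>
        <$xcount = xcount + 1$>
      <$endif$>
    <$endloop$>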

Test your changes

  1. Check in a document matching your workflow criteria to test the workflow.
  2. Go to Workflow Assignments to ensure the document is in the queue.
  3. From the Actions left-hand icon, click on Workflow Info. You should see all the users, internal and external, that were part of the “REVIEWER_ROLE” role.

Points to Note:

  • If the requirement is to have all the users participate in the workflow, irrespective of their existence in the “USERS” table, then Solution 1 is appropriate.
  • Solution 2 expects an attribute similar to userrole on the user dn that carries user role information. The LDAP administrator needs to set this up if it does not already exist.
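
The trade-off between the two solutions can be audited directly. The Python sketch below is an added example, not code from this post or from Oracle UCM: it runs the query from step 3 against a constructed in-memory USERS table and compares the result with a constructed snapshot of the LDAP userrole attribute, reporting reviewers whose cached role is stale and role holders that Solution 2 never sees. All sample rows and helper names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: USERS rows as cached at each user's last UCM login.
CACHED_USERS = [
    ("alice", "REVIEWER_ROLE"),
    ("bob", "REVIEWER_ROLE"),       # since removed from the role in LDAP
    ("carol", "CONTRIBUTOR_ROLE"),  # since given the reviewer role in LDAP
    ("sysadmin", None),             # local user, no mapped attribute
]

# Constructed sample data: current value of the LDAP "userrole" attribute.
LDAP_NOW = {
    "alice": "REVIEWER_ROLE",
    "bob": "CONTRIBUTOR_ROLE",
    "carol": "REVIEWER_ROLE",
    "dave": "REVIEWER_ROLE",        # has never logged in to UCM
}


def build_users_table(rows):
    """Create an in-memory stand-in for the UCM USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (dName text primary key, uUserRole text)")
    conn.executemany("insert into users values (?, ?)", rows)
    return conn


def cached_reviewers(conn, role):
    """Solution 2: run the page's query and filter as the event script does."""
    rows = conn.execute("select dName, uUserRole from users").fetchall()
    return {name for name, user_role in rows if user_role == role}


def live_reviewers(directory, role):
    """Solution 1: the set a live LDAP lookup would return."""
    return {uid for uid, user_role in directory.items() if user_role == role}


def role_drift(conn, directory, role):
    """Compare the cached reviewer set with the directory's current one."""
    cached = cached_reviewers(conn, role)
    live = live_reviewers(directory, role)
    return {
        "stale": sorted(cached - live),    # still routed reviews, role revoked
        "missing": sorted(live - cached),  # hold the role, never routed reviews
    }


if __name__ == "__main__":
    conn = build_users_table(CACHED_USERS)
    print(role_drift(conn, LDAP_NOW, "REVIEWER_ROLE"))
```

A non-empty "stale" list is the case to watch with Solution 2: the user keeps receiving review assignments until the next login refreshes the mapped attribute.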

