PingOne Advanced Identity Cloud

Manage workflows

When you configure access requests, you can implement workflows, an end-to-end sequence of Identity Governance actions that result in either approving or rejecting an access request. You can configure workflows using the Advanced Identity Cloud’s workflow editor or REST APIs.

Workflows give complete flexibility over all access request types by allowing you to define custom workflow definitions. For example, when an end user requests access to an application, you can specify the actions Identity Governance takes for the access request to be approved or rejected.

These actions could include:

  • Requiring more than one approval for the request. You could require an end user’s manager and the application owner to approve the request before Identity Governance provisions access to the end user.

  • Sending an email to the end user stating that their access request has been denied, if the request is rejected.

Important aspects of workflows
  • Identity Governance provides default workflows for each access request type. Identity Governance also requires a workflow for each access request type; therefore, every access request type must have an associated workflow.

  • Each workflow has two states:

    • Draft — A staging state to validate a workflow before publishing. For a workflow to be live, you must publish it.

    • Published — The workflow is read-only and live.

  • You can create workflows using the following:

    • Workflow editor — An intuitive UI to easily create the workflows using nodes.

    • REST APIs — Use the REST APIs for workflow scripting.

  • Workflows are saved in JSON format.

The out-of-the-box Identity Governance workflows do not currently support the approval of custom request types, like event-based requests. In this case, you can use workflows with custom scripted nodes that can handle event-based situations, such as user create or user update. For more information, refer to Workflow use cases.

Access request types

Identity Governance provides six out-of-the-box workflows, one for each access request type.

The following table displays the different access request types and out-of-the-box workflows:

| Access request type | Workflow name | Description |
|---|---|---|
| Grant Application | BasicApplicationGrant | Request access to an application. |
| Remove Application | BasicApplicationRemove | Request to remove access to an application for an end user. |
| Grant Entitlement | BasicEntitlementGrant | Request access to an entitlement (additional privilege inside an application). |
| Remove Entitlement | BasicEntitlementRemove | Request to remove access to an entitlement from an end user. |
| Grant Role | BasicRoleGrant | Request access to an Advanced Identity Cloud provisioning role. |
| Remove Role | BasicRoleRemove | Request to remove access to a role from an end user. |

Create workflows using the workflow editor

To manage workflows, from the Advanced Identity Cloud admin UI, go to Workflows.

There is a default published workflow for each access request type.

The workflow editor canvas.
  • 1 Click Governance > Workflows on the Advanced Identity Cloud end-user UI.

  • 2 Click New Workflow.

  • 3 Click Create Duplicate to make a copy of an out-of-the-box workflow. You cannot modify an out-of-the-box workflow; you can only duplicate it.

  • 4 Every workflow has two states: draft and published. You can only modify a workflow in the draft state. When you click New Draft, Identity Governance creates a copy of the existing published workflow.

    • View the published workflow.

    • Import a JSON file to create or override an existing draft.

    • Duplicate the out-of-the-box workflow.

  • 5 If a workflow has an existing draft, click View Draft.

  • 6 Click the ellipsis to:

    • View the published workflow.

    • Import a JSON file to create or override an existing draft.

    • Duplicate the draft.

    • If there is an existing draft, delete the draft.

Workflow editor canvas

When you click a workflow, a blank workflow canvas appears with workflow nodes in the left pane, which you can drag-and-drop onto the canvas.

The workflow editor canvas.
  • 1 Available workflow editor nodes.

  • 2 Perform orientation functions:

    • Zoom in

    • Zoom out

    • Toggle fullscreen

    • Auto layout nodes on the canvas

    • Delete — When you select one or more nodes, the delete icon displays.

  • 3 Toggle between the draft and published states of a workflow.

  • 4 Click the ellipsis icon to:

    • View Details — View metadata, such as the state and workflow name.

    • Import — Upload a JSON file to create or override an existing draft.

    • Export — Download a JSON file of the workflow state.

    • Delete Draft — Only present when viewing the draft state of a workflow.

  • 5 Switch between viewing the workflow through the canvas UI or through JSON.

  • 6 Save or publish the existing workflow.

  • 7 The workflow editor canvas. Drag, drop, and connect nodes in the canvas to create your workflow.

When you click Publish in a workflow, the new version overrides the existing published version. Identity Governance prompts you to download a backup (Download backup). Always download a backup in case of an error.

View workflow in JSON

For technical users, Identity Governance provides the ability to view and download workflows using JSON. From the workflow editor canvas, toggle JSON. If you want to export the workflow JSON, click the ellipsis, and then Export. You can make adjustments and re-import the JSON into Identity Governance.

If you are exporting an out-of-the-box workflow, Identity Governance pulls the UUID of the users or roles from the environment and uses it in the JSON file. Make sure to reset or update the approver values in the Approver node in the JSON.

The Workflow JSON UI.
  • 1 Copy the JSON workflow file.

  • 2 Click to View Details, Import, and Export the JSON file.

  • 3 Toggle to enable or disable JSON view.
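The note above about environment-specific UUIDs in exported workflows can be checked before re-importing. The following is an added example, not Ping Identity code: it walks any exported workflow JSON and lists every embedded UUID with its JSON path, so stale approver references can be reset. The field names and UUIDs in the sample are constructed for illustration and are not the product's documented schema.

```python
import json
import re

# Matches canonical 8-4-4-4-12 hex UUIDs anywhere inside a string value.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

def find_uuid_refs(node, path="$"):
    """Yield (json_path, uuid, full_value) for each UUID found in string values."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_uuid_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_uuid_refs(value, f"{path}[{index}]")
    elif isinstance(node, str):
        for match in UUID_RE.finditer(node):
            yield path, match.group(0).lower(), node

def review_export(workflow_json, known_ids=frozenset()):
    """Return UUID references that are not known identities of the target environment."""
    known = {k.lower() for k in known_ids}
    doc = json.loads(workflow_json)
    return [ref for ref in find_uuid_refs(doc) if ref[1] not in known]

# Constructed sample export; field names and UUIDs are illustrative only.
SAMPLE_EXPORT = """
{
  "name": "CopyOfBasicApplicationGrant",
  "steps": [
    {"name": "approval-1", "type": "approvalTask",
     "actors": [{"id": "managed/user/11111111-2222-3333-4444-555555555555"},
                {"id": "managed/role/AAAAAAAA-bbbb-cccc-dddd-eeeeeeeeeeee"}]},
    {"name": "provision-1", "type": "scriptTask"}
  ]
}
"""

if __name__ == "__main__":
    target_ids = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}  # constructed
    for path, uuid, value in review_export(SAMPLE_EXPORT, target_ids):
        print(f"{path}: {value} (uuid {uuid} not known in target environment)")
```

Pass the UUIDs of approvers that exist in the target environment as `known_ids`; anything still reported is a reference to reset or update before import.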