The human workflow service engine runs as a separate engine in the Oracle SOA Suite 12c service infrastructure providing human task execution functionalities to both BPEL and BPMN processes. The human workflow component consists of a number of services that handle various aspects of human interaction with a business process such as task approvals, rejections, reassignments, delegation, and so on.
An instance of the human workflow service engine can be initiated by an invocation from another service component such as the BPEL or BPMN engines. The message is routed to the engine by the SOA service infrastructure and is persisted by the workflow engine in dehydration store schema. Once an invocation transaction is committed, the instance becomes available for human interactions through a thin client such as a browser or mobile-based user interface. Each update on the instance or the runtime state through a user action is then handled by the engine in a separate transaction.
The human workflow engine allows defining to-do tasks that can be assigned to users or groups of users, giving business users more flexibility and a centralized approach for task management. Workflow tasks can be assigned to application roles and then, at runtime, real users or groups from your enterprise repository defined within your organization can be mapped to these application roles. In this section, you will learn ways to integrate your company's directory server with the service infrastructure and pull organizational users to associate them with application or logical business process roles.
An important feature of the Human Workflow Service Engine is a worklist application built on top of ADF-rich client components. The worklist application is accessible via a web browser, giving business users a common look and feel and developers a standardized approach for building user interfacing applications that are flexible and customizable. Business process users can define their own work queues and share these views with other users and groups. All human workflow data definitions and custom task views can be shared across members within an organization. Logging in to the worklist application is role based and the interface is accessible via the following URL:
http://<soahost>:<soaport>/integration/worklistapp
The human workflow engine leverages the UMS framework deployed in the infrastructure for its notification needs. The UMS engine allows process participants to customize their messaging channels and even set preferred mechanisms of being notified. These preferences, such as the mode to receive notifications (for example, e-mail and SMS), and which devices need to be used, can all be configured from the following address:
http://<soahost>:<soaport>/sdpmessaging/userprefs-ui
Administration of human task instances, workflow service engine configuration, notification setup, and fault management are performed from the Oracle Enterprise Manager Fusion Middleware Control console. It also provides a mechanism to detect and handle auto-reply messages, poisoned responses, and spam in the workflow engine.
Part of Oracle SOA Suite 12c's design is to allow for as much flexibility and agility as possible by enabling runtime changes to various components, such as business rules, domain value maps, and certain aspects of human workflow task configurations. However, business users may still not be prepared to modify these configurations at runtime. For on-demand, human-task-related configuration changes, the onus is then on administrators to edit task assignment and routing policies, modify approval group settings, change business rules responsible for dynamic task allocation, and so on, to enable a change. Human task runtime configuration changes post deployment of composites can be done by following the steps provided here:
http://<soahost>:<soaport>/soa/composer
.The following screenshot demonstrates the task configuration page:
A human task component in a composite has an associated user-defined task details interface executing on the worklist application. Configuration of the human task service component task detail application URI, say by editing, adding, or removing it can be performed from the Oracle Enterprise Manager Fusion Middleware Control console. This configuration page is different for each human workflow component. Access this by navigating to a specific composite and selecting the human task service component under the Components table. Click on the Administration tab and then on the Add URI button to create an accessible endpoint for the task by providing the Host Name, HTTP Port, or HTTPS Port values for the URI.
The primary reasons why this information (depicted in Figure 7.34) needs to be configured at the task level are as follows:
The following screenshot shows the URI being updated:
When human task flow components are created at design time, they are simply mapped to logical or application roles. Upon deployment to the human workflow service engine, you need to assign real human users to participate and act on workflow tasks. Participants can act on tasks during runtime from the worklist application, such as to approve/reject a sales order, delegate approvals, provide feedback on a help desk request, and so on. To engage real users, it is necessary to integrate a directory service to maintain your organization's users and groups, like an LDAP server with the infrastructure running your composites.
By default, the underlying Oracle WebLogic Server identity service uses an embedded LDAP server as the default authentication provider. Figure 7.35 shows the visual steps to change your default authentication provider in an existing security realm with an existing LDAP based directory server:
The sequence of steps to create a new LDAP authentication provider is as follows:
Here are the properties to connect to an LDAP server:
Provider-specific property |
Remarks |
---|---|
Host |
The hostname or IP address of the authenticator (for example, |
Port |
The port number on which the authenticator server is running. The default is |
Principal |
The Distinguished Name (DN) of the authentication server user that WebLogic Server should use when connecting to it. An example principal is as follows:
|
Credential |
The credential property is usually a password used to connect to the authenticator server. |
User Base DN |
The base Distinguished Name (DN) of the tree in the LDAP directory that contains users (for example, |
Group Base DN |
The base Distinguished Name (DN) of the tree in the LDAP directory that contains groups. |
Use Retrieved User Name as Principal |
Specifies whether to use the user name retrieved from the LDAP server as the principal in the subject. |
User Name Attribute |
The attribute of an LDAP user object class that specifies the name of the user (for example, UID, CN, MAIL, and so on) (for example, |
These properties are sufficient to connect to an LDAP server. Use the default setting for the rest of the fields if in case these values are not known.
weblogic
that are not typically in an LDAP directory but must still be authenticated to start the server.After the restart, under the Users and Groups tab in Security Realms, all of the organization's users and groups set up in Active Directory are listed alphabetically, as shown in the following screenshot:
By default, only usernames in human tasks are case agnostic (case insensitive). This behavior is controlled by the value of the caseSensitive
property in System MBeans Browser for users, which is set to false
by default. Group names in human tasks must be identical to what is seeded in the user directory. However, if you also want group names in human tasks to be case agnostic, you must set the caseSensitiveGroups
property to false
. To enable case-agnostic behavior for group names in human tasks, follow these steps:
false
in the form field, and click on Invoke.Every deployed component or module (both custom and out of the box) in Oracle SOA Suite 12c inherits a security model where users or groups available from an organization have to be mapped to appropriate application roles. For example, you might want to give certain users in the organization the right to access and edit human task configurations from the SOA Composer at runtime, or in case of a deployed BPM project, map users to swimlane roles. Mapping users and groups to application roles is a regular administrative activity for large scale SOA and BPM implementations in an organization. The following steps along with Figure 7.37 outline a mechanism to achieve this:
The same steps can be used to associate groups in organizations or other available Application Roles to the selected role. Take a look at the following screenshot:
When working with human workflow based composites, customers frequently have an external identity store that acts as a directory, holding the application end users and related enterprise groups. In many cases, they may also want to keep WebLogic's embedded LDAP server for administration accounts. Many large organizations also tend to have multiple user directories based on geographies, but the human workflow solution may require all users and groups to be brought together. If multiple authentication providers are configured, authentication occurs through all of them, according to the control flags set. Java Portlet Specification (JPS) however provides authorization in order of the hierarchical list of providers. An additional LDAP authentication provider can be configured for the worklist application but Oracle Platform Security Services (OPSS) by default doesn't support multiple authenticators. To overcome this challenge, Oracle SOA Suite 12c bundles a library named LibOVD
, providing virtualization capabilities over multiple LDAP authentication providers.
To configure support for multiple authentication providers, a prerequisite is to have the Control Flag
for all the providers set to SUFFICIENT
. This can be set by accessing the property from the WebLogic Server Administration Console by navigating to Security Realms | myrealm | Providers | Authentication | [Provider] | Common.
Once this property change is implemented, support for multiple authentication providers can be configured through any one of the following options:
Option 1: A configuration change through Enterprise Manager Fusion Middleware Control:
virtualize
and set its value to true
, as shown in Figure 7.38.Option
2: Modifying the jps-config.xml
file:
$DOMAIN_HOME/config/fmwconfig
directory and take a backup of the jps-config.xml
file.idstore.ldap.provider
to add the virtualization flag.Let's have a look the following configuration snippet:
<serviceInstance provider='idstore.ldap.provider' name= 'idstore.ldap'> <property value= 'oracle.security.jps.wls.internal.idstore. WlsLdapIdStoreConfigProvider' name="idstore.config.provider"/><property value='oracle.security.idm.providers.stdldap.JNDIPool' name='CONNECTION_POOL_CLASS'/><property value='true' name='virtualize'/> </serviceInstance>
Both these options require a domain level restart.
Process participants working on tasks assigned to them in the worklist or the workspace application may not find the default inbox view very helpful. For instance, they may need to view additional columns required to prioritize tasks or view process indicators in the inbox. These additional columns may be added from the default available column list, or users may use a mapped attributes (flex fields) to store and display important values from the task payload. Mapped attributes in human workflow store and query custom attributes that typically come from the task payload values.
However, the problems it poses for you as an administrator, in the long run, is migrating worklist customizations across different environments. Assume that a bunch of participants create custom views and vacation rules and add mapped attributes in the test environment, which are then necessary to promote to staging and production environments. Oracle SOA Suite 12c provides a Human Workflow User Config Data Migrator that is available as a utility script wrapped with Ant.
The Data Migrator provides administrators the following operations:
The Data Migrator utility relies on two key files:
migration.properties
: This contains all required input properties in terms of key-value pairs for migration operations. It also determines what type of user configuration is to be imported or exported.ant-worklist-t2p.xml
: This is an Ant build file containing the default Ant target, runHwfMigrator
, responsible for exporting customizations from one environment and importing them to another depending upon the operation.Figure 7.39 shows a custom view configured by the weblogic
user in the worklist application for task approvals. A Priority Approvals view is configured to accommodate and show the orderDiscount field (mapped attribute) on the worklist screen. The following section will describe how to set up and execute the Data Migrator wizard to extract these customizations in an XML file and then import them into another server. Observe the following screenshot:
To move human workflow data from test to production environments, perform the following steps:
PATH
environment variable contains JAVA_HOME
(the location of the complaint JDK path) and ANT_HOME
.export JAVA_HOME=/u01/app/oracle/middleware/jdk1.7.0_15 export ANT_HOME=$MW_HOME/oracle_common/modules/org.apache.ant_1.9.2 export PATH=$PATH:$JAVA_HOME/bin:$ANT_HOME/bin
$MW_HOME/soa/bin
.migration.properties
file in the bin
directory to export user metadata for the worklist application (for example, group rules, views, mapped attribute mappings, and vacation rules) from the test environment. See here one such example of a migration.properties
that contains properties to export custom worklist views. The connection and file location properties highlighted in the following snippet need to be replaced with values corresponding to your environment:# Connection Properties soa.hostname = localhost soa.rmi.port = 8001 soa.admin.user = weblogic soa.admin.password = welcome1 realm = jazn.com # Migration File Location migration.file = /tmp/worklist_data/export_all_migration.xml map.file = /tmp/export_all_map_mapper.xml # hwfMigrator Properties operationType = EXPORT objectType = VIEW name = ALL user = weblogic group = grantPermission = true migrateAttributeLabel = true override = true skip = true migrateToActiveVersion = true
runHwfMigrator
default target. Execute the Ant command by passing ant-t2p-worklist.xml
as the file argument to export user configuration data.ant -f ant-t2p-worklist.xml -Dbea.home=$MW_HOME -Dsoa.home=$MW_HOME/soa
/tmp/worklist_date
.migration.properties
file. The export_all_migration.xml
file contains exported data for the Priority Approval View along with its view columns.The following table explains each of the properties in detail:
Property |
Definition |
---|---|
|
This specifies the directory location where task definition mapping data is exported to or imported from. |
|
This specifies the directory location where user configuration data is exported to or imported from. |
|
Flag this to specify whether to export data from the server or import into it. |
|
This property specifies the type of custom object to migrate. Possible values are either |
|
This specifies the object name if you specified |
|
This specifies the username for |
|
This specifies the group for only |
|
A |
|
A |
|
While using the |
|
If an error happens while migrating a |
|
A |
Let's have a look at the following screenshot:
However, keep the following things in mind while using the migration utility:
objectType
) can be exported or imported at a time.3.138.119.106