Tutorials-Blue2401×1354 212 KB

In IdentityIQ, work items can sit idle in a user’s inbox. To prevent these from going stale, IIQ provides mechanisms for reminders and escalations—so your approvals don’t go unnoticed or unresolved. Despite this being available for so many years there are still many questions appearing in the community and Compass on how to configure this properly and how to customize it beyond what is available OOTB.

There are two primary ways to configure these behaviors:

• The “old” approach, where configuration is done via xml attributes directly into the Approval.

• The “new” approach, using IConfig objects (can be set up programmatically for non certification workItems).

Let’s break both down.

The “Old” Way: Attribute-Based Reminders and Escalations

This approach uses specific WorkItem attributes to define how and when reminders or escalations should happen. Here are the key attributes:

How It Works

When the right combination of attributes is set, IdentityIQ internally creates a NotificationConfig object nested in WorkItem. This is what drives the actual scheduling of reminder/escalation logic.

Important: NotificationConfig is only created when workItemHoursTillEscalation is present. Without it, reminders or escalations won’t trigger.

Let’s look at the configurations possible using these attributes.

Case 1: Escalation Only

<entry key="workItemEscalationRule" value="Acme escalation rule"/>
<entry key="workItemHoursTillEscalation" value="3"/>

• Escalation is enabled because workItemEscalationRule is defined.
• Reminders are not enabled because no reminder template is provided.
• Escalation rule will be triggered after 3 hours of workItem creation

The NotificationConfig in workItem looks like:

<NotificationConfig escalationEnabled="true" escalationMillisAfterStart="10800000">
   <EscalationRule>
      <Reference class="sailpoint.object.Rule" name="Acme escalation rule"/>
   </EscalationRule>
</NotificationConfig>

On work item expiration:

• If the escalation rule returns null, the item is expired and deleted.
• If it returns an identity, the item is reassigned, the escalation email is sent, and the process restarts.

Case 2: Reminders and Expiration

<entry key="workItemReminderTemplate" value="Work Item Reminder"/>
<entry key="workItemHoursBetweenReminders" value="4"/>
<entry key="workItemMaxReminders" value="2"/>
<entry key="workItemHoursTillEscalation" value="3"/>

• Reminders are enabled because the template is defined.
• Escalation is not enabled because workItemEscalationRule is not defined.

First reminder will be sent after 3 hours of workItem creation. After that there will be one more reminder sent after 4 hours. And finally after 4 hours after the second reminder workItem will expire and will be deleted.

Case 3: Reminders + Escalation

<entry key="workItemEscalationTemplate" value="Work Item Escalation"/>
<entry key="workItemEscalationRule" value="Acme escalation rule"/>
<entry key="workItemReminderTemplate" value="Work Item Reminder"/>
<entry key="workItemHoursBetweenReminders" value="4"/>
<entry key="workItemMaxReminders" value="2"/>
<entry key="workItemHoursTillEscalation" value="3"/>

• Reminders are enabled because the workItemReminderTemplate is defined.
• Escalation is enabled because workItemEscalationRule is defined.

This combines everything:

• Reminders begin after 3 hours and repeat every 4 hours.
• 4 hours after the 2nd reminder, escalation kicks in based on the rule.
• If the escalation rule returns null, the item is expired and deleted.
• If it returns an identity, the item is reassigned, the escalation email is sent, and the process restarts.

An interesting observation is that I was not able to configure these attributes to send reminders and avoid escalation.

The “New” Way: Code-Based NotificationConfig

Luckily there is a way to configure a fully custom combination of reminders and escalation. You can do this by omitting any of the above attributes and implementing a custom InterceptorScript.

Here is the example:

if ("openWorkItem".equals(method)) {

  WorkItem workItem = (WorkItem) item;  
  NotificationConfig notificationConfig = new NotificationConfig();
  List<NotificationConfig.IConfig> configs = new ArrayList<>();

// Reminder #1: after 2 days

  NotificationConfig.ReminderConfig config = new NotificationConfig.ReminderConfig();
  config.setEmailTemplateName("Work Item Reminder");
  config.setEnabled(true);
  config.setOnce(true);
  config.setMillis(2 * 24 * 60 * 60 * 1000L); // 2 days
  configs.add(config);

// Reminder #2: after 7 days

  NotificationConfig.ReminderConfig config2 = new NotificationConfig.ReminderConfig();
  config2.setEmailTemplateName("Work Item Reminder");
  config2.setEnabled(true);
  config2.setOnce(true);
  config2.setMillis(7 * 24 * 60 * 60 * 1000L); // 7 days
  configs.add(config2);

// Escalation: after 10 days

  NotificationConfig.EscalationConfig config3 = new  NotificationConfig.EscalationConfig();

  config3.setEmailTemplateName("Work Item Escalation");
  config3.setEscalationRuleName("Acme escalation rule");
  config3.setEnabled(true);
  config3.setMillis(10 * 24 * 60 * 60 * 1000L); // 10 days
  configs.add(config3);
  notificationConfig.setConfigs(configs);
  notificationConfig.setEnabled(true);
  workItem.setupNotificationConfig(context, null, notificationConfig);

}

What This Does

• Two reminders will be sent: after 2 and 7 days from the workItem creation.
• Escalation occurs after 10 days from the workItem creation, using the “Acme escalation rule”.

When using code you have the ability to create a desired number of reminder steps (if any) which trigger on an arbitrary moment. So you could have one reminder a day after creation, next one 5 days later and another 20 days later. You will not be constrained by the cycle.

Then you can add escalation configuration if needed, but it can be omitted.

This configuration may look very similar to Reminder configuration available for certifications because it is using same mechanism.

Feel free to experiment with the values.