Expressions in Workflow Actions

Using Expressions in Workflow Actions

Several fields within workflow actions can use custom expressions. These expressions provide values from various inputs into the workflow process.

There are several valid expression prefixes, and any suffix may be appended to a prefix. The suffix should reference a valid attribute. For instance, when referencing the recipient of a resource, the request suffix should refer to a valid attribute related to the person within LDAP.

Note:

These expressions, when used as an expression for a Value Pair for the Connect and/or Connect (Advanced) Actions, must be surrounded by single quotes, e.g.          

'%{recipient.givenName}'

Valid Expression Prefixes

• recipient - Refers to the recipient user of the workflow request

• requestor/requester - Refers to the user who initiated the workflow request

• addressee - Refers to the User or Group assigned to the current approval task for the workflow

• approver - Refers to the User who responded to an approval task

• approval - Refers to a particular approval response

• resource - Refers to the Entitlement being granted/revoked

• dss - Refers to a response value received from an Advanced RapidIdentity Connect Action

• form - Refers to the form associated with the workflow request

The following items are currently available when using the 'resource' prefix:

• name - The name of the Entitlement

• description - The description of the Entitlement

• binding - The binding of the Entitlement

• icon - The icon URL for the Entitlement

• owner - The User who is the owner of the Entitlement

Form Prefix

• %{grant.form.<id>} - Refers to the form associated with the current grant request, and is only available during REVOKE workflows. <id> is the unique form id.

User/Group Prefixes may refer to any directory attribute on that target object, with support for chaining if the attribute is a DN and references another valid directory object.

• %{recipient.givenName} - Returns the value of the “givenName” attribute for the recipient of the workflow

• %{requester.mail} - Returns the value of the “mail” attribute for the User who requested the workflow

• %{recipient.manager} - Returns the value of the “manager” attribute on the recipient’s directory entry

• %{recipient.manager.fullName} - Returns the value of the “fullName” attribute on the object pointed to by the recipient’s “manager” attribute

• %{recipient} - Returns the idautoID of the recipient

• %{recipient.id} - Returns the idautoID of the recipient

• %{recipient.idautoID} - Returns the idautoID of the recipient

• %{recipient.dn} - Returns the DN of the recipient

• %{addressee.idautoID} - Returns the idautoID of the User/Group assigned to the current approval task.  Approver/Approval Prefixes can optionally have an index so that information about approval steps beyond the first can be referenced.

• %{approver.mail} - Returns the value of the “mail” attribute for the User who approved/denied the first approval task

• %{approver0.mail} - Returns the value of the “mail” attribute for the User who approved/denied the first approval task

• %{approver1.givenName} - Returns the value of the “givenName” attribute for the User who approved/denied the second approval task

• %{approval1.comments} - Returns the comments (if any) from the approver of the second approval task

‘comments’ are currently the only information available when using the ‘approval’ prefix.

Miscellaneous Expressions

• %{request.type} - Refers to the current workflow request. The only type that can be used with the request prefix is typem, and the only types are GRANT and REVOKE.