Keyword management in workflows

Workflow keywords can be used in workflow, step, action, and notification settings.

The general format of workflow keywords is as follows:

  • A class (e.g.: PERSON, MANAGER, STARTER, etc.)
  • A main parameter (e.g.: ATTRIBUTE, RIGHT, etc.)
  • A secondary parameter (e.g.: attribute code, etc.)

There are two main categories of keywords:

  • Keywords used to return a list of objects without taking workflow data into account. These keywords are used for filtering or as conditions for executing tasks or actions. In this case, the separator is “§”. The following keywords are available:

    • §KAD§: keyword that can only be used in workflows that are triggered by the event “Modification of an authorization rule”
      • §KAD§ATTRIBUTE§secondary_parameter§: Allows you to retrieve information about an authorization rule based on its ID, name, or description. secondary_parameter can take the following values:
        • kad_id: Authorization rule identifier.
        • kad_name: Name of the authorization rule
        • kad_description: Description of the authorization rule
      • §KAD§FILTRE§attribute_code§: Allows you to retrieve the values of the filter whose code is passed in “attribute_code” on the authorization rule that triggers the workflow instance.
      • §KAD§STRUCTURE§VALUE§: Allows you to retrieve the values of the structures covered by the authorization rule that triggers the workflow instance.
      • §KAD§RIGHT§<AccountTypeCode.RightCode>§: Allows you to test whether the right whose code is specified in the “Right_Code” parameter linked to the account type whose code is specified in the “Account_Type_Code” parameter is present in the authorization rule that triggers the workflow instance.
    • §PERSON§: keyword for retrieving a filtered identity list from the parameters entered. Does not take workflow data into account but is used to filter potential workflow targets or determine actors or targets of actions or tasks in workflows.
      • §PERSON§ATTRIBUTE§attribute_code§: Allows you to retrieve a list of persons according to an attribute value.
      • §PERSON§RIGHT§<AccountTypeCode.RightCode>§: Allows you to retrieve a list of persons who actually have the right whose code is indicated in the “Right_Code” parameter and which is linked to the account type whose code is indicated in the “Account_Type_Code” parameter.
    • §OBJECT§ or §RESOURCE§: keyword to retrieve a filtered list of allocations based on the parameters provided. Does not take workflow data into account but is used to filter objects in actions or tasks in workflows.
      • §OBJECT§ATTRIBUTE§attribute_code§ or §RESOURCE§ATTRIBUTE§attribute_code§: Allows you to retrieve a list of allocations based on attribute values.
  • Keywords used to return values from various objects contained in workflow instances (targets, actors, validators, request content, etc.). In this case, the separator is “#”. The following keywords are available:

    • WORKFLOW#Code_workflow#parameter_step#: Allows you to retrieve information about a workflow instance whose code is equal to “Code_workflow”. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules, etc.) or in a notification field (e.g., Object, e-mail body). Parameter_step can take the following values:

      • ID: Workflow instance identifier
      • STATUS: Workflow instance status
        • -2 = Failed by escalation
        • -1 = Fail
        • 0 = In progress
        • 1 = Success
        • 2 = Initialized by the user
        • 3 = Event waiting for additional information
        • 4 = On pause
        • 5 = Need for information
        • 6 = Blocked
        • 7 = Stopped
        • 8 = Successful by escalation
        • 9 = Reset
      • STARTDATE: Start date of the workflow instance
      • ENDDATE: End date of the workflow instance
      • LASTEVENTDATE: Date of the last event at the workflow instance level
      • DATA: Returns the list of rights and users concerned.
    • STEP#Step_code#parameter_step#: Allows you to retrieve information about an instance of a workflow step whose code is equal to “Step_code”. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules, etc.) or in a notification field (e.g., Object, e-mail body). Parameter_step can take the following values:

      • ID: Step instance identifier
      • STATUS: Status of the instance of the “Step_code” code step in the workflow instance
        • -1 = Fail
        • 0 = In progress
        • 1 = Success
        • 4 = On pause
        • 5 = Need for information
        • 6 = Blocked
        • 7 = Stopped
      • STARTDATE: Start date of the step instance
      • ENDDATE: End date of the step instance
      • LASTEVENTDATE: Date of the last event at the step instance level
    • ACTION#Action_code#parameter_action#: Allows you to retrieve information about an instance of an action whose code is equal to “action_code”. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules, etc.) or in a notification field (e.g., Subject, email body). Parameter_action can take the following values:

      • ID: Action instance identifier
      • STATUS: Status of the “Action_code” code action instance in the workflow instance
        • -1 = Fail
        • 0 = In progress
        • 1 = Success
        • 4 = On pause
        • 5 = Need for information
        • 6 = Blocked
        • 7 = Stopped
      • STARTDATE: Start date of the action instance
      • ENDDATE: End date of the action instance
      • LASTEVENTDATE: Date of the last event at the action instance level
      • DEROGATED: ID of the person to whom the action was delegated
    • TASK#Task_code#parameter_task#: Allows you to retrieve information about an instance of a task whose code is equal to “task_code”. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules, etc.) or in a notification field (e.g., Subject, email body). Parameter_task can take the following values:

      • ID: Task instance identifier
      • STATUS: Status of the “Task_code” code task instance in the workflow instance
        • -1 = Fail
        • 0 = In progress
        • 1 = Success
        • 4 = On pause
        • 5 = Need for information
        • 6 = Blocked
        • 7 = Stopped
      • STARTDATE: Start date of the task instance
      • ENDDATE: End date of the task instance
      • LASTEVENTDATE: Date of the last event at the task instance level
      • DEROGATED: ID of the person to whom the task was delegated
    • It is possible to create automatic validation links in the body of an email when the notification is configured in a validation action or task: http://[DNS address]/UserRequestWorkflow.aspx?MyActionId={#ACTION#Action_or_task_code#ID#}&accept=[result]
      • DNS address to be replaced by the Identity server address
      • Action_or_task_code is to be replaced by the code of the action or task to be validated via the link
      • Result: enter 1 to validate the action or task, enter 0 to reject it.

    To configure the link in the body of the email, use the “type:inline” button where you can check the address and text that will be displayed in the email.

    Note: to validate or reject a request in a notification email, the user must log in to the interface to confirm that they have the rights to perform this operation.

    • FORM#: keyword that can only be used in “User Request” type workflows or in manual provisioning/deprovisioning tasks, in SQL evaluation rules for action and task steps, or in notifications.

      • FORM#ADDRIGHTS#CODELIST#: Allows you to list the rights that the applicant has selected in the rights request form.

      • FORM#CHANGEATTRIBUTES#parameter_form#: Lists the attributes that the requester has modified in the person modification form. parameter_form can take the following values:

        • CODELIST: List of attribute codes that the applicant has modified in the person modification form.
        • CHANGEDATE: Date on which changes are taken into account in dd/MM/yyyy format
      • FORM#TYPERESOURCES#parameter_form#: Retrieves the list of resource types selected when filling out the request form. parameter_form can take the following values:

        • DATA: Id of the resources
        • DATA.CODE: Resource code
        • DATA.NAME: Name of resources
      • FORM#Validation_task_code#parameter_form#:

        • DATA: Allows you to retrieve all accounts and rights by target application in the body of the email.
        • DATA.PROVISIONINGRIGHTONLY: Allows you to condition the execution of a form validation task and/or a manual provisioning task on the fact that the targets already have an account on the repositories concerned by the request.
        • DATA.UNPROVISIONINGRIGHTONLY: Allows you to condition the execution of a form validation task and/or a manual deprovisioning task on the fact that the targets already have an account on the repositories concerned by the request.
        • DATA.PROVISIONINGACCOUNTONLY: Allows you to condition the execution of a form validation task and/or manual provisioning task on the fact that the targets do not have an account on the repositories concerned by the request.
        • DATA.UNPROVISIONINGACCOUNTONLY: Allows you to condition the execution of a form validation task and/or a manual deprovisioning task on the fact that the targets do not have an account on the repositories concerned by the request.
    • TASKFORM#: Keyword that can only be used in workflow tasks of the following types: resource assignment and manual provisioning/deprovisioning

      • TASKFORM#Task_code#parameter_form#: Allows you to retrieve the data specified in “parameter_form” from either a resource or a right. This keyword must be used in the body of an email for the result to be displayed in table form. parameter_form can take the following values:

        • DATA: ID of the resources requested if the task is of the “Resource assignment” type, or ID of the rights to be provisioned or deprovisioned if the task is of the “Manual provisioning/deprovisioning” type.
        • DATA.CODE: Code for the resources requested if the task is of the “Resource assignment” type, or code for the rights to be provisioned or deprovisioned if the task is of the “Manual provisioning/deprovisioning” type.
        • DATA.NAME: Name of resources requested if the task is of the “Resource assignment” type, or Name of rights to be provisioned or deprovisioned if the task is of the “manual provisioning/deprovisioning” type.
        • DATA.FIELDS: Values of additional fields in the request form. Only valid if the task is of the “manual provisioning/deprovisioning” type.
        • DATACOMPLETEONLY: IDs of resources actually assigned in the “Resource Assignment” task type. Only valid if the task is of the “Resource Assignment” type.
        • DATACOMPLETEONLY.CODE: Code of resources actually assigned in the “Resource Assignment” task type. Only valid if the task is of the “Resource Assignment” type.
        • DATACOMPLETEONLY.NAME: Name of resources actually assigned in the “Resource Assignment” task type. Only valid if the task is of the “Resource Assignment” type.
        • DATAINCOMPLETE: IDs of resource types to which no resources have been assigned. Only valid if the task is of the “Resource Assignment” type.
        • DATAINCOMPLETE.CODE: Code of resource types to which no resources have been assigned. Only valid if the task is of the “Resource Assignment” type.
        • DATAINCOMPLETE.NAME: Name of resource types to which no resources have been assigned. Only valid if the task is of the “Resource Assignment” type.
    • MANAGER#: A workflow manager is a person who administers the workflow.

      • MANAGER#ATTRIBUTE#attribute_code#: Allows you to inject information about the action instance into an SQL evaluation field (e.g., Rules for execution, validation, etc.) or into an evaluated field (e.g., Recipients, subject, email body).

      • MANAGER#RIGHT#<Account_Type_Code.Right_Code>#: Allows you to verify that the manager of a workflow has the right whose code is indicated in the “Right_Code” parameter linked to the account type whose code is indicated in the “Account_Type_Code” parameter.

      • MANAGER#RIGHTHEO#<Account_Type_Code.Right_Code>#: Allows you to verify that the manager of a workflow theoretically has the right whose code is indicated in the “Right_Code” parameter linked to the account type whose code is indicated in the “Account_Type_Code” parameter.

    • POSSIBLEACTIONACTOR#: People who can act on an action

      • POSSIBLEACTIONACTOR#Action_code#attribute_code#: Allows you to retrieve the value of the attribute whose code is passed in the attribute_code parameter on the possible actors of the instance of an action or task whose code is equal to “action_code”. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules, etc.) or in a notification field (e.g., Recipients, subject, email body).

    • STARTER#: Person who starts a workflow

      • STARTER#ATTRIBUTE#attribute_code#: Allows you to retrieve the value of the attribute whose code is passed in the attribute_code parameter for the person who started the workflow. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules etc.) or in a notification field (e.g., Subject, email body).

      • STARTER#RIGHT#<AccountTypeCode.RightCode>#: Allows you to verify that the requester of a workflow has the right whose code is indicated in the “Right_Code” parameter linked to the account type whose code is indicated in the “Account_Type_Code” parameter.

      • STARTER#RIGHTHEO#<Account_Type_Code.Right_Code>#: Allows you to verify that the applicant for a workflow theoretically has the right whose code is indicated in the “Right_Code” parameter linked to the account type whose code is indicated in the “Account_Type_Code” parameter.

    • TARGET#: Object(s) that start a workflow instance

      • TARGET#ATTRIBUTE#attribute_code#: Allows you to retrieve the value of the attribute whose code is passed in the attribute_code parameter on the object that started the workflow. Can be used in a SQL evaluation field (e.g., Execution rules, validation rules etc.) or in a notification field (e.g., Subject, email body). This keyword can only work when the target is of type person or allocation.

      • TARGET#RIGHT#<AccountTypeCode.RightCode>#: Allows you to verify that the target(s) of a workflow has the right whose code is indicated in the “Right_Code” parameter linked to the account type whose code is indicated in the “Account_Type_Code” parameter. This keyword can only work when the target is of type person.

      • TARGET#RIGHTTHEO#<AccountTypeCode.RightCode>#: Allows you to verify that the target(s) of a workflow theoretically has the right whose code is indicated in the “Right_Code” parameter linked to the account type whose code is indicated in the “Account_Type_Code” parameter. This keyword can only work when the target is of type person.

      • TARGET#RESOURCE#DATA#: Allows you to retrieve all data (values of all attributes) from all resources linked to the targets of a workflow instance in the body of the email.

        • TARGET#RESOURCE#DATA@CodeAtt1,CodeAtt2,CodeAttN#: Allows you to retrieve the values of the attributes selected via the CodeAttN attribute code list from all resources linked to the targets of a workflow instance in the body of the email. The “name” and “code” attributes are displayed by default in the body of the email without needing to be added to the list.

        • TARGET#RESOURCE#DATA.CodeTypeResource1,CodeTypeResource2,CodeTypeResourceN#: Allows you to retrieve the values of all attributes of the resource types selected via the list of resource type codes CodeTypeResourceN linked to the targets of a workflow instance in the body of the email.

        • TARGET#RESOURCE#DATA.CodeTypeResource1,CodeTypeResourceN@CodeAtt1,CodeAtt2,CodeAttN#: Allows you to retrieve the following values in the body of the email:

          • Either the values of all attributes of the resource types selected via the list of resource type codes CodeTypeResourceN linked to the targets of a workflow instance, if no attribute code is specified
          • Or the values of the attributes selected via the list of attribute codes CodeAttN, for the resource types selected via the list of resource type codes CodeTypeResourceN linked to the targets of a workflow instance, if attribute codes CodeAttN are specified.

      • TARGET#ACCOUNT#: Keyword that can be used in event workflows related to the creation of a real account.

        • TARGET#ACCOUNT#LOGIN#: Allows you to retrieve the account login in the body of the email.

        • TARGET#ACCOUNT#PASSWORD#: Allows you to retrieve the account password (in plain text) in the body of the email.

        • TARGET#ACCOUNT#STATUS#: Allows you to retrieve the provisioning status of the account in the body of the email.

        • TARGET#ACCOUNT#DATA#: Allows you to retrieve the login, password, and status in the body of the email.

    • PRIMARYTARGET# and #SECONDARYTARGET#: keywords that can only be used in “On event” type workflows

      • PRIMARYTARGET#ATTRIBUTE#secondary_parameter# or #SECONDARYTARGET#ATTRIBUTE#secondary_parameter#: Allows you to retrieve, on the primary or secondary target of a workflow instance, the value of the object property passed in the secondary_parameter parameter. This keyword can only work when the target is of one of the following types:

        • Identity: in this case, the secondary parameter will be an attribute code.
        • Right: in this case, the secondary parameter can take the following values:
          • Name: name of the right
          • Description: description of the right
          • Code: code of the right
          • Applicationname: Name of the application related to the right
          • Applicationdescription: description of the application related to the right
          • Applicationcode: code of the application related to the right
          • ismanualprovisioning: Boolean indicating whether the right is part of a manual provisioning repository.
      • PRIMARYTARGET#TYPE#secondary_parameter# or #SECONDARYTARGET#TYPE#secondary_parameter#: Allows you to retrieve information about the type of object corresponding to the primary or secondary target of a workflow instance. This keyword can only work when the target is of type person or allocation. secondary_parameter can take the following values:

        • NAME: name of the type of person or allocation
        • CODE: code for the type of person or allocation
        • DESCRIPTION: description of the type of person or allocation
      • PRIMARYTARGET#ACCOUNT#secondary_parameter# or #SECONDARYTARGET#ACCOUNT#secondary_parameter#: Allows you to retrieve information about the account corresponding to the primary or secondary target of a workflow instance. This keyword can only work when the target is of type account. secondary_parameter can take the following values:

        • STATUS: status of the real account created
        • LOGIN: Login of the real account created
        • PASSWORD: Password for the real account created
        • DATA: table listing the login and password for the real account created

These two families of keywords can be used together in the same “SQL Evaluation” parameter, which checks the condition based on input parameters and returns the types “TRUE/FALSE” or “List returned by an SQL evaluation”.

Special features:

  • For all keywords for which it is possible to pass an attribute code in the parameters in order to retrieve its value, for attributes of type enumeration, person, structure, or resource, it is possible to use a format extension “.object_attribute_code” in order to retrieve an attribute value of the object instead of the ID. For attributes of type structure, person, or allocation, you must enter the code of the desired object attribute, and for enumerations, object_attribute_code can take the following values:
    • NAME: retrieves the name of the enumeration
    • CODE: retrieves the code of the enumeration
  • When keywords are not sufficient to inject information into an email body, the following syntax can be used to call a SELECT SQL query:
    • [@@@: <SQL Query>:@@@] : The SQL query must be written without the “SELECT” clause. It returns a character string.
  • To enter target information (persons involved in the workflow), it is preferable to use the keyword §PERSON§ rather than #TARGET#.
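
An added example (not part of the product or its documentation): a Python audit that scans a notification template for three items from this reference that deserve review before a workflow goes live, namely the ACCOUNT keywords that return a plain-text password, [@@@: ... :@@@] SQL blocks, and validation links written with http://. It assumes keywords are embedded as {#CLASS#...#}, as in the validation link format shown above; the host name, codes and query in the sample are constructed.

```python
import re

# "#"-family keyword classes listed in the reference above.
HASH_CLASSES = ("WORKFLOW|STEP|ACTION|TASKFORM|TASK|FORM|MANAGER|POSSIBLEACTIONACTOR|"
                "STARTER|PRIMARYTARGET|SECONDARYTARGET|TARGET")
# CLASS#main#secondary#, optionally written {#CLASS#...#} as in the validation link.
HASH_RE = re.compile(r"(?<![A-Za-z0-9_])#?(" + HASH_CLASSES + r")((?:#[^#\s{}]+)+)#")
# [@@@: <SQL Query>:@@@] blocks that run a query from the email body.
SQL_RE = re.compile(r"\[@@@:(.*?):@@@\]", re.S)
# Automatic validation links: .../UserRequestWorkflow.aspx?...accept=0|1
LINK_RE = re.compile(r"(https?)://\S*UserRequestWorkflow\.aspx\?\S*accept=([01])", re.I)

# ACCOUNT parameters documented as returning the password (alone or in a table).
ACCOUNT_CLASSES = {"TARGET", "PRIMARYTARGET", "SECONDARYTARGET"}
SECRET_PARAMS = {"PASSWORD", "DATA"}


def keywords(text):
    """Return (class, params) for every '#'-family keyword found in text."""
    return [(m.group(1), tuple(m.group(2).strip("#").split("#")))
            for m in HASH_RE.finditer(text)]


def audit(template):
    """Return (rule, detail) findings for one notification template."""
    findings = []
    for cls, params in keywords(template):
        # e.g. TARGET#ACCOUNT#PASSWORD# puts the account password in the mail body.
        if (cls in ACCOUNT_CLASSES and len(params) >= 2
                and params[0].upper() == "ACCOUNT"
                and params[1].upper() in SECRET_PARAMS):
            findings.append(("password-in-email", f"{cls}#{'#'.join(params)}#"))
    for m in SQL_RE.finditer(template):
        # Free-form SQL in a template: report the query text for manual review.
        findings.append(("sql-block", m.group(1).strip()))
    for m in LINK_RE.finditer(template):
        # One-click accept/reject link sent without TLS.
        if m.group(1).lower() == "http":
            findings.append(("validation-link-over-http", f"accept={m.group(2)}"))
    return findings


# Constructed sample template; host, codes, table and column names are made up.
SAMPLE = """Hello {#TARGET#ATTRIBUTE#firstname#},
Login: {#TARGET#ACCOUNT#LOGIN#}  Password: {#TARGET#ACCOUNT#PASSWORD#}
Cost center: [@@@: name FROM cost_center WHERE code = 'CC01' :@@@]
Approve: http://idm.example.test/UserRequestWorkflow.aspx?MyActionId={#ACTION#VALID_MGR#ID#}&accept=1
"""

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule:28} {detail}")
```

Each finding is a prompt for review of the template, not a verdict: whether a password mail or a raw SQL block is acceptable depends on the deployment.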