APIM manage workflow with multiple roles
  1. Introduction

    When an API is configured for workflow, only one set of users (users with the admin role) can manage the tasks. But there are use cases where some tasks must be managed by different user types or roles. For example, multiple departments may manage APIs in a single tenant, and each workflow needs to be managed within its own department. In such cases, each workflow task should be visible only to the admin users of that logical department.

    By default, this cannot be achieved without customization. This document explains how to achieve subscription management in such a deployment. The following tasks are discussed:

    • Workflow executor
    • Customize the BPEL process
    • Customize HumanTask
  2. Prerequisites
    • WSO2 API Manager 3.0.0
    • WSO2 Enterprise Integrator 6.5.0
    • Configure API Manager for subscription workflow according to the official document
  3. Workflow executor

    The workflow executor needs to be customized to send additional information to the business process engine: role information is added to the web service call to the BPS. By default, the role required of users, which is used to limit access to and management of pending tasks, is set to “admin” at the BPS engine. If we include the admin role of the current department in the call, it can be used to limit workflow management at the BPS.

    The following code includes this information in the web service call. We add a “deptAdminRole” property to hold the admin role name. In this sample, the role name is hardcoded as “hr_admin_role”, assuming it is the admin role for the HR department. But this value can be derived as follows:

    • Using API name/User name pattern
    • Using user roles/permissions
    • Using properties defined on the API
  4. Workflow executor Implementation
    • Create a new Maven project and include the following dependency
      <dependency>
          <groupId>org.wso2.carbon.apimgt</groupId>
          <artifactId>org.wso2.carbon.apimgt.impl</artifactId>
          <version>6.5.349</version>
      </dependency>
      
    • Add a new Java class that extends “SubscriptionCreationWSWorkflowExecutor”
    • Override the method “execute” with the following content.
      @Override
      public WorkflowResponse execute(WorkflowDTO workflowDTO) throws WorkflowException {
          try {
              String action = WorkflowConstants.CREATE_SUBSCRIPTION_WS_ACTION;
              ServiceClient client = getClient(action);
              String payload = "<wor:SubscriptionApprovalWorkFlowProcessRequest " +
                      "         xmlns:wor=\"http://workflow.subscription.apimgt.carbon.wso2.org\">\n" +
                      "         <wor:apiName>$1</wor:apiName>\n" +
                      "         <wor:apiVersion>$2</wor:apiVersion>\n" +
                      "         <wor:apiContext>$3</wor:apiContext>\n" +
                      "         <wor:apiProvider>$4</wor:apiProvider>\n" +
                      "         <wor:subscriber>$5</wor:subscriber>\n" +
                      "         <wor:applicationName>$6</wor:applicationName>\n" +
                      "         <wor:tierName>$7</wor:tierName>\n" +
                      "         <wor:workflowExternalRef>$8</wor:workflowExternalRef>\n" +
                      "         <wor:callBackURL>$9</wor:callBackURL>\n" +
                      "         <wor:deptAdminRole>$deptAdminRole</wor:deptAdminRole>\n" +
                      "      </wor:SubscriptionApprovalWorkFlowProcessRequest>";
      
              SubscriptionWorkflowDTO subsWorkflowDTO = (SubscriptionWorkflowDTO) workflowDTO;
              String callBackURL = subsWorkflowDTO.getCallbackUrl();
      
              payload = payload.replace("$1", subsWorkflowDTO.getApiName());
              payload = payload.replace("$2", subsWorkflowDTO.getApiVersion());
              payload = payload.replace("$3", subsWorkflowDTO.getApiContext());
              payload = payload.replace("$4", subsWorkflowDTO.getApiProvider());
              payload = payload.replace("$5", subsWorkflowDTO.getSubscriber());
              payload = payload.replace("$6", subsWorkflowDTO.getApplicationName());
              payload = payload.replace("$7", subsWorkflowDTO.getTierName());
              payload = payload.replace("$8", subsWorkflowDTO.getExternalWorkflowReference());
              payload = payload.replace("$9", callBackURL != null ? callBackURL : "?");
              // Hardcoded for this sample; derive the department's admin role as described in section 3.
              payload = payload.replace("$deptAdminRole", "hr_admin_role");
      
              client.fireAndForget(AXIOMUtil.stringToOM(payload));
      
              ApiMgtDAO apiMgtDAO = ApiMgtDAO.getInstance();
              apiMgtDAO.addWorkflowEntry(workflowDTO);
              publishEvents(workflowDTO);
          } catch (AxisFault axisFault) {
              log.error("Error sending out message", axisFault);
              throw new WorkflowException("Error sending out message", axisFault);
          } catch (XMLStreamException e) {
              log.error("Error converting String to OMElement", e);
              throw new WorkflowException("Error converting String to OMElement", e);
          } catch (APIManagementException e) {
              throw new WorkflowException("Error while persisting workflow", e);
          }
          return new GeneralWorkflowResponse();
      }
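
    One way to derive the role from the API name pattern instead of hardcoding it, shown as an added example that is not part of the original sample code. It uses no WSO2 classes; the class, method and map names, the "hr-"/"fin-" prefixes and the "finance_admin_role" value are assumptions. Values are XML-escaped so that subscriber-supplied text such as the application name stays element text and cannot change the structure of the request.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added illustration: stand-alone, hypothetical names, no WSO2 dependencies.
public class DeptRolePayload {

    // Allow-list: API name prefix -> department admin role (sample entries).
    private static final Map<String, String> ROLE_BY_PREFIX = new LinkedHashMap<>();
    static {
        ROLE_BY_PREFIX.put("hr-", "hr_admin_role");
        ROLE_BY_PREFIX.put("fin-", "finance_admin_role");
    }
    // Default role used at the BPS engine, as stated in the article.
    private static final String DEFAULT_ROLE = "admin";

    // Resolve the role on the server side; unmatched names fall back to the default role.
    static String resolveRole(String apiName) {
        String name = apiName == null ? "" : apiName.toLowerCase(Locale.ROOT);
        for (Map.Entry<String, String> e : ROLE_BY_PREFIX.entrySet()) {
            if (name.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return DEFAULT_ROLE;
    }

    // Escape a value so that it is carried as element text only.
    static String xmlText(String v) {
        if (v == null) return "";
        return v.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Builds three of the request elements; the full request carries the other fields too.
    static String buildFragment(String apiName, String applicationName) {
        return "<wor:apiName>" + xmlText(apiName) + "</wor:apiName>\n"
             + "<wor:applicationName>" + xmlText(applicationName) + "</wor:applicationName>\n"
             + "<wor:deptAdminRole>" + xmlText(resolveRole(apiName)) + "</wor:deptAdminRole>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(buildFragment("hr-leave-api", "R&D <portal> app"));
        System.out.println(buildFragment("inventory-api", "DefaultApplication"));
    }
}
```

    Building the elements directly, rather than with successive replace calls, also means a value that happens to contain text such as "$5" is not rewritten by a later substitution.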
      
  5. Customize the BPEL process
      • The BPEL process data needs to be customized to include this new attribute name. For that, edit bpel/SubscriptionApprovalWorkFlowProcess_1.0.0/SubscriptionApprovalWorkFlowProcess.bpel, found in <APIM_HOME>/business-processes/subscription-creation/BPEL/SubscriptionApprovalWorkFlowProcess_1.0.0.zip, as follows.
    <bpel:literal>
        <tschema:SubscriptionApprovalData
                xmlns:tschema="http://workflow.subscription.apimgt.carbon.wso2.org"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <tschema:apiName>tschema:apiName</tschema:apiName>
            <tschema:apiVersion>tschema:apiVersion</tschema:apiVersion>
            <tschema:apiContext>tschema:apiContext</tschema:apiContext>
            <tschema:apiProvider>tschema:apiProvider</tschema:apiProvider>
            <tschema:subscriber>tschema:subscriber</tschema:subscriber>
            <tschema:applicationName>tschema:applicationName</tschema:applicationName>
            <tschema:tierName>tschema:tierName</tschema:tierName>
            <tschema:callBackURL>tschema:callBackURL</tschema:callBackURL>
            <tschema:workflowExternalRef>tschema:workflowExternalRef</tschema:workflowExternalRef>
            <tschema:deptAdminRole>tschema:deptAdminRole</tschema:deptAdminRole>
        </tschema:SubscriptionApprovalData>
    </bpel:literal>
    
    • The archive contains multiple WSDL files that expose the process as a web service, so the new attribute needs to be declared in them as well.
  6. Customize HumanTask
      • The Human Task configuration needs to be updated to define the allowed users for this workflow. For that, edit SubscriptionsApprovalTask-1.0.0/SubscriptionsApprovalTask.ht in <AM_HOME>/business-processes/subscription-creation/HumanTask/SubscriptionsApprovalTask-1.0.0.zip as follows.
    <htd:peopleAssignments>
        <htd:potentialOwners>
            <htd:from logicalPeopleGroup="admin">
                <htd:argument name="role">
                    htd:getInput("SubscriptionApprovalRequest")/test10:deptAdminRole
                </htd:argument>
            </htd:from>
        </htd:potentialOwners>
    
    </htd:peopleAssignments>
    
    • Here too, there is a WSDL declaration that exposes the web service call, so it needs to be updated as well.
  7. Installation
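    • Build the project, copy com.rukspot.sample.apimgt.workflow.rolebase-1.0-SNAPSHOT.jar to the <AM_HOME>/repository/components/lib directory, and restart the servers
    • Log in to the API Manager management console and define the subscription workflow executor as follows in /_system/governance/apimgt/applicationdata/workflow-extensions.xml. The username and password properties are the credentials used to call the service endpoint; the sample uses the default admin/admin, so set them to the account used on your EI server.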
      <SubscriptionCreation executor="com.rukspot.sample.apimgt.workflow.rolebase.RoleBasedSubscriptionCreationWSWorkflowExecutor">
           <Property name="serviceEndpoint">http://localhost:9765/services/SubscriptionApprovalWorkFlowProcess/</Property>
           <Property name="username">admin</Property>
           <Property name="password">admin</Property>
           <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
      </SubscriptionCreation>
      
    • Log in to the EI management console and upload the BPEL process in RoleBasedSubscriptionApprovalWorkFlowProcess_1.0.0.zip
    • Upload the human task in RoleBasedSubscriptionsApprovalTask-1.0.0.zip the same way
  8. Testing
      • Log in to the APIM Publisher and publish an API
      • Log in to the APIM Dev portal and try to subscribe an application to the API
      • Log in to the APIM admin portal as the “admin” user and check the pending subscription tasks
      • Log in to the APIM admin portal as a user with the “hr_admin_role” role and check the pending subscription tasks.
  9. Code Sample

    The sample code is available on GitHub.
