Update Resources Activity
The Update Resources activity is the "bread and butter" activity of WAL. It is used to update MIM / FIM resources as well as read MIM / FIM resources to populate WorkflowData dictionary. This activity completely eliminates the need for the out-of-box Function Evaluator activity. The activity can update a collection of resources in a single expression.
The activity intelligently aggregates multiple updates into a single request per resource. It also issues update request(s) for a resource / attribute only when the resource / attribute is actually modified. If the target of any update is a collection of resources, all will get updated.
Optional. Name of the activity to be displayed on the MIM / FIM workflow designer.
Optional. If this setting is selected, the activity can be configured to query resources which can be used in the update definitions as source value expressions or targets as well as in the activity execution condition and iteration. See Query Resources wiki for more information.
Required when "Query Resources" setting is selected. Specify one or more XPath queries which should be run by the activity. e.g.
| Key | XPath Filter |
|---|---|
| Terminations | /Person[EmployeeStatus = 'T'] |
Optional. The condition which must be satisfied for execution of this activity's core task (i.e. make updates to the specified targets). This can be any WAL function expression resolving to a boolean value. See Activity Execution Condition wiki for more information.
Optional. This is a lookup or function expression returning a collection of values to iterate over. e.g. [//Delta/MembersToAdd/Added]. The instance value can be referenced in update definitions using lookup with the [//Value/..] grammar. e.g. [//Value/Manager]. See Iteration wiki for more information.
Required. The user under whose context all the child requests (updates) are submitted. Service Account (FIMService) is the default actor. See Request Actor wiki for more information.
Optional. When this setting is selected, the child update requests will be subjected to any authorization MPRs configured. See Apply Authorization Policy wiki for more information.
Required. Specify the updates to be performed by the activity. Lookups are used in the value expressions and are also used to represent target resources and attributes. Variables may also be specified as a target and then used in the value expression for subsequent update definitions. The "Allow Null" option enforces the deletion of target values when the source value expression resolves to a null value.
The Update Resources activity intelligently groups requests into the fewest possible number of new update requests. For instance, instructing Update Resources activity to update four attributes on the same target object will create a single update request in contrast to the four separate requests the four Function Evaluator activities would generate. This intelligent request optimization saves processing and execution time by grouping multiple updates against the same object within a single request. If there are multiple attributes on multiple objects being updated as part of a single Update Resources activity, the WAL will create a single request per resource as expected. Due to this optimization, the updates to a target attribute are not immediately available in subsequent update definitions. For example, consider the following update definitions:
| Updates | ||
| Value Expression | Target | Allow Null |
| "jsmith" | [//Target/AccountName] | |
| [//Target/AccountName] | [//Target/MailNickname] | |
Also consider that before the activity executes the AccountName and MailNickname were both "johnsmith". In this case, since all the updates happen are effected at the end as a single update request per resource, the MailNickname attribute of the target will not be updated with the new AccountName of "jsmith", but with the old value of the AccountName attribute. Now here another optimization feature of the Update Resources activity comes into play. Since the old value of MailNickname is the same as new value proposed, this update definition will not be part of the issued request.
An elegant solution to solve this issue is using Variables, as depicted in the revised update definitions below:
| Updates | ||
| Value Expression | Target | Allow Null |
| "jsmith" | $NewAccountName | |
| $NewAccountName | [//Target/AccountName] | |
| $NewAccountName | [//Target/MailNickname] | |
To delete an existing target value, "Allow Null" check box must be checked.
When the Target of an update definition is a collection of objects, e.g. a [//Target/xDirectReports] lookup, all objects will be updated with the result of the source value expression specified in that definition.
If you have an action workflow that is triggered on the deletion of a resource, care must be taken not to access any attributes of the deleted resource. For a detailed implementation guidance please check MIMWAL Issue #102.
Do not use this activity simply to do the job that could be done with coding classic management agent rules extensions. Running workflows to do attribute transformations is orders of magnitude slower than executing rules extensions code.
If you think you could avoid developing your own custom activity if a feature were added to WAL, please submit your feature suggestion using New Issue button.
When developing your own additional custom activity when you must, simplify the development by focusing on the business task at hand and let the Update Resources activity do all the FIM plumbing such as the grammar resolutions and resource lookups, prepare the input data for your activity and make any MIM / FIM resource updates for you. Use WorkflowData dictionary as a mechanism to get data into and out of your activity. See Custom Activity Development Wiki for more information.
The following Update Resources activity strips a permanent leaver [//Target] of membership of all static groups:
| Activity Display Name | Remove Permanent Leaver from All Static Groups | |
| Queries | ||
| Key | XPath Filter | |
| Groups | /Group[MembershipLocked = False and ExplicitMember = '[//Target]'] | |
| Updates | ||
| Value Expression | Target | Allow Null |
| RemoveValues([//Target]) | [//Queries/Groups/ExplicitMember] | |
The following Update Resources activity submits an automated request to extend end-date for contractors by 6 months (which then triggers an authorization policy for seeking approval from manager):
| Activity Display Name | Extend Contractor End-date | |
| Request Actor | Search by Account Name | |
| Actor Account Name | fim.automation.agent | |
| Apply Authorization Policy | True | |
| Value Expression | Target | Allow Null |
| DateTimeAdd(DateTimeNow(), "180.00:00:00.0") | [//Target/EmployeeEndDate] | |