
Set up process in Identity Manager

This article includes updates for Smart ID 23.10.10 and Identity Manager 5.0.1.

This article describes how to create or edit processes in Identity Manager Admin using the BPMN editor.

Prerequisites

Before setting up a process, make sure that the following things apply:

Add process

  1. In Identity Manager Admin, go to Home > Processes.

  2. To add a new process:

    1. Click +New.

    2. Enter a Name, for example Create Employee, and a Description.

    3. Click Save+Edit.
      The Process Design panel is shown.

  3. To edit an existing process, double-click on its name.

  4. Optionally, enter a Help text.

Add, remove, or edit process tasks

Add, remove, or edit process tasks as needed.

  1. Navigate to the Task List tab.

  2. By default, a startElement is automatically generated. You can configure a form as an attribute for it (not mandatory).

  3. In the BPMN Editor tab, tasks, events, gateways, and more can be incorporated using the drag-and-drop functionality from the panel located on the left side. Alternatively, you can click on existing elements to add new ones. Upon selection, a smaller action panel appears, providing specific actions tailored to the selected elements, such as appending another task, adding a gateway, configuring task types, etc.
    In summary, tasks are added in the BPMN Editor tab, while they are configured in the Task List tab.

  4. When a task is selected, click on the wrench symbol and choose a task type. Refer to the available task types and attributes in the table below. To use standard service tasks, select "Service task" as the type.

  5. Once an element is selected, a panel on the right side will open where various attributes like Name, Description, and required attributes for the selected task type can be configured. For example, for a "Save Data" task, a data pool is needed to specify where to save the data. This can be added in the Task List tab.

  6. Previously, when a service task was added in the BPMN Editor tab and selected, clicking "Implementation" in the panel on the right side allowed for editing. A similar result can be achieved in the Task List tab by selecting a service task and clicking the pen symbol to edit.
    To use a standard service task:

    1. Select "Delegate Expression."

    2. Enter an expression with the name of the standard service task in the text field, for example ${createRelationJavaDelegate}.

    3. In the Task List tab, enter values for the given parameters.

    For information on the available standard service tasks and parameters, see Standard service tasks in Identity Manager.

  7. To let a step be done in parallel to the previous step, check Branching.

  8. Click Preview to see a graphic representation of the current process.

  9. Click Save.

Set permissions

Add permissions for users and roles for all operation types:

  1. Go to the Permissions tab.

  2. For each operation type, Delete, Update, Start process, and so on, click the operation name. Repeat steps 3-4 to add permissions for users and roles.

  3. To add permissions for a specific user, click Add user and select the user in the drop-down list.

  4. To add permissions for a role, click Add role and select the role in the drop-down list.

  5. Click Save.

Task types and attributes

Task name

Description

Attributes

Assign New Number

A number from a number range is assigned to a data pool field.

  • Number range

  • Data pool and field name

Card Operation

An action on a card (e.g. Set PIN/Change PIN) is executed. See also Structure of an encoding description in Identity Manager for more information.

  • Form

  • Card action

Change State

The state of an object is changed in the local Identity Manager database to a particular state, e.g. from "Active" to "Inactive".

  • Data pool

  • Target state

Change State in CA

The state of a certificate is changed in the CA to a particular state. The state is then also changed in the local database.

  • Target state

Check Task

This task checks the relationship between a data pool object and a particular identity object. The relationship must be a "one-to-one" relationship. If this is not the case, an activity error occurs.

  • Data pool

  • Identity template

Choose Mapping

Copy data from one data pool to another while applying a pre-configured mapping. See Set up mapping in Identity Manager for more information.

  • Mapping

Delete Data

This task deletes one core object from its data source. The core object is identified by the configured data pool and the variable <datapool>_Id within the process map.

Restrictions:

It is not possible to delete core objects that are based on an external data source, with the exception of SCIM-based core objects, which can be deleted.

  • Data pool

Export Task

Data is exported according to an export definition.

  • Export definition

HTTP Client

Send an HTTP request from a process and make the response available in the process map.

  • HTTP Client

Mail Task

An email is sent, for example, a confirmation of a receipt.

  • Email template

You can also enter an Expression ${...} that gets resolved from the DataMap.

Modify Roles Automatically

Roles are automatically assigned to or withdrawn from particular objects.

  • Data pool

  • Role (selected via drag and drop, or resolved via an expression that contains a comma-separated list of roles in the process map, for example Role1,Role2,...)

Modify Roles Manually

The user can assign or withdraw roles to or from particular objects manually.

  • Data pool

  • Role

Print Report

A document with the indicated template can be printed.

  • Form

  • Report template

Production

A card or token is produced. This task is for server-side production only.

If you configure multiple printers, see Set up printers in Identity Manager.

The process variable processVarCardSdkPrinterUrl can be filled with the symbolic name of a printer, which is used to find the connection to the CardSDK. If the variable is not in the process, the defaultPrinter is used.

  • Card template

  • For Nexus GO Cards (CaaS) production:
    Field Name: Field that holds the request id returned by Nexus GO Cards (CaaS).

  • For Nexus GO Cards (CaaS) production:
    Production ID: Field that holds the idempotency key used to avoid duplicate orders. This can be a previously generated GUID. When empty, the orderRequest is hashed and used instead.

Production with Preview

Before a card is produced a preview of the card is displayed on the user interface. There are two variations: one for client-side and one for server-side production. These differ by the following forms:

  • clientSideProductionPreviewTask.jsp

  • serverSideProductionPreviewTask.jsp

If you configure multiple printers, see Set up printers in Identity Manager.

The process variable processVarCardSdkPrinterUrl can be filled with the symbolic name of a printer, which is used to find the connection to the CardSDK. If the variable is not in the process, the defaultPrinter is used.

  • Form

  • Card template

Request Softtoken

A softtoken is requested from the CA and sent to the recipient by email.

  • Certificate type

  • Email template

Return Number

A number from a number range is released again.

  • Number range

  • Data pool and field name

Save Data

The process data are saved in the data pool indicated. If a suitable ID is found, an update is run, otherwise a new data record is created.

Restrictions:

It is not possible to update and create core objects that are based on an external data source.

  • Data pool

Script Task

This task contains a scripting engine for script languages such as JUEL, BeanShell, JavaScript and Groovy.

  • Script to be executed

Service Task

A Java class that is executed during the process runtime is added to the process.

A set of standard service tasks is available. For more information, see Standard service tasks in Identity Manager.

  • Java Class

  • For standard service task:
    Relevant parameters for the selected task

User Task

A user dialog (user task) is used in order to model the interaction of a user. It is a form in which entries have to be made.

  • Form

  • Buttons can be configured

Single user process

Single user process means that when a user starts a BPMN process, that user remains the owner of this BPMN instance as long as the user has the user role or authorization. You access the setting via the BPMN process editor of Identity Manager Admin. The ownership is not transferred to sub processes in all cases.

If the checkbox for single user process is activated (default):
The starting user remains the owner of this BPMN instance as long as the user has the roles or permission for the user task(s) in BPMN.

If the checkbox for single user process is not activated:
The open BPMN processes are displayed for all users with the corresponding permissions or roles. If restrictions are needed, the assignee must be set for each user task.

This setting is enabled for all existing process configurations during Identity Manager database update from a version without single-user process support.

If this behavior is not intended, you need to adjust the process configuration. Already running processes and open tasks remain unaffected.
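The following review script is an added example, not part of the Nexus documentation. It lists the tasks in a process definition that deserve a manual look: script tasks, service tasks whose delegate expression is not on an approved list, and user tasks without an assignee (which matter when single user process is not activated). It assumes the process is available as BPMN 2.0 XML and that the expression and assignee are stored in extension attributes named delegateExpression and assignee; the sample XML, its ext namespace, and myCustomDelegate are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample process. The "ext" namespace and the attribute names
# delegateExpression and assignee are assumptions, not taken from the product.
SAMPLE_BPMN = """<?xml version="1.0"?>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             xmlns:ext="http://example.invalid/bpmn-ext">
  <process id="createEmployee" name="Create Employee">
    <startEvent id="startElement"/>
    <userTask id="enterData" name="Enter data"/>
    <userTask id="approve" name="Approve" ext:assignee="${initiator}"/>
    <serviceTask id="relate" ext:delegateExpression="${createRelationJavaDelegate}"/>
    <serviceTask id="custom" ext:delegateExpression="${myCustomDelegate}"/>
    <scriptTask id="calc" scriptFormat="groovy"><script>x = 1</script></scriptTask>
  </process>
</definitions>"""


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def review_process(bpmn_xml, approved_delegates):
    """Return (task id, finding) pairs for tasks that need a manual review."""
    findings = []
    for elem in ET.fromstring(bpmn_xml).iter():
        attrs = {local(k): v for k, v in elem.attrib.items()}
        kind, task_id = local(elem.tag), attrs.get("id", "?")
        if kind == "scriptTask":
            # Script tasks run script code inside the process engine.
            findings.append((task_id, "script:" + attrs.get("scriptFormat", "unknown")))
        elif kind == "serviceTask":
            expr = attrs.get("delegateExpression", "").strip()
            wrapped = expr.startswith("${") and expr.endswith("}")
            bean = expr[2:-1] if wrapped else expr
            if bean not in approved_delegates:
                findings.append((task_id, "unapproved-delegate:" + (bean or "none")))
        elif kind == "userTask" and not attrs.get("assignee"):
            # Without single user process, such a task is shown to every user
            # holding the corresponding role or permission.
            findings.append((task_id, "no-assignee"))
    return findings


if __name__ == "__main__":
    for task_id, finding in review_process(SAMPLE_BPMN, {"createRelationJavaDelegate"}):
        print(task_id, finding)
```
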


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.