
Oracle BPM 11g (11.1.1.4.0) Exposing Identity Service XPath Functions

When working with Oracle BPM 11g you may find that there is an overwhelming amount of functionality available.  Learning every trick and every secret is a constant effort that never ends, since new patches, patch sets, and product releases keep coming down the pipe.  In any case, I have a nice little trick for exposing the existing Identity Service XPath functions within the BPM Expression Builder editor in JDeveloper 11g 11.1.1.4.0 (PS3).  The Identity Service XPath functions are not exposed by default in this version of JDeveloper.  I believe that in JDeveloper 11.1.1.5.0 (PS4) the functions are available without having to do anything, but I will let you confirm whether or not they are actually there.

The Identity Service XPath functions allow you to access LDAP information (the internal WebLogic LDAP or a 3rd-party LDAP configured as an authentication provider for your WebLogic domain) such as existing groups/roles, the users assigned to groups/roles, user profile properties, etc.  See the following documentation to understand all of the documented functionality that the Identity Service provides: 

http://download.oracle.com/docs/cd/E12839_01/integration.1111/e10224/bp_workflow.htm#BABGJDEE

In the upcoming example I will explain the following:

  1. How to update the existing BPM XPath function configuration for JDeveloper
  2. The new list of functions
  3. How to get an email address using a new Identity Service XPath function

Example:

  1. Download the new BPM XPath function configuration file:
    http://www.avioconsulting.com/sites/default/files/bpm-xpath-functions-config.xml_.txt
    The file is plain XML, so open it and review its contents before dropping it into your JDeveloper installation.
  2. Copy the downloaded file to the following location of your JDeveloper installation: <jdevhome>\jdeveloper\integration\seed\soa\configuration  
  3. Close JDeveloper if you have it open
  4. Rename the existing configuration file from "bpm-xpath-functions-config.xml" to another name, or cut and paste the existing file to a different directory.  DO NOT delete the file.  In case something goes wrong and you need the original file, keep it available so you can undo the change.
  5. Rename the new configuration file from "bpm-xpath-functions-config.xml_.txt" to "bpm-xpath-functions-config.xml"
  6. Start JDeveloper
  7. Create a BPM process model or open an existing application that contains a BPM process model.  This example references an existing BPM application that I have created.
  8. The new Identity Service XPath functions are now available in the data associations of any BPM activity.  For this example, I am opening an Interactive Activity (a green activity) to use one of the new functions.

    [Screenshot: Function Options in the Expression Builder, showing the new Identity Service Functions]

  9. I am going to take the user id of the user who executed this activity (or, more correctly, the human task associated with the BPM instance of this activity) and pass that user id to one of the newly exposed Identity Service XPath functions to get the email address of the user.

    [Screenshot: Get Email Address Of User]

  10. You may wonder how I have access to the user id of the user who executed the activity.  A small amount of information is available in the "execData" field that is returned on execution of any BPM Interactive Activity.  The following path expression: 

"bpmn:getDataOutput('execData')/ns:systemAttributes/ns:updatedBy/ns:id" 

   used as the first argument of the XPath function:

"id1:getUserProperty(bpmn:getDataOutput('execData')/ns:systemAttributes/ns:updatedBy/ns:id, 'mail')"

   returns the email address of the user.  The "ns" and "id1" prefixes are whatever the Expression Builder declared for the task schema and the Identity Service functions in your project, so check the namespace declarations if the expression does not resolve.
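The following is an added example, not code from the original post or from Oracle: it evaluates the same systemAttributes/updatedBy/id path with a namespace-aware XML parser over a constructed execData snippet, then resolves the id through a stand-in for getUserProperty that only knows a fixed attribute set. The task namespace URI, the attribute list, the user record and the unsupported "department" property are all assumptions chosen to show two behaviours: the path returns nothing when the "ns" prefix is bound to the wrong namespace, and a property outside the documented list returns nothing (the situation raised in the comments below).

```python
"""Added example (not from the original post or Oracle's code).

Evaluates the post's execData path with Python's namespace-aware parser and
resolves the resulting user id through a stand-in identity lookup.
Assumptions: the task namespace URI, the SUPPORTED attribute set and the
user record below are illustrative only.
"""
from typing import Optional
import xml.etree.ElementTree as ET

# Assumed namespace for the execData/task document (not stated on the page).
TASK_NS = "http://xmlns.oracle.com/bpel/workflow/task"

# Constructed sample of the execData slice the post reads from.
EXEC_DATA = f"""<task xmlns="{TASK_NS}">
  <title>Approve Loan</title>
  <systemAttributes>
    <state>COMPLETED</state>
    <updatedBy>
      <id>jcooper</id>
      <displayName>James Cooper</displayName>
      <type>user</type>
    </updatedBy>
  </systemAttributes>
</task>"""

# The post's path without the bpmn:getDataOutput('execData') call, which the
# engine performs for you; "ns" must be bound to the task namespace.
UPDATED_BY_PATH = "ns:systemAttributes/ns:updatedBy/ns:id"

# Constructed identity store standing in for the embedded LDAP. Only the
# attributes in SUPPORTED are reachable through get_user_property; "department"
# plays the role of an extended property that the function does not return.
USERS = {
    "jcooper": {
        "mail": "jcooper@example.com",
        "firstname": "James",
        "lastname": "Cooper",
        "department": "Loans",  # extended property (assumed, not documented)
    },
}
SUPPORTED = {"mail", "firstname", "lastname"}  # assumed attribute list


def updated_by_id(exec_data_xml: str, ns_uri: str = TASK_NS) -> Optional[str]:
    """Return systemAttributes/updatedBy/id, or None if the path does not resolve.

    A wrong ns_uri silently yields None rather than raising, which is the same
    failure mode you get from a mis-declared prefix in the Expression Builder.
    """
    root = ET.fromstring(exec_data_xml)
    node = root.find(UPDATED_BY_PATH, namespaces={"ns": ns_uri})
    return node.text if node is not None else None


def get_user_property(user_id: str, prop: str) -> Optional[str]:
    """Stand-in for getUserProperty: only documented attributes are returned."""
    if prop not in SUPPORTED:
        return None
    return USERS.get(user_id, {}).get(prop)


def email_of_updater(exec_data_xml: str, ns_uri: str = TASK_NS) -> Optional[str]:
    """Chain the two steps exactly as the post's XPath expression does."""
    user_id = updated_by_id(exec_data_xml, ns_uri)
    if user_id is None:
        return None
    return get_user_property(user_id, "mail")


if __name__ == "__main__":
    print("updatedBy id:", updated_by_id(EXEC_DATA))
    print("mail:", email_of_updater(EXEC_DATA))
    print("wrong namespace:", email_of_updater(EXEC_DATA, "urn:not-the-task-ns"))
    print("extended property:", get_user_property("jcooper", "department"))
```

The empty result on a wrong namespace is worth remembering: the engine does not complain about an unresolvable path either, so an association that quietly maps nothing into the target field is usually a prefix problem rather than a missing user.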


Now that you have the steps for exposing and using the Identity Service XPath functions, you can save yourself the trouble of adding external service references, LDAP APIs, etc. to your SOA composites just to get the identity information that you need.

Comments

Submitted by VikramInside (not verified) on

Thanks for revealing the secret. Is there a way to add, delete or modify integrated/external LDAP data via Oracle 11g BPM identity services? I wish to change those via BPM to automate LDAP functionality. Just something similar to an LDAP editor in BPM.

I cannot see the functions even if the user is a privileged weblogic administrator/soa role.

If not, the only way I can think of is implementing it using an AD/LDAP WSDL.

Regards,

VikramInside

Submitted by VikramInside (not verified) on

This works as documented in this page. I am able to retrieve the mail id of the participant who is executing the process, and the output was successfully written to an XML and the same is being confirmed.

<?xml version="1.0" encoding="UTF-8" ?><LoanDetails xmlns="http://xmlns.oracle.com/bpm/bpmobject/Loan/LoanDetails">
   <name>vikaminside@xyz.com</name>
   <address>jazn.com</address>
   <salary>99999</salary>
   <maritalStatus>m</maritalStatus>
   <reason>48.2</reason>
</LoanDetails>

I used weblogic security realms to modify the email; is there any other way?

What are the extended user properties that are available in BPM workspace administrator? Will they override the security realms of weblogic?

Why is the default realm name "jazn.com" returned in BPM XPath while it is "myrealm" in the weblogic console?

Regards,

VikramInside


Submitted by SHOAIB R KHAN (not verified) on

Hi,

Excellent article on accessing user information in human task with graphical representation.

Though I am not able to figure out how to get Extended User Properties using the ids:getUserProperty() function.

I'm trying something like this:
"ids:getUserProperty(bpmn:getDataOutput('execData')/ns:systemAttributes/ns:updatedBy/ns:id, 'MyPropName')"

But it seems the function getUserProperty only supports extracting the user properties listed in this post.
Do you have any idea how to retrieve Extended User Properties using an XPath expression?

Regards,
Shoaib R Khan


Hi Shoaib,

The function only gets the values in the list displayed in the last image of the post.  I believe the jazn.com realm and the XPath function are limited to the information that is available in the embedded LDAP of SOA Suite (system-jazn-data.xml or OPSS if you have set it up). 

I do not believe the function is smart enough to cross over to the WebLogic security realm and authentication provider information for the external LDAP user info.  You would need to use a different mechanism to access such LDAP data for the user.  Wish I had a better answer for you. 

VikramInside,

Sorry for the delayed reply to your comments, I believe there may have been some site/blog issues at some point where our comments notification system wasn't working too well.

Anyhow, the realm jazn.com will point you towards the internal LDAP embedded with SOA Suite.  This is separate from the WebLogic Security Realm "myrealm".  The system-jazn-data.xml is where the XPath function will be fetching information from.  You are getting a glimpse under the covers of how SOA Suite works. 

SOA Suite leverages the embedded LDAP quite a bit and I'm not sure why it was designed in such a fashion.  Accessing the LDAP information from the "myrealm" may still be possible but I have yet to do it myself.  It may be possible to edit user information that is created strictly in WebLogic's Security Realm, but I do not think you will be able to edit any information in the realm fetched via an Authentication Provider from an external LDAP (Active Directory).  That information is basically off limits since WebLogic is not the system of record. 

So in short you would need to rethink your ideas of programmatically managing user and property information, as the info could be stored in 3 different sources: 

1) the embedded LDAP (system-jazn-data.xml),

2) strictly in the WebLogic Security Realm (created via WebLogic only), 

3) an external LDAP like Active Directory.


I hope this info helps give you some ideas :)


-Carlo
