Schedulable Tasks
The scheduling service provides you with the opportunity to create scheduled tasks that automatically execute an action at the specified time in accordance with the specified conditions. With scheduled tasks you can perform such automatically triggered actions as sending e-mail, generating text files, and changing data card information. You can define the task type and when to run it with the Schedulable task editor.
As you open the Schedulable tasks view, the Edit Schedulable Tasks Table lists the tasks set up, if any. Scheduled tasks have a green icon. Tasks that have never been run, have a red icon.
The Schedulable tasks view lets you delete idle tasks by clicking the trashcan icon. To edit an existing task, click its name. You can also create new tasks by clicking the Add a new task button.
Creation of Schedulable Tasks
To access the Schedulable task editor, open the Schedulable tasks section of the administration user interface and click Schedulable Tasks. At the top left of the Edit schedulable tasks view, click Add a new task. Select the type of task. The Schedulable task editor opens in the working area.
All schedulable tasks need to have the following information specified:
- Description – Enter a description for the task, which is displayed in the Edit schedulable tasks view. You can specify the use of the task and differentiate tasks based on the same task type.
- User – Select the user whose permissions the task is running with.
Scheduling – Activate the task by setting the Scheduling on. If you leave the scheduling off, ESM saves the task but does not execute it. - Run – Define when the task is executed.
- Every day: Select every x minutes or hours the task is executed. Starting from lets you decide the starting time and also schedule different tasks to be run on different times so that they don’t overlap or at least mostly are run on a different time if you wish.
- Every week: Select which weekdays the task is executed on. The time (@hh:mm) lets you decide the starting time and also schedule different tasks to be run on different times so that they don’t overlap or at least mostly are run on a different time if you wish.
- Every month: Select the day of the month the task is executed on. The time (@hh:mm) lets you decide the starting time and also schedule different tasks to be run on different times so that they don’t overlap or at least mostly are run on a different time if you wish.
- Every quarter: Select which months of the quarter (1,2,3) and which day of that month the month the task is executed on. The time (@hh:mm) lets you decide the starting time and also schedule different tasks to be run on different times so that they don’t overlap or at least mostly are run on a different time if you wish.
- Task-specific properties is also required.
The task specific Task properties are shown in the working area below the scheduling. Each task has different set of task properties.
Define the task specific properties based on the selected task type. Required properties are shown immediately when the view is opened. Optional properties can be added using the add property button. In practice, each property consists of a name–value pair that refines or alters the task behavior. Some properties have a user interface, which helps you to select the value from a dropdown menu or by clicking a radio button.
The question mark icon opens help text for the property. Deleting a property is done by clicking the delete icon (x) on the right side of the property.
Manually added property names and values are case-sensitive and must be precise. The setting names, for instance, must be denoted exactly as indicated in the help text.
The task types are described below.
CSVImportTask (CSV connector)
CSV connector for importing data from external systems. CSV file can be fetched from a local disk or from an SFTP server. The file must be compliant with RFC 4180 standard. Supports SFTP with public key authentication and password authentication. The file to be imported must have .csv as the file name extension.
ChatIntegration Scheduled Task
Use this tasks in combination with Efecte Multi-Room Chat powered by Giosg Live platform. All chat conversation records can be fetched from the Giosg Live platform to Efecte Service Management for reporting and audit purposes. This scheduled task in Efecte Service Management takes care of requesting and storing the data. Select the time interval of fetching the information to be once per day, preferably during the early morning such as 04.00 to 06.00. Fetching the information from the previous business day will take some time to be imported and therefore running it more often will impact performance of the overall solution negatively.
Note:
The template chat_session must be present for this scheduled task to work.
DateCheckerTask
With the DateCheckerTask task, you can get scheduled e-mail reports or files concerning data cards whose date fields match the criteria set. To function as intended, the task needs the properties described in required properties below. Optional properties are described in the optional properties table.
Required DateCheckerTask properties:
Required DateCheckerTask properties | ||
Name |
Value |
Description |
checked.attribute.code |
[attribute_code] |
Attribute code of the attribute(s) whose value ESM checks for triggering of the task. The attribute data type has to be date or date and time. If you enter more than one code, separate the codes with commas. |
checked.template.code |
[template_code] |
The template code for the template(s) whose value ESM checks for triggering of the task. If you enter more than one code, separate the codes with commas. |
trigger.date |
[now+5d] |
A now-date macro for triggering the action. The macro’s syntax is as follows: now±<n>d, where
|
mail.subject |
[Subject text] |
A subject for the mail. |
mail.recipient |
[E-mail address] |
Recipient's e-mail address for ESM to use in the To field of the message. If you enter more than one address, separate the addresses with commas. |
mail.from |
[E-mail address] |
Sender's e-mail address for ESM to use in the From field of the message. |
mail.header |
[Dear Mr.] |
Header for the message body. |
mail.footer |
[Regards, ] |
Footer for the message body. |
mail.report |
[$entity_name$ on the $template$ has been changed.] |
A report message in which you can use the following attribute placeholders:
In the report, placeholders are be replaced with the actual attribute values: “Data card $entity_name$ from the $template$ has been changed. The new $attribute_name$ value is $value$” “Data card Volkswagen Passat 1.6 Firstline on the template Car has been changed. The new Owner is JOHN SMITH.” |
Optional DateCheckerTask properties:
Optional DateCheckerTask properties | ||
Name |
Value |
Description |
report.method |
file or mail or onlyStore |
A method for delivering a report. The default method is mail. If set to onlyStore, the found data cards will be stored to trigger listeners and attribute handlers attached to the template. |
trigger.date.strict |
[true / false] |
If set to true, only cards from the triggering date are found. Otherwise also cards with a trigger.date value dating before the triggering date are found. |
included.datacards |
[all / visible / hidden] |
Defines which data cards are included, with regard to their hidden status. The default value is "visible". |
file.path |
[c:\temp] |
If you use the file method, ESM requires a path for the directory on the data disk in which to save the file. “uploads” is the default folder. If the directory referred to does not exist, the operation fails and the log shows an error. |
file.name |
[report.txt] |
If you use the file method, ESM requires a name for a file. ”report.txt” is the default name. |
EventTask
To manage the execution of data card events, such as Mail and Save events, you can enable or disable event execution through this task's configuration settings. The EventTask requires a user (whose permissions are used for running the task) and scheduling rules.
Starting with ESM 2023.3, if there are errors in searching for the event target (which determines which events the EventTask will execute), usually due to configuration issues, these errors will not hinder the task from locating and executing events that are correctly configured. In such scenarios, the event will be marked as "partially succeeded" and a notification will be displayed in the EventTask user interface:
For executing the message queue’s message sending. If there are any messages in the queue, this task triggers sending of the messages. More information in the message queue section.
MessageQueueTask
For executing the message queue’s message sending. If there are any messages in the queue, this task triggers sending of the messages. More information in the message queue section.
LicenseMonitoringTask
A software asset management task for tracking free and used software licenses of a company.
It sends an e-mail report of software license violations, i.e., installed software without license and software with more installations than license permits. Required properties are described in the table below.
Required LicenseMonitoringTask properties | ||
Name |
Value |
Description |
no.licenses.header |
[Text] |
Header for software without licenses. |
too.many.installations.header |
[Text] |
Header for software installed more times than number of licenses. |
mail.subject |
[Subject text] |
Subject of the mail. |
mail.sender |
[E-mail address] |
Mail sender address. |
mail.receiver |
[E-mail address] |
Mail receiver address. |
Technical details
LicenseMonitoringTask generates a report of all the Monitored Software Installations that do not have a License Pool. A Monitored Software Installation data card does not have a License Pool, if the data card’s attribute LicenseManagementLicenseReference does not refer to a License Pool. The report also states which the computer that has this software installed is.
The generated report also informs which of the License Pools have too many installations. This is done by finding the License Pools that have more Monitored Software Installations referring to them than the value of attribute LicenseManagementLicenseAmount.
MailTask
MailTask is meant for creating data cards from e-mail messages. It reads email from an inbox, which has to be based on an email account (shared mailboxes are not supported), imports the email into ESM, attaches the email and attachments to a data card and then deletes the message from the mailbox.
The following tables describe the MailTask properties.
Required MailTask properties | ||
Name |
Value |
Description |
group.id |
[group ID] |
The ID of the folder where the data card that is generated from the mail is created. |
template.code |
[template_code] |
Template code of the template on which ESM is to base the data card generated from the mail. |
reply.message |
[Message text] |
The reply message ESM delivers to the sender. |
Optional MailTask properties | ||
|---|---|---|
Name |
Value |
Description |
template.code.fall.back |
[template_code] |
Template code of a fall-back template. ESM bases the data card on the fall-back template if it does not find the tracking number in the primary template. |
reply.disabled |
any |
If the property has any value, ESM will not send a reply to the original e-mail message automatically. |
reply.sender |
[e-mail address] |
The sender's address ESM uses in the From field of the reply message. If this is not set, the mail recipient’s address is used. |
attribute.code.body |
[attribute_code] |
Attribute code of the attribute that gets a value from the e‑mail message’s Body field. |
attribute.code.from |
[attribute_code] |
Attribute code of the attribute that gets a value from the e‑mail message’s From field. Value can be comma separated list for multivalues. |
attribute.code.subject |
[attribute_code] |
Attribute code of the attribute that gets a value from the e‑mail message’s Subject field. |
attribute.code.recipient |
[attribute_code] |
Attribute code of the attribute that gets a value from the e‑mail message’s both To and Cc fields. |
attribute.code.to |
[attribute_code] |
Attribute code of the attribute that gets a value from the e‑mail message’s To field. |
attribute.code.cc |
[attribute_code] |
Attribute code of the attribute that gets a value from the e‑mail message’s Cc field. |
attribute.code.timestamp |
[attribute_code] |
Attribute code of the attribute that gets a value corresponding to the e‑mail message’s reception time. |
group.map.attribute.code |
[attribute_code] |
Used for making a sender‑based decision on the folder where the data cards generated from the mail are created. Here you supply the code of the attribute in the template that describes the mail sender – e.g., the Client template. You also have to have a reference field as the attribute.code.from value. The folders among which the selection is done must have mapToGroupAttributeValue metadata defined and a value matching the attribute field values. |
attribute.code.mail.tracking |
[attribute_code] |
Attribute code of the attribute whose value serves as an ID for e‑mail tracking. |
attribute.code.message.as.link |
[attribute_code] |
Code for the attribute to which the mail messages are linked. This attribute requires the EntityStateMail handler for handling the messages and external reference data type. |
attribute.code.attachment.as.link |
[attribute_code] |
Code for the attribute to which any possible mail attachments are linked. The attribute data type needs to be external reference. |
mail.store.host |
[server_IP or network_name] |
Hostname of the mail server from which the mail is read. Overrides the value in framework.properties. |
mail.store.port |
[port_number] |
Port of the mail server. Overrides the value in framework.properties. |
mail.store.user |
[user_name] |
User used to authenticate the mail server connection. Overrides the value in framework.properties. |
mail.store.password |
[password] |
Password used to authenticate the mail server connection. Overrides the value in framework.properties. |
mail.transport.host |
[hostname] |
Hostname of the mail relay server. Overrides the value in framework.properties. |
mail.transport.port |
[port_number] |
Port number of the mail relay server. Overrides the value in framework.properties. |
mail.transport.user |
[user_name] |
User used to authenticate the mail relay server connection. Overrides the value in framework.properties. |
mail.transport.password |
[password] |
Password used to authenticate the mail relay server connection. Overrides the value in framework.properties. |
mail.folder.name |
[folder_name] |
Name of the mailbox folder from which the mail is read. Overrides the value in framework.properties. |
any attribute code |
[attribute_code] |
Any fixed attribute field value can be given here, and it is then placed in the data card that is generated from the mail. |
update:attribute code:current value |
New value |
By configuring a property whose name is like "update:YYY:ZZZ" and YYY matches with attribute code and ZZZ matches with attribute's current value, attribute's value will be replaced by property value. For example property key may be "update:status:On hold" and value may be "In progress". This means that when a new mail is attached to a datacard whose current status is "On hold" it will be updated to "In progress" If property key ends with $EMPTY$ the value will be set if current value is blank. If property key ends with $ALWAYS$ the value will updated always. Only the following datatypes are supported: string, static string and text. The value is set before handlers or listeners are triggered. |
autoUpdateMapping:tag |
[attribute_code] |
By configuring this property values from specially formatted email can be set as attribute value. For example "autoUpdateMapping:issue" with value "description": Attribute with code 'description' in ESM will be updated using value from email. The email is searched for tag '[issue]:'. Everything following the tag on the same line is considered as value. If mail contains multiple lines for the same tag (eg. [issue]:), only the latest value is applied. Existing value in data card is replaced always. N.B The exact format of tag depends on configuration. N.B. Supported data types are: String, Text, Date, Date and time, Reference, Backreference, External reference, Number and Decimal number. This setting can have multiple configurations for different tags. |
static.autoUpdateMapping:tag.value |
[attribute_code].[static value] |
This setting can be used when several different values of an external system needs to be mapped to a single static value in ESM. For example "static.autoUpdateMapping:newStatus.:new,untouched" with value "status.New": Static attribute with code 'status' in ESM will be updated to value 'New' if value of tag in email is 'new' or 'untouched'.The email is searched for tag '[newStatus]:'.
N.B. The exact format of tag depends on configuration.
With hierarchic static values use convention ‘parent value/Child value’ |
autoUpdateStartTag |
tag start string |
Format for start tag used to mark special values in email.
For example '$NAME$'. String 'NAME' is used as a place holder for tag names. Default value is '[NAME]:'.
If setting autoUpdateEndTag is not defined everything following start tag on the same line is considered as value.
This setting is single value.
NOTE! Tags are searched only from the body of the email. Email subject is not included. |
autoUpdateEndTag |
tag start string |
Format for end tag used to mark special values in email.
For example '$/NAME$'. String 'NAME' is used as a place holder for tag names. No default value. If this setting is defined everything between start tag and corresponding end tag will be considered as value.
This setting is single value. NOTE! Tags are searched only from the body of the email. Email subject is not included. |
AutoUpdateMapping Examples
This section contains a few configuration examples for autoUpdate settings.
Example 1: In this example there’s first the configuration, then the imported mail, and at the bottom there’s a screenshot image of the created data card:
Example 2:
Example 3:
Example4:
Example 5:
ReportExportTask
ReportExportTask can be used to export a selected report into a file in a desired format. Detailed reports with table output are supported as well as graphical reports.
Note:
ReportExportTask supports now only reports in Efecte ITSM release 6 format. Views created and saved in the current Workspace UI are not supported yet.
The output file format for detailed reports with table output can be configured with an XSLT file. By default, CSV and HTML exports are built-in, but several other file formats are possible as well. Other modes (minimal, referrers, full) for detailed reports are not supported.
Graphical reports produce a file containing a PNG-image.
Note:
With on-premises installations ensure that user account running the Tomcat process has write-permissions to folder defined in target.file.name.
Required ReportExportTask properties | ||
Name |
Value |
Description |
report.id |
[report ID] |
The id of the report that is transformed and exported by this task. (The id is the bookmarkID parameter in a link URL.) For multiple reports you must configure multiple tasks. |
target.file.dir |
[text] |
Path to the target directory for the transformed file. With on-premises installations ensure that user account running the Tomcat process has write-permissions to folder defined in target.file.name. |
target.file.name |
[text] |
Name of the target file. May contain a $now$ date macro which will be replaced with the current date. The format of the date is yyyy-mm-dd. If a file with the same name already exists in the target location, it is overwritten. |
Optional ReportExportTask properties | ||
Name |
Value |
Description |
target.file.encoding |
[text] |
The encoding of the target file. Default value is UTF-8. |
transform.file |
[text, filename] |
The XSLT file that is used to transform the report result xml to the final format. To export file in CSV format, simply enter CSV in this field. To export file in HTML table format, enter HTML in this field To export file in some other format as configured in an XSLT file, enter a path to the XSLT file. If left empty, the result xml is exported as is. |
xslt.[parameter] |
[xslt parameter value] |
All parameters that are prefixed with xslt. are passed to the XSLT transformation with the prefix stripped off (e.g., an xslt.some.parameter will be passed to the XSLT by name some.parameter). For further information, please see the Technical details section below. |
css.file |
[text, file name] |
The CSS file that is appended to text reports. Supported built-in value is DEFAULT. If left blank, no file will be added. Value is reasonable when using transform.file = HTML. |
header.include |
[true/false/name] |
If set to 'true', a header row will be included in the result xml. Header row includes the codes of the attributes which were selected in the report. If set to ‘name’, headers are attribute names. Default value is 'false'. |
date.convert |
[true, false] |
If set to true, all date attributes will be converted according to PlatformSettings date.output.pattern and datetime.output.pattern. If set to false, value will be as Java Virtual Machine returns them. Default is false. |
image.width |
[number] |
If configured report produces a graphical report, this defines width of the image in pixels. Default is 640, max is 1920. |
image.height |
[number] |
If configured report produces a graphical report, this defines width of the image in pixels. Default is 640, max is 1080. |
Technical Details:
XSLT transform can be used to export ESM result xml into any text based file format – for example, CSV, different xml, or html. XSLT transform supports XSLT 1.0 and XPath 1.0.
Besides normal properties, ReportExportTask can also be used to define parameters for XSLT transform. When the parameters are passed to the XSLT transform file, the xslt. prefix is stripped off from the parameter names (e.g., xslt.some.parameter will become some.parameter in XSLT transform). The parameters supported depend entirely on the XSLT used.
Data from multivalue references will be grouped on a single xml multivalue-element or in a single column in csv-file. The original reference cannot be identified.
The CSV transform implemented by ESM supports the following parameters:
CSV transform papameters | ||
Name |
Value |
Description |
xslt.csv.separator.value |
[any character] |
Separator between columns. Defaults to ‘,’. |
xslt.csv.separator.multivalue |
[any character] |
Separator between multivalues. Defaults to ’|’. |
xslt.csv.quote.values |
[true/false] |
Defines whether to enclose all values in double quotes. Defaults to ’true’. |
TIP! The format used for CSV files is described in detail in RFC 4180, http://www.rfc-editor.org/rfc/rfc4180.txt
Note:
The parameters for the XSLT transform can also be given with ESM platform settings to make them affect all ReportExportTasks; however, parameters given in a ReportExportTask override the platform setting parameters. The format for XSLT transform parameters in platform settings is report.export.xslt.[parameter].
For example, to define a global separator value for the CSV transformation, add a platform setting with name result.export.xslt.csv.separator.value .
Diagram of search result XML schema used in ReportExportTask:
ReportMailTask
ReportMailTask can be used to generate an email which contains multiple reports created through old Efecte Report Wizard (not recommended to be used anymore). Mail server configurations are defined by Platform Settings. Sender, receiver(s), subject and mail content are configured by task properties.
- ReportMailTask supports only reports in Efecte ITSM 6 format.
- Detailed reports with table output are supported as well as graphical reports.
- The output file format for detailed reports with table output can be configured with an XSLT file. By default, CSV and HTML exports are built-in, but several other file formats are possible as well. Other modes (minimal, referrers, full) for detailed reports are not supported.
- Graphical reports produce PNG-images.
- Group by –reports are not supported.
- Following properties are not configurable for ReportMailTask: report.id, target.file.dir, target.file.name
Configuration is very similar to ReportExportTask. Following tables contains only additional options.
Required ReportMailTask properties | ||
Name |
Value |
Description |
mail.from |
[email address] |
Valid email address. |
mail.recipient |
[email address[es]] |
Valid email address for receivers in to-field. Can be separated with comma or semicolon. Receivers in CC or BCC fields are not supported. |
mail.subject |
[text] |
Subject for the email. |
Optional ReportMailTask properties | ||
|---|---|---|
Name |
Value |
Description |
mail.message[.ORDINAL] |
[text] |
Optional message before reports. May contain html-tags like <br/> for line breaks. One line can contain 450 characters. Multiple lines with unique ordinal number can be defined. |
mail.report.[ ORDINAL].[ID] |
[text] |
Similar to ReportExportTask report.id. The report with that id is sent with a mail. (The id is the bookmarkID parameter in a link URL.) For multiple reports in a single mail, you can configure multiple values with unique ordinal number. Value of the property depends on the value of the property named mail.attachment.disposition. If that is inline, the value of this property is a short description shown in mail before the report. If value of property mail.attachment.disposition is attachment, this property means file name of a generated attachment. Take care for file name extension. It must match with settings mail.attachment.text.content.type and transform.file. Some mail clients use file name extension to choose previewer or helper program to open attachments. Some mail clients uses attachment’s content type. |
mail.attachment.disposition |
[attachment, inline] |
Property defines how reports are added to the mail. Possible values are attachment (reports are as attachments) and inline (reports are part of mail body). Default is inline |
mail.attachment.text.content.type |
[text] |
If property mail.attachment.disposition is set to attachment, this setting defines content type for text reports. This must match with setting transform.file. Some mail clients use this property to choose previewer or helper program to open the attachment. Some mail clients use file name extension only. Example values: text/plain, text/html (default). |
Note:
Common properties for ReportExportTask and ReportMailTask include: target.file.encoding, transform.file, css.file, header.include, date.convert, image.width, image.height. See detailed description on ReportExportTask
DataCardsArchiverTask
DataCardsArchiverTask is meant for exporting data cards to the file system or directly to an external system by using https request method. Both methods (file and https request) use Efecte ESM standard XML-format, which might need to be converted to the target system data model format.
Only Efecte Administrators can save list views to the Archive section of the working space. List reports that are saved to the Archive section can be archived by using the DataCardsArchiverTask scheduled task.
Note:
This task is designed to only include data from the current template, and not any data that comes via references.
Only admins can save, view or even see the archive tab in their views.
The archiver task does not archive file attachments or emails that are linked to the archived data cards. Even if the data cards are deleted, the files (emails and file attachments) of the deleted data cards will remain in the file system unless they are deleted with another scheduled task: CleanRemovedFilesTask. Please note also that the file archiving nor the https request method do not send file attachments nor emails to the defined folder structure or to the third-party system.
Required DataCardsArchiverTask properties | ||
Name |
Value |
Description |
Archive type |
[file, http request] |
Whether export to a file system (value: file) or send via https to an external system(value: https request). |
Delete data cards |
[True | False] |
Whether to delete data cards after export to a file or leave it. By default data cards are not deleted. |
Archive report |
[drop down list of reports under Archive section] |
Archive report whose data cards should be archived. This report must be saved in Archive -special section on Working space. |
Export all attributes in data cards |
[True | False] |
If set to ‘True’, all attributes of exported data cards are sent to archiving target even there would be one column selected in the list view. |
If Archive type is ‘file’, following DataCardsArchiverTask properties are required | ||
|---|---|---|
Name |
Value |
Description |
File location |
[location on server where ESM has access] |
Location where exported data cards shall be exported to a xml files when a 'Archive' property is set to 'file'. Esm should have also permission for saving files in a desired location.
Define here “/path/to/the/folder” |
If Archive type is ‘https request, following DataCardsArchiverTask properties are required | ||
|---|---|---|
Name |
Value |
Description |
External system address |
[external system URL] |
E.g. address to another ESM. In ESM case, check parameters always from named consultant. Address must start with ‘https://’ |
External system user name |
[username] |
Basic authentication username for an external system. |
External system user password |
[password] |
Basic authentication user password for an external system |
External system connection parameters |
[external system connection parameters] |
Connection parameters. Timeout unit is second. Examples are introduced below. |
External system expected response |
[200=.*, 201=.*] |
Expected responses codes from an external system separated by comma (default value: "200=.*, 201=.*"). |
External system batch size |
[batch size] |
Max number of data cards that can be send within single requests (default: 10000). |
Example when connection to another ESM
- External system address e.g. https://environment.efectecloud.com/api/itsm/dataCardImport.ws?folderCode=alerts&createDataCards=true&updateDataCards=true&createEmptyReferences=true
- External system connection parameters e.g.
- acceptSelfSignedCertificates=true ,connectionRequestTimeout=60,connectTimeout=60,socketTimeout=60
Archive type: file
When using the file in Archive type, the created ESM entity XML file is stored in the server file system. Property File location must point to the existing directory where the ESM permission has access to write a data. A filename is generated as [task_id]_[time_stamp]_[report_name].xml. Files are not deleted.
Archive type: https request
When using https request, the generated ESM entity XML file will be sent to a third-party system as https request. Please check the table (Table: Required DataCardArchiverTask properties, when Archive type is ‘https request’) of required properties when using https request archiving type.
The https request method uses MessageQueue. Once the DataCardArchiverTask is executed, the XML to third-party system is sent immediately. If the transmission of the https request fails e.g. third-party system is not responding, the request is stored in the message queue and will be executed again when MessageQueueTask is running next time. In order to make https request work correctly, Efecte admin shall configure the MessageQueueTask.
Files are deleted when export is completed successfully.
External system expected response
The property External system expected response defines the combination of expected response codes and messages from the external system.
Expected Response Code: The code indicates the responded code from the external system whether the request is accepted or declined. e.g. 200, 404.
Expected Response Message: ESM checks response message from received responses. The checking of message content is handled by regular expressions.
Used format is:
code1=message1,code2=message2 (using comma as delimiter)
Example 1: 200=,404=Nothing to be archived
Both 200 and 404 are accepted as response code. For code 200, the response message should be empty or null. For code 404, text "Nothing to be archived" should be included in the response message.
Example 2: 200=.+
Only 200 is accepted as response code. Any content in the response message is accepted.
Logging
DataCardsArchiverTask logs its activities in info and debug level to the itsm.log. For getting out more detailed communication between task and the external system you can set also log level debug for package com.efecte.queue.
CleanRemovedFilesTask
CleanRemovedFilesTask is meant for cleaning unreferenced / orphaned files such as emails and attachments from the filesystem. If this task is not run, those resources will remain in the filesystem using up the disk space even after a data card referring to the resources is deleted.
This schedulable task is enabled and run daily by default. The task scheduling can be either rescheduled or disabled by Efecte administrator from Scheduled tasks.
Please note: This function does not delete orphan files that have been in the system before the update into ESM version 2018.3.2.
Editing and Deleting Scheduled Tasks
You can view and modify all created tasks in the Edit schedulable tasks view. To navigate to the view, open the General tab in the Maintenance view and click Schedulable Tasks. In the view, click the name of the task you wish to edit.
The Edit schedulable tasks view opens in the working area, including the Schedulable task editor and the Task properties view. Make the modification to the existing information and click Save to save the modified scheduled task.
You can delete idle tasks from the Edit schedulable tasks view. Select the Remove checkboxes next to the task(s) you want to delete and click the Remove button to complete the action.
Provisioning Tasks
Provisioning tasks are automated, schedulable tasks meant for importing user identity data into Efecte Service Management Tool using either the Lightweight Directory Access Protocol (LDAP) interface for Active Directory, OpenLDAP, IBM LDAP, FreeIPA or either Microsoft Graph API for Microsoft Azure AD. Efecte Provisioning Engine (EPE) within our IGA solution, accelerating the provisioning of users (also called fulfilment in the area of Identity and Governance Administration). EPE will work as a true parallel processing method allowing multiple scheduled and event-based access right changes.
Note! Since ESM 2023.3, the provisioning tasks are located on the IGA tab – not anymore on the Schedulable tasks tab.
The imported configurations are stored in the EPE-Master database (Efecte Provisioning Engine - Master), not in the Efecte Service Management (ESM) database. Identity Attribute Mapping and Access Rights Mapping are stored in ESM and are affected by changing templates and folders in ESM.
To connect the Efecte Service Management tool and Efecte Provisioning Engine, it is necessary to configure several settings in the Platform Settings in Administration UI.
By default, the properties which needed to connect to Efecte Provisioning Engine are fetched from consul. This is why you have to set consul.enabled property to true. Then you can make sure, that “provisioning.configuration.consul” is enabled as well.
When Consul is enabled all the needed configurations are defined for the Efecte Provisioning Engine:
Provisioning task configuration for Active Directory
The Efecte Provisioning Engine uses Lightweight Directory Access Protocol (LDAP) interface for Active Directory and OpenLDAP, IBM LDAP and Redhat LDAP (FreeIPA). Properties are named according to the directory in question. Otherwise the needed configurations are same.
General Provisioning task properties | ||
Name |
Value |
Description |
Provisioning type |
[Scheduled-based provisioning, Event-based provisioning, Authentication] |
Provisioning type can be categorized according to the need. Other properties in the provisioning task will be shown according to the selected type. |
Mappings type |
[Identity & Access Rights] |
Add the sections for both mappings. |
Name |
[Text] |
Name for the provisioning task. |
WebAPI user |
[Selection of the WebAPI user] |
WebAPI user to be used for communication between EPE and ESM |
WebAPI password |
[Text] |
WebAPI user password. Mandatory field to fill, in order to get provisioning working. |
Required Provisioning task properties | ||
Name |
Value |
Description |
LDAP uniqueIdentifierId |
[Text] |
Each import-process has a unique process id LDAP uniqueIdentifierId, which is used as a key in the provisioning engine master to separate the process specific from other import-processes in the provisioning engine master. The identifier is needed so that the subsequent changes or removals are targeted to the right item. |
LDAP host |
[IP-or-host-name] |
The target directory IP or host name. |
LDAP port |
[Port] |
The target directory port defines what port in the Active Directory the Provisioning Engine will connect to. |
LDAP username |
[Username]@[Domain] |
Username used for LDAP connection. In LDAP the username is typically username or DN of the user. |
LDAP password |
[Text] |
Password used for LDAP connection. Password is given as plain text. |
LDAP authenticationMethod |
[simple, strong, none] |
Authentication type used for LDAP connection. Following authentication types are supported: – simple – strong – none |
LDAP securityProtocol |
[simple, ssl] |
Security protocol used for LDAP connection. Following security protocols are supported: – ssl: The Provisioning engine will establish a LDAPs connection to the Active Directory – simple: The Provisioning engine will establish a LDAP connection to the Active Directory Note! SSL must be enabled in order to provision passwords and change user validity in AD. |
LDAP userBase |
[Text] |
Define the base for users. Example: CN=Users,DC=adtest,DC=local Note! When the provisioning task configuration has been set “Read OU path from the datacard” the orchestration activities show you addition property (LDAP group- /userbase), where its possible to define the attribute from which attribute this information can be read. |
LDAP userFilter |
[Text] |
Define the filter for users. Example: (objectClass=user) Note! When the provisioning task configuration has been set “Read OU path from the datacard” the orchestration activities show you addition property (LDAP group- /userbase), where its possible to define the attribute from which attribute this information can be read. |
LDAP groupBase |
[Text] |
Define the base for groups. Example: CN=Group,DC=adtest,DC=local Note! When the provisioning task configuration has been set “Read OU path from the datacard” the orchestration activities show you addition property (LDAP group- /userbase), where its possible to define the attribute from which attribute this information can be read. |
LDAP groupFilter |
[Text] |
Define the filter for groups. Example: (objectClass=group) Note! When the provisioning task configuration has been set “Read OU path from the datacard” the orchestration activities show you addition property (LDAP group- /userbase), where its possible to define the attribute from which attribute this information can be read. |
Optional Provisioning task properties | ||
Name |
Value |
Description |
LDAP ignoredOusForUsers |
[Text] |
Define of <OU> elements that should be ignored while searching for users. User will be ignored if it will exist directly in one of defined <OU> and also if it will exist in subtree of one of defined <OU>. Example: OU=Sales,DC=adtest,DC=local |
LDAP ignoredOusForGroups |
[Text] |
Define of <OU> elements that should be ignored while searching for groups. Group will be ignored if it will exist directly in one of defined <OU> and also if it will exist in subtree of one of defined <OU>. Example: OU=Finance,DC=adtest,DC=local |
User prefs | ||
Name |
Value |
Description |
Password for first login |
[Text] / [workflow / template] |
This option is visible, when Provisioning type is defined “Event-based provisioning”. This password is used, when “New user creation” activity is taken into a use. There are possibilities to choose, if administrators want to define the default password to be used for first login password for the new users who are created in to the chosen user repository. Another option is to generate random password in the workflow / template. |
Identity Attribute Mapping
As a result from the provisioning task, the Efecte Service Management Tool receives user identity data from each Active Directory. This information needs to be mapped into the Efecte Service Management Tool data structures.
The Identity Attribute Mappings in the picture above, describes how the items and attributes are mapped between the Efecte Service Management Tool and the target Active Directory. Identity Attribute Mapping defines the Active Directory user object attributes and the user attributes which are mapped. The left column in the UI (the picture above) indicates the fields that the Provisioning Engine will extract from the Active Directory. The right column in the UI indicates the folder/template/attribute in ESM that the field extracted from the Active Directory which will be inserted/updated. When there is a need to fetch AD attribute which has more than one value, like 'memberOf' - that needs to be mapped to multi-valued attribute of ESM's Template as well'
Required properties are shown immediately when the view is opened. Optional properties can be added using the add property button. In practice, each property consists of a name–value pair that refines or alters the task behavior. Some properties have a user interface, which helps you to select the value from a dropdown menu or by clicking a radio button.
Deleting a property is done by clicking the delete icon (x) on the right side of the property. Manually added property names and values are case-sensitive and must be precise. The setting names, for instance, must be denoted exactly as indicated in the help text.
Note:
From the EPE version 2021.1, we allow to specify list of excluded DNs of Users when exporting data to ESM. This improvement provide possibility to exclude dedicated users of the export to ESM.
Access Rights Mapping
Access Rights in the Efecte Provisioning Engine are typically expressed as LDAP groups, in the AD typically as either a security or distribution group. As a result, from the provisioning task, the Efecte Service Management Tool receives Access Rights from each Active Directory. This information needs to be mapped into the Efecte Service Management Tool data structures. Access Rights Mapping defines specific properties for the provisioning engine task type.
“Target template code” and “Folder code” properties are shown immediately when the view is opened, also mappings at least for distinguishedName, objectGUID and datasourceid are also required and those 3 fields are shown automatically. Optional properties can be added using the add property button. In practice, each property consists of a name–value pair that refines or alters the task behavior. Some properties have a user interface, which helps you to select the value from a dropdown menu or by clicking a radio button. When there is a need to fetch AD attribute which has more than one value, like 'memberOf' - that needs to be mapped to multi-valued attribute of ESM's Template as well'
From the EPE version 2021.1, we allow to specify list of excluded DNs of Groups when exporting data to ESM. This improvement provide possibility to exclude dedicated Groups of the export to ESM.
Efecte Provisioning Engine supports several different LDAP directories, which supports LDAP user interface. The configuration view contains different names on the properties names depending of the choses directory. The required identity – or access rights mappings may differs depending on the chosen directory.
Provisioning task configuration for Azure AD
Azure AD provisioning task configuration view:
General Provisioning task properties | ||
Name |
Value |
Description |
Provisioning type |
[Scheduled-based provisioning, Event-based provisioning, Authentication] |
Provisioning type can be categorized according to the need. Other properties in the provisioning task will be shown according to the selected type.
Note. Some configurations that related to the new authentication component might be visible in some parts of the administrative user interface. These changes don’t have any impact on existing customer environments. |
Mappings type |
[Identity & Access Rights] |
Add the sections for both mappings. |
Name |
[Text] |
Name for the provisioning task. |
WebAPI user |
[Selection of the WebAPI user] |
WebAPI user to be used for communication between EPE and ESM. |
WebAPI password |
[Text] |
WebAPI user password. Mandatory field to fill, in order to get provisioning working. |
Azure AD Provisioning task properties | ||
Name |
Value |
Description |
Azure uniqueIdentifierId |
[Text] |
Each import-process has a unique process id Azure uniqueIdentifierId, which is used as a key in the provisioning engine master to separate the process specific from other import-processes in the provisioning engine master. The identifier is needed that the subsequent changes or removals are targeted to the right item. |
Application (client) ID |
[String] |
Specifies the application ID of the service principal. |
Directory (tenant) ID |
[String] |
Specifies the ID of a tenant. Use https://login.microsoftonline.com/<tenant-id>, and replace <tenant-id> with the Directory (tenant) ID of the app registration. |
Login URL |
[Text] |
Specifies the URL of your App Service app. |
Graph API URL |
[Text] |
Specifies the URL of your Graph App Service app. |
Azure AD parameters for users and groups | ||
Name |
Value |
Description |
Import users parameter |
[Text] |
Define the filter for users. Example of the filter: $filter=startswith(givenName%2C) |
Import groups parameter |
[Text] |
Define the filter for groups. Example of the filter: $filter=startswith(displayName%2C) |
Efecte Provisioning Engine is using Microsoft Graph API to connect Microsoft Azure AD. If there is a need to fetch just a part of the users from Azure AD that can be achieved by using filters. Link to learn more of API filters can be view from Microsoft’s documentation: https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
Connection Security | ||
Name |
Value |
Description |
Authentication method |
[Secret / Certificate] |
A Client (application) Secret, either a password or a public/private key pair (certificate). |
Secret key value |
[text] |
This value is required when Authentication method: “Secret” is chosen. Use the client secret you generated in the app registration. |
Public key alias |
[text] |
This value is required when Authentication method: “Certificate” is chosen. Provide the Public key alias to this value. |
Private key alias |
[text] |
This value is required when Authentication method: “Certificate” is chosen. Provide the Private key alias to this value. |
Private key password |
[text] |
This value is required when Authentication method: “Certificate” is chosen. Provide the Private key password to this value. |
Identity Attribute Mapping for Azure AD
As a result from the provisioning task, the Efecte Service Management Tool receives user identity data from each Azure Active Directory. This information needs to be mapped into the Efecte Service Management Tool data structures.
The Identity Attribute Mappings in the picture above, describes how the items and attributes are mapped between the Efecte Service Management Tool and the target Azure AD. Identity Attribute Mapping defines the Azure AD user or group object attributes and the user or role attributes which are mapped. The left column in the UI (the picture above) indicates the fields that the Provisioning Engine will extract from the Azure AD. The right column in the UI indicates the folder/template/attribute in ESM that the field extracted from the Azure AD which will be inserted/updated.
Required properties are shown immediately when the view is opened. Optional properties can be added using the add property button. In practice, each property consists of a name–value pair that refines or alters the task behavior. Some properties have a user interface, which helps you to select the value from a dropdown menu or by clicking a radio button.
Deleting a property is done by clicking the delete icon (x) on the right side of the property. Manually added property names and values are case-sensitive and must be precise. The setting names, for instance, must be denoted exactly as indicated in the help text.
Note:
From the EPE version 2021.1, we allow to specify list of excluded ID’s of Users when exporting data to ESM. This improvement provide possibility to exclude dedicated users of the export to ESM.
Access Rights Mapping for Azure AD
Access Rights in the Efecte Provisioning Engine are typically expressed as Azure AD groups, in the Azure typically as either a security or Office 365 (O365) group. Security Groups are used for controlling user access to in-app resources and O365 groups for facilitating user collaboration with shared Microsoft online resources. As a result, from the provisioning task, the Efecte Service Management Tool receives Access Rights from each Azure AD. This information needs to be mapped into the Efecte Service Management Tool data structures. Access Rights Mapping defines specific properties for the provisioning engine task type.
“Target template code” and “Folder code” properties are shown immediately when the view is opened, also mappings at least for id and datasourceid are also required and those 3 fields are shown automatically. Optional properties can be added using the add property button. In practice, each property consists of a name–value pair that refines or alters the task behavior. Some properties have a user interface, which helps you to select the value from a dropdown menu or by clicking a radio button.
Note:
From the EPE version 2021.1, we allow to specify list of excluded IDs of Groups when exporting data to ESM. This improvement provide possibility to exclude dedicated groups of the export to ESM.
Provisioning task status information
Administrators have visibility to Extract and Load status for all supported user repository provisioning tasks. If needed, administrators are also able to download user and group files for reviewing more information. Extract status provide information of how data were fetched from the source and Load status provide information, how EPE were able to load data to ESM. Extract/Load Status tables are not refreshed in real-time, when needed, user can click 'Update' button at the page header. This page is also updated, after you re-open it.
Importing / Exporting the Provisioning tasks
From the Efecte Provisioning version 2021.1 forward we provide possibility to Import / Export capabilities for provisioning tasks. This gives the possibility to export existing provisioning tasks. It is possible to choose which of the existing provisioning tasks will be exported.
Import / Export -buttons are shown in the left-hand side on the Scheduled tasks view.
When the user clicks the “Export” -button, they will be provided all of the potential tasks, where they can flexibly select the appropriate tasks.
When the user clicks the “Ok” -button, provisioning tasks are exported into the XML file. The exported XML file can be then use for importing provisioning tasks to chosen environment. If you want to import them to the same environment, it’s recommended to modify two properties in the XML file. For each exported task you have the two properties; “UniqueIdentifierId”, “TaskName” and if you are planning to import them to existing environment it’s recommended to change in order to avoid errors during the import.
Table of Contents