IBM Verify

  • 1.  Sending email to alternate email address in the workflow

    Posted Thu July 28, 2022 05:11 PM
    Hello,
    I want to notify users using the alternate email address in their person document (there is a custom attribute, alternateMail, alongside the default mail attribute).
    In the workflow, we need to create a participant object, which accepts the DN of a person as a parameter, and it looks like the mail node uses the person's mail attribute only (if I'm not wrong).
    What is the way to tell the mail node to use the alternateMail attribute instead of the user's mail attribute?

    Thanks

    ------------------------------
    Hakan Aydin
    Security Engineer
    Prime Therapeutics
    ------------------------------


  • 2.  RE: Sending email to alternate email address in the workflow

    Posted Fri July 29, 2022 03:05 AM
    It is not 100% clear to me which Verify product you are using - but based on the context I assume this is ISIM or ISVG Identity Manager (same stuff - new name :-))...

    ISIM/IM does not have an extension to send mail using an alternative attribute. Basically that means we need to do some customization or some coding to bypass the ootb limitation....

    Depending on your setup, resources and constraints I can see a couple of possibilities - all have their good and bad sides, as any customization has... :

    • Write your own mail extension - this is a good solution but requires some skills in extension (Java) coding - I would do this if this is something that is going to be used in many situations (or if you are an implementer it could be a nice little gem in your toolbox)
    • Code it using Java in a script node - this is relatively simple if you know Java Mail and is a quick solution as a one-off. The downside is that it requires knowledge to maintain in the longer run.
    • You could try this (I have not tried this so no guarantee that it works): Create a transient person entity in the workflow (properties) and then set the mail attribute of that person to the alternative mail and use the transient person as the participant entity on the mail extension. My guess is that this will work as the mail extension should not read the data from the ldap but use the workflow stored property data. If this works this would be my preferred solution as it is not doing anything that any workflow-knowledgeable person could not maintain.

    There are of course endless other possibilities to do it as you have the full power of WAS/Java in your hands using whatever extension method you can dream of - but here limit yourself to the KISS principle - I always challenge my customers with the question of how to maintain the code in case of an emergency - it needs to be (self-)documented and not require specialized skills other than the general skills of handling/maintaining the environment...

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Sending email to alternate email address in the workflow

    Posted Fri July 29, 2022 09:08 AM
    Hi Franz,

    Thanks for your detailed explanations. Usually, my first option is using oob supported functions if they are available.
    The system is ISIM 7.0.1.7 (also ISVG IM 10.0.1 is available in the test env).

    The participant object constructor parameters are ParticipantType and DN. For a person it is like:
    participant = new Participant( ParticipantType.USER, process.requesteeDN );

    It's already been tested like below but did not work:

    // Load the requestee's person object from the directory
    var directoryPerson = new Person(process.requesteeDN);
    var strOldMail = directoryPerson.getProperty( "mail" );
    var strNewMail = directoryPerson.getProperty( "alternateemail" );
    // Overwrite mail on the in-memory object only (nothing is written back)
    directoryPerson.setProperty( "mail", strNewMail );
    // The participant is built from the DN, not from the modified object
    participant = new Participant( ParticipantType.USER, directoryPerson.dn );
    return participant;

    The participant constructor is not using the person object; as I understand it, it uses the DN to fetch the object from LDAP.

    Is there a sample code to create a custom mail node?

    Thanks

    ------------------------------
    Hakan Aydin
    Security Engineer
    Prime Therapeutics
    ------------------------------
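The behaviour described in this post and confirmed in the reply below it (a Participant is resolved from the directory by DN, so property edits on a detached Person object never reach it) can be reproduced in plain JavaScript. The following is an added stand-alone model, not ISIM code and not the product's API: `directory`, `PersonModel`, `resolveParticipantMail`, `attemptViaLocalEdit` and `chooseNotificationAddress` are constructed names, the DNs and addresses are constructed sample data, and how the chosen address is handed to an actual mail step is outside the model (the thread notes the out-of-the-box mail node offers no such option).

```javascript
// Constructed stand-in for the LDAP directory: DN -> attributes.
// This models the behaviour described in the thread, it is not ISIM's API.
const directory = {
  "uid=haydin,ou=people,dc=example,dc=com": {
    mail: "haydin@corp.example",
    alternateMail: "haydin.personal@mail.example",
  },
  "uid=nobody,ou=people,dc=example,dc=com": {
    mail: "nobody@corp.example",
    // no alternateMail attribute on this entry
  },
};

// Model of a Person object loaded from the directory: a detached copy of
// the attributes. setProperty changes only this copy.
class PersonModel {
  constructor(dn) {
    this.dn = dn;
    this.props = Object.assign({}, directory[dn] || {});
  }
  getProperty(name) { return this.props[name]; }
  setProperty(name, value) { this.props[name] = value; }
}

// Model of Participant(ParticipantType.USER, dn): it re-reads the directory
// by DN, so edits made on a detached PersonModel are invisible to it.
function resolveParticipantMail(dn) {
  const entry = directory[dn];
  if (!entry) throw new Error("unknown DN: " + dn);
  return entry.mail;
}

// Reproduces the attempt from the post: edit the local copy, then hand
// over the DN. The resolved address is still the directory's mail value.
function attemptViaLocalEdit(dn) {
  const person = new PersonModel(dn);
  person.setProperty("mail", person.getProperty("alternateMail"));
  return resolveParticipantMail(person.dn);
}

// Minimal syntactic check so a malformed attribute value is never handed
// to a mailer (constructed rule, deliberately strict rather than complete).
const ADDRESS_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Script-node style resolution: prefer alternateMail when present and well
// formed, otherwise fall back to mail, and report which attribute was used
// so the choice can be logged with the notification.
function chooseNotificationAddress(dn) {
  const person = new PersonModel(dn);
  const alt = person.getProperty("alternateMail");
  if (typeof alt === "string" && ADDRESS_RE.test(alt)) {
    return { address: alt, source: "alternateMail" };
  }
  const primary = person.getProperty("mail");
  if (typeof primary === "string" && ADDRESS_RE.test(primary)) {
    return { address: primary, source: "mail" };
  }
  throw new Error("no usable address for " + dn);
}

// Stand-alone demonstration of both paths.
const dn = "uid=haydin,ou=people,dc=example,dc=com";
console.log("via local edit:", attemptViaLocalEdit(dn));
console.log("via explicit choice:", chooseNotificationAddress(dn));
```

The first call shows why the posted script had no effect; the second shows the resolution a script node would need to do itself, with a fallback when the custom attribute is absent and a check before the value leaves the workflow.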



  • 4.  RE: Sending email to alternate email address in the workflow

    Posted Mon August 01, 2022 05:07 AM
    This was what I should have looked up - you are right - the Participant does indeed construct the data from a person DN - hence the ldap. This is not how I would have done it - but that is the way it is right now. If I had designed this, it would have used a property of type Person instead, or as an additional option. I do not know if this would be a simple change to the underlying code - but I could fear that this is not...

    There is no sample code for doing a custom mail extension in the delivered samples (documentation -> Registering extensions) - there is some on a general workflow extension. I am not a Java programmer by profession so my knowledge is limited - but I would guess that you could basically reuse the current Mail extension (which IIRC is an extension of the Workorder extension) and just change what is needed.

    If you have some Security Expert Labs SMEs working with you they should be able to help you with guidance or doing this for you as a payable service.

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------