An identity service provides a way to look up users and groups based on a defined set of attributes. The Process Server support for an identity service is based on Lightweight Directory Access Protocol (LDAP), JDBC, or a file-based service.
You can create a process that includes identity-based activities. As a prerequisite, in the Process Console, you must provide the communication details for access to your directory service. When the process runs, the user or group specified in the process is looked up in your directory service.
Any BPEL process that implements identity-based activities imports the WSDL provided with the Process Server. The name of the WSDL is
, and in the Participants view wizards, it is a System Service named
The WSDL contains the following operations:
Returns a list of roles for the named principal. For example
is a member of
Returns a list of roles, such as
that are defined in the directory service.
Returns a list of identities for the named roles
Returns a list of identities that includes user name and email address
Specifies which roles and principals to include and exclude from the results
The query is comprised of include and exclude statements. The roles or principals listed under the include element are included in the result set while the ones listed under the exclude element are excluded.
For a given principal, make sure the user exists in the final result of the query.
You can use this operation for fault handling. It is good for checking permissions.
Same as above with response
Receive a count of the users and groups requested
Building an Identity-Based Activity
Use identities in an alert service, for example, to send email to a group when a process is suspended on an uncaught fault.
You can also use identities in a BPEL process for branching, based on a group. For example, build one branch of an activity for managers, another for customer service representatives.
Build the assign activities you need to invoke the identity service. You can generate literal contents for a variable based on the
<aeid:IdentityQuery xmlns:aeid="http://schemas.active-endpoints.com/identity/2007/01/identity.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="aeid:IdentityQuery">
Note that the
element above shows an example of looking up a user in a LDAP directory by distinguished name (DN). For JDBC, the lookup is the primary key in the database. For
, the id is the same as the user name.
Add other programming logic, as desired.
In the PDD, for the partner role, System Service is pre-selected as a custom invoke handler. The PDD entry looks similar to the following:
Deploying a Process as an Identity Service
You can deploy your process and make it available as a standard document literal service for the My Role partner link. Note that in the BPR, there are no WSDL or XSD. They are already deployed and available on the server.