For each workflow, you can set 3 options:
- Language settings specify a custom name and description for the selected workflow on the Password Manager Self-Service Site or Helpdesk Site, either in the default language, or in additional languages.
- Availability settings specify if the workflow must appear on the Password Manager Self-Service Site or in the Helpdesk Site.
- Customization settings specify a custom icon for the workflow and a possible grouping key.
NOTE: You can specify custom names and descriptions only for the languages for which localization is available on the Password Manager Self-Service Site and Helpdesk Site.
To set the language settings
- On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of the management policy you want to configure.
- On the page of the configured workflow, click Workflow settings.
- Under Workflow Settings > Languages, edit the workflow name and the workflow descriptions in the default language, then click OK.
- To edit the workflow name and the workflow description in other languages, click Add new language, select a language, then enter the workflow name and workflow descriptions in the selected language.
- To apply your changes, click OK.
To set the availability settings
- On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of the management policy you want to configure.
- On the page of the configured workflow, click Workflow settings.
- Under Workflow Settings > Availability > Enable the workflow, select the availability option of your workflow:
  - Always: The workflow is always enabled for users on the Password Manager Self-Service Site or for operators on the Helpdesk Site.
  - Never: The workflow is always disabled on the Password Manager Self-Service Site or Helpdesk Site.
  - Depending on the current user status: The availability of the configured workflow depends on the user status.
    The default criteria for enabling or disabling workflows on the Password Manager Self-Service Site are the following:
    - For unregistered users, only the Register workflow is enabled.
    - For registered users, the Forgot My Password and Manage My Passwords workflows are enabled.
    - Both for registered and unregistered users, the I Have a Passcode workflow is enabled only if a helpdesk user performs an Assign Passcode workflow for them.
    - For registered users with a locked account, only the Forgot My Password and Unlock My Account workflows are enabled.
    - For users with a locked Q&A profile, no workflows are enabled on the Password Manager Self-Service Site. Users must contact the helpdesk in this case.
    The default criteria for enabling or disabling workflows on the Password Manager Helpdesk Site are the following:
    - For unregistered users, the Reset Password, Unlock Account and Assign Passcode workflows are enabled.
    - For registered users with a locked Q&A profile, all Helpdesk workflows are enabled.
    IMPORTANT: If an unregistered user registers for the first time, and enters an incorrect password beyond the specified limit, their profile will be locked. The user then must wait for the duration configured with the Reset lockout account setting.
- Under Show the workflow, specify the visibility of the configured workflow on the Password Manager Self-Service Site or Helpdesk Site for users:
  - Always: The workflow is always visible, regardless of whether it is enabled or disabled for the current user.
  - Never: The workflow is always hidden, regardless of whether it is enabled or disabled for the current user.
  - Only if the workflow is enabled: The workflow appears only if it is enabled for the current user.
- To apply your changes, click OK.
NOTE: Custom workflows appear on the Password Manager Self-Service Site for users even if the Enable the workflow setting is set to Depending on the current user status and the Show the workflow setting is set to Only if the workflow is enabled.
To force these settings for custom workflows
- Stop the Password Manager Service.
- Open the C:\ProgramData\One Identity\Password Manager\Shared.storage file.
- Replace the <DisabledReasons /> line with the following entry:
  <disabledReasons>
  <reason name="userRegistered" value="DisableIfFalse" />
  </disabledReasons>
- Save the file, then restart the Password Manager Service.
To set the customization settings
- On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of a management policy you want to configure.
- On the page of the configured workflow, click Workflow settings.
- Under Workflow Settings > Customization > Choose an icon for the workflow, select the desired icon for your workflow.
- Under Workflow group name, specify a group name that acts as a grouping key for workflows.
  NOTE: Workflows that have the same group name will be grouped together in the Password Manager Self-Service site. Leave Workflow group name empty if no grouping is desired for the current workflow.
  If no translation is defined for the current language, Workflow group name will appear as entered in the Password Manager Self-Service site.
- To define translations for Workflow group name, edit the following file by adding a new key-value pair as "<workflow-group-name>":"<translated-workflow-group-name>" inside the opening and closing braces:
  <PasswordManager-installation-folder>\One Identity\Password Manager\Web\SelfService\assets\i18n\<language>.json
  NOTE: Workflow groups are displayed on Password Manager Self-Service site in a way that is visually slightly different from that of workflows. Also, workflow groups are ordered before the non-grouped workflows. A maximum of 4 icons from a workflow group are presented as a workflow group icon.
- To apply your changes, click OK.
To extend and customize the functionality provided by built-in workflows for your organization, create custom workflows. Similar to the built-in workflows, you can create 2 types of custom workflows: Self-Service and Helpdesk workflows.
To create a custom workflow
- To open the Add New Workflow dialog, in the Password Manager Administration Site, under Home > <management-policy>, click New Workflow at the heading of the management policy for which you want to configure the new workflow.
- In the Select the workflow type drop-down list, select the site where the workflow must appear (Self-Service Site or Helpdesk Site).
- Enter the Workflow name.
- Enter a Workflow description.
- To apply your changes, click Save.
TIP: Consider the following when creating a new workflow:
- When you add a new custom workflow, it does not contain any activities. To add activities, click the workflow to open the Workflow Designer.
- You must specify the name and description for each workflow in the default language used on the Self-Service Site or Helpdesk Site. However, in addition, you can also specify the workflow name and description in other languages, as long as localization for those languages is available in the Self-Service Site and Helpdesk Site. For more information on configuring language settings, see Workflow settings.
NOTE: Custom workflows appear on the Password Manager Self-Service Site for users even if the Enable the workflow setting is set to Depending on the current user status and the Show the workflow setting is set to Only if the workflow is enabled.
To force these settings for custom workflows
- Stop the Password Manager Service.
- Open the C:\ProgramData\One Identity\Password Manager\Shared.storage file.
- Replace the <DisabledReasons /> line with the following entry:
  <disabledReasons>
  <reason name="userRegistered" value="DisableIfFalse" />
  </disabledReasons>
- Save the file, then restart the Password Manager Service.
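The procedure for forcing these settings (given both here and under the workflow settings) can be scripted so that the file is backed up and changed only when the expected line is present. This is an added example, not One Identity code; the service display name and the assumption that Shared.storage is a single XML document are not confirmed by this page.

```powershell
# Added example (not One Identity code).
param(
    # Path as given in the procedure.
    [string]$StoragePath = 'C:\ProgramData\One Identity\Password Manager\Shared.storage',
    # ASSUMPTION: service display name; confirm it with Get-Service first.
    [string]$ServiceDisplayName = 'Password Manager Service'
)
$ErrorActionPreference = 'Stop'

$oldEntry = '<DisabledReasons />'
$newEntry = @'
<disabledReasons>
<reason name="userRegistered" value="DisableIfFalse" />
</disabledReasons>
'@

$service = Get-Service -DisplayName $ServiceDisplayName
Stop-Service -InputObject $service   # returns once the service has stopped

try {
    $text = [System.IO.File]::ReadAllText($StoragePath)

    # Refuse to edit unless the line to replace occurs exactly once.
    $hits = [regex]::Matches($text, [regex]::Escape($oldEntry)).Count
    if ($hits -ne 1) {
        throw "Expected one '$oldEntry' entry, found $hits. File left unchanged."
    }

    # Keep a timestamped copy so the change can be rolled back.
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $StoragePath, (Get-Date)
    Copy-Item -LiteralPath $StoragePath -Destination $backup

    $updated = $text.Replace($oldEntry, $newEntry)

    # ASSUMPTION: the file is one XML document; a parse error aborts before writing.
    $null = [xml]$updated

    # Written back as UTF-8 without a BOM; compare with the backup if unsure.
    [System.IO.File]::WriteAllText($StoragePath, $updated)
    Write-Output "Updated $StoragePath (backup: $backup)"
}
finally {
    # Bring the service back whether or not the edit succeeded.
    Start-Service -InputObject $service
}
```

Run it from an elevated PowerShell session on the Password Manager server.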
To share your configured workflows among management policies, import and export the workflows between them.
Prerequisites
Importing and exporting workflows between management policies is available only if you enable extensibility features.
To enable extensibility features
- On the Password Manager Administration Site, navigate to General Settings > Extensibility.
- Select Extensibility on.
- To apply your changes, click Save.
To export a workflow
- On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of a management policy you want to export.
- On the page of the workflow, click Export workflow. Depending on the browser settings, the workflow is then either downloaded to the default download folder, or you can specify the download location.
To import a workflow
IMPORTANT: Before importing a workflow, consider the following:
- If you import a workflow, Password Manager will replace existing workflows with the same name. To avoid accidental overwrites, One Identity recommends backing up existing workflows by exporting them when prompted.
- One Identity strongly recommends auditing scripts of custom activities in imported workflows before using them in a production environment. This is required because attackers could potentially access sensitive information via PowerShell scripts in a custom activity. Make sure you import workflows from a trusted source only.
- If the imported workflow contains activities that are missing from the current configuration, import the missing activities first (from the same workflow archive file), then import the workflow.

- On the Password Manager Administration Site, under Home > <management-policy>, navigate to the management policy for which you want to import a new workflow, then click Import Workflow.
- To select the workflow archive file, in the Import Workflow dialog, click Upload, then click OK.
- To perform the import, click OK. If the import procedure would overwrite an existing workflow with the same name, click the link to export the affected workflow.
There are two options to create a custom activity: you can create a custom activity from scratch or convert a built-in activity to custom.
For any custom activity, you can specify a display name, a short name (used to address the activity in scripts), a description (used on the Administration site), and add a PowerShell script to the activity. When you create the custom activity from scratch, you can also select user interface elements and enter the main instruction for the page of the Self-Service or Helpdesk site that will be displayed when the activity is executed.
NOTE: You cannot specify any user interface elements for custom activities converted from built-in ones. If you want to set user interface elements for your custom activity, create it from scratch.
For more information on writing PowerShell scripts for custom activities, refer to the Password Manager SDK.
IMPORTANT: You can create custom activities only after you turn on the extensibility features. You can turn on the extensibility features on the General Settings tab of the Administration site.