Implementing a user self-registration scenario using Workflow and Business rules in SAP Cloud Platform – Part 3
In this portion of the blog series, I am going cover the workflow aspects. Before you get started, I would highly recommend you to follow this blog on “Getting started with the Workflow service in the free Trial account” by Christian Loos. If you want to know more about different features which are available in the workflow service, you can check out this blog – “Model your workflow scenarios in the Cloud”
To begin with, I have created a workflow project using the wizard in SAP WebIDE.
I have created a workflow with four tasks as shown below. The Start UI (which we will build in the next blog) will trigger this workflow by passing a context. The script task “Prepare for Rules” will read the context and invoke API calls for the Rules service. The actual invocation of the Rule service API will happen in the task “Invoke Rules”. The output of the rules will be processed in the “Process Rules Output” task before the flow goes to the custom Task UI called “UI for Approval”. The last step is where an approver will get to see workflow item in My Inbox Fiori app. Let’s get into the details of each step.
Prepare for Rules
This is a script task which reads the workflow context and extracts the organization name which is the email domain. Once the vendor organization name is extracted, I am preparing an input payload which needs to be made available in the next step.
Notice that I have provided “User” as the value for the “__type_” property. This would use the User Data object created earlier in the Business Rules service.
There are a set of REST APIs available to work with SAP Cloud Platform Business Rules runtime.
You can browse through them and view the documentation and sample payloads. In the below example, the highlighted text refers to the input data objects created in the Business Rules service and the remaining properties in the payload would represent the attributes of the data object.
This is a service task which allows us to make a HTTPS call. Before we begin, we need to maintain a new destination in the SAP Cloud Platform cockpit. There is a current limitation with AppToAppSSO between Business Rules and Workflow service. Hence, look for the destination “bpmrulesruntime”. This would be already available once you activated the rules service. Copy the destination and change the authentication type to “BasicAuthentication” as shown below.
In the service task properties, there are several properties which need to be maintained.
1 – The name of the new destination created in the SAP CP cockpit
2 – Path to invoke the business rules API. Notice that it needs to have the parameter <project-name>::<rule-service-name>
3 – The HTTP method is set to POST. If we were to do the same using REST Client, we would first have to issue a GET to get the XSRF-Token and then use the token in the header when issuing a POST. I like this feature as this is simplified in the Service task and you just have to make one call.
4 – The input context which has been prepared in the earlier step
5 – The output of the REST API call will be assigned to the response variable
Process Rules Output
This task is another script task. I have used this to assign the Organization name to proper context variable and finally converted the userID (obtained) from business rules to uppercase. Remember, the recipient names in the UI Task as case-sensitive.
UI for Approval
This task is a custom task UI which will show up to an approver in My Inbox App.
In the “Display Text” tab, I have provided a subject and description. Both of these will show up in My Inbox App. Hence, to provide more context to the approver, I have reference the variable to display the user’s first name and their organization.
In the “Recipients” tab, rather than hardcoding an approver, I have populated it based on the variable populated using the REST API call.
In the “User Interface” tab, I have provided the below values
1 – Name of my HTML5 app name (You can find this in SAP CP cockpit under HTML5 Applications menu)
2 – Location of the component
3 – Name of the SAPUI5 component (without the word component)
I have used WebIDE to create a custom Task UI to support this. This is shown below. Notice that I have highlighted the objects which have been used in the above step.
I have uploaded the project into github for you to view the complete source code.
In the XML view file, I have populated all the user information which is available in the workflow context for the approver to visualize it in My Inbox App.
SAP Cloud Platform workflow service provides REST APIs which can be used by applications to interact with the service.
In the component.js file, it’s important to understand that the taskID is extracted from Start-up parameters and provided as input to a REST API call for the Workflow service. This call will fetch all the context values available against this taskID and will ultimately populate those values in the UI.
With this we have completed the build of a workflow project. Select the file and deploy it to SAP Cloud Platform. I have exported the workflow project and added it to the github project. If you wish to, you can import this into WebIDE to explore the configuration.
In the next part, I will show you how to use the Workflow monitoring tools to trigger and test workflow instances. Stay tuned!
Thank you so much for this post Murali!
thanks for the great blog series!
One question regarding the approval application: Both negative (https://github.com/murlionline/self-reg-ui/blob/master/webapp/approval/Component.js#L82) and positive action (https://github.com/murlionline/self-reg-ui/blob/master/webapp/approval/Component.js#L91) calls _refreshTask which calls createSCIUser (https://github.com/murlionline/self-reg-ui/blob/master/webapp/approval/Component.js#L168), so the user is also created on negative action?
Also do have an idea on how to prevent a DOS attack on the StartUI application?
That’s a good pick.This is just a sample application to show how to use the workflow service. Obviously, the negative action shouldn’t trigger an update of a user creation.
With regard to DoS, that is part of the SAP Cloud Platform security capabilities – https://www.sap.com/documents/2017/05/a470d0b2-b87c-0010-82c7-eda71af511fa.html#
Yes, I know about the general dos protection, but I see an additional problem here.
Since the user is only created after approval, startui needs to be accessible without authentication. So what prevents an evil user from creating (perhaps even automated with a script) a huge number of bogus requests (ie effectivly a dos attack)?
Hi Wolfgang and Murali,
that's why SCP IA provides Protecting Application Forms with Google reCAPTCHA. Maybe there is an option you can include this approach into your example Murali Shanmugham.
yes, there is definitly a need for something like this, unfortunatly the current design presented here defeats this SCP IAS protection.
But one should be able to include Google reCAPTCHA (which is free), cf. https://developers.google.com/recaptcha/docs/display . But you would then not call the workflow service directly, because you first have to do server side validation of the reCAPTCHA via https://developers.google.com/recaptcha/docs/verify .
Why is there limitation with AppToAppSSO between Business Rules and Workflow service? Do you when this will be addressed? I wouldnt want to copy the destination and change the authentication mode.
Thanks and Regards,
Hi Sunita, There is work currently being done to make the integration with Business Rules tighter. As per the roadmap for Workflow service, there would be a dedicated business rules task and it is planned for Q1/2018
Is multiple approval possible in SAP cloud platform workflow services?
Hi Raheen, You should be able to achieve multiple levels of approvals by modeliing your workflow with several "User Tasks"
How can you create a new Component within a project in the Web IDE?
When I select create a new SAPUI5 project it creates a whole new project.
If I select create new view, it just creates the vew, but not the component (no component.js is created)
I am not able to find a New-Component Option..
I dont want to have a separate project for each workflow view. I see that you have a sartui component and an approval component. How can you do that?
I need to add a Content-Type header to my HTTP request in order to access the service. Is that possible to do in the Service Task? If so, how can I do it?
Sure you can do it in the Service Task. Here is my configuration:
Path to XSRF Token:
and you should configure your destination before this step.