Building Workflow Templates

Create and manage Workflows from the Workflows page. Click Workflow in the left navigation panel. The Workflow Template is displayed.

workflownav

Create a Workflow

Use this procedure to create the Workflow Templates necessary to support your organization’s use cases. You must have the System Administrator Role to perform this procedure, and you must have already connected ALM to your Secrets Vault.

  • Click Create Template in the upper right hand corner to bring up the Workflow Template Wizard

    workflowstep1

  1. Template Setup

    1. Give the Template a name and select the Account Type from the drop-down menu. The Account Type should correspond to the directory service that will be used for this Template.

    2. Select an End of Lifecycle Action. Later in the wizard, you will choose the time interval for these actions to take effect.

      1. Review- a notification will be sent to the User reminding them that the Service Account is active. ALM will not change the Service Account at this point. Users are given the following options

        • Renew- extends the account's lifecycle until the next Review date. The renewal period starts at UTC 00:00.
        • Disable- deactivates the account in ALM and AD. The User can re-enable the account.
        • Delete Account and Secret- removes the Service Account.

      2. Disable- the Service Account will be automatically disabled unless it is Renewed by the Account Owner. Users are given the following options

        • Renew- extends the account's lifecycle until the next Review date. The renewal period starts at UTC 00:00.
        • Disable- deactivates the account in ALM and AD. The User can re-enable the account.
        • Delete Account and Secret- removes the Service Account.

      3. Expire- the Service Account will be automatically deactivated, but it can still be reactivated be repeating the Approval process. Users are given the following options

        • Submit for Approval to Renew- the Account is submitted again to the Approvers. If approved, the account is renewed. If denied, the account will expire.
        • Disable- deactivates the account in ALM and AD. The User can re-enable the account.
        • Delete Account and Secret- removes the Service Account.

      4. Delete- the Service Account is disabled, and cannot be renewed. Users are given the following options

        • Disable- deactivates the account in ALM and AD.
        • Delete Account and Secret- removes the Service Account.
        • Clone as New Request- generates a new request identical to the provisioned account. The User then completes the new request and submits for approval.

    3. The Terms of Service should reflect your organization's guidelines for the use of new Service Accounts. The Requestor of the new account must agree to the terms you set before the account is provisioned.

    4. Enter the Purpose for the Workflow. The purpose will be provided to Users when they request a new account, so they know which template to choose for their request.

    5. Click Save + Next.

  2. Secrets Vault

    workflowstep2

    1. For System, choose the Secrets Vault to use for Accounts on this Template. The Type of Vault should populate automatically based on your selection.
    2. For Template, choose the directory type associated with the workflow.
    3. Click Select Folders and choose where the secrets for this workflow will be stored. Checking Allow Folder Override will let the requestor choose folders within the selected index to store the account's secrets.
    4. Click Save + Next.

  3. Active Directory

    workflowstep3

    1. Choosing a Name Prefix is optional, but it is highly recommended that you use a prefix if your organization has a large number of Service Accounts. Using prefixes will make organizing large numbers of accounts easier.
    2. Defining Name Regex is also optional. Setting regex will force Requestors to follow specific naming conventions when using this Template. You can input any limiting pattern using .NET native regex.
    3. Select the Active Directory Server that Service Accounts on the template will use.
    4. For OU Distinguished Name, click select and choose the Organization Unit(s) that Service Accounts will belong to. Click add.
    5. Toggling Allow Choosing Sub-OUs to Yes will allow the Requester to choose a sub-ou within the folder you have designated. Toggling to No will restrict the Requester to only the OU you have designated.
    6. Use the drop-down menu to select the Attributes for the Service Accounts. You have the option to Require each attribute or mark it as Read-only. Click the plus to add the attribute. Edit the attribute using the pencil icon, or remove it by clicking the red X.
    7. Selecting Groups will limit access to this template to Users in the selected Group. Use the drop-down menu to find the Group and click the plus. You may add multiple Groups.

  4. Ownership Configuration

    workflowstep4

    1. Toggling Allow Group Ownership to Yes will allow the newly created account to be shared among multiple owners without restrictions.
    2. Toggling Allow Group Ownership to No will bring up additional ownership options.
      • Toggling Requester Only Owner to Yes will restrict ownership of new accounts to only the Requester. Toggling to No will allow other users to have ownership of the account.
      • Set the number of Minimum Owners and Maximum Owners for new accounts using this template.

  5. Account Lifecycle

    workflowstep5

    1. The Review/Expire Period Options section shows the lifecycle length options that will be available to the Requestor when they request a new account. You can customize the options by editing the number field and selecting Day(s) or Year(s). Click the plus to add the option.
    2. Enable re-approval before end of lifecycle will allow the Account Owner to request a renewal of the account before the chosen date of Review/Expiration. Use the arrows to set the re-approval time period.
    3. Check Send notification when renewal is available to automatically notify the Account Owner when re-approval is available.
    4. You can have the renewal notification resent at intervals. Check send reminder to owner and use the arrows to set the interval that ALM will send notifications.
    5. You can also have more frequent reminders sent. Check Send urgent notifications and use the arrows to set an hourly interval to send reminders and the number of days before the end-of-lifecycle to begin sending the hourly reminders.
    6. Check Include system administrators to have ALM send the reminder to the Account Owner and the System Admin.
    7. To stop reminders automatically, check Stop sending notifications and use the arrows to select the number of days after the start of notifications to stop sending.

  6. Approval Flow

    workflowstep5

    1. Toggling Hide Approver Names From Requesters to Yes will restrict users requesting a new account from seeing who in the organization can approve their request.
    2. The Approval Flow will dictate which approvals are required before the account is provisioned.
    3. Click Add to add a step to the Approval Flow.
    4. From the Actions drop-down list, select a User or Group of Users that can Approve new Accounts using this template.
    5. In the Require at least box, use the arrows to change the number of approvers needed from the list of Users/Groups.
    6. You can add another step to change the number of approvals needed from separate Groups or Users by clicking Add Step from the Actions drop-down.
    7. Click Publish to finish creating the template. Once a Template is Published, it cannot be edited further without first being unpublished.

Requiring approval from one, specific individual can create a bottleneck. To avoid creating a bottleneck, Delinea recommends choosing a Group of managers and requiring two approvers.