Managing Tickets

DirX Identity’s internal ticket system supports a two-tier ticket structure:

The following figure shows the two-tier ticket structure and the relationship between object actions and ticket structure.

As shown in the table, the first four columns represent the four possible actions that can be performed on a complex object (for example, a user or a privilege):

The internal ticket system creates a master ticket and one or more sub-tickets depending on the combination of these actions (marked with an X in the corresponding columns). The table shows only a maximum of two sub-tickets. More are possible.

Some interesting cases are:

1 - Attribute change without approval: only creates a master ticket that is resolved at the due date.

6 - Attribute change with approval combined with an assignment without approval: the master ticket contains the assignment that is applied at the due date. The sub-ticket contains the attribute change that is to be approved first before it can be applied to the object.

7 - Attribute change with approval combined with an assignment with approval: in this case, an empty (or so called info) master ticket is created. It connects the two sub-tickets that each contains one of the required approvals.

10 - Assignment with approval: in this case, the sub-ticket is merged with the master ticket. This is only possible if there are no changes that need no approval and if there is only one sub-ticket available. Case 5 represents the same situation, but for an attribute approval.

As mentioned earlier in this section, a complex object change can consist of four possible actions, as shown in the following figure:

The master ticket contains all changes without approval. The sub-tickets contain either an attribute change or an assignment to approve.

If changes without approval do not exist and there is only one potential sub-ticket, the resulting structure is a simple ticket with only one action to approve. The following figure illustrates this structure:

As shown in the figure, the sub-ticket is merged with the master ticket, which results in a simpler ticket structure.

Internal tickets are organized into the following folder structure in DirX Identity Provisioning’s Tickets tree view:

Here is an example:

Tickets → Internal → Users → 2011-09-05

DirX Identity’s internal tickets are organized into master tickets and sub-tickets, as described in "Understanding Internal Ticket Structure".

DirX Identity names a master ticket according to the following scheme:

Here is an example of master ticket naming:

Tinker Boris 13:45:12 (Input.Completed)

Tinker Boris 13:45:12 -1 (Input.Completed)

Master tickets can contain sub-tickets. DirX Identity names a sub-ticket according to the following scheme:

The two-tier naming scheme allows the master ticket to represent the subject, while the resources that are to approve are visible below it.

Here is an example of a sub-ticket name:

ADD Analyst Reports

Administrators create tickets by supplying a Due Date value for the change in Web Center or DirX Identity Manager. DirX Identity processes - for example, request workflow activities - can also create tickets as required. You can find more information about how to create tickets at the user level in the following locations:

DirX Identity’s Services layer creates a ticket automatically if a change order contains a due date. Internal tickets can be created for three operation types:

The scheduled Process Internal Tickets workflow regularly checks the state and due date of all tickets and processes tickets that are ready to process. You can find more information about this workflow in the following locations:

A ticket is marked for deletion when a DirX Identity process sets its DELETED state and provides an expiration date. The DirX Identity Services layer uses the Cleanup Objects workflow to remove all tickets that are in state DELETED, that have an empty history and whose expiration dates have been reached or are blank. The Cleanup Workflow is a Tcl workflow that uses the Policy Agent to run consistency rules for object cleanup. It can be called explicitly or periodically by the scheduler. You can find more information about this workflow in the section "Cleanup Objects Workflow" in the chapter "Using the Maintenance Workflows" in the DirX Identity Application Development Guide.

The following figure shows the possible ticket states and the state change flow.

The ticket states are:

(None) - the service layer (or any service that uses it) creates a ticket either in Input.Completed or InApproval status. Input.Completed is used if no approval is necessary before the ticket is applied. InApproval is used if an approval is necessary. In this case, the ticket is linked with the corresponding approval workflow.

Input.Completed - the ticket is ready to be processed by the Process Internal Tickets service.

InApproval - the ticket requires the corresponding approval workflow to complete. If the approval is successful, the ApplyChange activity runs. This activity sets the ticket state to Approval.Accepted if the approval is successful (accepted). If the activity doesn’t work correctly or the approval is not successful (rejected), the activity does not propagate this situation. During the next run of the Process Internal Tickets service, the situation is detected and the state is set appropriately.

Approval.Accepted - the ticket state after an accepted approval. This ticket is processed again at the due date by the Process Internal Tickets service.

Approval.Rejected - the ticket state after a rejected approval. This is an end state.

Approval.Error - the ticket state after a failed approval workflow. This is an end state.

ApplyChange.Completed - the ticket state after successful ticket processing by the Process Internal Tickets service at the due date. All completed orders for attributes and assignments are resolved. This is an end state.

ApplyChange.Error - the ticket state after unsuccessful processing by the Process Internal Tickets service at the due date. This is an end state.

Use the default query folders provided for internal tickets in the Tickets → Internal → _Queries subtree (see "Working with Internal Ticket Objects" for details) to explore tickets of a specific state, especially tickets in the ApplyChange.Error state. Check the reason and then try to solve the problem.

When you log into DirX Identity Provisioning and select Tickets from the view bar, DirX Identity displays a hierarchical tree of tickets that you are allowed to manage in the left-hand pane. The following figure shows the Tickets view.

As shown in the figure:

To view the properties of a ticket, click its entry in the tree.DirX Identity also provides a search dialog that you can use to select and display a subset of these objects.For more information, see the Core Components" section of the DirX Identity Manager online help.

When you select a ticket object, DirX Identity displays the ticket state in the property dialog heading and a set of tabs that you can use to view (and edit) the ticket’s properties.Click the tabs in the property dialog to move between the different property categories.See the context-sensitive help for information about internal ticket property dialogs and attributes.

To change the value or one or more of the properties displayed in a tab, click Edit.Manager keeps the changes you make to the object in its internal cache until you click Save.As long as you do not use Save, you can use the Manager’s Reset function to restore the settings to their old values (the values that are stored in the Identity Store (Provisioning Configuration)).