[midPoint] Blog: Workflowless

Radovan Semancik radovan.semancik at evolveum.com
Fri Jan 24 10:23:08 CET 2020


Dear midPoint community,

MidPoint ditched its workflow engine. Scandal! How dare they? IDM without a 
workflow engine? Blasphemy! Abomination!

Workflow had been a holy cow of provisioning for almost 20 years. 
Hordes of IDM systems were born (and died) with an integrated workflow 
engine. From the cumbersome proprietary workflow engine of Waveset 
Lighthouse to the open source BPMN engine of Apache Syncope, workflow 
was a natural part of identity management. Except for one pesky little 
detail: it does not make sense.

Workflow engines are designed to govern the flow of work among humans. It 
made a lot of sense to integrate a workflow engine into IDM solutions in the 
early 2000s. Lots of IDM tasks were manual at that time. And customers 
usually did not have a company-wide workflow system into which IDM could 
simply be integrated. And even if they did, the infighting of software 
vendors made integration with workflow engines a complete nightmare. 
Therefore, any practical IDM solution was supposed to bring its own 
workflow engine. Otherwise it could not be deployed in a reasonable 
time. Fortunately, those times are over.

The character of IDM deployments was changing during the 2000s and early 2010s. 
There was more automation and less manual work. And even if there was 
manual work, it was largely limited to two areas: approvals and manual 
provisioning. Workflow engines were still in use as those were often the 
only places where the behavior of an IDM system could be customized. 
However, the job of the workflow engine was no longer focused on 
interaction with humans. Workflow engines were (ab)used to run quite 
complex provisioning algorithms, evaluate policies and so on. But they 
were never designed to do that. It was a major pain to set up these 
processes. And it was even harder to maintain them. If you want to scare 
an old IDM engineer, just whisper the word “upgrade” into his ear.

MidPoint was born in 2011. It was designed by engineers who went through 
the first age of IDM deployments in the 2000s. Therefore, a workflow engine 
had to be part of midPoint. Other products had it. Analysts wanted it. 
So we integrated workflow into midPoint without a huge amount of 
thinking. But we realized quite soon that the workflow engine was 
reduced to doing just a single job: approvals. The engine was not even 
processing the request and selecting the approvers. MidPoint did all of 
that. The engine just executed the approvals. That was a pretty boring job 
for one big engine. It was overkill. Therefore, we jettisoned 
the workflow engine in midPoint 4.0. That was one of the best decisions 
that we have ever made.

Now, approvals and manual provisioning are not the only things in IDM 
that require manual interaction, are they? Of course, there are a lot of 
things that cannot be automated. However, many of those things are not 
really /processes/. They cannot be described by an algorithm, they do 
not have a prescribed flow of actors, forks and joins. These things tend 
to be “cases”. Something that needs to be solved, but for which an 
algorithmic solution is not available. It still needs human interaction, 
but that interaction is not constrained by a process. It is more like an 
improvised dance. Like semi-structured teamwork. A workflow engine is 
not going to help with that.

But we cannot get rid of /processes/ completely, can we? There are still 
a few of them left. Maybe there is an enrolment process for a new 
employee. Maybe that employee needs to get a company badge, keys to the 
office, attend health & safety training and so on. We may need an 
algorithmic process which is full of human interaction. That is still a 
very valid requirement. A process is needed. The point is that it does not 
make any sense to drive that process in a workflow engine which is 
integrated into an IDM system. There is usually a company-wide workflow 
system these days. The company's physical security staff will not enjoy 
logging into the IDM system to work with the employee enrolment process and 
then logging into another workflow system to request time off and do all 
the other stuff. It does not make sense. A workflow engine embedded in an 
IDM system is a bad idea.

What makes sense is the ability for an IDM system to integrate with an 
existing company-wide workflow engine. An IDM system should be able to 
forward a process to the workflow system and continue the process when the 
workflow engine is finished. IDM should not /include/ its own workflow 
engine. IDM should /cooperate/ with an existing engine. That is the 
right way to do it 
<https://wiki.evolveum.com/display/midPoint/Workflow+Integration> in the 2020s.

(Reposted from Evolveum blog <https://evolveum.com/workflowless/>)


-- 
Radovan Semancik
Software Architect
evolveum.com
