<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear midPoint community,</p>
<p>MidPoint ditched workflow engine. Scandal! How dare they? IDM
without a workflow engine? Blasphemy! Abomination!</p>
<p>Workflow had been a holly cow of provisioning for almost 20
years. Hordes of IDM systems were born (and died) with integrated
workflow engine. From the cumbersome proprietary workflow engine
of Waveset Lighthouse to the open source BPMN engine of Apache
Syncope, workflow was a natural part of identity management.
Except one pesky little detail: it does not make sense.</p>
<p>Workflow engines are designed to govern flow of work among
humans. It made a lot of sense to integrate workflow engine in IDM
solutions in early 2000s. Lots of IDM tasks were manual at that
time. And customers usually did not have a company-wide workflow
system where IDM could simply be integrated. And even if they did,
the infighting of software vendors made integration with workflow
engines a complete nightmare. Therefore, any practical IDM
solution was supposed to bring its own workflow engine. Otherwise
it could not be deployed in a reasonable time. Fortunately, those
times are over.</p>
<p>Character of IDM deployments was changing during 2000s and early
2010s. There was more automation and less manual work. And even if
there was a manual work, it was largely limited to two areas:
approvals and manual provisioning. Workflow engines were still in
use as those were often the only places where behavior of an IDM
system could be customized. However, the job of the workflow
engine was no longer focused on interaction with humans. Workflow
engines were (ab)used to run quite complex provisioning
algorithms, evaluate policies and so on. But they were never
designed to do that. It was a major pain to set up these
processes. And it was even harder to maintain them. If you want to
scare old IDM engineer, just whisper a word “upgrade” into his
ears.</p>
<p>MidPoint was born in 2011. It was designed by engineers who went
through the first age of IDM deployments in 2000s. Therefore,
workflow engine had to be part of midPoint. Other products had it.
Analysts wanted it. So we integrated workflow into midPoint
without a huge amount of thinking. But we have realized quite soon
that the workflow engine was reduced to do just a single job:
approvals. The engine was not even processing the request and
selecting the approvers. MidPoint did all of that. The engine just
executed the approvals. That was pretty boring job for one big
engine. It was an overkill. Therefore, we have jettisoned the
workflow engine in midPoint 4.0. That was one of the best
decisions that have ever made.</p>
<p>Now, approvals and manual provisioning are not the only things in
IDM that require manual interaction, are they? Of course, there is
a lot of things that cannot be automatized. However, many of those
things are not really <i>processes</i>. They cannot be described
by an algorithm, they do not have a prescribed flow of actors,
forks and joins. These things tend to be “cases”. Something that
needs to be solved, but for which an algorithmic solution is not
available. It still needs human interaction, but that interaction
is not constrained by a process. It is more like an improvised
dance. Like a semi-structured teamwork. Workflow engine is not
going to help with that.</p>
<p>But we cannot get rid of <i>processes</i> completely, can we?
There is still few of them left. Maybe there is an enrolment
process for a new employee. Maybe that employee needs to get
company badge, keys to the office, attend health&safety
training and so on. We may need an algorithmic process which is
full of human interaction. That is still a very valid requirement.
Process is needed. The point is that it does not make any sense to
drive that process in the workflow engine which is integrated into
an IDM system. There is usually a company-wide workflow system
these days. Company physical security staff will not enjoy logging
into the IDM system to work with employee enrolment process and
then log into another workflow system to request a time off and do
all the other stuff. It does not make sense. Workflow engine
embedded in an IDM system is a bad idea.</p>
<p>What makes sense is the ability for an IDM system to integrate
with existing company-wide workflow engine. IDM system should be
able to forward process to the workflow system and continue the
process when workflow engine is finished. IDM should not <i>include</i>
its own workflow engine. IDM should <i>cooperate</i> with an
existing engine. That is <a
href="https://wiki.evolveum.com/display/midPoint/Workflow+Integration">the
right way to do it</a> in 2020s.</p>
<p>(Reposted from <a moz-do-not-send="true"
href="https://evolveum.com/workflowless/">Evolveum blog</a>)</p>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com</pre>
</body>
</html>