Create a workitem from a rule

In a previous discussion (Re: Can a rule or task create workitem?), I presented an example of how to create a work item programmatically using BeanShell. As the question of how to create or modify a work item is asked fairly often on the forums, I decided to write a blog post about it.


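<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Create WorkItem">
  <Source>import sailpoint.object.*;
import sailpoint.persistence.Sequencer;

// Available for an expiration date; not applied to the item in this example
Calendar expiration = Calendar.getInstance();
// Look up the identities involved (example names)
Identity targetIdentity = context.getObjectByName(Identity.class, "Amy.Cox");
Identity requester = context.getObjectByName(Identity.class, "Aaron.Nichols");

WorkItem item = new WorkItem();
// Type tells IdentityIQ the purpose of the item; renderer and handler depend on the type
item.setType(WorkItem.Type.ManualAction);
item.setOwner(context.getObjectByName(Identity.class, "spadmin"));
item.setRequester(requester);
// The name is a sequential id
Sequencer sequencer = new Sequencer();
item.setName(sequencer.generateId(context, item));
item.setDescription("Manual Changes requested for User: " + targetIdentity.getDisplayableName());

// Describe the requested change and attach it to the work item
Attributes attributes = new Attributes();
ApprovalSet approvalSet = new ApprovalSet();
ApprovalItem approvalItem = new ApprovalItem();
approvalItem.setValue("attribuut = \"value\"");
approvalSet.add(approvalItem);
attributes.put("approvalSet", approvalSet);
attributes.put("identityDisplayName", targetIdentity.getDisplayableName());
attributes.put("identityName", targetIdentity.getName());
item.setAttributes(attributes);

// Persist the work item so it shows up for the owner
context.saveObject(item);
context.commitTransaction();
return item;
  </Source>
</Rule>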


This example is a work item for a manual action. It will show the recipient that a change has to be implemented manually. It refers back to an identity request, but does not necessarily need to. If it does refer to a valid identity request, that object will be updated once the request has been completed.


Some important attributes of a WorkItem object to be set:

  • The type, so IdentityIQ knows what its purpose is,
  • The renderer: a Java Server Faces page to present the work item,
  • The handler: a class that will handle the result of a work item being completed (and possibly a decision made),
  • The name (a sequential id),
  • Owner (recipient),
  • Requester (person who requested the action to be performed)
  • Description.


Different types of work items may have different required attributes and information. To figure out what is needed, refer to WorkItem objects in your environment that were created by example scenarios.
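One way to do that inspection from a rule, as an added example that is not part of the original post: this read-only BeanShell rule body samples existing work items per type and collects the renderers, handlers and attribute keys they use. The two types listed and the sample size of 25 are assumptions; adjust them to the scenarios you ran.

```java
// Added example (BeanShell rule body, read-only): summarise existing work items per type
import java.util.*;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.object.WorkItem;

// Assumption: these are the types exercised by your example scenarios
WorkItem.Type[] types = new WorkItem.Type[] {
    WorkItem.Type.ManualAction, WorkItem.Type.Approval
};

Map summary = new LinkedHashMap();
for (int i = 0; i < types.length; i++) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("type", types[i]));
    qo.setResultLimit(25); // a sample is enough to see the pattern

    Set renderers = new TreeSet();
    Set handlers = new TreeSet();
    Set attributeKeys = new TreeSet();

    List items = context.getObjects(WorkItem.class, qo);
    if (items == null) items = new ArrayList();
    for (Iterator it = items.iterator(); it.hasNext();) {
        WorkItem wi = (WorkItem) it.next();
        if (wi.getRenderer() != null) renderers.add(wi.getRenderer());
        if (wi.getHandler() != null) handlers.add(wi.getHandler());
        if (wi.getAttributes() != null) {
            // Only the keys are collected; values may hold request details
            attributeKeys.addAll(wi.getAttributes().keySet());
        }
    }

    Map perType = new LinkedHashMap();
    perType.put("sampled", Integer.valueOf(items.size()));
    perType.put("renderers", renderers);
    perType.put("handlers", handlers);
    perType.put("attributeKeys", attributeKeys);
    summary.put(types[i].toString(), perType);
}
// Returned map is shown as the rule result, keyed by work item type
return summary;
```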

Is there any easy way to add an EmailTemplate to the work item to send initially, like using the workItemNotificationTemplate argument in the workflow step? I know there is a NotificationConfig for the work item, but that seems to be for reminders, escalations, and expiration.

Hi @menno_pieters,

How would you open a remediation workItem from a certification? My signoff approver rule did create a workitem, but I am assuming what you have is for an approval workitem.

Hi @dk0200 

The example above is mostly for notification. If you need any actions attached, the surrounding process needs to open the work item and also provide a handler. So, a certification will automatically create the correct type of work item and add the correct handler to the work item, such that the certification will be opened from the work item.

If you need a form to be shown, it's better to launch a workflow with that form embedded and when the form is set up, a work item is created.

- Menno

Hi Menno,

I don't need to take action from the work item really. What I am trying to do is once the decision maker revokes an item, a work item needs to be opened, which needs to be closed by the grantor (a custom attribute) in the entitlement. Once the access has been removed from the target system manually, then the work item needs to be closed.

Would I need a form to be shown here? Thank you so much for responding. 

So, you need manual provisioning. Do you always need manual provisioning, or only for certifications? In the first case, you could remove the 'PROVISION' feature from the featureString in the XML of the application definition. The provisioning engine will then automatically create workitems, but in order for the 'grantor' to get it, you may need to set up a global work item assignment rule to intercept and automatically forward.

Out of the box, you would use the 'Revoker' on the application definition for this. If that is not defined, the owner is assigned the workitem.

The problem with turning the 'PROVISION' off is, my application is JDBC. Instead of dealing with CSVs, we decided to read and write from a database. So, in reality the app is delimited, but because of this it is now a JDBC connector. If I turn off the 'PROVISION' feature, the global provisioning rule, which writes to the database, won't be called. I could potentially turn it off and do everything I said from integration config, I think, but I thought sign off approver rule would be a more straightforward solution, at least for certifications. Hope this makes sense.

Also currently, access request and removal do not auto provision because we have modified the workflow to open a work item and only resume the OOTB process once the work item has been worked on. 

Last update: Jul 13, 2023 05:34 PM