Adding an API State Change Workflow

This section explains how to add a custom workflow to control the API state changes in the API Manager. First see Workflow Extensions for more information on different types of workflow executors. For more details on API states see API Lifecycle.

Configuring the API Manager

Open <APIM_HOME>/repository/conf/api-manager.xml and set in <Enabled> to true in the <WorkflowConfigurations> section.
Change the <ServerUrl> if you have configured the BPS/EI to run on a different port offset.

Engaging the WS Workflow Executor in the API Manager

First, enable the API state change workflow.

Log in to the APIM management console (https://<Server Host>:9443/carbon) and select Browse under Resources.
Go to the /_system/governance/apimgt/applicationdata/workflow-extensions.xml resource, disable the Simple Workflow Executor and enable WS Workflow Executor.
```
<WorkFlowExtensions>
	....
	
	
	<APIStateChange executor="org.wso2.carbon.apimgt.impl.workflow.APIStateChangeWSWorkflowExecutor">
    	<Property name="processDefinitionKey">APIStateChangeApprovalProcess</Property>
    	<Property name="stateList">Created:Publish,Published:Block</Property>   	 
	</APIStateChange>
	....
</WorkFlowExtensions>
```
You have now engaged the API WS Workflow. The default configuration is set for Created to Publish and Published to Block state changes. See Advanced Configurations for information on configuring more state changes.

When enabling the workflow features, make sure you import the certificate of the API Manager into the client-truststore located inside the <BPS_HOME>/repository/resources/security directory.
Log in to the API Publisher (https://<Server Host>:9443/publisher) and publish an API. See Create and Publish an API. A message related to the publish workflow will be displayed because the workflow is enabled for Created to Publish state change.

Note that the Save & Publish button will be disabled until the workflow task is completed or deleted.
You can revoke the state change by clicking Delete Task in the Lifecycle tab.
Log in to the Admin Portal (https://<Server Host>:9443/admin) and click API State Change to see the list of tasks awaiting approval.
Click Assign to Me to approve the task. Select Approve and click Complete to resume and complete the API state change.

Advanced Configurations

Given below are the configurations that can be changed by editing <APIM_HOME>/repository/conf/api-manager.xml

<WorkflowConfigurations>
   	<Enabled>true</Enabled>
  	 <ServerUrl>https://localhost:9445/bpmn</ServerUrl>  		
  	 <ServerUser>${admin.username}</ServerUser>
  	 <ServerPassword>${admin.password}</ServerPassword>   
<WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.10/workflows/update-workflow-status</WorkflowCallbackAPI>
  	<TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>    
<DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.10/register</DCREndPoint>
   	<DCREndPointUser>${admin.username}</DCREndPointUser>
   	<DCREndPointPassword>${admin.password}</DCREndPointPassword>
</WorkflowConfigurations>

The elements of the above configuration are explained below.

Element name	Description
`Enabled`	Enables the Admin Portal to approve state change tasks.
`ServerUrl`	The URL of the BPMN server.
`ServerUser`	User accessing the BPMN REST API.
`ServerPassword`	Password of the user accessing the BPMN REST API.
`WorkflowCallbackAPI`	The REST API invoked by the BPMN to complete the workflow.
`TokenEndPoint`	The API call to generate the access token is passed to the BPMN process. Once the access token is received, it is used to call the workflow callback API.
`DCREndPoint`	Endpoint to generate OAuth application. This application is used by the BPMN process to generate the token.
`DCREndPointUser`	Endpoint user.
`DCREndPointPassword`	Endpoint password.

Setting a DCREndPointUser

Create a user with exclusive apim:apiworkflow scope permissions when setting a DCREndPointUser. Please avoid using super admin credentials. If super admin credentioals are used, the created OAuth application will have all the permissions related to scopes in the other REST APIs. Follow the steps below to create a user with apim:apiworkflow scope permissions:

Log in to APIM management console (https://<Server Host>:9443/carbon) and create a role named workflowCallbackRole. Set create and publisher or subscriber permissions to this role.
Go to Resources and click Browse. Go to /_system/config/apimgt/applicationdata/tenant-conf.json and update the role related to ‘apim:api_workflow’ scope with the newly created role.
```
...
      {
        "Name": "apim:api_workflow",
        "Roles": "workflowCallbackRole"
      }
...
```
Assign this role to a user.
Update <DCREndPointUser> and <DCREndPointPassword> with this user's credentials.

For more details on how to create users and roles see managing users and roles.

The configurations that can be changed by editing the /_system/governance/apimgt/applicationdata/workflow-extensions.xml are given below.

Simple WorkFlow

<APIStateChange executor="org.wso2.carbon.apimgt.impl.workflow.APIStateChangeSimpleWorkflowExecutor" />

WS WorkFlow

<APIStateChange executor="org.wso2.carbon.apimgt.impl.workflow.APIStateChangeWSWorkflowExecutor">
   	<Property name="processDefinitionKey">APIStateChangeApprovalProcess</Property>
   	<Property name="stateList">Created:Publish,Published:Block</Property>   	
</APIStateChange>

The elements of the above configuration are explained below.

Element Name	Mandatory/Optional	Description
`processDefinitionKey`	Mandatory	BPMN process definition id. BPMN process provided with AM as default has ‘APIStateChangeApprovalProcess’ as the id
`stateList`	Mandatory	This is a comma separated list of the current state and intended action. For example, Created:Publish,Published:Block
`serviceEndpoint`	Optional	The URL of the BPMN process engine. This overrides the global `<ServerUrl>` value from the `api-manager.xml` file. This can be used to connect a separate workflow engine for a tenant.
`username`	Optional	Username for the external BPMN process engine. This overrides `<ServerUser>` defined in the `api-manager.xml` file for the tenant.
`password`	Optional	password for the external BPMN process engine. This overrides `<ServerPassword>` defined in the `api-manager.xml` file for the tenant.