fixed condition evaluation

defaults/main.yaml

@@ -1,27 +1,45 @@
 ---
 workflows:
-   - create-user-add-to-vre
-   - group_deleted
-   - user-group_created
-   - user-group-role_created
-   - group_created
-   - invitation-accepted
-   - user-group_deleted
-   - user-group-role_deleted
-   - delete-user-account
-   - role_deleted
-   - role_created
-   - add_role_policy_permission 
-   - add_all_member_roles
-   - create_system_service
-   - add_all_system_services_to_vre
+   # - create-user-add-to-vre
+   # - group_deleted
+   # - user-group_created
+   # - user-group-role_created
+   # - group_created
+   # - invitation-accepted
+   # - user-group_deleted
+   # - user-group-role_deleted
+   # - delete-user-account
+   # - keycloak_delete_account
+   # - role_deleted
+   # - role_created
+   # - add_role_policy_permission 
+   # - add_all_member_roles
+   # - create_system_service
+   # - delete_system_service
+   # - add_all_system_services_to_vre
+   # - create_workspace_client
+   - add_workspace_client_to_context
+   # - enable_workspace_clients_for_context
+   # - add_workspace_client_to_contexts
+   # - ghn_client_add_to_context
+   # - ghn_client_add_to_contexts
+   # - ghn_client_create
+   # - ghn_client_delete
+   # - ghn_client_remove_from_contexts
+   # - ghn_client_remove_from_context
+   # - jupyterhub_add_serveroptions_to_context
+   # - record_context_to_is
+   # - create_vre_folder_for_context
+   # - create_vre
+
 keycloak_host: "https://accounts.dev.d4science.org/auth"
 keycloak: "{{ keycloak_host }}/realms"
 keycloak_realm: "d4science"
 keycloak_admin: "{{ keycloak_host }}/admin/realms"
 keycloak_auth: "c93501bd-abeb-4228-bc28-afac38877338"
 keycloak_auth_master: "7a64deb5-e8ea-4add-ba8d-26b339994cc9"
-liferay: "https://next.d4science.org/api/jsonws"
+liferay: "https://next.dev.d4science.org/api/jsonws"
 liferay_auth: "bm90aWZpY2F0aW9uc0BkNHNjaWVuY2Uub3JnOmdjdWJlcmFuZG9tMzIx"
 root_vo: "%2Fgcube"
-ic_proxy: "https://node10-d-d4s.d4science.org" 
+ic_proxy: "https://node10-d-d4s.d4science.org"
+is_url: "https://url.gcube.d4science.org" 

templates/add_all_member_roles.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["context","client"],
 	"tasks" : [
     	{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "init",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
 				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-				"scriptExpression": "1 == 1"
+				"evaluatorType" : "javascript",
+				"expression": "1 == 1"
 			}
 		},
 		{

templates/add_all_system_services_to_vre.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["client_resource_id"],
 	"tasks" : [
     	{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "init",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
 				  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 				  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
 				  "iC_proxy" : "{{ ic_proxy }}",
+				  "evaluatorType" : "javascript",
 				  "scriptExpression": "1 == 1"
 			}
 		},
@@ -105,13 +106,14 @@
 	  		}
 		},
 		{
-		  "name": "LAMBDA_TASK",
+		  "name": "INLINE_TASK",
 		  "taskReferenceName": "build_get_system_services_tasks",
-		  "type": "LAMBDA",
+		  "type": "INLINE",
 		  "inputParameters": {
 		    "url" : "${init.input.keycloak_admin}/clients?search=true&clientId=",
 		    "services" : "${extract_system_service_names.output.result}",
-		    "scriptExpression": "inputs = {}, tasks = [];for (var i = 0; i < $.services.length; i++){s = $.services[i];tasks.push({name: 'pyrest',type: 'SIMPLE',taskReferenceName: 'get_system_service' + i});inputs['get_system_service' + i] = {url: $.url + s,method: 'GET',headers: {Authorization: 'Bearer ${authorize.output.body.access_token}', Accept: 'application/json'}}};return {tasks: Java.to(tasks, 'java.util.Map[]'),inputs: inputs};"
+		    "evaluatorType" : "javascript",
+			"expression": "inputs = {}, tasks = [];function f(){for (var i = 0; i < $.services.length; i++){s = $.services[i];tasks.push({name: 'pyrest',type: 'SIMPLE',taskReferenceName: 'get_system_service' + i});inputs['get_system_service' + i] = {url: $.url + s,method: 'GET',headers: {Authorization: 'Bearer ${authorize.output.body.access_token}', Accept: 'application/json'}}};return {tasks: Java.to(tasks, 'java.util.Map[]'),inputs: inputs};} f()"
 		  }
 		},
 		{
@@ -131,13 +133,14 @@
 		    "taskReferenceName" : "join_parallel_get_system_services_tasks"
 		},
 		{
-		  "name": "LAMBDA_TASK",
+		  "name": "INLINE_TASK",
 		  "taskReferenceName": "build_get_system_services_useraccount_tasks",
-		  "type": "LAMBDA",
+		  "type": "INLINE",
 		  "inputParameters": {
+		  	"evaluatorType" : "javascript",
 		    "url" : "${init.input.keycloak_admin}/clients",
 		    "services" : "${join_parallel_get_system_services_tasks.output..body.*.id}",
-		    "scriptExpression": "inputs = {}, tasks = [];for (var i = 0; i < $.services.length; i++){s = $.services[i];tasks.push({name: 'pyrest',type: 'SIMPLE',taskReferenceName: 'get_system_service_useraccount' + i});inputs['get_system_service_useraccount' + i] = {url: $.url + '/' + s + '/service-account-user',method: 'GET',headers: {Authorization: 'Bearer ${authorize.output.body.access_token}', Accept: 'application/json'}}};return {tasks: Java.to(tasks, 'java.util.Map[]'),inputs: inputs};"
+		    "scriptExpression": "inputs = {}, tasks = [];function f(){for (var i = 0; i < $.services.length; i++){s = $.services[i];tasks.push({name: 'pyrest',type: 'SIMPLE',taskReferenceName: 'get_system_service_useraccount' + i});inputs['get_system_service_useraccount' + i] = {url: $.url + '/' + s + '/service-account-user',method: 'GET',headers: {Authorization: 'Bearer ${authorize.output.body.access_token}', Accept: 'application/json'}}};return {tasks: Java.to(tasks, 'java.util.Map[]'),inputs: inputs};"
 		  }
 		},
 		{
@@ -163,7 +166,8 @@
 		  "inputParameters": {
 		    "context" : "${get_vre.output.body}",
 		    "service_ids" : "${join_parallel_get_system_services_useraccount_tasks.output..body.id}",
-		    "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.service_ids.length;i++)c=$.context,tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'call_add_all_member_roles_'+i, subWorkflowParam:{ name:'add_all_member_roles'}}),inputs['call_add_all_member_roles_'+i]={context:c, client:$.service_ids[i]};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+		    "evaluatorType" : "javascript",
+			"expression": "inputs={},tasks=[];for(var i=0;i<$.service_ids.length;i++)c=$.context,tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'call_add_all_member_roles_'+i, subWorkflowParam:{ name:'add_all_member_roles'}}),inputs['call_add_all_member_roles_'+i]={context:c, client:$.service_ids[i]};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
 		  }
 		},
 		{

templates/add_role_policy_permission.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["role"],
 	"tasks" : [
     {
-		  "name": "LAMBDA_TASK",
+		  "name": "INLINE_TASK",
 		  "taskReferenceName": "init",
-		  "type": "LAMBDA",
+		  "type": "INLINE",
 		  "inputParameters": {
 			  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			  "scriptExpression": "1 == 1"
+			  "evaluatorType" : "javascript",
+        "expression": "1 == 1"
 		  }
 		},
 		{
@@ -44,6 +45,7 @@
               "name" : "pyrest",
               "type" : "SIMPLE",
               "taskReferenceName": "add_policy",
+              "retryCount" : 1,
               "inputParameters" : {
                 "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/policy/role",
                 "method" :"POST",
@@ -52,7 +54,6 @@
                   "Content-Type" : "application/json",
                   "Accept" : "application/json"
                 },
-                "expect" : [201, 409],
                 "body" : {
                   "name":"${workflow.input.role.name}_policy",
                   "description" : "Policy for having ${workflow.input.role.name} role",
@@ -69,6 +70,7 @@
             "name" : "pyrest",
             "type" : "SIMPLE",
             "taskReferenceName": "retrieve_default_permission",
+            "retryCount" : 1,
             "inputParameters" : {
               "url" : "${init.input.keycloak_admin}/clients/${workflow.input.role.containerId}/authz/resource-server/permission?name=Default Permission",
               "method" :"GET",
@@ -101,15 +103,30 @@
         "joinOn" : ["retrieve_default_permission_policies","add_policy"]
     },
     {
-      "name": "LAMBDA_TASK",
+      "name": "INLINE_TASK",
       "taskReferenceName": "to_policy_array",
-      "type": "LAMBDA",
+      "type": "INLINE",
       "inputParameters": {
         "newpolicy": "${add_policy.output.body}",
+        "evaluatorType" : "javascript",
         "prevpolicies" : "${retrieve_default_permission_policies.output.body}",
-        "scriptExpression": "return Java.to(Java.from($.prevpolicies).concat($.newpolicy),'java.util.Map[]')"
+        "expression": "Java.from($.prevpolicies).concat($.newpolicy)"
       }
     },
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "count_check",
+      "inputParameters": {
+        "tocount": "${to_policy_array.output.result[*].id}",
+        "tocompare": "${retrieve_default_permission_policies.output.body}",
+        "evaluatorType": "javascript",
+        "expression": "if($.tocount.length < $.tocompare.length) throw 'Unexpected low value'; else $.tocount.length < $.tocompare.length"
+      },
+      "type": "INLINE",
+      "startDelay": 0,
+      "optional": false,
+      "asyncComplete": false
+    },
     {
 		  "name" : "pyrest",
 		  "taskReferenceName" : "finalize_permission",

templates/add_workspace_client_to_context.json.j2

@@ -0,0 +1,235 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "add_workspace_client_to_context",
+	"createBy" : "Marco Lettere",
+	"description": "A workspace client is made Member of a context and it's workspace folder is linked to context's shared folder",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "context"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"root_vo": "{{ root_vo }}",
+				"storagehub" : "{{ storagehub }}",
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"ctx" : "${workflow.input.context}",
+				"evaluatorType": "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id) || e($.ctx)) throw('Client ID and Context must not be empty'); else return { encoded_root_vo : encodeURI($.root_vo), encoded_context : $.ctx.replaceAll('/', '%2F')}} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth_master }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},
+		{
+			"name" : "fork_join",
+			"taskReferenceName" : "fork1",
+			"type" : "FORK_JOIN",
+			"forkTasks" : [
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "lookup_client",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"params" : { "clientId" : "${workflow.input.client_id}"},
+							"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_ws_client",
+						"type": "INLINE",
+						"inputParameters": {
+							"client" : "${lookup_client.output.body}",
+							"evaluatorType" : "javascript",
+							"expression": "function e(v){ return (v.length === 0)}; function f(){if(e($.client)) throw('Workspace client not found'); else return { client : $.client[0], id : $.client[0].id}} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "get_service_account_user",
+				  		"type" : "SIMPLE",
+				  		"inputParameters" : {
+					  		"url" : "${init.input.keycloak_admin}/clients/${extract_ws_client.output.result.id}/service-account-user",
+					  		"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+				  		}
+					}
+				],
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "lookup_context",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"params" : { "clientId" : "${init.output.result.encoded_context}"},
+							"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+						}
+					},
+                    {
+						"name": "switch_task",
+						"taskReferenceName": "check_for_exactly_one__context",
+						"inputParameters": {
+						  "inp": "${lookup_context.output.body}"
+						},
+						"type": "SWITCH",
+						"decisionCases": {
+						  "fail": [
+						    {
+						      "name": "terminate_on_wrong_context_number_1",
+						      "taskReferenceName": "terminate_on_wrong_context_number_1",
+						      "inputParameters": {
+						        "terminationStatus": "COMPLETED"
+						      },
+						      "type": "TERMINATE",
+						      "startDelay": 0,
+						      "optional": false,
+						      "asyncComplete": false,
+						      "permissive": false
+						    }
+						  ]
+						},
+						"startDelay": 0,
+						"optional": false,
+						"asyncComplete": false,
+						"evaluatorType": "javascript",
+						"expression": "$.inp.length !== 1 ? 'fail' : 'success'",
+						"permissive": false
+				   },
+				   {
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_context",
+						"type": "INLINE",
+						"inputParameters": {
+							"client" : "${lookup_context.output.body}",
+							"evaluatorType" : "javascript",
+							"expression": "function e(v){ return (v.length === 0)}; function f(){if(e($.client)) throw('Workspace client not found'); else return { client : $.client[0], id: $.client[0].id }} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"type" : "SIMPLE",
+						"taskReferenceName": "retrieve_member_role",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients/${extract_context.output.result.id}/roles/Member",
+							"method" :"GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+						  	}
+						}
+					},
+					{
+						"name": "jq_1",
+						"taskReferenceName": "roles_to_assign",
+						"type": "JSON_JQ_TRANSFORM",
+						"inputParameters": {
+							"role": "${retrieve_member_role.output.body}",
+						    "queryExpression" : ".role"
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "shubify_context_name",
+						"type": "INLINE",
+						"inputParameters": {
+							"context_name" : "${extract_context.output.result.client.name}",
+							"evaluatorType" : "javascript",
+							"expression": "var s = $.context_name; function f(){return { shubified_context_name : (s[0] === '/' ? s.replace('/', '') : s).split('/').join('-')}} f()"
+						}
+					}
+				]
+			]
+		},
+		{
+		    "name": "join",
+		    "taskReferenceName": "join1",
+		    "type": "JOIN",
+		    "joinOn": [
+		      "get_service_account_user",
+		      "shubify_context_name"
+		    ]
+		},
+		{
+			"name" : "pyrest",
+			"type" : "SIMPLE",
+			"taskReferenceName": "assign_member_role",
+			"inputParameters" : {
+			  "url" : "${init.input.keycloak_admin}/users/${get_service_account_user.output.body.id}/role-mappings/clients/${retrieve_member_role.output.body.containerId}",
+			  "method" :"POST",
+			  "headers" : {
+				"Authorization" : "Bearer ${authorize.output.body.access_token}",
+				"Content-Type" : "application/json",
+				"Accept":"application/json"
+			  },
+			  "body" : "${roles_to_assign.output.resultList}"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize_with_uma_rpt",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/{{ keycloak_realm }}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"audience" : "${init.input.root_vo}",
+					"grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket",
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth }}"
+				}
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "workspace_to_vre_folder",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.storagehub}/workspace/groups/${shubify_context_name.output.result.shubified_context_name}/users",
+				"method" : "PUT",
+				"expect" : [200, 400, 500],
+				"body" :{
+					"userId" : "${get_service_account_user.output.body.username}"
+				},
+				"headers" : {
+					"Authorization" : "Bearer ${authorize_with_uma_rpt.output.body.access_token}"
+				}
+			}
+		}
+	]
+}

templates/add_workspace_client_to_contexts.json.j2

@@ -0,0 +1,52 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "add_workspace_client_to_contexts",
+	"createBy" : "Marco Lettere",
+	"description": "A workspace client is made Member of all the contexts passed as input by calling the add_workspace_client_to_context sub-workflow",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "context_list"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"root_vo": "{{ root_vo }}",
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"evaluatorType" : "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty'); return { }} f()"
+			}
+		},
+		{
+		  "name": "INLINE_TASK",
+		  "taskReferenceName": "build_tasks_to_add_ws_client_to_all_contexts",
+		  "type": "INLINE",
+		  "inputParameters": {
+		    "context_list" : "${workflow.input.context_list}",
+		    "client_id" : "${workflow.input.client_id}",
+		    "evaluatorType" : "javascript",
+			"expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.context_list.length;i++)c=$.context_list[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'add_workspace_client_to_context_'+i, subWorkflowParam:{ name:'add_workspace_client_to_context'}}),inputs['add_workspace_client_to_context_'+i]={client_id : $.client_id, context: c};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		  }
+		},
+		{
+		  "name" : "fork_dynamic",
+		  "type" : "FORK_JOIN_DYNAMIC",
+		  "taskReferenceName" : "parallel_build_tasks_to_add_ws_client_to_all_contexts",
+		  "inputParameters" : {
+		      "tasks" : "${build_tasks_to_add_ws_client_to_all_contexts.output.result.tasks}",
+		      "inputs" : "${build_tasks_to_add_ws_client_to_all_contexts.output.result.inputs}"
+		  },
+		  "dynamicForkTasksParam": "tasks",
+		  "dynamicForkTasksInputParamName": "inputs"
+		},
+		{
+		  "name" : "join",
+		  "type" : "JOIN",
+		  "taskReferenceName" : "join_build_tasks_to_add_ws_client_to_all_contexts"
+		}
+	]
+}
+	

templates/create-user-add-to-vre.json.j2

@@ -8,14 +8,15 @@
 	"inputParameters" : ["user", "first-name", "last-name", "email", "password", "group"],
 	"tasks" : [
 		{
-		"name": "LAMBDA_TASK",
+		"name": "INLINE_TASK",
 		"taskReferenceName": "init",
-		"type": "LAMBDA",
+		"type": "INLINE",
 		"inputParameters": {
 			"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			"group" : "${workflow.input.group}", 
-            "scriptExpression": "var path = $.group.split('%2F').slice(1); return { 'tree' : Java.to(path, 'java.lang.Object[]'), 'name' : path.slice(path.length-1)[0]}"
+			"group" : "${workflow.input.group}",
+			"evaluatorType" : "javascript", 
+            "expression": "function f(){var path = $.group.split('%2F').slice(1); return { 'tree' : Java.to(path, 'java.lang.Object[]'), 'name' : path.slice(path.length-1)[0]}} f()"
 			}
 		},
 		{
@@ -79,15 +80,16 @@
 			}
 		},
 		{
-      			"name": "LAMBDA_TASK",
-      			"taskReferenceName": "select_user",
-      			"inputParameters": {
-        			"foundusers": "${lookup_user.output.body}",
-        			"username": "${workflow.input.user}",
-        			"scriptExpression": "for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return Java.to([$.foundusers[i]], 'java.lang.Object[]')}"
-      			},
-      			"type": "LAMBDA"
-    		},
+			"name": "INLINE_TASK",
+			"taskReferenceName": "select_user",
+			"inputParameters": {
+				"foundusers": "${lookup_user.output.body}",
+				"username": "${workflow.input.user}",
+				"evaluatorType" : "javascript",
+				"expression": "function f(){for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return $.foundusers[i]}} f()"
+			},
+			"type": "INLINE"
+		},
 		{
 			"name" : "pyrest",
 			"taskReferenceName" : "lookup_client",
@@ -119,21 +121,23 @@
 		{
 			"name" : "check_role_existance",
 			"taskReferenceName" : "check_role_existance",
-			"type" : "DECISION",
+			"type" : "SWITCH",
 			"inputParameters" :{
 				"previous_outcome" : "${get_client_roles.output.status}"
 			},
-			"caseValueParam" : "previous_outcome",
+			"evaluatorType" : "value-param",
+			"expression" : "previous_outcome",
 			"decisionCases" : {
 				"200" : [
 					{
-					"name": "LAMBDA_TASK",
+					"name": "INLINE_TASK",
 					"taskReferenceName": "select_role",
-					"type": "LAMBDA",
+					"type": "INLINE",
 					"inputParameters": {
+						"evaluatorType" : "javascript",
 						"role": "${workflow.input.role}",
 						"roles" : "${get_client_roles.output.body}",
-						"scriptExpression": "for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == 'Member') return Java.to([$.roles[i]], 'java.lang.Object[]')}"
+						"expression": "function f(){for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == 'Member') return $.roles[i]}} f()"
 						}
 					},
 					{
@@ -149,24 +153,26 @@
                         }
                     },
                     {
-					"name": "LAMBDA_TASK",
+					"name": "INLINE_TASK",
 					"taskReferenceName": "extract_groups",
-					"type": "LAMBDA",
+					"type": "INLINE",
 					"inputParameters": {
+						"evaluatorType" : "javascript",
 						"tree" : "${init.output.result.tree}",
                         "groups" : "${look_up_groups.output.body}",
-                        "scriptExpression": "function selectByPath(groups, path, level, acc){ for (var i=0; i < groups.length; i++) {if (groups[i].name === path[level]) {acc.push(groups[i]); if (level === path.length - 1) return acc;return selectByPath(groups[i].subGroups, path, level+1, acc)}} return []; } return { 'groups' : Java.to(selectByPath($.groups, $.tree, 0, []),'java.util.Map[]')}"
+                        "expression": "function selectByPath(groups, path, level, acc){ for (var i=0; i < groups.length; i++) {if (groups[i].name === path[level]) {acc.push(groups[i]); if (level === path.length - 1) return acc;return selectByPath(groups[i].subGroups, path, level+1, acc)}} return []; } function f(){ return { 'groups' : Java.to(selectByPath($.groups, $.tree, 0, []),'java.util.Map[]')}} f()"
 						}
 					},
 					{
-					"name": "LAMBDA_TASK",
+					"name": "INLINE_TASK",
 					"taskReferenceName": "build_add_to_all_groups_tasks",
-					"type": "LAMBDA",
+					"type": "INLINE",
 					"inputParameters": {
+						"evaluatorType" : "javascript",
 						"groups" : "${extract_groups.output.result.groups}",
 						"auth" : "Bearer ${authorize.output.body.access_token}",
-						"kc_user_url" : "${init.input.keycloak_admin}/users/${select_user.output.result[0].id}/groups/",
-                        "scriptExpression": "inputs={};tasks=[];for(var i=0;i<$.groups.length;i++)group=$.groups[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'user_to_group_'+i}),inputs['user_to_group_'+i]={ url : $.kc_user_url + group.id, method : 'PUT', headers: { Authorization : $.auth} };return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+						"kc_user_url" : "${init.input.keycloak_admin}/users/${select_user.output.result.id}/groups/",
+                        "expression": "inputs={};tasks=[];function f(){for(var i=0;i<$.groups.length;i++)group=$.groups[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'user_to_group_'+i}),inputs['user_to_group_'+i]={ url : $.kc_user_url + group.id, method : 'PUT', headers: { Authorization : $.auth} };return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f();"
 						}
 					},
 					{

templates/create_system_service.json.j2

@@ -5,16 +5,20 @@
 	"description": "Create a confidential client for software procedures that need to be members of each VO and VRE",
 	"version" : 1,
 	"ownerEmail" : "marco.lettere@nubisware.com",
-	"inputParameters" : ["client_id"],
+	"inputParameters" : ["client_id", "client_secret", "description"],
 	"tasks" : [
     	{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "init",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
 				  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 				  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-				  "scriptExpression": "1 == 1"
+				  "id" : "${workflow.input.client_id}",
+				  "secret" : "${workflow.input.client_secret}",
+				  "description" : "${workflow.input.description}",
+				  "evaluatorType" : "javascript",
+				  "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){ if(e($.id)) throw('Client ID must not be empty'); return { client : { clientId : $.id, description : ($.description ? $.description : $.id), secret : ($.secret ? $.secret : Java.type('java.util.UUID').randomUUID().toString()), rootUrl : '', enabled : true, serviceAccountsEnabled : true, standardFlowEnabled : true, authorizationServicesEnabled : false, publicClient : false, fullScopeAllowed : true, protocol : 'openid-connect'}}}; f()"
 			}
 		},
 		{
@@ -22,37 +26,25 @@
 			"taskReferenceName" : "authorize",
 			"type" : "SIMPLE",
 			"inputParameters" : {
-				"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+				"url" : "${init.input.keycloak}/protocol/openid-connect/token",
 				"method" : "POST",
 				"headers" : {
 					"Accept" : "application/json"
 				},
 				"body" : {
 					"client_id" : "orchestrator", 
-					"client_secret" : "{{ keycloak_auth_master }}",
+					"client_secret" : "{{ keycloak_auth }}",
 					"grant_type" : "client_credentials"
 				}
 			}
-		},
+		},	
 		{
 			"name" : "pyrest",
 		    "taskReferenceName" : "create_client",
 		    "type" : "SIMPLE",
 		    "inputParameters" : {
 			    "url" : "${init.input.keycloak_admin}/clients",
-			    "body" : { 
-				    "clientId": "${workflow.input.client_id}",
-				    "name": "${workflow.input.client_id}",
-				    "description": "${workflow.input.client_id}",
-					    "rootUrl": "",
-					    "enabled": true,
-					    "serviceAccountsEnabled": true,
-					    "standardFlowEnabled": true,
-					    "authorizationServicesEnabled": false,
-					    "publicClient": false,
-					    "fullScopeAllowed" : true,
-					    "protocol": "openid-connect"
-			    },
+			    "body" : "${init.output.result.client}",
 			    "method" : "POST",
 			    "headers" : {
 				    "Authorization" : "Bearer ${authorize.output.body.access_token}",
@@ -61,12 +53,13 @@
 		    }
 		},
 		{
-		    "name": "LAMBDA_TASK",
+		    "name": "INLINE_TASK",
 		    "taskReferenceName": "extract_client_id",
-		    "type": "LAMBDA",
+		    "type": "INLINE",
 		    "inputParameters": {
-		            "client_location" : "${create_client.output.headers.location}",
-		            "scriptExpression": "var client_id = $.client_location.split('/').pop(); return {'client_id' : client_id}"
+		        "evaluatorType" : "javascript",    
+				"client_location" : "${create_client.output.headers.location}",
+				"expression": "var client_id = $.client_location.split('/').pop(); function f(){return {'client_id' : client_id}}; f()"
 		    }
 		},
 		{
@@ -84,42 +77,40 @@
 		},
 		{
 			"name" : "pyrest",
-			"taskReferenceName" : "get_all_contexts",
-	  		"type" : "SIMPLE",
-	  		"inputParameters" : {
-		  		"url" : "${init.input.keycloak_admin}/clients?clientId=%252F&search=true",
-		  		"method" : "GET",
+			"type" : "SIMPLE",
+			"taskReferenceName": "retrieve_infra_member_role",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak_admin}/roles/Infrastructure-Member",
+				"method" :"GET",
 				"headers" : {
 					"Authorization" : "Bearer ${authorize.output.body.access_token}",
 					"Accept" : "application/json"
-				}
-	  		}
+			  	}
+			}
 		},
 		{
-		  "name": "LAMBDA_TASK",
-		  "taskReferenceName": "build_member_roles_assignment_tasks",
-		  "type": "LAMBDA",
-		  "inputParameters": {
-		    "contexts" : "${get_all_contexts.output.body}",
-		    "id" : "${get_service_account_user.output.body.id}",
-		    "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.contexts.length;i++)c=$.contexts[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'call_add_all_member_roles_'+i, subWorkflowParam:{ name:'add_all_member_roles'}}),inputs['call_add_all_member_roles_'+i]={context:c, client:$.id};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
-		  }
-		},
+    		"name": "jq_1",
+    		"taskReferenceName": "to_array",
+    		"type": "JSON_JQ_TRANSFORM",
+    		"inputParameters": {
+    			"role": "${retrieve_infra_member_role.output.body}",
+                "queryExpression" : ".role"
+            }
+        },
 		{
-		  "name" : "fork_dynamic",
-		  "type" : "FORK_JOIN_DYNAMIC",
-		  "taskReferenceName" : "parallel_build_member_roles_assignment_tasks",
-		  "inputParameters" : {
-		      "tasks" : "${build_member_roles_assignment_tasks.output.result.tasks}",
-		      "inputs" : "${build_member_roles_assignment_tasks.output.result.inputs}"
-		  },
-		  "dynamicForkTasksParam": "tasks",
-		  "dynamicForkTasksInputParamName": "inputs"
-		},
-		{
-		    "name" : "join",
-		    "type" : "JOIN",
-		    "taskReferenceName" : "join_parallel_build_member_roles_assignment_tasks"
+			"name" : "pyrest",
+			"type" : "SIMPLE",
+			"taskReferenceName": "assign_infra_member_role",
+			"inputParameters" : {
+			  "url" : "${init.input.keycloak_admin}/users/${get_service_account_user.output.body.id}/role-mappings/realm",
+			  "method" :"POST",
+			  "headers" : {
+				"Authorization" : "Bearer ${authorize.output.body.access_token}",
+				"Content-Type" : "application/json",
+				"Accept":"application/json"
+			  },
+			  "body" : "${to_array.output.resultList}"
+			}
 		}
 	]
 }

templates/create_vre.json.j2

@@ -0,0 +1,656 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "create_vre",
+	"createBy" : "Marco Lettere",
+	"description": "Handle workflow related to Portal event group_created",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["context", "folder_owner", "folder_admins"],
+	"tasks" : [
+		{
+		  "name": "INLINE_TASK",
+		  "taskReferenceName": "init",
+		  "type": "INLINE",
+		  "inputParameters": {
+			  "root_vo": "{{ root_vo }}",
+			  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+			  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+			  "group" : "${workflow.input.context}",
+			  "evaluatorType" : "javascript",
+			  "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.group)) throw('Group must not be empty'); var tree = $.group.startsWith('%2F') ? $.group.split('%2F') : [$.group]; return { 'tree' : tree, 'child': tree[tree.length-1], 'append' : tree.slice(0,-1).join('/'), 'name' : tree.join('/'), encoded_root_vo : encodeURI($.root_vo)}} f()"
+		  }
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth_master }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},
+		{
+        "name" : "fork_join",
+        "taskReferenceName" : "preliminary_fork",
+        "type" : "FORK_JOIN",
+        "forkTasks" : [
+          [
+		        {
+			        "name" : "pyrest",
+			        "taskReferenceName" : "create_client",
+			        "type" : "SIMPLE",
+			        "inputParameters" : {
+				        "url" : "${init.input.keycloak_admin}/clients",
+				        "body" : { 
+					        "clientId": "${init.input.group}",
+					        "name": "${init.output.result.name}",
+					        "description": "Client representation for ${init.output.result.name} context",
+					        "rootUrl": "http://localhost${init.output.result.name}",
+					        "enabled": true,
+					        "serviceAccountsEnabled": true,
+					        "standardFlowEnabled": true,
+					        "authorizationServicesEnabled": true,
+					        "publicClient": false,
+					        "fullScopeAllowed" : false,
+					        "protocol": "openid-connect"
+				        },
+				        "method" : "POST",
+				        "headers" : {
+					        "Authorization" : "Bearer ${authorize.output.body.access_token}",
+					        "Content-Type" : "application/json"
+				        }
+			        }
+		        },
+            {
+                "name": "INLINE_TASK",
+                "taskReferenceName": "extract_client_id",
+                "type": "INLINE",
+                "inputParameters": {
+					"client_location" : "${create_client.output.headers.location}",
+					"evaluatorType" : "javascript",
+					"expression": "var client_id = $.client_location.split('/').pop(); function f(){return {'client_id' : client_id}} f()"
+                }
+            },
+		    {
+			  "name" : "pyrest",
+				"taskReferenceName" : "list_kc_groups",
+				"type" : "SIMPLE",
+				"inputParameters" : {
+					"url" : "${init.input.keycloak_admin}/groups",
+					"method" : "GET",
+					"headers" : {
+						"Authorization" : "Bearer ${authorize.output.body.access_token}",
+						"Accept" : "application/json"
+					}
+				}
+			},
+			{
+				"name": "INLINE_TASK",
+				"taskReferenceName": "prepare",
+				"type": "INLINE",
+				"inputParameters": {
+					"append": "${init.output.result.append}",
+		  			"groups": "${list_kc_groups.output.body}",
+		  			"evaluatorType" : "javascript",
+					"expression": "function recurse(inp){for(var i=0;i<inp.length;i++){if(inp[i]['path'] === $.append) return inp[i]; else{var subr = recurse(inp[i].subGroups); if(subr != null) return subr;}} return null}; function f(){return {'group' : $.append == '' ? '' : recurse($.groups)}} f()"
+				}
+			},
+			{
+				"name": "decide_task",
+				"taskReferenceName": "decide1",
+				"inputParameters": {
+					"groupid": "${prepare.output.result.group}"
+				},
+				"type": "SWITCH",
+				"evaluatorType" : "value-param",
+				"expression": "groupid",
+				"decisionCases": {
+					"": [
+						{
+							"name": "INLINE_TASK",
+							"taskReferenceName": "dummy",
+							"type": "INLINE",
+							"inputParameters": {
+								"evaluatorType" : "javascript",
+								"expression": "1"
+							}
+						}
+					]
+				},
+				"defaultCase": [
+					{
+						"name": "pyrest",
+						"taskReferenceName": "create_kc_group",
+						"inputParameters": {
+						  "url": "${init.input.keycloak_admin}/groups/${prepare.output.result.group.id}/children",
+						  "body": {
+							"name": "${init.output.result.child}"
+						  },
+						  "method": "POST",
+						  "headers": {
+							"Authorization": "Bearer ${authorize.output.body.access_token}",
+							"Content-Type": "application/json"
+						  }
+						},
+						"type": "SIMPLE"
+					},
+					{
+						"name": "INLINE_TASK",
+						"type": "INLINE",
+						"taskReferenceName": "prepare2",
+						"inputParameters": {
+							"location": "${create_kc_group.output.headers.location}",
+							"client_location": "${create_client.output.headers.location}",
+							"evaluatorType" : "javascript",
+							"expression": "var newid=$.location.split('/').pop(); var client_id = $.client_location.split('/').pop(); function f(){return {'newid' : newid, 'client_id' : client_id}} f()"
+						}
+					}
+				]
+			},
+		    {
+                "name" : "pyrest",
+                "taskReferenceName" : "get_default_policies",
+                "type" : "SIMPLE",
+                "inputParameters" : {
+                        "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy",
+                        "method" : "GET",
+                        "headers" : {
+                                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                                "Accept" : "application/json"
+                        }
+                }
+            },
+            {
+                "name" : "pyrest",
+                "taskReferenceName" : "get_default_resource",
+                "type" : "SIMPLE",
+                "inputParameters" : {
+                        "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/resource",
+                        "method" : "GET",
+                        "headers" : {
+                                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                                "Accept" : "application/json"
+                        }
+                }
+            },
+		        {
+                "name" : "pyrest",
+                "taskReferenceName" : "delete_default_policy1",
+                "type" : "SIMPLE",
+                "inputParameters" : {
+                        "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/${get_default_policies.output.body[0].id}",
+                        "method" : "DELETE",
+                        "headers" : {
+                                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                                "Accept" : "application/json"
+                        }
+                }
+            },
+		        {
+                "name" : "pyrest",
+                "taskReferenceName" : "delete_default_policy2",
+                "type" : "SIMPLE",
+                "inputParameters" : {
+                        "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/${get_default_policies.output.body[1].id}",
+                        "method" : "DELETE",
+                        "headers" : {
+                                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                                "Accept" : "application/json"
+                        }
+                }
+            },
+            {
+		          "name" : "pyrest",
+		          "taskReferenceName" : "create_permission",
+		          "type" : "SIMPLE",
+		          "inputParameters" : {
+			          "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/permission/resource",
+			          "body" : {
+                   "name": "Default Permission",
+                   "description": "",
+                   "type" : "resource",
+                   "logic": "POSITIVE",
+                   "decisionStrategy": "AFFIRMATIVE",
+                   "resources" : ["${get_default_resource.output.body[0]._id}"]
+                },
+			          "method" : "POST",
+			          "headers" : {
+				          "Authorization" : "Bearer ${authorize.output.body.access_token}",
+				          "Content-Type" : "application/json",
+					        "Accept" : "application/json"
+			          }
+		          }
+	          }
+        ],
+        [
+          {
+              "name" : "pyrest",
+              "taskReferenceName" : "get_rootvo",
+              "type" : "SIMPLE",
+              "inputParameters" : {
+                  "url" : "${init.input.keycloak_admin}/clients?clientId=${init.output.result.encoded_root_vo}",
+                  "method" : "GET",
+                  "headers" : {
+                      "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                      "Accept" : "application/json"
+                  }
+              }
+          },
+          {
+              "name" : "pyrest",
+              "taskReferenceName" : "get_rootvo_roles",
+              "type" : "SIMPLE",
+              "inputParameters" : {
+                  "url" : "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles",
+                  "method" : "GET",
+                  "headers" : {
+                      "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                      "Accept" : "application/json"
+                  }
+              }
+          }
+        ]
+      ]
+    },
+    {
+      "name" : "join",
+      "type" : "JOIN",
+      "taskReferenceName" : "preliminary_fork_join",
+      "joinOn": [ "create_permission", "get_rootvo_roles"]
+    },
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize1",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "create_role_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${create_client.output.headers.location}/roles",
+			"body" : { 
+				"clientRole" : true, "name" : "Member", "description" : "Simple membership for ${init.output.result.name}"
+			},
+			"method" : "POST",
+			"headers" : {
+				"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+				"Content-Type" : "application/json"
+			}
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "get_back_role_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${create_role_member.output.headers.location}",
+			"method" : "GET",
+			"headers" : {
+				"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+				"Accept" : "application/json"
+			}
+		}
+	},
+	{
+		"name": "jq_1",
+		"taskReferenceName": "to_array",
+		"type": "JSON_JQ_TRANSFORM",
+		"inputParameters": {
+			"role": "${get_back_role_member.output.body}",
+	        "queryExpression" : ".role"
+	    }
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "add_role_member_as_component_of_infrastructure_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${init.input.keycloak_admin}/roles/Infrastructure-Member/composites",
+			"method" : "POST",
+			"headers" : {
+				"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+				"Content-Type" : "application/json"
+			},
+			"body" : "${to_array.output.resultList}"
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "create_role_policy_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+	  		"url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role",
+		  	"body" : {
+	 			"name": "Member_policy",
+			 	"description": "",
+			 	"type" : "role",
+			 	"logic": "POSITIVE",
+			 	"decisionStrategy": "UNANIMOUS",
+				 "roles" : [
+					{
+					  "id" : "${get_back_role_member.output.body.id}",
+					  "required" : true
+					}
+				 ]
+		  	},
+		  	"method" : "POST",
+		  	"headers" : {
+			  "Authorization" : "Bearer ${authorize1.output.body.access_token}",
+			  "Content-Type" : "application/json",
+			  "Accept" : "application/json"
+		  	}
+		}
+	},
+	{
+		"name": "decide_task",
+		"taskReferenceName": "decide2",
+		"inputParameters": {
+			"groupid": "${prepare.output.result.group}"
+		},
+		"type": "SWITCH",
+		"evaluatorType" : "value-param",
+		"expression": "groupid",
+		"decisionCases": {
+			"": [
+				{
+					"name": "INLINE_TASK",
+					"taskReferenceName": "dummy2",
+					"type": "INLINE",
+					"inputParameters": {
+						"evaluatorType" : "javascript",
+						"expression": "1"
+					}
+				}
+			]
+		},
+		"defaultCase": [
+			{
+			  "name" : "pyrest",
+				"taskReferenceName" : "assign_client_member_role_to_kc_group",
+				"type" : "SIMPLE",
+				"inputParameters" : {
+					"url" : "${init.input.keycloak_admin}/groups/${prepare2.output.result.newid}/role-mappings/clients/${prepare2.output.result.client_id}",
+					"method" : "POST",
+					"body" : ["${get_back_role_member.output.body}"],
+					"headers" : {
+						"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+						"Accept" : "application/json",
+						"Content-Type" : "application/json"
+					}
+				}
+			}
+		]
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize2",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name": "INLINE_TASK",
+		"taskReferenceName": "build_add_role_tasks",
+		"type": "INLINE",
+		"inputParameters": {
+		  "roles" : "${get_rootvo_roles.output.body}",
+		  "evaluatorType" : "javascript",
+		  "expression": "inputs={},tasks=[];function add(r, k){ if(r.name != 'uma_protection' && r.name != 'Member'){ tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}); inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}','Content-Type':'application/json'}}}};for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name, add(r, k); function f(){return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		}
+	},
+	{
+		"name" : "fork_dynamic",
+		"type" : "FORK_JOIN_DYNAMIC",
+		"taskReferenceName" : "parallel_add_role",
+		"inputParameters" : {
+			"tasks" : "${build_add_role_tasks.output.result.tasks}",
+			"inputs" : "${build_add_role_tasks.output.result.inputs}"
+		},
+		"dynamicForkTasksParam": "tasks",
+		"dynamicForkTasksInputParamName": "inputs"
+	},
+	{
+	  "name" : "join",
+	  "type" : "JOIN",
+	  "taskReferenceName" : "join_parallel_role_addition"
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize3",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name": "INLINE_TASK",
+		"taskReferenceName": "build_get_back_role_tasks",
+		"type": "INLINE",
+		"inputParameters": {
+		  "roleurls" : "${join_parallel_role_addition.output[*]..location}",
+		  "evaluatorType" : "javascript",
+		  "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		}
+	},
+	{
+		"name" : "fork_dynamic",
+		"type" : "FORK_JOIN_DYNAMIC",
+		"taskReferenceName" : "parallel_get_back_role",
+		"inputParameters" : {
+			"tasks" : "${build_get_back_role_tasks.output.result.tasks}",
+			"inputs" : "${build_get_back_role_tasks.output.result.inputs}"
+		},
+		"dynamicForkTasksParam": "tasks",
+		"dynamicForkTasksInputParamName": "inputs"
+	},
+	{
+	  "name" : "join",
+	  "type" : "JOIN",
+	  "taskReferenceName" : "join_parallel_getting_back"
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize4",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name": "INLINE_TASK",
+		"taskReferenceName": "build_add_policy_tasks",
+		"type": "INLINE",
+		"inputParameters": {
+		  "roles" : "${join_parallel_getting_back.output[*].body}",
+		  "evaluatorType" : "javascript",
+		  "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize4.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		}
+	},
+	{
+		"name" : "fork_dynamic",
+		"type" : "FORK_JOIN_DYNAMIC",
+		"taskReferenceName" : "parallel_add_policy_role",
+		"inputParameters" : {
+			"tasks" : "${build_add_policy_tasks.output.result.tasks}",
+			"inputs" : "${build_add_policy_tasks.output.result.inputs}"
+		},
+		"dynamicForkTasksParam": "tasks",
+		"dynamicForkTasksInputParamName": "inputs"
+	},
+	{
+	  "name" : "join",
+	  "type" : "JOIN",
+	  "taskReferenceName" : "join_parallel_policy_addition"
+	},
+	{
+		"name": "INLINE_TASK",
+	  	"taskReferenceName": "policy_list",
+		"type": "INLINE",
+ 		"inputParameters": {
+			"memberpolicy" : "${create_role_policy_member.output.body.id}",
+			"otherpolicies" : "${join_parallel_policy_addition.output[*].body.id}",
+			"evaluatorType" : "javascript",
+			"expression": "function f(){return Java.to(Java.from($.otherpolicies).concat($.memberpolicy), 'java.lang.String[]')} f()"
+		  }
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize5",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "finalize_permission",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/permission/resource/${create_permission.output.body.id}",
+			"body" : {
+				"name": "Default Permission",
+				"description": "",
+				"type" : "resource",
+				"logic": "POSITIVE",
+				"decisionStrategy": "AFFIRMATIVE",
+				"policies" : "${policy_list.output.result}"
+			},
+	  		"method" : "PUT",
+			"headers" : {
+			  "Authorization" : "Bearer ${authorize5.output.body.access_token}",
+			  "Content-Type" : "application/json"
+			}
+  		}
+	},
+	{
+        "name" : "fork_subworkflows",
+        "type" : "FORK_JOIN",
+        "taskReferenceName" : "parallel_call_subworkflows",
+        "forkTasks" : [
+        	[
+    			{
+				  "name": "sub_workflow_task",
+				  "taskReferenceName": "call_enable_workspace_clients_for_context",
+				  "subWorkflowParam": {
+					"name": "enable_workspace_clients_for_context"
+				  },
+				  "inputParameters": {
+		  			"context" : "${workflow.input.context}"
+				  },
+				  "type": "SUB_WORKFLOW"
+			   }
+        	],
+        	[
+				{
+				  "name": "sub_workflow_task",
+				  "taskReferenceName": "call_jupyterhub_add_serveroptions_to_context",
+				  "subWorkflowParam": {
+					"name": "jupyterhub_add_serveroptions_to_context"
+				  },
+				  "inputParameters": {
+		  			"context" : "${workflow.input.context}"
+				  },
+				  "type": "SUB_WORKFLOW"
+			   }        		
+        	],
+			[
+				{
+				  "name": "sub_workflow_task",
+				  "taskReferenceName": "call_record_context_to_is",
+				  "subWorkflowParam": {
+					"name": "record_context_to_is"
+				  },
+				  "inputParameters": {
+		  			"context" : "${workflow.input.context}"
+				  },
+				  "type": "SUB_WORKFLOW"
+				}
+			],
+			[
+				{
+				  "name": "sub_workflow_task",
+				  "taskReferenceName": "call_create_vre_folder_for_context",
+				  "subWorkflowParam": {
+					"name": "create_vre_folder_for_context"
+				  },
+				  "inputParameters": {
+		  			"context" : "${workflow.input.context}",
+					"folder_owner" : "${workflow.input.folder_owner}",
+					"folder_admins" : "${workflow.input.folder_admins}"
+				  },
+				  "type": "SUB_WORKFLOW"
+				}
+			]
+        ]
+	},
+	{
+    	  "name" : "join",
+          "type" : "JOIN",
+          "taskReferenceName" : "join_parallel_call_subworkflows",
+		  "joinOn" :[
+		  	"call_enable_workspace_clients_for_context",
+		  	"call_jupyterhub_add_serveroptions_to_context",
+			"call_record_context_to_is",
+			"call_create_vre_folder_for_context"
+		  ] 
+	}
+	]
+}

templates/create_vre_folder_for_context.json.j2

@@ -0,0 +1,141 @@
+{
+  "createTime": 1689260185434,
+  "updateTime": 1689259167761,
+  "name": "create_vre_folder_for_context",
+  "description": "Upon creation of a new context, create also a vre folder on the workspace",
+  "version": 1,
+  "tasks": [
+    {
+      "name": "INLINE_TASK",
+      "type": "INLINE",
+      "taskReferenceName": "init",
+      "inputParameters": {
+        "root_vo": "{{ root_vo }}",
+        "base_url": "https://url.gcube.d4science.org/",
+	      "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+	      "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+        "storagehub" : "{{ storagehub }}/workspace",
+        "ctx": "${workflow.input.context}",
+        "evaluatorType" : "javascript",
+        "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))} function f(){if(e($.ctx)) throw('Context must not be empty'); return { shubified_context_name : ($.ctx[0] === '%' ? $.ctx.replace('%2F', '') : $.ctx).split('%2F').join('-') }} f()"
+      }
+    },
+    {
+        "name" : "pyrest",
+        "taskReferenceName" : "authorize_with_uma_rpt",
+        "type" : "SIMPLE",
+        "inputParameters" : {
+            "url" : "${init.input.keycloak}/protocol/openid-connect/token",
+            "method" : "POST",
+            "headers" : {
+                "Accept" : "application/json"
+            },
+            "body" : {
+                "audience" : "${init.input.root_vo}",
+                "grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket",
+                "client_id" : "orchestrator", 
+                "client_secret" : "{{ keycloak_auth }}"
+            }
+        }
+    },
+    {
+      "name": "pyrest",
+      "taskReferenceName": "create_vre_folder",
+      "inputParameters": {
+        "url": "${init.input.storagehub}/groups",
+        "method": "POST",
+        "headers": {
+          "Authorization": "Bearer ${authorize_with_uma_rpt.output.body.access_token}",
+          "Accept": "text/plain",
+          "Content-Type": "multipart/form-data"
+        },
+        "body": {
+          "accessType": [
+            "WRITE_OWNER",
+            "application/json"
+          ],
+          "group": "${init.output.result.shubified_context_name}",
+          "folderOwner": "${workflow.input.folder_owner}"
+        }
+      },
+      "type": "SIMPLE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "build_add_vre_folder_users_tasks",
+      "type": "INLINE",
+      "inputParameters": {
+        "admins" : "${workflow.input.folder_admins}",
+        "url": "${init.input.storagehub}/groups/${init.output.result.shubified_context_name}/users",
+        "evaluatorType" : "javascript",
+        "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.admins.length;i++)a=$.admins[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'tu_'+i}),inputs['tu_'+i]={url:$.url,body:{userId:a},method:'PUT',headers:{Authorization:'Bearer ${authorize_with_uma_rpt.output.body.access_token}', Accept: 'text/plain'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+      }
+    },
+    {
+      "name" : "fork_dynamic",
+      "type" : "FORK_JOIN_DYNAMIC",
+      "taskReferenceName" : "parallel_add_vre_folder_users",
+      "inputParameters" : {
+        "tasks" : "${build_add_vre_folder_users_tasks.output.result.tasks}",
+        "inputs" : "${build_add_vre_folder_users_tasks.output.result.inputs}"
+      },
+      "dynamicForkTasksParam": "tasks",
+      "dynamicForkTasksInputParamName": "inputs"
+    },
+    {
+      "name" : "join",
+      "type" : "JOIN",
+      "taskReferenceName" : "join_parallel_add_vre_folder_users"
+    },
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "build_add_vre_folder_admins_tasks",
+      "type": "INLINE",
+      "inputParameters": {
+        "admins" : "${workflow.input.folder_admins}",
+        "url": "${init.input.storagehub}/groups/${init.output.result.shubified_context_name}/admins",
+        "evaluatorType" : "javascript",
+        "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.admins.length;i++)a=$.admins[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'ta_'+i}),inputs['ta_'+i]={url:$.url,body:{userId:a},method:'PUT',headers:{Authorization:'Bearer ${authorize_with_uma_rpt.output.body.access_token}', Accept: 'text/plain'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+      }
+    },
+    {
+      "name" : "fork_dynamic",
+      "type" : "FORK_JOIN_DYNAMIC",
+      "taskReferenceName" : "parallel_add_vre_folder_admins",
+      "inputParameters" : {
+        "tasks" : "${build_add_vre_folder_admins_tasks.output.result.tasks}",
+        "inputs" : "${build_add_vre_folder_admins_tasks.output.result.inputs}"
+      },
+      "dynamicForkTasksParam": "tasks",
+      "dynamicForkTasksInputParamName": "inputs"
+    },
+    {
+      "name" : "join",
+      "type" : "JOIN",
+      "taskReferenceName" : "join_parallel_add_vre_folder_admins"
+    }
+  ],
+  "inputParameters": [
+    "context",
+    "folder_owner",
+    "folder_admins"
+  ],
+  "outputParameters": {},
+  "schemaVersion": 2,
+  "restartable": true,
+  "workflowStatusListenerEnabled": false,
+  "ownerEmail": "example@email.com",
+  "timeoutPolicy": "ALERT_ONLY",
+  "timeoutSeconds": 0,
+  "variables": {},
+  "inputTemplate": {}
+}

templates/create_workspace_client.json.j2

@@ -0,0 +1,259 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "create_workspace_client",
+	"createBy" : "Marco Lettere",
+	"description": "Create a WorkSpace Client and hook it up to optional list ov contexts. Check or create the settings on Shub.",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "client_secret", "description", "context_list"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				  "root_vo": "{{ root_vo }}",
+				  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+  			      "storagehub" : "{{ storagehub }}",
+				  "id" : "${workflow.input.client_id}",
+				  "secret" : "${workflow.input.client_secret}",
+				  "description" : "${workflow.input.description}",
+				  "evaluatorType" : "javascript",
+				  "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty'); return { encoded_root_vo : encodeURI($.root_vo), client : { clientId : $.id, description : ($.description ? $.description : $.id), secret : ($.secret ? $.secret : Java.type('java.util.UUID').randomUUID().toString()), rootUrl : '', enabled : true, serviceAccountsEnabled : true, standardFlowEnabled : true, authorizationServicesEnabled : false, publicClient : false, fullScopeAllowed : true, protocol : 'openid-connect'}}} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},	
+		{
+			"name" : "fork_join",
+			"taskReferenceName" : "fork1",
+			"type" : "FORK_JOIN",
+			"forkTasks" : [
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "create_client",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"body" : "${init.output.result.client}",
+							"method" : "POST",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Content-Type" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_client_id",
+						"type": "INLINE",
+						"inputParameters": {
+								"client_location" : "${create_client.output.headers.location}",
+								"evaluatorType" :"javascript",
+								"expression": "var client_id = $.client_location.split('/').pop(); function f(){return {'client_resource_id' : client_id}} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "get_service_account_user",
+				  		"type" : "SIMPLE",
+				  		"inputParameters" : {
+					  		"url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_resource_id}/service-account-user",
+					  		"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+				  		}
+					}
+				],
+				[
+					{
+				        "name" : "pyrest",
+				        "taskReferenceName" : "get_rootvo",
+				        "type" : "SIMPLE",
+				        "inputParameters" : {
+				            "url" : "${init.input.keycloak_admin}/clients?clientId=${init.output.result.encoded_root_vo}",
+				            "method" : "GET",
+				            "headers" : {
+				                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+				                "Accept" : "application/json"
+				            }
+				        }
+				    },
+				    {
+				        "name" : "pyrest",
+				        "taskReferenceName" : "get_rootvo_member_role",
+				        "type" : "SIMPLE",
+				        "inputParameters" : {
+				            "url" : "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles/Member",
+				            "method" : "GET",
+				            "expect" : [200, 404],
+				            "headers" : {
+				                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+				                "Accept" : "application/json"
+				            }
+				        }
+				    }
+				]
+			]
+		},
+		{
+		    "name": "join",
+		    "taskReferenceName": "join1",
+		    "type": "JOIN",
+		    "joinOn": [
+		      "get_service_account_user",
+		      "get_rootvo_member_role"
+		    ]
+		},
+		{
+    		"name": "jq_1",
+    		"taskReferenceName": "to_array",
+    		"type": "JSON_JQ_TRANSFORM",
+    		"inputParameters": {
+    			"role": "${get_rootvo_member_role.output.body}",
+                "queryExpression" : ".role"
+            }
+        },
+		{
+			"name" : "pyrest",
+			"type" : "SIMPLE",
+			"taskReferenceName": "assign_member_role",
+			"inputParameters" : {
+			  "url" : "${init.input.keycloak_admin}/users/${get_service_account_user.output.body.id}/role-mappings/clients/${get_rootvo_member_role.output.body.containerId}",
+			  "method" :"POST",
+			  "headers" : {
+				"Authorization" : "Bearer ${authorize.output.body.access_token}",
+				"Content-Type" : "application/json",
+				"Accept":"application/json"
+			  },
+			  "body" : "${to_array.output.resultList}"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize_with_uma_rpt",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/{{ keycloak_realm }}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"audience" : "${init.input.root_vo}",
+					"grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket",
+					"client_id" : "${workflow.input.client_id}",
+					"client_secret" : "${init.output.result.client.secret}"
+				}
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "check_workspace",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.storagehub}/workspace",
+				"method" : "GET",
+				"expect" : [200, 406],
+				"headers" : {
+					"Accept" : "application/json",
+					"Authorization" : "Bearer ${authorize_with_uma_rpt.output.body.access_token}"
+				}
+			}
+		},
+		{
+			"name": "decision",
+			"taskReferenceName": "check_workspace_existance",
+			"inputParameters": {
+				"status": "${check_workspace.output.status}"
+			},
+			"type": "SWITCH",
+			"evaluatorType" : "javascript",
+			"expression": "($.status === 406 ? 'create' : 'exists')",
+			"decisionCases": {
+				"create": [
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "upgrade_orchestrator_token_to_uma",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "{{ keycloak }}/{{ keycloak_realm }}/protocol/openid-connect/token",
+							"method" : "POST",
+							"headers" : {
+								"Accept" : "application/json",
+								"Authorization" : "Bearer ${authorize.output.body.access_token}"
+							},
+							"body" : {
+								"audience" : "${init.input.root_vo}",
+								"grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket"
+							}
+						}
+					},
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "create_jcr_account",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.storagehub}/workspace/users",
+							"method" : "POST",
+							"headers" : {
+								"Authorization" : "Bearer ${upgrade_orchestrator_token_to_uma.output.body.access_token}"
+							},
+							"body" : {
+								"user" : "${get_service_account_user.output.body.username}", 
+								"password" : "r3u4h-ewrqwli!_m"
+							}
+						}
+					}
+				]
+			}
+		},
+		{
+		  "name": "INLINE_TASK",
+		  "taskReferenceName": "build_tasks_to_add_ws_client_to_all_contexts",
+		  "type": "INLINE",
+		  "inputParameters": {
+		    "context_list" : "${workflow.input.context_list}",
+		    "client_id" : "${workflow.input.client_id}",
+		    "evaluatorType" : "javascript",
+			"expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.context_list.length;i++)c=$.context_list[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'add_workspace_client_to_context_'+i, subWorkflowParam:{ name:'add_workspace_client_to_context'}}),inputs['add_workspace_client_to_context_'+i]={client_id : $.client_id, context: c};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		  }
+		},
+		{
+		  "name" : "fork_dynamic",
+		  "type" : "FORK_JOIN_DYNAMIC",
+		  "taskReferenceName" : "parallel_build_tasks_to_add_ws_client_to_all_contexts",
+		  "inputParameters" : {
+		      "tasks" : "${build_tasks_to_add_ws_client_to_all_contexts.output.result.tasks}",
+		      "inputs" : "${build_tasks_to_add_ws_client_to_all_contexts.output.result.inputs}"
+		  },
+		  "dynamicForkTasksParam": "tasks",
+		  "dynamicForkTasksInputParamName": "inputs"
+		},
+		{
+		  "name" : "join",
+		  "type" : "JOIN",
+		  "taskReferenceName" : "join_build_tasks_to_add_ws_client_to_all_contexts"
+		}
+	]
+}
+	

templates/delete-user-account.json.j2

@@ -8,17 +8,18 @@
 	"inputParameters" : [ "userid" ],
 	"tasks" : [
 	  {
-	    "name": "LAMBDA_TASK",
+	    "name": "INLINE_TASK",
 	    "taskReferenceName": "init",
-	    "type": "LAMBDA",
+	    "type": "INLINE",
 	    "inputParameters": {
-          "root_vo": "{{ root_vo }}",
-          "keycloak": "{{ keycloak }}/${workflow.input.realm}",
-	        "keycloak_admin" : "{{ keycloak_admin }}/${workflow.input.realm}",		    
-          "liferay": "{{ liferay }}",
-          "liferay_auth": "{{ liferay_auth }}",
-          "keycloak_userid" : "${workflow.input.userid}",
-          "scriptExpression": "return { 'decoded_root_vo' : $.root_vo.replace('%2F','/')}"
+            "root_vo": "{{ root_vo }}",
+            "keycloak": "{{ keycloak }}/${workflow.input.realm}",
+            "keycloak_admin" : "{{ keycloak_admin }}/${workflow.input.realm}",		    
+            "liferay": "{{ liferay }}",
+            "liferay_auth": "{{ liferay_auth }}",
+            "keycloak_userid" : "${workflow.input.userid}",
+            "evaluatorType" : "javascript",
+            "expression": "function f(){ return { 'decoded_root_vo' : $.root_vo.replace('%2F','/'), 'encoded_root_vo' : encodeURIComponent($.root_vo)}} f()"
 	    }
 		},
     {
@@ -107,13 +108,14 @@
                     }
                 },
                 {
-                    "name": "LAMBDA_TASK",
+                    "name": "INLINE_TASK",
                     "taskReferenceName": "build_delete_group_tasks",
-                    "type": "LAMBDA",
+                    "type": "INLINE",
                     "inputParameters": {
+                        "evaluatorType" : "javascript",
                         "groups" : "${lookup_lr_user_groups.output.body.*.groupId}",
                         "userId" : "${lookup_lr_user_by_screenname.output.body.userId}",
-                        "scriptExpression": "inputs = {}; tasks = []; for(var i=0;i<$.groups.length;i++){tasks.push({'name': 'pyrest','type' : 'SIMPLE','taskReferenceName' : 'del-' + i});inputs['del-'+i] = {'url' : '${init.input.liferay}/user/unset-group-users?userIds=' + $.userId + '&groupId=' + $.groups[i],'method' : 'POST','headers' : {'Authorization' : 'Basic ' + '${init.input.liferay_auth}', 'Accept' : 'application/json'}}}; return { 'tasks' : Java.to(tasks, 'java.util.Map[]'), 'inputs' : inputs};"
+                        "expression": "inputs = {}; tasks = []; function f(){ for(var i=0;i<$.groups.length;i++){tasks.push({'name': 'pyrest','type' : 'SIMPLE','taskReferenceName' : 'del-' + i});inputs['del-'+i] = {'url' : '${init.input.liferay}/user/unset-group-users?userIds=' + $.userId + '&groupId=' + $.groups[i],'method' : 'POST','headers' : {'Authorization' : 'Basic ' + '${init.input.liferay_auth}', 'Accept' : 'application/json'}}}; return { 'tasks' : Java.to(tasks, 'java.util.Map[]'), 'inputs' : inputs}} f()"
                     }
                 },
                 {
@@ -149,11 +151,12 @@
                     }
                 },
                 {
-                    "name": "LAMBDA_TASK",
+                    "name": "INLINE_TASK",
                     "taskReferenceName": "lr_final_task",
-                    "type": "LAMBDA",
+                    "type": "INLINE",
                     "inputParameters" : {
-                        "scriptExpression" : "1 == 1"
+                        "evaluatorType" : "javascript",
+                        "expression" : "1 == 1"
                     }
                 }
             ],
@@ -163,7 +166,7 @@
                 "taskReferenceName" : "get_rootvo",
                 "type" : "SIMPLE",
                 "inputParameters" : {
-                    "url" : "${init.input.keycloak_admin}/clients?clientId=${init.input.root_vo}",
+                    "url" : "${init.input.keycloak_admin}/clients?clientId=${init.output.result.encoded_root_vo}",
                     "method" : "GET",
                     "headers" : {
                         "Authorization" : "Bearer ${authorize.output.body.access_token}",
@@ -178,6 +181,7 @@
                 "inputParameters" : {
                     "url" : "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles",
                     "method" : "GET",
+                    "expect" : [200, 404],
                     "headers" : {
                         "Authorization" : "Bearer ${authorize.output.body.access_token}",
                         "Accept" : "application/json"
@@ -191,6 +195,7 @@
                 "inputParameters" : {
                     "url" : "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles/Infrastructure-Manager/users",
                     "method" : "GET",
+                    "expect" : [200, 404],
                     "headers" : {
                         "Authorization" : "Bearer ${authorize.output.body.access_token}",
                         "Accept" : "application/json"

templates/delete_system_service.json.j2

@@ -0,0 +1,76 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "delete_system_service",
+	"createBy" : "Marco Lettere",
+	"description": "Delete a system service from KC and IS",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"evaluatorType" : "javascript",
+				"expression" : "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty');} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},	
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "lookup_client",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak_admin}/clients",
+				"params" : { "clientId" : "${workflow.input.client_id}"},
+				"method" : "GET",
+				"headers" : {
+					"Authorization" : "Bearer ${authorize.output.body.access_token}",
+					"Accept" : "application/json"
+				}
+			}
+		},
+		{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "check",
+			"type": "INLINE",
+			"inputParameters": {
+				"list" : "${lookup_client.output.body}",
+				"evaluatorType" : "javascript",
+				"expression" : "function f(){if($.list.length === 0 || $.list.length > 1) throw('No client found with client_id or ambiguous query returned multiple clients.')} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "delete_client",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak_admin}/clients/${lookup_client.output.body[0].id}",
+				"method" : "DELETE",
+				"headers" : {
+					"Authorization" : "Bearer ${authorize.output.body.access_token}"
+				}
+			}
+		}
+	]
+}

templates/enable_workspace_clients_for_context.json.j2

@@ -0,0 +1,101 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "enable_workspace_clients_for_context",
+	"createBy" : "Marco Lettere",
+	"description": "All workspace clients registered on Information system for given context are enabled for VRE by calling add_workspace_client_to_context",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["filter", "context"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"ctx" : "${workflow.input.context}",
+				"filter" : "${workflow.input.filter}",
+				"evaluatorType" : "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))} function f(){if(e($.ctx)) throw('Context must not be empty'); f=$.filter; if(e(f)) f = []; else if(typeof(f) === 'string') f=[f]; else f=Java.from(f); return { encoded_root_vo : encodeURI($.root_vo), filter : Java.to(f,'java.lang.String[]')}} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize_with_uma_rpt",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/{{ keycloak_realm }}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"audience" : "${workflow.input.context}",
+					"grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket",
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth }}"
+				}
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "query_workspace_clients_on_icproxy",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ ic_proxy }}/icproxy/gcube/service/ServiceEndpoint/SystemWorkspaceClient",
+				"method" : "GET",
+				"headers" : {
+					"Authorization" : "Bearer ${authorize_with_uma_rpt.output.body.access_token}"
+				}
+			}
+		},
+		{
+			"name" : "pyeval",
+			"taskReferenceName" : "extract_workspace_client_names",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"code" : "exec('import xml.etree.ElementTree as ET') or list(map(lambda n: n.text, ET.fromstring(data['xmlstring']).findall('Resource/Profile/Name')))",
+				"xmlstring" : "${query_workspace_clients_on_icproxy.output.body}"
+			}
+		},
+		{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "filtered_workspace_client_names",
+			"type": "INLINE",
+			"inputParameters": {
+				"evaluatorType" : "javascript",
+				"names" : "${extract_workspace_client_names.output.result}", 
+				"filter" : "${init.output.result.filter}",
+				"expression": "names=Java.from($.names); filt=Java.from($.filter); function f(){if(filt.length === 0) output=names; else { output=[]; for(i=0;i<names.length;i++){ if(filt.indexOf(names[i]) !== -1) output.push(names[i])}} return { 'names' : Java.to(output, 'java.lang.String[]')}} f()"
+			}
+		},
+		{
+		  "name": "INLINE_TASK",
+		  "taskReferenceName": "build_add_workspace_client_to_context_tasks",
+		  "type": "INLINE",
+		  "inputParameters": {
+		    "context" : "${workflow.input.context}",
+		    "names" : "${filtered_workspace_client_names.output.result.names}",
+		    "evaluatorType" : "javascript",
+	            "expression": "inputs={};tasks=[];function f(){for(var i=0;i<$.names.length;i++){tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'call_add_ws_client_to_context_'+i, subWorkflowParam:{ name:'add_workspace_client_to_context'}});inputs['call_add_ws_client_to_context_'+i]={client_id:$.names[i], context:$.context}} return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		  }
+		},
+		{
+		  "name" : "fork_dynamic",
+		  "type" : "FORK_JOIN_DYNAMIC",
+		  "taskReferenceName" : "parallel_add_workspace_client_to_context_tasks",
+		  "inputParameters" : {
+		      "tasks" : "${build_add_workspace_client_to_context_tasks.output.result.tasks}",
+		      "inputs" : "${build_add_workspace_client_to_context_tasks.output.result.inputs}"
+		  },
+		  "dynamicForkTasksParam": "tasks",
+		  "dynamicForkTasksInputParamName": "inputs"
+		},
+		{
+		    "name" : "join",
+		    "type" : "JOIN",
+		    "taskReferenceName" : "join_parallel_add_workspace_client_to_context_tasks"
+		}
+	]
+}

templates/ghn_client_add_to_context.json.j2

@@ -0,0 +1,159 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "ghn_client_add_to_context",
+	"createBy" : "Marco Lettere",
+	"description": "A GHN client is made Member of a context and it's workspace folder is linked to context's shared folder",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "context"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"ctx" : "${workflow.input.context}",
+				"evaluatorType" : "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id) || e($.ctx)) throw('Client ID and Context must not be empty'); else return { encoded_context : $.ctx.replaceAll('/', '%2F')}} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth_master }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},
+		{
+			"name" : "fork_join",
+			"taskReferenceName" : "fork1",
+			"type" : "FORK_JOIN",
+			"forkTasks" : [
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "lookup_client",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"params" : { "clientId" : "${workflow.input.client_id}"},
+							"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_ghn_client",
+						"type": "INLINE",
+						"inputParameters": {
+							"client" : "${lookup_client.output.body}",
+							"evaluatorType" : "javascript", 
+							"expression": "function e(v){ return (v.length === 0)}; function f(){if(e($.client)) throw('GHN client not found'); else return { client : $.client[0], id : $.client[0].id}} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "get_service_account_user",
+				  		"type" : "SIMPLE",
+				  		"inputParameters" : {
+					  		"url" : "${init.input.keycloak_admin}/clients/${extract_ghn_client.output.result.id}/service-account-user",
+					  		"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+				  		}
+					}
+				],
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "lookup_context",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"params" : { "clientId" : "${init.output.result.encoded_context}"},
+							"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_context",
+						"type": "INLINE",
+						"inputParameters": {
+							"client" : "${lookup_context.output.body}",
+							"evaluatorType" : "javascript",
+							"expression": "function e(v){ return (v.length === 0)}; function f(){if(e($.client)) throw('Context not found'); else return { client : $.client[0], id: $.client[0].id }} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"type" : "SIMPLE",
+						"taskReferenceName": "retrieve_member_role",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients/${extract_context.output.result.id}/roles/Member",
+							"method" :"GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+						  	}
+						}
+					},
+					{
+						"name": "jq_1",
+						"taskReferenceName": "roles_to_assign",
+						"type": "JSON_JQ_TRANSFORM",
+						"inputParameters": {
+							"role": "${retrieve_member_role.output.body}",
+						    "queryExpression" : ".role"
+						}
+					}
+				]
+			]
+		},
+		{
+		    "name": "join",
+		    "taskReferenceName": "join1",
+		    "type": "JOIN",
+		    "joinOn": [
+		      "get_service_account_user",
+		      "roles_to_assign"
+		    ]
+		},
+		{
+			"name" : "pyrest",
+			"type" : "SIMPLE",
+			"taskReferenceName": "assign_member_role",
+			"inputParameters" : {
+			  "url" : "${init.input.keycloak_admin}/users/${get_service_account_user.output.body.id}/role-mappings/clients/${retrieve_member_role.output.body.containerId}",
+			  "method" :"POST",
+			  "headers" : {
+				"Authorization" : "Bearer ${authorize.output.body.access_token}",
+				"Content-Type" : "application/json",
+				"Accept":"application/json"
+			  },
+			  "body" : "${roles_to_assign.output.resultList}"
+			}
+		}
+	]
+}

templates/ghn_client_add_to_contexts.json.j2

@@ -0,0 +1,51 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "ghn_client_add_to_contexts",
+	"createBy" : "Marco Lettere",
+	"description": "A client for a GHN is made Member of all the contexts passed as input by calling the ghn_client_add_to_context sub-workflow",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "context_list"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"evaluatorType" : "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty'); return { }} f()"
+			}
+		},
+		{
+		  "name": "INLINE_TASK",
+		  "taskReferenceName": "build_tasks_to_add_ghn_client_to_all_contexts",
+		  "type": "INLINE",
+		  "inputParameters": {
+		    "context_list" : "${workflow.input.context_list}",
+		    "client_id" : "${workflow.input.client_id}",
+		    "evaluatorType" : "javascript",
+			"expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.context_list.length;i++)c=$.context_list[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'add_ghn_client_to_context_'+i, subWorkflowParam:{ name:'ghn_client_add_to_context'}}),inputs['add_ghn_client_to_context_'+i]={client_id : $.client_id, context: c};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		  }
+		},
+		{
+		  "name" : "fork_dynamic",
+		  "type" : "FORK_JOIN_DYNAMIC",
+		  "taskReferenceName" : "parallel_build_tasks_to_add_ghn_client_to_all_contexts",
+		  "inputParameters" : {
+		      "tasks" : "${build_tasks_to_add_ghn_client_to_all_contexts.output.result.tasks}",
+		      "inputs" : "${build_tasks_to_add_ghn_client_to_all_contexts.output.result.inputs}"
+		  },
+		  "dynamicForkTasksParam": "tasks",
+		  "dynamicForkTasksInputParamName": "inputs"
+		},
+		{
+		  "name" : "join",
+		  "type" : "JOIN",
+		  "taskReferenceName" : "join_build_tasks_to_add_ghn_client_to_all_contexts"
+		}
+	]
+}
+	

templates/ghn_client_create.json.j2

@@ -0,0 +1,180 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "ghn_client_create",
+	"createBy" : "Marco Lettere",
+	"description": "Create a client on IAM to represent SmartGears based GHNodes",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "client_secret", "description", "context_list"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				  "root_vo": "{{ root_vo }}",
+				  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+  			      "storagehub" : "{{ storagehub }}",
+				  "id" : "${workflow.input.client_id}",
+				  "secret" : "${workflow.input.client_secret}",
+				  "description" : "${workflow.input.description}",
+				  "evaluatorType" : "javascript",
+				  "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty'); return { encoded_root_vo : encodeURI($.root_vo), client : { clientId : $.id, description : ($.description ? $.description : $.id), secret : ($.secret ? $.secret : Java.type('java.util.UUID').randomUUID().toString()), rootUrl : '', enabled : true, serviceAccountsEnabled : true, standardFlowEnabled : true, authorizationServicesEnabled : false, publicClient : false, fullScopeAllowed : true, protocol : 'openid-connect'}}} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},	
+		{
+			"name" : "fork_join",
+			"taskReferenceName" : "fork1",
+			"type" : "FORK_JOIN",
+			"forkTasks" : [
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "create_client",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"body" : "${init.output.result.client}",
+							"method" : "POST",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Content-Type" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_client_id",
+						"type": "INLINE",
+						"inputParameters": {
+							"client_location" : "${create_client.output.headers.location}",
+							"evaluatorType" : "javascript",
+							"expression": "var client_id = $.client_location.split('/').pop(); function f(){return {'client_resource_id' : client_id}} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "get_service_account_user",
+				  		"type" : "SIMPLE",
+				  		"inputParameters" : {
+					  		"url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_resource_id}/service-account-user",
+					  		"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+				  		}
+					}
+				],
+				[
+					{
+				        "name" : "pyrest",
+				        "taskReferenceName" : "get_rootvo",
+				        "type" : "SIMPLE",
+				        "inputParameters" : {
+				            "url" : "${init.input.keycloak_admin}/clients?clientId=${init.output.result.encoded_root_vo}",
+				            "method" : "GET",
+				            "headers" : {
+				                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+				                "Accept" : "application/json"
+				            }
+				        }
+				    },
+				    {
+				        "name" : "pyrest",
+				        "taskReferenceName" : "get_rootvo_member_role",
+				        "type" : "SIMPLE",
+				        "inputParameters" : {
+				            "url" : "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles/Member",
+				            "method" : "GET",
+				            "expect" : [200, 404],
+				            "headers" : {
+				                "Authorization" : "Bearer ${authorize.output.body.access_token}",
+				                "Accept" : "application/json"
+				            }
+				        }
+				    }
+				]
+			]
+		},
+		{
+		    "name": "join",
+		    "taskReferenceName": "join1",
+		    "type": "JOIN",
+		    "joinOn": [
+		      "get_service_account_user",
+		      "get_rootvo_member_role"
+		    ]
+		},
+		{
+    		"name": "jq_1",
+    		"taskReferenceName": "to_array",
+    		"type": "JSON_JQ_TRANSFORM",
+    		"inputParameters": {
+    			"role": "${get_rootvo_member_role.output.body}",
+                "queryExpression" : ".role"
+            }
+        },
+		{
+			"name" : "pyrest",
+			"type" : "SIMPLE",
+			"taskReferenceName": "assign_member_role",
+			"inputParameters" : {
+			  "url" : "${init.input.keycloak_admin}/users/${get_service_account_user.output.body.id}/role-mappings/clients/${get_rootvo_member_role.output.body.containerId}",
+			  "method" :"POST",
+			  "headers" : {
+				"Authorization" : "Bearer ${authorize.output.body.access_token}",
+				"Content-Type" : "application/json",
+				"Accept":"application/json"
+			  },
+			  "body" : "${to_array.output.resultList}"
+			}
+		},
+		{
+		  "name": "INLINE_TASK",
+		  "taskReferenceName": "build_tasks_to_add_ghn_client_to_all_contexts",
+		  "type": "INLINE",
+		  "inputParameters": {
+		    "context_list" : "${workflow.input.context_list}",
+		    "client_id" : "${workflow.input.client_id}",
+			"evaluatorType" : "javascript",
+		    "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.context_list.length;i++)c=$.context_list[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'add_ghn_client_to_context_'+i, subWorkflowParam:{ name:'ghn_client_add_to_context'}}),inputs['add_ghn_client_to_context_'+i]={client_id : $.client_id, context: c};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		  }
+		},
+		{
+		  "name" : "fork_dynamic",
+		  "type" : "FORK_JOIN_DYNAMIC",
+		  "taskReferenceName" : "parallel_build_tasks_to_add_ghn_client_to_all_contexts",
+		  "inputParameters" : {
+		      "tasks" : "${build_tasks_to_add_ghn_client_to_all_contexts.output.result.tasks}",
+		      "inputs" : "${build_tasks_to_add_ghn_client_to_all_contexts.output.result.inputs}"
+		  },
+		  "dynamicForkTasksParam": "tasks",
+		  "dynamicForkTasksInputParamName": "inputs"
+		},
+		{
+		  "name" : "join",
+		  "type" : "JOIN",
+		  "taskReferenceName" : "join_build_tasks_to_add_ghn_client_to_all_contexts"
+		}
+	]
+}
+	

templates/ghn_client_delete.json.j2

@@ -0,0 +1,76 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "ghn_client_delete",
+	"createBy" : "Marco Lettere",
+	"description": "Delete a GHN client from IAM",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				  "id" : "${workflow.input.client_id}",
+				  "evaluatorType" : "javascript",
+				  "expression" : "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty');} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak}/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},	
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "lookup_client",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak_admin}/clients",
+				"params" : { "clientId" : "${workflow.input.client_id}"},
+				"method" : "GET",
+				"headers" : {
+					"Authorization" : "Bearer ${authorize.output.body.access_token}",
+					"Accept" : "application/json"
+				}
+			}
+		},
+		{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "check",
+			"type": "INLINE",
+			"inputParameters": {
+				"evaluatorType" : "javascript",
+				"list" : "${lookup_client.output.body}",
+				"expression" : "if($.list.length === 0 || $.list.length > 1) throw('No client found with client_id or ambiguous query returned multiple clients.')"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "delete_client",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "${init.input.keycloak_admin}/clients/${lookup_client.output.body[0].id}",
+				"method" : "DELETE",
+				"headers" : {
+					"Authorization" : "Bearer ${authorize.output.body.access_token}"
+				}
+			}
+		}
+	]
+}

templates/ghn_client_remove_from_context.json.j2

@@ -0,0 +1,159 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "ghn_client_remove_from_context",
+	"createBy" : "Marco Lettere",
+	"description": "The role Memeber of the give context is removed from a GHN client on IAM.",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "context"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"ctx" : "${workflow.input.context}",
+				"evaluatorType" : "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id) || e($.ctx)) throw('Client ID and Context must not be empty'); else return { encoded_context : $.ctx.replaceAll('/', '%2F')}} f()"
+			}
+		},
+		{
+			"name" : "pyrest",
+			"taskReferenceName" : "authorize",
+			"type" : "SIMPLE",
+			"inputParameters" : {
+				"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+				"method" : "POST",
+				"headers" : {
+					"Accept" : "application/json"
+				},
+				"body" : {
+					"client_id" : "orchestrator", 
+					"client_secret" : "{{ keycloak_auth_master }}",
+					"grant_type" : "client_credentials"
+				}
+			}
+		},
+		{
+			"name" : "fork_join",
+			"taskReferenceName" : "fork1",
+			"type" : "FORK_JOIN",
+			"forkTasks" : [
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "lookup_client",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"params" : { "clientId" : "${workflow.input.client_id}"},
+							"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_ghn_client",
+						"type": "INLINE",
+						"inputParameters": {
+							"client" : "${lookup_client.output.body}",
+							"evaluatorType" : "javascript",
+							"expression": "function e(v){ return (v.length === 0)}; function f(){if(e($.client)) throw('GHN client not found'); else return { client : $.client[0], id : $.client[0].id}} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "get_service_account_user",
+				  		"type" : "SIMPLE",
+				  		"inputParameters" : {
+					  		"url" : "${init.input.keycloak_admin}/clients/${extract_ghn_client.output.result.id}/service-account-user",
+					  		"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+				  		}
+					}
+				],
+				[
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "lookup_context",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients",
+							"params" : { "clientId" : "${init.output.result.encoded_context}"},
+							"method" : "GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+							}
+						}
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "extract_context",
+						"type": "INLINE",
+						"inputParameters": {
+							"client" : "${lookup_context.output.body}",
+							"evaluatorType" : "javascript",
+							"expression": "function e(v){ return (v.length === 0)}; function f(){if(e($.client)) throw('Context not found'); else return { client : $.client[0], id: $.client[0].id }} f()"
+						}
+					},
+					{
+						"name" : "pyrest",
+						"type" : "SIMPLE",
+						"taskReferenceName": "retrieve_member_role",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/clients/${extract_context.output.result.id}/roles/Member",
+							"method" :"GET",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Accept" : "application/json"
+						  	}
+						}
+					},
+					{
+						"name": "jq_1",
+						"taskReferenceName": "roles_to_remove",
+						"type": "JSON_JQ_TRANSFORM",
+						"inputParameters": {
+							"role": "${retrieve_member_role.output.body}",
+						    "queryExpression" : ".role"
+						}
+					}
+				]
+			]
+		},
+		{
+		    "name": "join",
+		    "taskReferenceName": "join1",
+		    "type": "JOIN",
+		    "joinOn": [
+		      "get_service_account_user",
+		      "roles_to_remove"
+		    ]
+		},
+		{
+			"name" : "pyrest",
+			"type" : "SIMPLE",
+			"taskReferenceName": "remove_member_role",
+			"inputParameters" : {
+			  "url" : "${init.input.keycloak_admin}/users/${get_service_account_user.output.body.id}/role-mappings/clients/${retrieve_member_role.output.body.containerId}",
+			  "method" :"DELETE",
+			  "expect" : 204,
+			  "headers" : {
+				"Authorization" : "Bearer ${authorize.output.body.access_token}",
+				"Content-Type" : "application/json"
+			  },
+			  "body" : "${roles_to_remove.output.resultList}"
+			}
+		}
+	]
+}

templates/ghn_client_remove_from_contexts.json.j2

@@ -0,0 +1,51 @@
+{
+	"ownerApp" : "Orchestrator",
+	"name" : "ghn_client_remove_from_contexts",
+	"createBy" : "Marco Lettere",
+	"description": "The role Member for of all the passed contexts is removed from a GHN client",
+	"version" : 1,
+	"ownerEmail" : "marco.lettere@nubisware.com",
+	"inputParameters" : ["client_id", "context_list"],
+	"tasks" : [
+    	{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "init",
+			"type": "INLINE",
+			"inputParameters": {
+				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+				"id" : "${workflow.input.client_id}",
+				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+				"evaluatorType" : "javascript",
+				"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.id)) throw('Client ID must not be empty'); return { }} f()"
+			}
+		},
+		{
+		  "name": "INLINE",
+		  "taskReferenceName": "build_tasks_to_remove_ghn_client_from_all_contexts",
+		  "type": "INLINE",
+		  "inputParameters": {
+		    "context_list" : "${workflow.input.context_list}",
+		    "client_id" : "${workflow.input.client_id}",
+		    "evaluatorType" : "javascript",
+			"expression": "inputs={},tasks=[]; function f(){for(var i=0;i<$.context_list.length;i++)c=$.context_list[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'remove_ghn_client_from_context_'+i, subWorkflowParam:{ name:'ghn_client_remove_from_context'}}),inputs['remove_ghn_client_from_context_'+i]={client_id : $.client_id, context: c};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		  }
+		},
+		{
+		  "name" : "fork_dynamic",
+		  "type" : "FORK_JOIN_DYNAMIC",
+		  "taskReferenceName" : "parallel_build_tasks_to_remove_ghn_client_from_all_contexts",
+		  "inputParameters" : {
+		      "tasks" : "${build_tasks_to_remove_ghn_client_from_all_contexts.output.result.tasks}",
+		      "inputs" : "${build_tasks_to_remove_ghn_client_from_all_contexts.output.result.inputs}"
+		  },
+		  "dynamicForkTasksParam": "tasks",
+		  "dynamicForkTasksInputParamName": "inputs"
+		},
+		{
+		  "name" : "join",
+		  "type" : "JOIN",
+		  "taskReferenceName" : "join_build_tasks_to_remove_ghn_client_from_all_contexts"
+		}
+	]
+}
+	

templates/group_created.json.j2

@@ -7,16 +7,17 @@
 	"ownerEmail" : "marco.lettere@nubisware.com",
 	"inputParameters" : ["user", "group"],
 	"tasks" : [
-    {
-		  "name": "LAMBDA_TASK",
+		{
+		  "name": "INLINE_TASK",
 		  "taskReferenceName": "init",
-		  "type": "LAMBDA",
+		  "type": "INLINE",
 		  "inputParameters": {
 			  "root_vo": "{{ root_vo }}",
 			  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			  "clientId" : "${workflow.input.group}",
-			  "scriptExpression": "var tree = $.clientId.split('%2F'); return { 'tree' : tree, 'child': tree[tree.length-1], 'append' : tree.slice(0,-1).join('/'), 'name' : tree.join('/'), encoded_root_vo : encodeURI($.root_vo)}"
+			  "group" : "${workflow.input.group}",
+			  "evaluatorType" : "javascript",
+			  "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.group)) throw('Group must not be empty'); var tree = $.group.startsWith('%2F') ? $.group.split('%2F') : [$.group]; return { 'tree' : tree, 'child': tree[tree.length-1], 'append' : tree.slice(0,-1).join('/'), 'name' : tree.join('/'), encoded_root_vo : encodeURI($.root_vo)}} f()"
 		  }
 		},
 		{
@@ -36,6 +37,44 @@
 				}
 			}
 		},
+		{
+			"name" : "check_is_gateway",
+			"taskReferenceName" : "check_is_gateway",
+			"type" : "SWITCH",
+			"evaluatorType" : "javascript",
+			"inputParameters" :{
+				"group" : "${workflow.input.group}"
+			},
+			"expression": "$.group.toLowerCase().endsWith('gateway') ? 'gateway' : ''",
+			"decisionCases" : {
+				"gateway" : [
+					{
+					  "name" : "pyrest",
+						"taskReferenceName" : "create_gateway_group",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/groups",
+							"body" : { 
+								"name" : "${init.output.result.child}"
+							},
+							"method" : "POST",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Content-Type" : "application/json"
+							}
+						}
+					},
+					{
+						"name" : "terminate",
+						"taskReferenceName" : "terminate_when_gateway",
+						"type" : "TERMINATE",
+						"inputParameters" : {
+							"terminationStatus" : "COMPLETED"
+						}
+					}
+				]
+			}
+		},
 		{
         "name" : "fork_join",
         "taskReferenceName" : "preliminary_fork",
@@ -49,7 +88,7 @@
 			        "inputParameters" : {
 				        "url" : "${init.input.keycloak_admin}/clients",
 				        "body" : { 
-					        "clientId": "${init.input.clientId}",
+					        "clientId": "${init.input.group}",
 					        "name": "${init.output.result.name}",
 					        "description": "Client representation for ${init.output.result.name} context",
 					        "rootUrl": "http://localhost${init.output.result.name}",
@@ -69,15 +108,93 @@
 			        }
 		        },
             {
-                "name": "LAMBDA_TASK",
+                "name": "INLINE_TASK",
                 "taskReferenceName": "extract_client_id",
-                "type": "LAMBDA",
+                "type": "INLINE",
                 "inputParameters": {
-                        "client_location" : "${create_client.output.headers.location}",
-                        "scriptExpression": "var client_id = $.client_location.split('/').pop(); return {'client_id' : client_id}"
+					"client_location" : "${create_client.output.headers.location}",
+					"evaluatorType" : "javascript",
+					"expression": "function f(){var client_id = $.client_location.split('/').pop(); return {'client_id' : client_id}} f()"
                 }
             },
-		        {
+		    {
+			  "name" : "pyrest",
+				"taskReferenceName" : "list_kc_groups",
+				"type" : "SIMPLE",
+				"inputParameters" : {
+					"url" : "${init.input.keycloak_admin}/groups",
+					"method" : "GET",
+					"headers" : {
+						"Authorization" : "Bearer ${authorize.output.body.access_token}",
+						"Accept" : "application/json"
+					}
+				}
+			},
+			{
+				"name": "INLINE_TASK",
+				"taskReferenceName": "prepare",
+				"type": "INLINE",
+				"inputParameters": {
+					"evaluatorType" : "javascript",
+					"append": "${init.output.result.append}",
+		  			"groups": "${list_kc_groups.output.body}",
+		  			"expression": "function recurse(inp){for(var i=0;i<inp.length;i++){if(inp[i]['path'] === $.append) return inp[i]; else{var subr = recurse(inp[i].subGroups); if(subr != null) return subr;}} return null}; function f(){return {'group' : $.append == '' ? '' : recurse($.groups)}} f()"
+				}
+			},
+			{
+				"name": "decide_task",
+				"taskReferenceName": "decide1",
+				"inputParameters": {
+					"groupid": "${prepare.output.result.group}"
+				},
+				"type": "SWITCH",
+				"evaluatorType" : "value-param",
+				"expression": "groupid",
+				"decisionCases": {
+					"": [
+						{
+							"name": "INLINE_TASK",
+							"taskReferenceName": "dummy",
+							"type": "INLINE",
+							"inputParameters": {
+								"evaluatorType" :"javascript",
+								"expression": "1"
+							}
+						}
+					]
+				},
+				"defaultCase": [
+					{
+						"name": "pyrest",
+						"taskReferenceName": "create_kc_group",
+						"inputParameters": {
+						  "url": "${init.input.keycloak_admin}/groups/${prepare.output.result.group.id}/children",
+						  "body": {
+							"name": "${init.output.result.child}"
+						  },
+						  "method": "POST",
+						  "headers": {
+							"Authorization": "Bearer ${authorize.output.body.access_token}",
+							"Content-Type": "application/json"
+						  }
+						},
+						"type": "SIMPLE"
+					},
+					{
+						"name": "INLINE_TASK",
+						"taskReferenceName": "prepare2",
+						"inputParameters": {
+						  "evaluatorType" : "javascript",
+						  "location": "${create_kc_group.output.headers.location}",
+						  "client_location": "${create_client.output.headers.location}",
+
+						  "expression": "function f(){var newid=$.location.split('/').pop(); var client_id = $.client_location.split('/').pop(); return {'newid' : newid, 'client_id' : client_id}} f()"
+						},
+						"type": "INLINE"
+					}
+				]
+			},
+		    {
                 "name" : "pyrest",
                 "taskReferenceName" : "get_default_policies",
                 "type" : "SIMPLE",
@@ -188,293 +305,361 @@
       "taskReferenceName" : "preliminary_fork_join",
       "joinOn": [ "create_permission", "get_rootvo_roles"]
     },
-		{
-			"name" : "fork_join",
-			"taskReferenceName" : "fork_role_creation",
-			"type" : "FORK_JOIN",
-			"forkTasks" : [
-				[{
-					"name" : "pyrest",
-					"taskReferenceName" : "create_role_member",
-					"type" : "SIMPLE",
-					"inputParameters" : {
-						"url" : "${create_client.output.headers.location}/roles",
-						"body" : { 
-							"clientRole" : true, "name" : "Member", "description" : "Simple membership for ${init.output.result.name}"
-						},
-						"method" : "POST",
-						"headers" : {
-							"Authorization" : "Bearer ${authorize.output.body.access_token}",
-							"Content-Type" : "application/json"
-						}
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize1",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "create_role_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${create_client.output.headers.location}/roles",
+			"body" : { 
+				"clientRole" : true, "name" : "Member", "description" : "Simple membership for ${init.output.result.name}"
+			},
+			"method" : "POST",
+			"headers" : {
+				"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+				"Content-Type" : "application/json"
+			}
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "get_back_role_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${create_role_member.output.headers.location}",
+			"method" : "GET",
+			"headers" : {
+				"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+				"Accept" : "application/json"
+			}
+		}
+	},
+	{
+		"name": "jq_1",
+		"taskReferenceName": "to_array",
+		"type": "JSON_JQ_TRANSFORM",
+		"inputParameters": {
+			"role": "${get_back_role_member.output.body}",
+	        "queryExpression" : ".role"
+	    }
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "add_role_member_as_component_of_infrastructure_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${init.input.keycloak_admin}/roles/Infrastructure-Member/composites",
+			"method" : "POST",
+			"headers" : {
+				"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+				"Content-Type" : "application/json"
+			},
+			"body" : "${to_array.output.resultList}"
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "create_role_policy_member",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+	  		"url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role",
+		  	"body" : {
+	 			"name": "Member_policy",
+			 	"description": "",
+			 	"type" : "role",
+			 	"logic": "POSITIVE",
+			 	"decisionStrategy": "UNANIMOUS",
+				 "roles" : [
+					{
+					  "id" : "${get_back_role_member.output.body.id}",
+					  "required" : true
 					}
-				},
+				 ]
+		  	},
+		  	"method" : "POST",
+		  	"headers" : {
+			  "Authorization" : "Bearer ${authorize1.output.body.access_token}",
+			  "Content-Type" : "application/json",
+			  "Accept" : "application/json"
+		  	}
+		}
+	},
+	{
+		"name": "decide_task",
+		"taskReferenceName": "decide2",
+		"inputParameters": {
+			"groupid": "${prepare.output.result.group}"
+		},
+		"type": "SWITCH",
+		"evaluatorType" : "value-param",
+		"expression": "groupid",
+		"decisionCases": {
+			"": [
 				{
-					"name" : "pyrest",
-					"taskReferenceName" : "get_back_role_member",
-					"type" : "SIMPLE",
-					"inputParameters" : {
-						"url" : "${create_role_member.output.headers.location}",
-						"method" : "GET",
-						"headers" : {
-							"Authorization" : "Bearer ${authorize.output.body.access_token}",
-							"Accept" : "application/json"
-						}
-					}
-				},
-				{
-					  "name" : "pyrest",
-					  "taskReferenceName" : "create_role_policy_member",
-					  "type" : "SIMPLE",
-					  "inputParameters" : {
-						  "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role",
-						  "body" : {
-                 "name": "Member_policy",
-                 "description": "",
-                 "type" : "role",
-                 "logic": "POSITIVE",
-                 "decisionStrategy": "UNANIMOUS",
-                 "roles" : [
-                    {
-                      "id" : "${get_back_role_member.output.body.id}",
-                      "required" : true
-                    }
-                 ]
-              },
-						  "method" : "POST",
-						  "headers" : {
-							  "Authorization" : "Bearer ${authorize.output.body.access_token}",
-							  "Content-Type" : "application/json",
-							  "Accept" : "application/json"
-						  }
-					  }
-			  },
-				{
-				  "name" : "pyrest",
-					"taskReferenceName" : "create_kc_group",
-					"type" : "SIMPLE",
-					"inputParameters" : {
-						"url" : "${init.input.keycloak_admin}/groups",
-						"body" : { 
-							"name" : "${init.output.result.child}"
-						},
-						"method" : "POST",
-						"headers" : {
-							"Authorization" : "Bearer ${authorize.output.body.access_token}",
-							"Content-Type" : "application/json"
-						}
-					}
-				},
-				{
-				  "name" : "pyrest",
-					"taskReferenceName" : "list_kc_groups",
-					"type" : "SIMPLE",
-					"inputParameters" : {
-						"url" : "${init.input.keycloak_admin}/groups",
-						"method" : "GET",
-						"headers" : {
-							"Authorization" : "Bearer ${authorize.output.body.access_token}",
-							"Accept" : "application/json"
-						}
-					}
-				},
-				{
-					"name": "LAMBDA_TASK",
-					"taskReferenceName": "prepare",
-					"type": "LAMBDA",
+					"name": "INLINE_TASK",
+					"taskReferenceName": "dummy2",
+					"type": "INLINE",
 					"inputParameters": {
-						"append" : "${init.output.result.append}",
-						"location" : "${create_kc_group.output.headers.location}",
-						"client_location" : "${create_client.output.headers.location}",
-						"groups" : "${list_kc_groups.output.body}",
-						"scriptExpression": "var newid=$.location.split('/').pop(); var client_id = $.client_location.split('/').pop(); function recurse(inp){for(var i=0;i<inp.length;i++){if(inp[i]['path'] === $.append) return inp[i]; else{var subr = recurse(inp[i].subGroups); if(subr != null) return subr;}} return null}; return {'group' : $.append == '' ? '' : recurse($.groups), 'newid' : newid, 'client_id' : client_id}"
-					}
-				},
-				{
-					"name": "decide_task",
-					"taskReferenceName": "decide1",
-					"inputParameters": {
-						"groupid": "${prepare.output.result.group}"
-					},
-					"type": "DECISION",
-					"caseValueParam": "groupid",
-					"decisionCases": {
-						"": [
-							{
-								"name": "LAMBDA_TASK",
-								"taskReferenceName": "dummy",
-								"type": "LAMBDA",
-								"inputParameters": {
-									"scriptExpression": "1"
-								}
-							}
-						]
-					},
-					"defaultCase": [
-						{
-							"name" : "pyrest",
-							"taskReferenceName" : "move_new_kc_group_to_parent",
-							"type" : "SIMPLE",
-							"inputParameters" : {
-								"url" : "${init.input.keycloak_admin}/groups/${prepare.output.result.group.id}/children",
-								"method" : "POST",
-								"body" : {
-									"id" : "${prepare.output.result.newid}"
-								},
-								"headers" : {
-									"Authorization" : "Bearer ${authorize.output.body.access_token}",
-									"Accept" : "application/json",
-									"Content-Type" : "application/json"
-								}
-							}
-						}
-					]
-				},
-				{
-				  "name" : "pyrest",
-					"taskReferenceName" : "assign_client_member_role_to_kc_group",
-					"type" : "SIMPLE",
-					"inputParameters" : {
-						"url" : "${init.input.keycloak_admin}/groups/${prepare.output.result.newid}/role-mappings/clients/${prepare.output.result.client_id}",
-						"method" : "POST",
-						"body" : ["${get_back_role_member.output.body}"],
-						"headers" : {
-							"Authorization" : "Bearer ${authorize.output.body.access_token}",
-							"Accept" : "application/json",
-							"Content-Type" : "application/json"
-						}
+						"evaluatorType" : "javascript",
+						"expression": "1"
 					}
 				}
-				],
-				[
-				  {
-            "name": "LAMBDA_TASK",
-            "taskReferenceName": "build_add_role_tasks",
-            "type": "LAMBDA",
-            "inputParameters": {
-              "roles" : "${get_rootvo_roles.output.body[?(@.name != \"uma_protection\" && @.name != \"Member\")]}",
-              "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}),inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize.output.body.access_token}','Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
-            }
-          },
-          {
-            "name" : "fork_dynamic",
-            "type" : "FORK_JOIN_DYNAMIC",
-            "taskReferenceName" : "parallel_add_role",
-            "inputParameters" : {
-                "tasks" : "${build_add_role_tasks.output.result.tasks}",
-                "inputs" : "${build_add_role_tasks.output.result.inputs}"
-            },
-            "dynamicForkTasksParam": "tasks",
-            "dynamicForkTasksInputParamName": "inputs"
-          },
-          {
-              "name" : "join",
-              "type" : "JOIN",
-              "taskReferenceName" : "join_parallel_role_addition"
-          },
-				  {
-            "name": "LAMBDA_TASK",
-            "taskReferenceName": "build_get_back_role_tasks",
-            "type": "LAMBDA",
-            "inputParameters": {
-              "roleurls" : "${join_parallel_role_addition.output[*]..location}",
-              "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
-            }
-          },
-          {
-            "name" : "fork_dynamic",
-            "type" : "FORK_JOIN_DYNAMIC",
-            "taskReferenceName" : "parallel_get_back_role",
-            "inputParameters" : {
-                "tasks" : "${build_get_back_role_tasks.output.result.tasks}",
-                "inputs" : "${build_get_back_role_tasks.output.result.inputs}"
-            },
-            "dynamicForkTasksParam": "tasks",
-            "dynamicForkTasksInputParamName": "inputs"
-          },
-          {
-              "name" : "join",
-              "type" : "JOIN",
-              "taskReferenceName" : "join_parallel_getting_back"
-          },
-          {
-            "name": "LAMBDA_TASK",
-            "taskReferenceName": "build_add_policy_tasks",
-            "type": "LAMBDA",
-            "inputParameters": {
-              "roles" : "${join_parallel_getting_back.output[*].body}",
-              "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
-            }
-          },
-          {
-            "name" : "fork_dynamic",
-            "type" : "FORK_JOIN_DYNAMIC",
-            "taskReferenceName" : "parallel_add_policy_role",
-            "inputParameters" : {
-                "tasks" : "${build_add_policy_tasks.output.result.tasks}",
-                "inputs" : "${build_add_policy_tasks.output.result.inputs}"
-            },
-            "dynamicForkTasksParam": "tasks",
-            "dynamicForkTasksInputParamName": "inputs"
-          },
-          {
-              "name" : "join",
-              "type" : "JOIN",
-              "taskReferenceName" : "join_parallel_policy_addition"
-          }
-        ]
 			]
 		},
-		{
-			"name" : "join",
-			"taskReferenceName" : "join_role_creation",
-			"type" : "JOIN",
-			"joinOn" : [
-			  "join_parallel_policy_addition",
-        "assign_client_member_role_to_kc_group"
-			]
-		},
-		{
-			"name": "LAMBDA_TASK",
-		  	"taskReferenceName": "policy_list",
-			"type": "LAMBDA",
-	 		"inputParameters": {
-				"memberpolicy" : "${create_role_policy_member.output.body.id}",
-				"otherpolicies" : "${join_parallel_policy_addition.output[*].body.id}",
-				"scriptExpression": "return Java.to(Java.from($.otherpolicies).concat($.memberpolicy), 'java.lang.String[]')"
-			  }
-		},
-		{
-		  "name" : "pyrest",
-		  "taskReferenceName" : "finalize_permission",
-		  "type" : "SIMPLE",
-		  "inputParameters" : {
-			  "url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/permission/resource/${create_permission.output.body.id}",
-			  "body" : {
-           "name": "Default Permission",
-           "description": "",
-           "type" : "resource",
-           "logic": "POSITIVE",
-           "decisionStrategy": "AFFIRMATIVE",
-           "policies" : "${policy_list.output.result}"
-        },
-			  "method" : "PUT",
-			  "headers" : {
-				  "Authorization" : "Bearer ${authorize.output.body.access_token}",
-				  "Content-Type" : "application/json"
-			  }
-		  }
-	  },
-	  {
-		"name": "sub_workflow_task",
-		"taskReferenceName": "call_add_all_system_services_to_new_vre",
-		"type": "SUB_WORKFLOW",
-		"inputParameters": {
-		    "client_resource_id": "${extract_client_id.output.result.client_id}"
-		},
-		"subWorkflowParam": {
-		    "name": "add_all_system_services_to_vre"
+		"defaultCase": [
+			{
+			  "name" : "pyrest",
+				"taskReferenceName" : "assign_client_member_role_to_kc_group",
+				"type" : "SIMPLE",
+				"inputParameters" : {
+					"url" : "${init.input.keycloak_admin}/groups/${prepare2.output.result.newid}/role-mappings/clients/${prepare2.output.result.client_id}",
+					"method" : "POST",
+					"body" : ["${get_back_role_member.output.body}"],
+					"headers" : {
+						"Authorization" : "Bearer ${authorize1.output.body.access_token}",
+						"Accept" : "application/json",
+						"Content-Type" : "application/json"
+					}
+				}
+			}
+		]
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize2",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
 		}
-	  }
+	},
+	{
+		"name": "INLINE_TASK",
+		"taskReferenceName": "build_add_role_tasks",
+		"type": "INLINE",
+		"inputParameters": {
+		  "evaluatorType" : "javascript",
+		  "roles" : "${get_rootvo_roles.output.body}",
+		  "expression": "inputs={},tasks=[];function add(r, k){ if(r.name != 'uma_protection' && r.name != 'Member'){ tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_'+k}); inputs['create_'+k]={url:'${create_client.output.headers.location}/roles',body:{clientRole:true,name:r.name,description:r.description},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}','Content-Type':'application/json'}}}};for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name, add(r, k); function f(){return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		}
+	},
+	{
+		"name" : "fork_dynamic",
+		"type" : "FORK_JOIN_DYNAMIC",
+		"taskReferenceName" : "parallel_add_role",
+		"inputParameters" : {
+			"tasks" : "${build_add_role_tasks.output.result.tasks}",
+			"inputs" : "${build_add_role_tasks.output.result.inputs}"
+		},
+		"dynamicForkTasksParam": "tasks",
+		"dynamicForkTasksInputParamName": "inputs"
+	},
+	{
+	  "name" : "join",
+	  "type" : "JOIN",
+	  "taskReferenceName" : "join_parallel_role_addition"
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize3",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name": "INLINE_TASK",
+		"taskReferenceName": "build_get_back_role_tasks",
+		"type": "INLINE",
+		"inputParameters": {
+		  "evaluatorType" : "javascript",
+		  "roleurls" : "${join_parallel_role_addition.output[*]..location}",
+		  "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],k='add-'+i,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+k}),inputs['get_back_'+k]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		}
+	},
+	{
+		"name" : "fork_dynamic",
+		"type" : "FORK_JOIN_DYNAMIC",
+		"taskReferenceName" : "parallel_get_back_role",
+		"inputParameters" : {
+			"tasks" : "${build_get_back_role_tasks.output.result.tasks}",
+			"inputs" : "${build_get_back_role_tasks.output.result.inputs}"
+		},
+		"dynamicForkTasksParam": "tasks",
+		"dynamicForkTasksInputParamName": "inputs"
+	},
+	{
+	  "name" : "join",
+	  "type" : "JOIN",
+	  "taskReferenceName" : "join_parallel_getting_back"
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize4",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name": "INLINE_TASK",
+		"taskReferenceName": "build_add_policy_tasks",
+		"type": "INLINE",
+		"inputParameters": {
+		  "evaluatorType" : "javascript",
+		  "roles" : "${join_parallel_getting_back.output[*].body}",
+		  "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.roles.length;i++)r=$.roles[i],k='add-'+r.name,tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_policy_'+k}),inputs['create_role_policy_'+k]={url:'${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/policy/role',body:{name:r.name+'_policy',description:'',type:'role',logic:'POSITIVE',decisionStrategy:'UNANIMOUS',roles:Java.to([{id:r.id,required:true}], 'java.util.Map[]')},method:'POST',headers:{Authorization:'Bearer ${authorize4.output.body.access_token}', Accept: 'application/json', 'Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};} f()"
+		}
+	},
+	{
+		"name" : "fork_dynamic",
+		"type" : "FORK_JOIN_DYNAMIC",
+		"taskReferenceName" : "parallel_add_policy_role",
+		"inputParameters" : {
+			"tasks" : "${build_add_policy_tasks.output.result.tasks}",
+			"inputs" : "${build_add_policy_tasks.output.result.inputs}"
+		},
+		"dynamicForkTasksParam": "tasks",
+		"dynamicForkTasksInputParamName": "inputs"
+	},
+	{
+	  "name" : "join",
+	  "type" : "JOIN",
+	  "taskReferenceName" : "join_parallel_policy_addition"
+	},
+	{
+		"name": "INLINE_TASK",
+	  	"taskReferenceName": "policy_list",
+		"type": "INLINE",
+ 		"inputParameters": {
+			"evaluatorType" : "javascript",
+			"memberpolicy" : "${create_role_policy_member.output.body.id}",
+			"otherpolicies" : "${join_parallel_policy_addition.output[*].body.id}",
+			"expression": "function f(){return Java.to(Java.from($.otherpolicies).concat($.memberpolicy), 'java.lang.String[]')} f()"
+		  }
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "authorize5",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "{{ keycloak }}/master/protocol/openid-connect/token",
+			"method" : "POST",
+			"headers" : {
+				"Accept" : "application/json"
+			},
+			"body" : {
+				"client_id" : "orchestrator", 
+				"client_secret" : "{{ keycloak_auth_master }}",
+				"grant_type" : "client_credentials"
+			}
+		}
+	},
+	{
+		"name" : "pyrest",
+		"taskReferenceName" : "finalize_permission",
+		"type" : "SIMPLE",
+		"inputParameters" : {
+			"url" : "${init.input.keycloak_admin}/clients/${extract_client_id.output.result.client_id}/authz/resource-server/permission/resource/${create_permission.output.body.id}",
+			"body" : {
+				"name": "Default Permission",
+				"description": "",
+				"type" : "resource",
+				"logic": "POSITIVE",
+				"decisionStrategy": "AFFIRMATIVE",
+				"policies" : "${policy_list.output.result}"
+			},
+	  		"method" : "PUT",
+			"headers" : {
+			  "Authorization" : "Bearer ${authorize5.output.body.access_token}",
+			  "Content-Type" : "application/json"
+			}
+  		}
+	},
+	{
+        "name" : "fork_subworkflows",
+        "type" : "FORK_JOIN",
+        "taskReferenceName" : "parallel_call_subworkflows",
+        "forkTasks" : [
+        	[
+    			{
+				  "name": "sub_workflow_task",
+				  "taskReferenceName": "call_enable_workspace_clients_for_context",
+				  "subWorkflowParam": {
+					"name": "enable_workspace_clients_for_context"
+				  },
+				  "inputParameters": {
+		  			"context" : "${workflow.input.group}"
+				  },
+				  "type": "SUB_WORKFLOW"
+			   }
+        	],
+        	[
+				{
+				  "name": "sub_workflow_task",
+				  "taskReferenceName": "call_jupyterhub_add_serveroptions_to_context",
+				  "subWorkflowParam": {
+					"name": "jupyterhub_add_serveroptions_to_context"
+				  },
+				  "inputParameters": {
+		  			"context" : "${workflow.input.group}"
+				  },
+				  "type": "SUB_WORKFLOW"
+			   }        		
+        	]
+        ]
+	},
+	{
+    	  "name" : "join",
+          "type" : "JOIN",
+          "taskReferenceName" : "join_parallel_call_subworkflows",
+		  "joinOn" :[
+		  	"call_enable_workspace_clients_for_context",
+		  	"call_jupyterhub_add_serveroptions_to_context"
+		  ] 
+	}
 	]
 }

templates/group_deleted.json.j2

@@ -8,14 +8,15 @@
 	"inputParameters" : ["user", "group"],
 	"tasks" : [
 		{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "init",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
 				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
 				"group" : "${workflow.input.group}",
-				"scriptExpression" : "return $.group.split('%2F').join('/')"
+				"evaluatorType" : "javascript",
+				"expression" : "function f(){return $.group.split('%2F').join('/')} f()"
 			}
 		},
 		{
@@ -75,13 +76,14 @@
 			}
 		},
 		{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "find_group_by_path",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
+				"evaluatorType" : "javascript",
 				"path" : "${init.output.result}",
 				"groups" : "${list_kc_groups.output.body}",
-				"scriptExpression": "function recurse(inp){for(var i=0;i<inp.length;i++){if(inp[i]['path'] === $.path) return inp[i]; else{var subr = recurse(inp[i].subGroups); if(subr != null) return subr;}} return null}; return recurse($.groups)"
+				"expression": "function recurse(inp){for(var i=0;i<inp.length;i++){if(inp[i]['path'] === $.path) return inp[i]; else{var subr = recurse(inp[i].subGroups); if(subr != null) return subr;}} return null}; recurse($.groups)"
 			}
 		},
 		{

templates/invitation-accepted.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["user", "first-name", "last-name", "email", "password"],
 	"tasks" : [
 		{
-		"name": "LAMBDA_TASK",
+		"name": "INLINE_TASK",
 		"taskReferenceName": "init",
-		"type": "LAMBDA",
+		"type": "INLINE",
 		"inputParameters": {
 			"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			"scriptExpression": "1"
+			"evaluatorType" : "javascript",
+			"expression": "1"
 			}
 		},
 		{
@@ -40,7 +41,7 @@
 			"type" : "SIMPLE",
 			"inputParameters" : {
 				"url" : "${init.input.keycloak_admin}/users",
-				"expect" : 201,
+				"expect" : [201, 409],
 				"method" : "POST",
 				"body" : {
 					"username": "${workflow.input.user}",

templates/jupyterhub_add_serveroptions_to_context.json.j2

@@ -0,0 +1,385 @@
+{
+  "createTime": 1657617957794,
+  "updateTime": 1657639881455,
+  "name": "jupyterhub_add_serveroptions_to_context",
+  "description": "Reflects the JupyterHub ServerOptions from a given IS Context to the AuthZ on the IAM",
+  "version": 1,
+  "tasks": [
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "init",
+      "inputParameters": {
+        "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+        "keycloak_admin": "{{ keycloak_admin }}/{{ keycloak_realm }}",
+        "ctx": "${workflow.input.context}",
+        "jupyterhub_clientid" : "jupyterhub1",
+        "evaluatorType" : "javascript",
+        "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.ctx)) throw('Context must not be empty'); else return { encoded_context : $.ctx.replaceAll('/', '%2F')}} f()"
+      },
+      "type": "INLINE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "pyrest",
+      "taskReferenceName": "authorize",
+      "inputParameters": {
+        "url": "{{ keycloak }}/master/protocol/openid-connect/token",
+        "method": "POST",
+        "headers": {
+          "Accept": "application/json"
+        },
+        "body": {
+          "client_id": "orchestrator",
+          "client_secret": "{{ keycloak_auth_master }}",
+          "grant_type": "client_credentials"
+        }
+      },
+      "type": "SIMPLE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "fork_join",
+      "taskReferenceName": "pre-query",
+      "inputParameters": {},
+      "type": "FORK_JOIN",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [
+        [
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_client",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients",
+              "params": {
+                "clientId": "${init.output.result.encoded_context}"
+              },
+              "method": "GET",
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE"
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "get_client_member_role",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients/${lookup_client.output.body[0].id}/roles/Member",
+              "method": "GET",
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE"
+          },
+          {
+            "name": "jq_1",
+            "taskReferenceName": "role_to_array",
+            "type": "JSON_JQ_TRANSFORM",
+            "inputParameters": {
+                "role": "${get_client_member_role.output.body}",
+                "queryExpression" : ".role"
+            }
+          }
+        ],
+        [
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_jupyterhub",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients",
+              "params": {
+                "clientId": "${init.input.jupyterhub_clientid}"
+              },
+              "method": "GET",
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "decisionCases": {},
+            "defaultCase": [],
+            "forkTasks": [],
+            "startDelay": 0,
+            "joinOn": [],
+            "optional": false,
+            "defaultExclusiveJoinTask": [],
+            "asyncComplete": false,
+            "loopOver": []
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_jupyterhub_resources",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients/${lookup_jupyterhub.output.body[0].id}/authz/resource-server/resource",
+              "params": {
+                "clientId": "${init.input.jupyterhub_clientid}"
+              },
+              "method": "GET",
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "decisionCases": {},
+            "defaultCase": [],
+            "forkTasks": [],
+            "startDelay": 0,
+            "joinOn": [],
+            "optional": false,
+            "defaultExclusiveJoinTask": [],
+            "asyncComplete": false,
+            "loopOver": []
+          }
+        ],
+        [
+          {
+            "name": "pyrest",
+            "taskReferenceName": "authorize_with_uma_rpt",
+            "inputParameters": {
+              "url": "{{ keycloak }}/{{ keycloak_realm }}/protocol/openid-connect/token",
+              "method": "POST",
+              "headers": {
+                "Accept": "application/json"
+              },
+              "body": {
+                "audience": "${init.output.result.encoded_context}",
+                "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
+                "client_id": "orchestrator",
+                "client_secret": "{{ keycloak_auth }}"
+              }
+            },
+            "type": "SIMPLE",
+            "decisionCases": {},
+            "defaultCase": [],
+            "forkTasks": [],
+            "startDelay": 0,
+            "joinOn": [],
+            "optional": false,
+            "defaultExclusiveJoinTask": [],
+            "asyncComplete": false,
+            "loopOver": []
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_resources_on_icproxy",
+            "inputParameters": {
+              "url": "{{ ic_proxy }}/icproxy/gcube/service/GenericResource/JupyterHub",
+              "method": "GET",
+              "headers": {
+                "Authorization": "Bearer ${authorize_with_uma_rpt.output.body.access_token}"
+              }
+            },
+            "type": "SIMPLE",
+            "decisionCases": {},
+            "defaultCase": [],
+            "forkTasks": [],
+            "startDelay": 0,
+            "joinOn": [],
+            "optional": false,
+            "defaultExclusiveJoinTask": [],
+            "asyncComplete": false,
+            "loopOver": []
+          },
+          {
+            "name": "pyeval",
+            "taskReferenceName": "extract_authids",
+            "inputParameters": {
+              "code": "exec('import xml.etree.ElementTree as ET') or list(map(lambda n: n.text, ET.fromstring(data['xmlstring']).findall('Resource/Profile/Body/ServerOption/AuthId')))",
+              "xmlstring": "${lookup_resources_on_icproxy.output.body}"
+            },
+            "type": "SIMPLE",
+            "decisionCases": {},
+            "defaultCase": [],
+            "forkTasks": [],
+            "startDelay": 0,
+            "joinOn": [],
+            "optional": false,
+            "defaultExclusiveJoinTask": [],
+            "asyncComplete": false,
+            "loopOver": []
+          }
+        ]
+      ],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "join",
+      "taskReferenceName": "join-pre-query",
+      "inputParameters": {},
+      "type": "JOIN",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [
+        "lookup_jupyterhub_resources",
+        "extract_authids"
+      ],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "check",
+      "inputParameters": {
+        "evaluatorType" : "javascript",
+        "param": "ok",
+        "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; function f(){if(e($.param)) throw('Param must not be empty'); else return $.param} f()"
+      },
+      "type": "INLINE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "filter_and_update",
+      "inputParameters": {
+        "evaluatorType" : "javascript",
+        "allowed": "${extract_authids.output.result}",
+        "res": "${lookup_jupyterhub_resources.output.body}",
+        "ctx": "${init.output.result.encoded_context}",
+        "expression": "var ret = []; function f(){for(var r=0; r < $.res.length; r++){ if($.allowed.indexOf($.res[r].name) !== -1){ $.res[r].attributes[$.ctx] = Java.to(['true'], 'java.lang.String[]'); ret.push($.res[r]) } } return Java.to(ret, 'java.util.Map[]')} f()"
+      },
+      "type": "INLINE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "build_parallel_tasks",
+      "inputParameters": {
+        "evaluatorType" : "javascript",
+        "res": "${filter_and_update.output.result}",
+        "url": "${init.input.keycloak_admin}/clients/${lookup_jupyterhub.output.body[0].id}/authz/resource-server/resource/",
+        "expression": "inputs = {}, tasks = [];function f(){for (var i = 0; i < $.res.length; i++){s = $.res[i];tasks.push({name: 'pyrest',type: 'SIMPLE',taskReferenceName: 't' + i});inputs['t' + i] = {url: $.url + $.res[i]._id,method: 'PUT', body: $.res[i], headers: {Authorization: 'Bearer ${authorize.output.body.access_token}', 'Content-Type': 'application/json'}}};return {tasks: Java.to(tasks, 'java.util.Map[]'),inputs: inputs};} f()"
+      },
+      "type": "INLINE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "fork_dynamic",
+      "taskReferenceName": "parallel_tasks",
+      "inputParameters": {
+        "tasks": "${build_parallel_tasks.output.result.tasks}",
+        "inputs": "${build_parallel_tasks.output.result.inputs}"
+      },
+      "type": "FORK_JOIN_DYNAMIC",
+      "decisionCases": {},
+      "dynamicForkTasksParam": "tasks",
+      "dynamicForkTasksInputParamName": "inputs",
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    },
+    {
+      "name": "join",
+      "taskReferenceName": "join_parallel_tasks",
+      "inputParameters": {},
+      "type": "JOIN"
+    },
+    {
+      "name": "check_at_least_one",
+      "taskReferenceName": "check_at_least_one",
+      "inputParameters": {
+        "tasks": "${join_parallel_tasks.input.*}"
+      },
+      "type": "SWITCH",
+      "evaluatorType" : "javascript",
+      "expression": "($.tasks.length > 0 ? 'true' : 'false')",
+      "decisionCases": {
+        "true": [
+          {
+            "name": "pyrest",
+            "taskReferenceName": "enable_jupyterhub_scope_for_context",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients/${lookup_jupyterhub.output.body[0].id}/scope-mappings/clients/${lookup_client.output.body[0].id}",
+              "method": "POST",
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Content-Type": "application/json"
+              },
+              "body": "${role_to_array.output.resultList}"
+            },
+            "type": "SIMPLE"
+          }
+        ]
+      },
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    }
+  ],
+  "inputParameters": [
+    "context"
+  ],
+  "outputParameters": {},
+  "schemaVersion": 2,
+  "restartable": true,
+  "workflowStatusListenerEnabled": false,
+  "ownerEmail": "example@email.com",
+  "timeoutPolicy": "ALERT_ONLY",
+  "timeoutSeconds": 0,
+  "variables": {},
+  "inputTemplate": {}
+}

templates/keycloak_delete_account.json.j2

@@ -0,0 +1,303 @@
+{
+  "ownerApp": "Orchestrator",
+  "createTime": 1712929588891,
+  "updateTime": 1712930905661,
+  "accessPolicy": {},
+  "name": "keycloak_delete_account",
+  "description": "Handle Admin events from Keycloak",
+  "version": 1,
+  "tasks": [
+    {
+      "name": "INLINE_TASK",
+      "taskReferenceName": "init",
+      "inputParameters": {
+        "root_vo": "{{ root_vo }}",
+        "keycloak": "{{ keycloak }}/${workflow.input.realm}",
+        "keycloak_admin": "{{ keycloak_admin }}/${workflow.input.realm}",
+        "liferay": "{{ liferay }}",
+        "liferay_auth": "{{ liferay_auth }}",
+        "keycloak_username": "${workflow.input.username}",
+        "evaluatorType": "javascript",
+        "expression": "function f(){ return { 'decoded_root_vo' : $.root_vo.replace('%2F','/'), 'encoded_root_vo' : encodeURIComponent($.root_vo)}} f()"
+      },
+      "type": "INLINE",
+      "startDelay": 0,
+      "optional": false,
+      "asyncComplete": false,
+      "permissive": false
+    },
+    {
+      "name": "pyrest",
+      "taskReferenceName": "authorize",
+      "inputParameters": {
+        "url": "${init.input.keycloak}/protocol/openid-connect/token",
+        "method": "POST",
+        "headers": {
+          "Accept": "application/json"
+        },
+        "body": {
+          "client_id": "orchestrator",
+          "client_secret" : "{{ keycloak_auth }}",
+          "grant_type": "client_credentials"
+        }
+      },
+      "type": "SIMPLE",
+      "startDelay": 0,
+      "optional": false,
+      "asyncComplete": false,
+      "permissive": false
+    },
+    {
+      "name": "fork_join",
+      "taskReferenceName": "global_delete_user",
+      "inputParameters": {},
+      "type": "FORK_JOIN",
+      "forkTasks": [
+        [
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_lr_company",
+            "inputParameters": {
+              "url": "${init.input.liferay}/company/get-company-by-web-id",
+              "method": "GET",
+              "params": {
+                "webId": "liferay.com"
+              },
+              "headers": {
+                "Authorization": "Basic ${init.input.liferay_auth}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_lr_user_by_screenname",
+            "inputParameters": {
+              "url": "${init.input.liferay}/user/get-user-by-screen-name",
+              "method": "GET",
+              "params": {
+                "companyId": "${lookup_lr_company.output.body.companyId}",
+                "screenName": "${init.input.keycloak_username}"
+              },
+              "headers": {
+                "Authorization": "Basic ${init.input.liferay_auth}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "lookup_lr_user_groups",
+            "inputParameters": {
+              "url": "${init.input.liferay}/group/get-user-sites-groups",
+              "method": "GET",
+              "params": {
+                "classNames": "[\"com.liferay.portal.model.Group\"]",
+                "userId": "${lookup_lr_user_by_screenname.output.body.userId}",
+                "max": "-1"
+              },
+              "headers": {
+                "Authorization": "Basic ${init.input.liferay_auth}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "INLINE_TASK",
+            "taskReferenceName": "build_delete_group_tasks",
+            "inputParameters": {
+              "evaluatorType": "javascript",
+              "groups": "${lookup_lr_user_groups.output.body.*.groupId}",
+              "userId": "${lookup_lr_user_by_screenname.output.body.userId}",
+              "expression": "inputs = {}; tasks = []; function f(){ for(var i=0;i<$.groups.length;i++){tasks.push({'name': 'pyrest','type' : 'SIMPLE','taskReferenceName' : 'del-' + i});inputs['del-'+i] = {'url' : '${init.input.liferay}/user/unset-group-users?userIds=' + $.userId + '&groupId=' + $.groups[i],'method' : 'POST','headers' : {'Authorization' : 'Basic ' + '${init.input.liferay_auth}', 'Accept' : 'application/json'}}}; return { 'tasks' : Java.to(tasks, 'java.util.Map[]'), 'inputs' : inputs}} f()"
+            },
+            "type": "INLINE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "fork_dynamic",
+            "taskReferenceName": "parallel_delete_group",
+            "inputParameters": {
+              "tasks": "${build_delete_group_tasks.output.result.tasks}",
+              "inputs": "${build_delete_group_tasks.output.result.inputs}"
+            },
+            "type": "FORK_JOIN_DYNAMIC",
+            "dynamicForkTasksParam": "tasks",
+            "dynamicForkTasksInputParamName": "inputs",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "join",
+            "taskReferenceName": "join_parallel_group_deletion",
+            "inputParameters": {},
+            "type": "JOIN",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "delete_lr_user",
+            "inputParameters": {
+              "url": "${init.input.liferay}/user/delete-user",
+              "method": "POST",
+              "params": {
+                "userId": "${lookup_lr_user_by_screenname.output.body.userId}"
+              },
+              "headers": {
+                "Authorization": "Basic ${init.input.liferay_auth}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "INLINE_TASK",
+            "taskReferenceName": "lr_final_task",
+            "inputParameters": {
+              "evaluatorType": "javascript",
+              "expression": "1 == 1"
+            },
+            "type": "INLINE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          }
+        ],
+        [
+          {
+            "name": "pyrest",
+            "taskReferenceName": "get_rootvo",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients?clientId=${init.output.result.encoded_root_vo}",
+              "method": "GET",
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "get_rootvo_roles",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles",
+              "method": "GET",
+              "expect": [
+                200,
+                404
+              ],
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          },
+          {
+            "name": "pyrest",
+            "taskReferenceName": "get_rootvo_infra_managers",
+            "inputParameters": {
+              "url": "${init.input.keycloak_admin}/clients/${get_rootvo.output.body[0].id}/roles/Infrastructure-Manager/users",
+              "method": "GET",
+              "expect": [
+                200,
+                404
+              ],
+              "headers": {
+                "Authorization": "Bearer ${authorize.output.body.access_token}",
+                "Accept": "application/json"
+              }
+            },
+            "type": "SIMPLE",
+            "startDelay": 0,
+            "optional": false,
+            "asyncComplete": false,
+            "permissive": false
+          }
+        ]
+      ],
+      "startDelay": 0,
+      "optional": false,
+      "asyncComplete": false,
+      "permissive": false
+    },
+    {
+      "name": "join",
+      "taskReferenceName": "global_delete_user_join",
+      "inputParameters": {},
+      "type": "JOIN",
+      "startDelay": 0,
+      "joinOn": [
+        "lr_final_task",
+        "get_rootvo_infra_managers"
+      ],
+      "optional": false,
+      "asyncComplete": false,
+      "permissive": false
+    },
+    {
+      "name": "pymail",
+      "taskReferenceName": "notify_infra_managers",
+      "inputParameters": {
+        "subject": "User account REMOVAL notification",
+        "from": "noreply@d4science.org",
+        "to": "${get_rootvo_infra_managers.output.body.*.email}",
+        "html": "<html><body><p>Dear ${init.output.result.decoded_root_vo} Infrastructure Manager,</p><p>'${lookup_lr_user_by_screenname.output.body.firstName} ${lookup_lr_user_by_screenname.output.body.lastName} (${lookup_lr_user_by_screenname.output.body.screenName})' removed his/her account from the IAM</p><p>You received this email because you are an Infrastructure Manager.</p><p>WARNING / LEGAL TEXT: This message is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential, proprietary, or exempt from disclosure under applicable law. If you are not the intended recipient or the person responsible for delivering the message to the intended recipient, you are strictly prohibited from disclosing, distributing, copying, or in any way using this message. If you have received this communication in error, please notify the sender and destroy and delete any copies you may have received.</p></body></html>"
+      },
+      "type": "SIMPLE",
+      "startDelay": 0,
+      "optional": false,
+      "asyncComplete": false,
+      "permissive": false
+    }
+  ],
+  "inputParameters": [
+    "userid"
+  ],
+  "outputParameters": {},
+  "schemaVersion": 2,
+  "restartable": true,
+  "workflowStatusListenerEnabled": false,
+  "ownerEmail": "mauro.mugnaini@nubisware.com",
+  "timeoutPolicy": "ALERT_ONLY",
+  "timeoutSeconds": 0,
+  "variables": {},
+  "inputTemplate": {}
+}

templates/record_context_to_is.json.j2

@@ -0,0 +1,179 @@
+{
+  "createTime": 1689254203836,
+  "updateTime": 1689259676819,
+  "name": "record_context_to_is",
+  "description": "Upon creation of a new context, record it to the Information System",
+  "version": 1,
+  "tasks": [
+    {
+      "name": "INLINE_TASK",
+      "type" : "INLINE",
+      "taskReferenceName": "init",
+      "inputParameters": {
+        "base_url": "{{is_url}}/resource-registry/contexts",
+        "root_vo": "{{ root_vo }}",
+        "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
+	      "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+	      "ctx": "${workflow.input.context}",
+        "ic_proxy" : "{{ ic_proxy }}",
+        "evaluatorType" : "javascript",
+        "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))} function f(){if(e($.ctx)) throw('Context must not be empty'); var tree = $.ctx.split('%2F'); return { child : tree[tree.length - 1], parent : tree[tree.length-2], decoded_root_vo : $.root_vo.replace('%2F', '/') }} f()"
+      }
+    },
+    {
+      "name" : "parallel_ic_proxy_queries",
+      "taskReferenceName" : "parallel_ic_proxy_queries",
+      "type" : "FORK_JOIN",
+      "forkTasks" : [
+        [
+          {
+            "name" : "pyrest",
+            "taskReferenceName" : "authorize_uma_rootvo",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+                "url" : "${init.input.keycloak}/protocol/openid-connect/token",
+                "method" : "POST",
+                "headers" : {
+                    "Accept" : "application/json"
+                },
+                "body" : {
+                    "audience" : "${init.input.root_vo}",
+                    "grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket",
+                    "client_id" : "orchestrator", 
+                    "client_secret" : "{{ keycloak_auth }}"
+                }
+            }
+          },
+          {
+            "name" : "pyrest",
+            "taskReferenceName" : "retrieve_infrastructure",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+              "url" : "{{ ic_proxy }}/icproxy/gcube/service/GenericResource/INFRASTRUCTURE",
+              "method" : "GET",
+              "headers" : {
+                "Accept" : "application/xml",
+                "Authorization" : "Bearer ${authorize_uma_rootvo.output.body.access_token}"
+              }
+            }
+          },
+          {
+            "name" : "pyeval",
+            "taskReferenceName" : "extract_infrastructure_id",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+              "code" : "exec('import xml.etree.ElementTree as ET') or list(map(lambda n: n.text, ET.fromstring(data['xmlstring']).findall('Resource/Profile/Body/infrastructures/infrastructure/vos/vo[scope=\\'${init.output.result.decoded_root_vo}/${init.output.result.parent}\\'].id')))",
+              "xmlstring" : "${retrieve_infrastructure.output.body}"
+            }
+          }
+        ],
+        [
+          {
+            "name" : "pyrest",
+            "taskReferenceName" : "authorize_uma_parent_vo",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+                "url" : "${init.input.keycloak}/protocol/openid-connect/token",
+                "method" : "POST",
+                "headers" : {
+                    "Accept" : "application/json"
+                },
+                "body" : {
+                    "audience" : "${init.input.root_vo}%2F${init.output.result.parent}",
+                    "grant_type" : "urn:ietf:params:oauth:grant-type:uma-ticket",
+                    "client_id" : "orchestrator", 
+                    "client_secret" : "{{ keycloak_auth }}"
+                }
+            }
+          },
+          {
+            "name" : "pyrest",
+            "taskReferenceName" : "retrieve_vre",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+              "url" : "{{ ic_proxy }}/icproxy/gcube/service/GenericResource/VRE/${init.output.result.child}",
+              "method" : "GET",
+              "headers" : {
+                "Accept" : "application/xml",
+                "Authorization" : "Bearer ${authorize_uma_parent_vo.output.body.access_token}"
+              }
+            }
+          },
+          {
+            "name" : "pyeval",
+            "taskReferenceName" : "extract_vre_id",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+              "code" : "exec('import xml.etree.ElementTree as ET') or list(map(lambda n: n.text, ET.fromstring(data['xmlstring']).findall('Resource/ID')))",
+              "xmlstring" : "${retrieve_vre.output.body}"
+            }
+          }
+        ]
+      ]
+    },
+    {
+      "name": "notification_join",
+      "taskReferenceName": "notification_join_ref",
+      "type": "JOIN",
+      "joinOn": ["extract_infrastructure_id", "extract_vre_id"]
+    },
+    {
+      "type" : "INLINE",
+      "name": "INLINE_TASK",
+      "taskReferenceName": "check",
+      "inputParameters": {
+        "vre": "${extract_vre_id.output.result[0]}",
+        "infra": "${extract_infrastructure_id.output.result[0]}",
+        "evaluatorType" : "javascript",
+        "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))} function f(){if(e($.vre) || e($.infra)) throw('VRE ID and Infra ID must not be empty');} f()"
+      }
+    },
+    {
+      "name": "pyrest",
+      "taskReferenceName": "write_to_is",
+      "inputParameters": {
+        "url": "${init.input.base_url}/${extract_vre_id.output.result[0]}",
+        "method": "PUT",
+        "headers": {
+          "Authorization": "Bearer ${authorize_uma_rootvo.output.body.access_token}",
+          "Content-Type": "application/json",
+          "Accept" : "application/json"
+        },
+        "body": {
+          "type": "Context",
+          "id": "${extract_vre_id.output.result[0]}",
+          "name": "${init.output.result.child}",
+          "parent": {
+            "type": "IsParentOf",
+            "source": {
+              "type": "Context",
+              "id": "${extract_infrastructure_id.output.result[0]}"
+            }
+          }
+        }
+      },
+      "type": "SIMPLE",
+      "decisionCases": {},
+      "defaultCase": [],
+      "forkTasks": [],
+      "startDelay": 0,
+      "joinOn": [],
+      "optional": false,
+      "defaultExclusiveJoinTask": [],
+      "asyncComplete": false,
+      "loopOver": []
+    }
+  ],
+  "inputParameters": [
+    "context"
+  ],
+  "outputParameters": {},
+  "schemaVersion": 2,
+  "restartable": true,
+  "workflowStatusListenerEnabled": false,
+  "ownerEmail": "example@email.com",
+  "timeoutPolicy": "ALERT_ONLY",
+  "timeoutSeconds": 0,
+  "variables": {},
+  "inputTemplate": {}
+}

templates/role_created.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["role", "first", "max"],
 	"tasks" : [
     {
-		  "name": "LAMBDA_TASK",
+		  "name": "INLINE_TASK",
 		  "taskReferenceName": "init",
-		  "type": "LAMBDA",
+		  "type": "INLINE",
 		  "inputParameters": {
 			  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			  "scriptExpression": "1 == 1"
+			  "evaluatorType" : "javascript",
+        "expression": "1 == 1"
 		  }
 		},
 		{
@@ -39,7 +40,7 @@
       "taskReferenceName" : "get_all_vres",
       "type" : "SIMPLE",
       "inputParameters" : {
-          "url" : "${init.input.keycloak_admin}/clients?clientId=%252F&search=true&first=${workflow.input.first}&max=${workflow.input.max}",
+          "url" : "${init.input.keycloak_admin}/clients?clientId=%252F&search=true",
           "method" : "GET",
           "headers" : {
               "Authorization" : "Bearer ${authorize.output.body.access_token}",
@@ -47,32 +48,6 @@
           }
       }
     },
-    {
-      "name": "LAMBDA_TASK",
-      "taskReferenceName": "build_delete_role_tasks",
-      "type": "LAMBDA",
-      "inputParameters": {
-        "role" : "${workflow.input.role}",
-        "vres" : "${get_all_vres.output.body}",
-        "scriptExpression": "inputs={};tasks=[];for(var i=0;i<$.vres.length;i++)vre=$.vres[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'delete_role_'+i}),inputs['delete_role_'+i]={url:'${init.input.keycloak_admin}/clients/' + vre.id + '/roles/' + $.role,method:'DELETE', expect:Java.to([204,404],'int[]'),headers:{Authorization:'Bearer ${authorize.output.body.access_token}'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
-      }
-    },
-    {
-      "name" : "fork_dynamic",
-      "type" : "FORK_JOIN_DYNAMIC",
-      "taskReferenceName" : "parallel_delete_role",
-      "inputParameters" : {
-          "tasks" : "${build_delete_role_tasks.output.result.tasks}",
-          "inputs" : "${build_delete_role_tasks.output.result.inputs}"
-      },
-      "dynamicForkTasksParam": "tasks",
-      "dynamicForkTasksInputParamName": "inputs"
-    },
-    {
-        "name" : "join",
-        "type" : "JOIN",
-        "taskReferenceName" : "join_parallel_role_deletion"
-    },
     {
 			"name" : "pyrest",
 			"taskReferenceName" : "authorize2",
@@ -91,13 +66,14 @@
 			}
 		},
     {
-      "name": "LAMBDA_TASK",
+      "name": "INLINE_TASK",
       "taskReferenceName": "build_add_role_tasks",
-      "type": "LAMBDA",
+      "type": "INLINE",
       "inputParameters": {
         "role" : "${workflow.input.role}",
         "vres" : "${get_all_vres.output.body}",
-        "scriptExpression": "inputs={};tasks=[];for(var i=0;i<$.vres.length;i++)vre=$.vres[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_'+i}),inputs['create_role_'+i]={url:'${init.input.keycloak_admin}/clients/' + vre.id + '/roles',body:{clientRole:true,name:$.role,description: $.role + ' role'},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}','Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+        "evaluatorType" : "javascript",
+        "expression": "inputs={};tasks=[];function f(){for(var i=0;i<$.vres.length;i++)vre=$.vres[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'create_role_'+i}),inputs['create_role_'+i]={url:'${init.input.keycloak_admin}/clients/' + vre.id + '/roles',body:{clientRole:true,name:$.role,description: $.role + ' role'},method:'POST',headers:{Authorization:'Bearer ${authorize2.output.body.access_token}','Content-Type':'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs}} f();"
       }
     },
     {
@@ -134,12 +110,13 @@
 			}
 		},
     {
-      "name": "LAMBDA_TASK",
+      "name": "INLINE_TASK",
       "taskReferenceName": "build_get_back_role_tasks",
-      "type": "LAMBDA",
+      "type": "INLINE",
       "inputParameters": {
+        "evaluatorType" : "javascript",
         "roleurls" : "${join_parallel_role_addition.output[*]..location}",
-        "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+i}),inputs['get_back_'+i]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+        "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.roleurls.length;i++)u=$.roleurls[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'get_back_'+i}),inputs['get_back_'+i]={url:u,method:'GET',headers:{Authorization:'Bearer ${authorize3.output.body.access_token}',Accept:'application/json'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs}} f();"
       }
     },
     {
@@ -159,13 +136,22 @@
       "taskReferenceName" : "join_parallel_getting_back"
     },
     {
-      "name": "LAMBDA_TASK",
+      "name": "INLINE_TASK",
       "taskReferenceName": "build_policy_permission_tasks",
-      "type": "LAMBDA",
       "inputParameters": {
-        "roles" : "${join_parallel_getting_back.output[*].body}",
-        "scriptExpression": "inputs={},tasks=[];for(var i=0;i<$.roles.length;i++)r=$.roles[i],tasks.push({name:'sub_workflow_task',type:'SUB_WORKFLOW',taskReferenceName:'call_policy_workflow_'+i, subWorkflowParam:{ name:'add_role_policy_permission'}}),inputs['call_policy_workflow_'+i]={role:r};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
-      }
+        "evaluatorType": "javascript",
+        "roles": "${join_parallel_getting_back.output[*].body}",
+        "iam_master": "{{ keycloak }}/master/protocol/openid-connect/token",
+        "iam_admin": "${init.input.keycloak_admin}",
+        "user": "orchestrator",
+        "pass": "{{ keycloak_auth_master }}",
+        "playbook": "LSBuYW1lOiB0ZXN0CiAgaG9zdHM6IGxvY2FsaG9zdAogIHRhc2tzOgogICAgLSBuYW1lOiAiQXV0aG9yaXplIgogICAgICB1cmk6IAogICAgICAgIHVybDogInt7aWFtX21hc3Rlcn19IgogICAgICAgIHVzZXI6ICJ7e3VzZXJ9fSIKICAgICAgICBwYXNzd29yZCA6ICJ7e3Bhc3N3fX0iCiAgICAgICAgZm9yY2VfYmFzaWNfYXV0aDogdHJ1ZQogICAgICAgIG1ldGhvZDogUE9TVAogICAgICAgIGJvZHlfZm9ybWF0OiAiZm9ybS11cmxlbmNvZGVkIiAKICAgICAgICBib2R5OgogICAgICAgICAgLSBbZ3JhbnRfdHlwZSxjbGllbnRfY3JlZGVudGlhbHNdCiAgICAgIHJlZ2lzdGVyOiBhdXRoX3Jlc3AKICAgIAogICAgLSBzZXRfZmFjdDoKICAgICAgICB0b2sgOiAie3sgYXV0aF9yZXNwLmpzb24uYWNjZXNzX3Rva2VuIH19IgoKICAgIC0gbmFtZTogIlJldHJpZXZlIGRlZmF1bHQgcGVybWlzc2lvbiIKICAgICAgdXJpOgogICAgICAgIHVybDogInt7IGlhbV9hZG1pbiB9fS9jbGllbnRzL3t7IHJvbGUuY29udGFpbmVySWQgfX0vYXV0aHovcmVzb3VyY2Utc2VydmVyL3Blcm1pc3Npb24/bmFtZT17eydEZWZhdWx0IFBlcm1pc3Npb24nfHVybGVuY29kZX19IgogICAgICAgIG1ldGhvZDogIkdFVCIKICAgICAgICBoZWFkZXJzOgogICAgICAgICAgQXV0aG9yaXphdGlvbjogIkJlYXJlciB7eyB0b2sgfX0iCiAgICAgIHJlZ2lzdGVyOiBkZWZhdWx0X3Blcm1pc3Npb25fcmVzcAoKICAgIC0gc2V0X2ZhY3Q6CiAgICAgICAgZGVmYXVsdF9wZXJtIDogInt7IGRlZmF1bHRfcGVybWlzc2lvbl9yZXNwLmpzb24gfX0iCiAgICAgIGZhaWxlZF93aGVuOgogICAgICAgIGRlZmF1bHRfcGVybWlzc2lvbl9yZXNwLmpzb258bGVuZ3RoICE9IDEKCiAgICAtIG5hbWU6ICJSZXRyaWV2ZSBkZWZhdWx0IHBlcm1pc3Npb24gcG9saWNpZXMiCiAgICAgIHVyaToKICAgICAgICB1cmw6ICJ7eyBpYW1fYWRtaW4gfX0vY2xpZW50cy97eyByb2xlLmNvbnRhaW5lcklkIH19L2F1dGh6L3Jlc291cmNlLXNlcnZlci9wZXJtaXNzaW9uL3t7ZGVmYXVsdF9wZXJtWzBdLmlkfX0vYXNzb2NpYXRlZFBvbGljaWVzIgogICAgICAgIG1ldGhvZDogIkdFVCIKICAgICAgICBoZWFkZXJzOgogICAgICAgICAgQXV0aG9yaXphdGlvbjogIkJlYXJlciB7eyB0b2sgfX0iCiAgICAgIHJlZ2lzdGVyOiBkZWZhdWx0X3Blcm1pc3Npb25fcG9saWNpZXNfcmVzcAoKICAgIC0gc2V0X2ZhY3Q6CiAgICAgICAgcHJldl9wb2xpY2llcyA6ICJ7eyBkZWZhdWx0X3Blcm1pc3Npb25fcG9saWNpZXNfcmVzcC5qc29uIH19IgogICAgICBmYWlsZWRfd2hlbjoKICAgICAgICBkZWZhdWx0X3Blcm1pc3Npb25fcG9saWNpZXNfcmVzcC5qc29ufGxlbmd0aCA9PSAwCgogICAgLSBuYW1lOiAiQWRkIHBvbGljeSIKICAgICAgdXJpOgogICAgICAgIHVybDogInt7IGlhbV9hZG1pbiB9fS9jbGllbnRzL3t7IHJvbGUuY29udGFpbmVySWQgfX0vYXV0aHovcmVzb3VyY2Utc2VydmVyL3BvbGljeS9yb2xlIgogICAgICAgIG1ldGhvZDogIlBPU1QiCiAgICAgICAgYm9keV9mb3JtYXQ6ICJqc29uIgogICAgICAgIGJvZHk6ICJ7IFwibmFtZVwiIDogXCJ7eyByb2xlLm5hbWV9fV9wb2xpY3lcIiwgXCJkZXNjcmlwdGlvblwiIDogXCJQb2xpY3kgZm9yIGhhdmluZyB7e3JvbGUubmFtZX19IHJvbGVcIiwgXCJ0eXBlXCIgOiBcInJvbGVcIiwgXCJsb2dpY1wiIDogXCJQT1NJVElWRVwiLCBcImRlY2lzaW9uU3RyYXRlZ3lcIiA6IFwiVU5BTklNT1VTXCIsIFwicm9sZXNcIiA6IFt7IFwiaWRcIiA6IFwie3tyb2xlLmlkfX1cIiwgXCJyZXF1aXJlZFwiIDogdHJ1ZX1dfSIKICAgICAgICBoZWFkZXJzOgogICAgICAgICAgQXV0aG9yaXphdGlvbjogIkJlYXJlciB7eyB0b2sgfX0iCiAgICAgICAgc3RhdHVzX2NvZGU6IDIwMQogICAgICByZWdpc3RlcjogYWRkX3BvbGljeV9yZXNwCgogICAgLSBzZXRfZmFjdDoKICAgICAgICBuZXdfcG9saWN5IDogInt7YWRkX3BvbGljeV9yZXNwLmpzb259fSIKCiAgICAtIHNldF9mYWN0OgogICAgICAgIGZpbmFsX3BvbGljaWVzOiAie3sgKHByZXZfcG9saWNpZXMgKyBbbmV3X3BvbGljeV0pIHwgbWFwKGF0dHJpYnV0ZT0naWQnKSB9fSIKCiAgICAtIG5hbWU6ICJGaW5hbGl6ZSBwZXJtaXNzaW9uIgogICAgICB1cmk6CiAgICAgICAgdXJsOiAie3sgaWFtX2FkbWluIH19L2NsaWVudHMve3sgcm9sZS5jb250YWluZXJJZCB9fS9hdXRoei9yZXNvdXJjZS1zZXJ2ZXIvcGVybWlzc2lvbi97e2RlZmF1bHRfcGVybVswXS5pZH19IgogICAgICAgIG1ldGhvZDogIlBVVCIKICAgICAgICBib2R5X2Zvcm1hdDogImpzb24iCiAgICAgICAgYm9keTogInsgXCJuYW1lXCIgOiBcIkRlZmF1bHQgUGVybWlzc2lvblwiLCBcImRlc2NyaXB0aW9uXCIgOiBcIlwiLCBcInR5cGVcIiA6IFwicmVzb3VyY2VcIiwgXCJsb2dpY1wiIDogXCJQT1NJVElWRVwiLCBcImRlY2lzaW9uU3RyYXRlZ3lcIiA6IFwiQUZGSVJNQVRJVkVcIiwgXCJwb2xpY2llc1wiIDoge3tmaW5hbF9wb2xpY2llc319IH0iCiAgICAgICAgaGVhZGVyczoKICAgICAgICAgIEF1dGhvcml6YXRpb246ICJCZWFyZXIge3sgdG9rIH19IgogICAgICAgIHN0YXR1c19jb2RlOiAyMDEKICAgICAgcmVnaXN0ZXI6IGFkZF9wb2xpY3lfcmVzcAoKICAgIAoKCg==",
+        "expression": "inputs={},tasks=[];function f(){for(var i=0;i<$.roles.length;i++)r=$.roles[i],tasks.push({name:'pyansible',type:'SIMPLE',taskReferenceName:'call_policy_workflow_'+i}),inputs['call_policy_workflow_'+i]={playbook:$.playbook, extra_vars : {role:r, iam_master:$.iam_master,iam_admin:$.iam_admin,user:$.user,passw:$.pass}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs}} f();"
+      },
+      "type": "INLINE",
+      "startDelay": 0,
+      "optional": false,
+      "asyncComplete": false
     },
     {
       "name" : "fork_dynamic",

templates/role_deleted.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["role"],
 	"tasks" : [
     {
-		  "name": "LAMBDA_TASK",
+		  "name": "INLINE_TASK",
 		  "taskReferenceName": "init",
-		  "type": "LAMBDA",
+		  "type": "INLINE",
 		  "inputParameters": {
 			  "keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			  "keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			  "scriptExpression": "1 == 1"
+			  "evaluatorType" : "javascript",
+        "expression": "1 == 1"
 		  }
 		},
 		{
@@ -48,13 +49,14 @@
       }
     },
     {
-      "name": "LAMBDA_TASK",
+      "name": "INLINE_TASK",
       "taskReferenceName": "build_delete_role_tasks",
-      "type": "LAMBDA",
+      "type": "INLINE",
       "inputParameters": {
         "role" : "${workflow.input.role}",
         "vres" : "${get_all_vres.output.body}",
-        "scriptExpression": "inputs={};tasks=[];for(var i=0;i<$.vres.length;i++)vre=$.vres[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'delete_role_'+i}),inputs['delete_role_'+i]={url:'${init.input.keycloak_admin}/clients/' + vre.id + '/roles/' + $.role,method:'DELETE', expect:Java.to([204,404],'int[]'),headers:{Authorization:'Bearer ${authorize.output.body.access_token}'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs};"
+        "evaluatorType" : "javascript",
+        "expression": "inputs={};tasks=[];function f(){for(var i=0;i<$.vres.length;i++)vre=$.vres[i],tasks.push({name:'pyrest',type:'SIMPLE',taskReferenceName:'delete_role_'+i}),inputs['delete_role_'+i]={url:'${init.input.keycloak_admin}/clients/' + vre.id + '/roles/' + $.role,method:'DELETE', expect:Java.to([204,404],'int[]'),headers:{Authorization:'Bearer ${authorize.output.body.access_token}'}};return {tasks:Java.to(tasks,'java.util.Map[]'),inputs:inputs}} f();"
       }
     },
     {

templates/user-group-role_created.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["role", "user", "group"],
 	"tasks" : [
 		{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "init",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
 				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-				"scriptExpression": "1"
+				"expression": "1",
+				"evaluatorType" : "javascript"
 			}
 		},
 		{
@@ -48,36 +49,38 @@
 			}
 		},
 		{
-                     "name": "LAMBDA_TASK",
-                     "taskReferenceName": "select_user",
-                     "inputParameters": {
-                        "foundusers" : "${lookup_user.output.body}",
-			"username" : "${workflow.input.user}",
- 		     	"scriptExpression": "for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return Java.to([$.foundusers[i]], 'java.lang.Object[]')}"
-                     },
-                     "type": "LAMBDA"
-                },
+			"name": "INLINE_TASK",
+			"taskReferenceName": "select_user",
+			"inputParameters": {
+				"foundusers" : "${lookup_user.output.body}",
+				"username" : "${workflow.input.user}",
+				"expression": "function f(){for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return $.foundusers[i]}} f()",
+				"evaluatorType" : "javascript"
+			},
+			"type": "INLINE"
+			},
 		{
-                        "name": "check_user_existance",
-                        "taskReferenceName": "check_user_existance",
-                        "inputParameters": {
-                                "user": "${select_user.output.result[0]}"
-                        },
-                        "type": "DECISION",
-                        "caseExpression": "($.user == null ? 'true' : 'false')",
-                        "decisionCases": {
-                                "true": [
-                                        {
-                                                "name" : "terminate",
-                                                "taskReferenceName" : "terminate_when_no_user",
-                                                "type" : "TERMINATE",
-                                                "inputParameters" : {
-                                                        "terminationStatus" : "COMPLETED"
-                                                }
-                                        }
-                                ]
-                        }
-                },
+			"name": "check_user_existance",
+			"taskReferenceName": "check_user_existance",
+			"inputParameters": {
+				"user": "${select_user.output.result}"
+			},
+			"type": "SWITCH",
+			"evaluatorType": "javascript",
+			"expression": "$.user == null ? 'true' : 'false'",
+			"decisionCases": {
+				"true": [
+					{
+						"name" : "terminate",
+						"taskReferenceName" : "terminate_when_no_user",
+						"type" : "TERMINATE",
+						"inputParameters" : {
+							"terminationStatus" : "COMPLETED"
+						}
+					}
+				]
+			}
+		},
 		{
 			"name" : "pyrest",
 			"taskReferenceName" : "lookup_client",
@@ -112,18 +115,20 @@
 			"inputParameters": {
 				"prev_status": "${get_client_roles.output.status}"
 			},
-			"type": "DECISION",
-			"caseValueParam": "prev_status",
+			"type": "SWITCH",
+			"evaluatorType": "value-param",
+			"expression": "prev_status",
 			"decisionCases": {
 				"200": [
 					{
-					"name": "LAMBDA_TASK",
+					"name": "INLINE_TASK",
 					"taskReferenceName": "select_role",
-					"type": "LAMBDA",
+					"type": "INLINE",
 					"inputParameters": {
 						"role": "${workflow.input.role}",
 						"roles" : "${get_client_roles.output.body}",
-						"scriptExpression": "for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == $.role) return Java.to([$.roles[i]], 'java.lang.Object[]')}"
+						"expression": "function f(){for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == $.role) return Java.to([$.roles[i]], 'java.lang.Object[]')}} f()",
+						"evaluatorType" : "javascript"
 						}
 					},
 					{
@@ -131,7 +136,7 @@
 						"taskReferenceName" : "assign_role_to_user",
 						"type" : "SIMPLE",
 						"inputParameters" : {
-							"url" : "${init.input.keycloak_admin}/users/${select_user.output.result[0].id}/role-mappings/clients/${lookup_client.output.body[0].id}",
+							"url" : "${init.input.keycloak_admin}/users/${select_user.output.result.id}/role-mappings/clients/${lookup_client.output.body[0].id}",
 							"expect" : [204, 404],
 							"method" : "POST",
 							"body" : "${select_role.output.result}",

templates/user-group-role_deleted.json.j2

@@ -8,13 +8,14 @@
 	"inputParameters" : ["role", "user", "group"],
 	"tasks" : [
 		{
-			"name": "LAMBDA_TASK",
+			"name": "INLINE_TASK",
 			"taskReferenceName": "init",
-			"type": "LAMBDA",
+			"type": "INLINE",
 			"inputParameters": {
 				"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 				"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-				"scriptExpression": "1"
+				"expression": "1",
+				"evaluatorType" : "javascript"
 			}
 		},
 		{
@@ -48,36 +49,38 @@
 			}
 		},
 		{
-      			"name": "LAMBDA_TASK",
+      			"name": "INLINE_TASK",
       			"taskReferenceName": "select_user",
       			"inputParameters": {
         			"foundusers": "${lookup_user.output.body}",
         			"username": "${workflow.input.user}",
-        			"scriptExpression": "for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return Java.to([$.foundusers[i]], 'java.lang.Object[]')}"
+					"evaluatorType" : "javascript",
+        			"expression": "function f(){for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return $.foundusers[i]}} f()"
       			},
-      			"type": "LAMBDA"
+      			"type": "INLINE"
     		},
 		{
-                        "name": "check_user_existance",
-                        "taskReferenceName": "check_user_existance",
-                        "inputParameters": {
-                                "user": "${select_user.output.result[0]}"
-                        },
-                        "type": "DECISION",
-                        "caseExpression": "($.user == null ? 'true' : 'false')",
-                        "decisionCases": {
-                                "true": [
-                                        {
-                                                "name" : "terminate",
-                                                "taskReferenceName" : "terminate_when_no_user",
-                                                "type" : "TERMINATE",
-                                                "inputParameters" : {
-                                                        "terminationStatus" : "COMPLETED"
-                                                }
-                                        }
-                                ]
-                        }
-                },
+				"name": "check_user_existance",
+				"taskReferenceName": "check_user_existance",
+				"inputParameters": {
+					"user": "${select_user.output.result}"
+				},
+				"type": "SWITCH",
+				"evaluatorType" : "javascript",
+				"expression": "($.user == null ? 'true' : 'false')",
+				"decisionCases": {
+						"true": [
+								{
+										"name" : "terminate",
+										"taskReferenceName" : "terminate_when_no_user",
+										"type" : "TERMINATE",
+										"inputParameters" : {
+												"terminationStatus" : "COMPLETED"
+										}
+								}
+						]
+				}
+		},
 		{
 			"name" : "pyrest",
 			"taskReferenceName" : "lookup_client",
@@ -106,13 +109,14 @@
 			}
 		},
 		{
-		"name": "LAMBDA_TASK",
+		"name": "INLINE_TASK",
 		"taskReferenceName": "select_role",
-		"type": "LAMBDA",
+		"type": "INLINE",
 		"inputParameters": {
 			"role": "${workflow.input.role}",
 			"roles" : "${get_client_roles.output.body}",
-			"scriptExpression": "for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == $.role) return Java.to([$.roles[i]], 'java.lang.Object[]')}"
+			"evaluatorType" : "javascript",
+			"expression": "function f(){for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == $.role) return Java.to([$.roles[i]], 'java.lang.Object[]')}} f()"
 			}
 		},
 		{
@@ -120,7 +124,7 @@
 			"taskReferenceName" : "remove_role_from_user",
 			"type" : "SIMPLE",
 			"inputParameters" : {
-				"url" : "${init.input.keycloak_admin}/users/${select_user.output.result[0].id}/role-mappings/clients/${lookup_client.output.body[0].id}",
+				"url" : "${init.input.keycloak_admin}/users/${select_user.output.result.id}/role-mappings/clients/${lookup_client.output.body[0].id}",
 				"expect" : 204,
 				"method" : "DELETE",
 				"body" : "${select_role.output.result}",

templates/user-group_created.json.j2

@@ -8,14 +8,16 @@
 	"inputParameters" : ["user", "group"],
 	"tasks" : [
 		{
-		"name": "LAMBDA_TASK",
+		"name": "INLINE_TASK",
 		"taskReferenceName": "init",
-		"type": "LAMBDA",
+		"type": "INLINE",
 		"inputParameters": {
 			"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
+			"user" : "${workflow.input.user}", 
 			"group" : "${workflow.input.group}", 
-            "scriptExpression": "var path = $.group.split('%2F').slice(1); return { 'tree' : Java.to(path, 'java.lang.Object[]'), 'name' : path.slice(path.length-1)[0]}"
+            "evaluatorType" : "javascript",
+			"expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; if(e($.user) || e($.group)) throw('User and Group must not be empty'); function f(){ var path = $.group.startsWith('%2F') ? $.group.split('%2F').slice(1) : [$.group]; return { 'path' : path.join('/'), 'name' : path.slice(path.length-1)[0], 'search' : encodeURIComponent(path.slice(path.length-1)[0])}} f()"
 			}
 		},
 		{
@@ -40,31 +42,7 @@
 			"taskReferenceName" : "lookup_user",
 			"type" : "SIMPLE",
 			"inputParameters" : {
-				"url" : "${init.input.keycloak_admin}/users?username=${workflow.input.user}",
-				"method" : "GET",
-				"headers" : {
-					"Authorization" : "Bearer ${authorize.output.body.access_token}",
-					"Accept" : "application/json"
-				}
-			}
-		},
-		{
-      			"name": "LAMBDA_TASK",
-      			"taskReferenceName": "select_user",
-      			"inputParameters": {
-        			"foundusers": "${lookup_user.output.body}",
-        			"username": "${workflow.input.user}",
-        			"scriptExpression": "for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return Java.to([$.foundusers[i]], 'java.lang.Object[]')}"
-      			},
-      			"type": "LAMBDA"
-    		},
-		{
-			"name" : "pyrest",
-			"taskReferenceName" : "lookup_client",
-			"type" : "SIMPLE",
-			"inputParameters" : {
-				"url" : "${init.input.keycloak_admin}/clients",
-				"params" : { "clientId" : "${workflow.input.group}"},
+				"url" : "${init.input.keycloak_admin}/users?username=${workflow.input.user}&exact=true&briefRepresentation=true",
 				"method" : "GET",
 				"headers" : {
 					"Authorization" : "Bearer ${authorize.output.body.access_token}",
@@ -74,12 +52,11 @@
 		},
 		{
 			"name" : "pyrest",
-			"taskReferenceName" : "get_client_roles",
+			"taskReferenceName" : "lookup_group",
 			"type" : "SIMPLE",
 			"inputParameters" : {
-				"url" : "${init.input.keycloak_admin}/clients/${lookup_client.output.body[0].id}/roles",
+				"url" : "${init.input.keycloak_admin}/group-by-path/${init.output.result.path}",
 				"expect" : [200, 404],
-				"method" : "GET",
 				"headers" : {
 					"Authorization" : "Bearer ${authorize.output.body.access_token}",
 					"Accept" : "application/json"
@@ -87,53 +64,23 @@
 			}
 		},
 		{
-			"name" : "check_role_existance",
-			"taskReferenceName" : "check_role_existance",
-			"type" : "DECISION",
-			"inputParameters" :{
-				"previous_outcome" : "${get_client_roles.output.status}"
+			"name": "check_user_group_existance",
+			"taskReferenceName": "check_user_group_existance",
+			"inputParameters": {
+				"user": "${lookup_user.output.body[0]}",
+				"group" : "${lookup_group.output.body.id}"
 			},
-			"caseValueParam" : "previous_outcome",
-			"decisionCases" : {
-				"200" : [
-					{
-					"name": "LAMBDA_TASK",
-					"taskReferenceName": "select_role",
-					"type": "LAMBDA",
-					"inputParameters": {
-						"role": "${workflow.input.role}",
-						"roles" : "${get_client_roles.output.body}",
-						"scriptExpression": "for(var i=0; i < $.roles.length;i++){if($.roles[i]['name'] == 'Member') return Java.to([$.roles[i]], 'java.lang.Object[]')}"
-						}
-					},
-                    {
-                        "name" : "pyrest",
-                        "taskReferenceName" : "look_up_groups",
-                        "type" : "SIMPLE",
-                        "inputParameters" : {
-                            "url" : "${init.input.keycloak_admin}/groups?search=${init.output.result.name}",
-                            "headers" : {
-                                "Authorization" : "Bearer ${authorize.output.body.access_token}",
-                                "Accept" : "application/json"
-                            }
-                        }
-                    },
-                    {
-					"name": "LAMBDA_TASK",
-					"taskReferenceName": "extract_group",
-					"type": "LAMBDA",
-					"inputParameters": {
-						"tree" : "${init.output.result.tree}",
-                        "groups" : "${look_up_groups.output.body}",
-                        "scriptExpression": "function selectByPath(groups, path, level) { for (var i=0; i < groups.length; i++) {if (groups[i].name === path[level]) {if (level === path.length - 1) return groups[i];return selectByPath(groups[i].subGroups, path, level+1)}} return null; } return { 'group' : selectByPath($.groups, $.tree, 0)}"
-						}
-					},
+			"type": "SWITCH",
+			"evaluatorType" : "javascript",
+			"expression": "($.user == null || $.group == null? 'error' : 'assign')",
+			"decisionCases": {
+				"assign" : [
 					{
 						"name" : "pyrest",
 						"taskReferenceName" : "assign_user_to_group",
 						"type" : "SIMPLE",
 						"inputParameters" : {
-							"url" : "${init.input.keycloak_admin}/users/${select_user.output.result[0].id}/groups/${extract_group.output.result.group.id}",
+							"url" : "${init.input.keycloak_admin}/users/${lookup_user.output.body[0].id}/groups/${lookup_group.output.body.id}",
 							"method" : "PUT",
 							"headers" : {
 								"Authorization" : "Bearer ${authorize.output.body.access_token}"
@@ -142,6 +89,6 @@
 					}
 				]
 			}
-		}
+        }
 	]
 }

templates/user-group_deleted.json.j2

@@ -5,17 +5,19 @@
 	"description": "Handle workflow related to Portal event user-group_deleted",
 	"version" : 1,
 	"ownerEmail" : "m.lettere@gmail.com",
-	"inputParameters" : ["role", "user", "group"],
+	"inputParameters" : ["user", "group"],
 	"tasks" : [
 		{
-		"name": "LAMBDA_TASK",
+		"name": "INLINE_TASK",
 		"taskReferenceName": "init",
-		"type": "LAMBDA",
+		"type": "INLINE",
 		"inputParameters": {
 			"keycloak": "{{ keycloak }}/{{ keycloak_realm }}",
 			"keycloak_admin" : "{{ keycloak_admin }}/{{ keycloak_realm }}",
-			"group" : "${workflow.input.group}", 
-            "scriptExpression": "var path = $.group.split('%2F').slice(1); return { 'tree' : Java.to(path, 'java.lang.Object[]'), 'name' : path.slice(path.length-1)[0]}"
+			"group" : "${workflow.input.group}",
+			"user" : "${workflow.input.user}", 
+			"evaluatorType" : "javascript",
+            "expression": "function e(v){ return (v == null || (v.trim && v.trim() === ''))}; if(e($.user) || e($.group)) throw('User and Group must not be empty'); function f(){var path = $.group.startsWith('%2F') ? $.group.split('%2F').slice(1) : [$.group]; return { 'tree' : Java.to(path, 'java.lang.String[]'), 'name' : path.slice(path.length-1)[0], search : encodeURIComponent(path.slice(path.length-1)[0])}} f()"
 			}
 		},
 		{
@@ -48,24 +50,26 @@
 				}
 			}
 		},
-                {
-      			"name": "LAMBDA_TASK",
-      			"taskReferenceName": "select_user",
-      			"inputParameters": {
-        			"foundusers": "${lookup_user.output.body}",
-        			"username": "${workflow.input.user}",
-        			"scriptExpression": "for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return Java.to([$.foundusers[i]], 'java.lang.Object[]')}"
-      			},
-      			"type": "LAMBDA"
-    		},
+		{
+			"name": "INLINE_TASK",
+			"taskReferenceName": "select_user",
+			"inputParameters": {
+				"foundusers": "${lookup_user.output.body}",
+				"username": "${workflow.input.user}",
+				"evaluatorType" : "javascript",
+				"expression": "function f(){for(var i=0; i < $.foundusers.length;i++){if($.foundusers[i]['username'] == $.username) return $.foundusers[i]}} f()"
+			},
+			"type": "INLINE"
+		},
 		{
 			"name": "check_user_existance",
 			"taskReferenceName": "check_user_existance",
 			"inputParameters": {
-				"user": "${select_user.output.result[0]}"
+				"user": "${select_user.output.result}"
 			},
-			"type": "DECISION",
-			"caseExpression": "($.user == null ? 'true' : 'false')",
+			"type": "SWITCH",
+			"evaluatorType" : "javascript",
+			"expression": "($.user == null ? 'true' : 'false')",
 			"decisionCases": {
 				"true": [
 					{
@@ -79,6 +83,63 @@
 				]
 			}
 		},
+		{
+            "name" : "pyrest",
+            "taskReferenceName" : "look_up_groups",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+                "url" : "${init.input.keycloak_admin}/groups?search=${init.output.result.search}",
+                "headers" : {
+                    "Authorization" : "Bearer ${authorize.output.body.access_token}",
+                    "Accept" : "application/json"
+                }
+            }
+        },
+        {
+        "name": "INLINE_TASK",
+        "taskReferenceName": "extract_group",
+        "type": "INLINE",
+        "inputParameters": {
+            "tree" : "${init.output.result.tree}",
+            "groups" : "${look_up_groups.output.body}",
+            "evaluatorType" : "javascript",
+			"expression": "function selectByPath(groups, path, level) { for (var i=0; i < groups.length; i++) {if (groups[i].name === path[level]) {if (level === path.length - 1) return groups[i];return selectByPath(groups[i].subGroups, path, level+1)}} return null; } function f() { return { 'group' : selectByPath($.groups, $.tree, 0)}} f()"
+            }
+        },
+        {
+			"name" : "check_group_existance",
+			"taskReferenceName" : "check_group_existance",
+			"type" : "SWITCH",
+			"inputParameters" :{
+				"group" : "${extract_group.output.result.group}"
+			},
+			"evaluatorType" : "javascript",
+			"expression": "(($.group != null) ? 'delete' : 'skip')",
+			"decisionCases" : {
+				"skip" : [
+					{
+						"name" : "terminate",
+						"taskReferenceName" : "terminate_when_no_group",
+						"type" : "TERMINATE",
+						"inputParameters" : {
+							"terminationStatus" : "COMPLETED"
+						}
+					}
+				]
+			}
+		},
+        {
+            "name" : "pyrest",
+            "taskReferenceName" : "delete_user_from_group",
+            "type" : "SIMPLE",
+            "inputParameters" : {
+                "url" : "${init.input.keycloak_admin}/users/${select_user.output.result.id}/groups/${extract_group.output.result.group.id}",
+                "method" : "DELETE",
+                "headers" : {
+                    "Authorization" : "Bearer ${authorize.output.body.access_token}"
+                }
+            }
+        },
 		{
 			"name" : "pyrest",
 			"taskReferenceName" : "lookup_client",
@@ -100,6 +161,7 @@
 			"inputParameters" : {
 				"url" : "${init.input.keycloak_admin}/clients/${lookup_client.output.body[0].id}/roles",
 				"method" : "GET",
+				"expect" : [200, 404],
 				"headers" : {
 					"Authorization" : "Bearer ${authorize.output.body.access_token}",
 					"Accept" : "application/json"
@@ -107,53 +169,33 @@
 			}
 		},
 		{
-			"name" : "pyrest",
-			"taskReferenceName" : "remove_all_roles_from_user",
-			"type" : "SIMPLE",
-			"inputParameters" : {
-				"url" : "${init.input.keycloak_admin}/users/${select_user.output.result[0].id}/role-mappings/clients/${lookup_client.output.body[0].id}",
-				"expect" : 204,
-				"method" : "DELETE",
-				"body" : "${get_client_roles.body}",
-				"headers" : {
-					"Authorization" : "Bearer ${authorize.output.body.access_token}",
-					"Content-Type" : "application/json"
-				}
+			"name" : "check_role_existance",
+			"taskReferenceName" : "check_role_existance",
+			"type" : "SWITCH",
+			"evaluatorType" : "value-param",
+			"inputParameters" :{
+				"previous_outcome" : "${get_client_roles.output.status}"
+			},
+			"expression" : "previous_outcome",
+			"decisionCases" : {
+				"200" : [
+					{
+						"name" : "pyrest",
+						"taskReferenceName" : "remove_all_roles_from_user",
+						"type" : "SIMPLE",
+						"inputParameters" : {
+							"url" : "${init.input.keycloak_admin}/users/${select_user.output.result.id}/role-mappings/clients/${lookup_client.output.body[0].id}",
+							"expect" : 204,
+							"method" : "DELETE",
+							"body" : "${get_client_roles.body}",
+							"headers" : {
+								"Authorization" : "Bearer ${authorize.output.body.access_token}",
+								"Content-Type" : "application/json"
+							}
+						}
+					}
+				]
 			}
-		},
-        {
-            "name" : "pyrest",
-            "taskReferenceName" : "look_up_groups",
-            "type" : "SIMPLE",
-            "inputParameters" : {
-                "url" : "${init.input.keycloak_admin}/groups?search=${init.output.result.name}",
-                "headers" : {
-                    "Authorization" : "Bearer ${authorize.output.body.access_token}",
-                    "Accept" : "application/json"
-                }
-            }
-        },
-        {
-        "name": "LAMBDA_TASK",
-        "taskReferenceName": "extract_group",
-        "type": "LAMBDA",
-        "inputParameters": {
-            "tree" : "${init.output.result.tree}",
-            "groups" : "${look_up_groups.output.body}",
-            "scriptExpression": "function selectByPath(groups, path, level) { for (var i=0; i < groups.length; i++) {if (groups[i].name === path[level]) {if (level === path.length - 1) return groups[i];return selectByPath(groups[i].subGroups, path, level+1)}} return null; } return { 'group' : selectByPath($.groups, $.tree, 0)}"
-            }
-        },
-        {
-            "name" : "pyrest",
-            "taskReferenceName" : "assign_user_to_group",
-            "type" : "SIMPLE",
-            "inputParameters" : {
-                "url" : "${init.input.keycloak_admin}/users/${lookup_user.output.body[0].id}/groups/${extract_group.output.result.group.id}",
-                "method" : "DELETE",
-                "headers" : {
-                    "Authorization" : "Bearer ${authorize.output.body.access_token}"
-                }
-            }
-        }
+		}
 	]
 }