[midPoint] workflow for secondary delta
Radovan Semancik
radovan.semancik at evolveum.com
Thu Dec 14 13:06:31 CET 2017
Hi,
This is exactly the point.
The original idea was to use "secondary approvals" by system
administrators so they will be aware of all the accounts that are
created on their systems. We have used similar approach in
first-generation (pre-midpoint) IDM deployments. But in fact, as far as
I know, it was never used in practice as it was quite useless. The
problem is if system administrator rejects secondary delta, but primary
delta is executed. The result is a situation that violates the policy:
roles says that there should be an account, but the account is not
there. So midPoint will try to create the account again and again.
Early in midPoint design and development we though that "secondary
approvals" might be needed. We were not sure. So we have designed
midPoint to allow for this option sometime in the future. It was just an
architectural construct with just a partial implementation. It was never
fully implemented. But up until now there was no demand to this
features. Therefore we had no plans to finish the implementation. In
fact we were thinking about phasing out the secondary approval option
altogether.
--
Radovan Semancik
Software Architect
evolveum.com
On 12/14/2017 12:51 PM, Pavol Mederly wrote:
>
> Hello Oskar,
>
> the crucial question is: what should midPoint do if such a secondary
> change would get rejected?
>
> Pavol Mederly
> Software developer
> evolveum.com
> On 14.12.2017 11:34, Oskar Butovič - AMI Praha a.s. wrote:
>> Hello everybody,
>>
>> I was wondering whether I can enforce executing approval workflow
>> upon assignment which is in the secondary delta. Eg. role assignment
>> synchronized from an external system or role assigned by object
>> template based on some attribute values.
>>
>> I have some ideas:
>> - can it be configured by policy rules alone?
>> - can it be done by generalChangeProcessor
>> https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+3:+using+general+change+processor
>> ?
>> - If all else fails would moving the assignment delta from secondary
>> to primary via hook do the trick?
>>
>> Could any of those ideas work?
>>
>> Best Regards
>> Oskar Butovič
>> --
>>
>> Oskar Butovič
>> solution architect
>>
>> gsm: [+420] 774 480 101
>> e-mail: oskar.butovic at ami.cz <mailto:oskar.butovic at ami.cz>
>>
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239
>> web: www.ami.cz <http://www.ami.cz/>
>>
>>
>>
>> AMI Praha a.s.
>>
>>
>> AMI Praha a.s.
>> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít
>> výhradně písemnou formu.
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20171214/47113fdc/attachment.htm>
More information about the midPoint
mailing list