[midPoint] Policy Constraints and User Templates

Pavol Mederly mederly at evolveum.com
Mon Oct 12 15:46:29 CEST 2020 

Hello Brandon,

if I remember correctly, this question was opened once or twice (in the 
last years), for example here:

https://lists.evolveum.com/pipermail/midpoint/2017-December/004293.html

The basic question (posed also in the above mentioned thread) is: what 
should midPoint do if there would be a rejection of the role assignment?

To keep things consistent, the change would need to affect even the 
source resource. So it would stop propagating the value to specific user 
attribute, and then to the role assignment.

Or, such a rejection would need to set up a flag that would be respected 
by the mappings involved (inbound mapping providing user attribute or 
template mapping providing the role assignment), so that they would 
start ignoring the data coming from the source resource. But this is 
definitely not a standard behavior of midPoint approvals component.

Hope this helps,

Pavol Mederly
Software developer
evolveum.com

On 12/10/2020 15:18, Brandon Powers via midPoint wrote:
> Hello all,
>
> We are interested in approval workflows for assignments that are 
> applied to users automatically via default user template mappings 
> (utilizing assignmentTargetSearch).  So far, we've been unsuccessful 
> in finding a way to trigger the approval policy constraint when the 
> assignment is made automatically via an object template mapping (the 
> approval workflow does kick off when /manually/ assigning the 
> org/role, however).
>
> I've had a lot of trouble finding any documentation on the matter to 
> determine if this is supported or not, so I wanted to reach out and 
> see if anyone could offer any insight on the matter? Perhaps there is 
> undocumented functionality that allows this, or a speicifc approach 
> that should be taken.
>
> For more context, we have auto assignments via the default user 
> template to assign orgs based on the value of a specific user 
> attribute which is defined from one of our resource's inbound mappings.
>
> Any insight on the matter from anyone is greatly appreciated!
>
> Brandon Powers
> Exclamation Labs
> 300 Washington Street
> Cumberland, MD 21502
> 888.545.5008 <tel:888.545.5008> or 301.722.5008 ext 144 
> <tel:301.722.5008+ext+144>
> fax 301.722.2183
> brandon at exclamationlabs.com <mailto:brandon at exclamationlabs.com>
> www.exclamationlabs.com <mailto:brandon at exclamationlabs.com>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20201012/4c3105d7/attachment.htm>

More information about the midPoint mailing list