[midPoint] Require Assistance

Pavol Mederly mederly at evolveum.com
Fri Jan 9 12:24:04 CET 2015


Hello Anand,

I'm back from the vacation. I have a couple of notes to the questions 
you have raised:

>> *Please provide me assistance for following queries :-*
>>
>>   * I have a requirement where I need to *raise Approval Request* at
>>     the time of *Account/Resource Assignment to Role* in midpoint.
>>
> (...)
> However there may be one issue. Currently the workflow code is built 
> to intercept only operations on users. Or that is the only thing that 
> we have tested so far. MidPoint architecture allows to intercept 
> operations on all objects. But I'm not sure how much generic is the 
> current "hook" code (as we call it) that actually does the intercept. 
> Maybe Pavol can provide more information here.

The core workflow hook code is fairly generic, so it should work well 
with roles.

However, as Radovan said, all scenarios where workflows have been used 
(at least what we know about) were related to users.

Therefore now I'm preparing a sample that will show how to implement 
your role-related scenario. During that effort I'll identify missing 
pieces in midPoint workflow module that are needed for the scenario, if 
there are any.

However, the scenario preparation might take a week or a little more 
because there are some other urgent fixes that have to be done, related 
to upcoming midPoint release.

>>   * Is it possible to *Assign A Manager To User* (Manager will handle
>>     Approval Requests Of multiple users).
>>
(...)

There is a sample #3 in 
https://wiki.evolveum.com/display/midPoint/Some+examples that deals with 
this situation. It uses Radovan's solution #1a:
>
> 1: Use the organizational structure. Assign user to the org unit and 
> assign a manager for the org unit. This is perhaps the most systematic 
> way. Then when you need a manager of a specific user you need to write 
> an expression that retrieves user's org unit, finds the manager and 
> returns it. The expression can also check for the case that unit does 
> not have a manager and it needs to go one unit up, etc. The trick is 
> how to assign a manager to the org unit. And there are also two options:
>
> a: The architecturally clean way is to use "relation" parameter in 
> midPoint object references. This is designed especially for this case. 
> Every object reference in midPoint can have a "relation" which is an 
> optional qname/uri that can specify how the referenced objects relate. 
> This can be particularly useful with parentOrgRef reference that forms 
> the organizational structure. The default (empty) relation is 
> interpreted in a way that the user is a member of the org unit. But 
> you can use different relation values to represent a manager, business 
> owner or any similar concept. This can theoretically be used to 
> specify many managers for a particular org unit, pass manager changes 
> through proper approvals, etc. The good news is that the relation is 
> designed to be easily indexed and our search queries are also designed 
> to handle it so it is likely to scale. The bad news is that I'm not 
> sure how much of this is actually implemented. There may also be 
> issues how to express the relation in an assignment.
>
Please have a look at it. Most probably you would have to extend/tweak 
it to match your requirements.

>>   * If yes then how we can force Managers to Approve Resource
>>     requests on Role Assignments .
>>
>
> Each role has an approverExpression property. A user who is the result 
> of this expression will be an approver for this particular role. This 
> is the place where you can put an expression that determines the 
> manager. Or alternatively you can modify the approval workflow (BPMN) 
> and explicitly determine the approvers there.

Here I do not understand the overall context: what exactly should the 
user's manager approve? Because if you want to modify a role by changing 
its resource assignment, there is no user - and so no user's manager - 
you can refer to.

Or do you mean consulting all managers of all users that would be 
touched by the proposed change in the role?

Could you describe a more detailed scenario for me please?
>>
>>   * Handling Multi-Level Approvals (from User's Manager and Manager's
>>     Manager).
>>
> We support multi-level approvals in roles. See the approvalSchema 
> property in the role. But I'm not sure if this can be coupled with the 
> approverExpression result or you will need to modify the workflow to 
> get this. Maybe Pavol can provide more details here.

Yes, it can be combined. You can provide an approvalSchema with e.g. 5 
levels. On each level there can be an approverExpression, giving user's 
managers for that level. I.e.

- on level 1 there will be an expression giving user's immediate 
  manager(s): midpoint.getManagersOidsExceptUser(object)
- on level 2 there will be an expression giving managers of these 
  manager(s): (such expression does not exist yet, you would have to 
  create your own)
- ...

However, there are some issues with this approach:

 1. The approval schema is fixed, so you would have to provide the
    number of levels that would cover your most complex scenario. (It's
    basically a matter of copy & paste - ugly but working.)
 2. Everything is OK unless a user (or anyone in the hierarchy) has more
    managers, either because his organization has more managers or
    because he is a member of more organizations. The question then is -
    which manager should approve the request? Or should all the managers
    approve? See also the notes at the end of the samples page I
    referred to above
    (https://wiki.evolveum.com/display/midPoint/Some+examples). In the
    hierarchical case as you described, the situation is even more
    complex: on level 2, all the user's "grand-managers" should approve, or
    only managers of the manager that approved the request (assuming one
    manager's approval is sufficient)?

So the situation should be specified in more detail.

Nevertheless, as Radovan said, you can always implement your own BPMN 
approval process. Then you will not be limited by standard ItemApproval 
process that uses above-described approvers and approval schemas.

Or, if you could describe your requirements more clearly and if they 
would be quite generic, we could perhaps implement a standard solution 
for this. Something like org-aware generic ItemApproval process. 
(Subject to usual conditions as Radovan pointed to: 
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature).

Hope this helps. If you have any questions, please don't hesitate 
to ask here.

Best regards,
Pavol
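
The following is an added example, not part of the original message and not midPoint code: a small Python model of the approver-resolution question raised above, showing how the level 2 approver set differs depending on which interpretation is chosen. The `Ref` structure, the function names, the sample org data and the rule "a manager of a unit is approved by the managers one unit up" are all assumptions made for illustration.

```python
# Added illustration: a constructed org model, not midPoint code or its API.
from collections import namedtuple

# One parentOrgRef-style link: subject (user or org unit) -> org unit, with a relation.
Ref = namedtuple("Ref", "subject org relation")

REFS = [  # constructed sample data
    Ref("alice", "dev", "member"), Ref("alice", "qa", "member"),
    Ref("bob", "dev", "manager"), Ref("carol", "dev", "manager"),
    Ref("frank", "qa", "manager"),
    Ref("dev", "eng", "member"), Ref("qa", "ops", "member"),  # unit nesting
    Ref("dave", "eng", "manager"), Ref("erin", "ops", "manager"),
]

def orgs_of(subject, refs=REFS):
    """Org units the subject is linked to, whatever the relation."""
    return {r.org for r in refs if r.subject == subject}

def managers_except_user(user, refs=REFS):
    """Managers of every unit the user belongs to, never the user itself.
    If a unit has no manager, or the user is one of its managers, go one unit up."""
    found, seen, todo = set(), set(), list(orgs_of(user, refs))
    while todo:
        org = todo.pop()
        if org in seen:          # guard against cycles in the org structure
            continue
        seen.add(org)
        mgrs = {r.subject for r in refs
                if r.org == org and r.relation == "manager"}
        if mgrs and user not in mgrs:
            found |= mgrs
        else:
            todo.extend(orgs_of(org, refs))
    return found                 # may be empty at the top of the hierarchy

def level2_all(user, refs=REFS):
    """Interpretation A: every 'grand-manager' of the user is a level 2 approver."""
    level1 = managers_except_user(user, refs)
    return set().union(*(managers_except_user(m, refs) for m in level1))

def level2_for(approver, refs=REFS):
    """Interpretation B: only managers of the manager who approved at level 1."""
    return managers_except_user(approver, refs)

if __name__ == "__main__":
    print("level 1:", sorted(managers_except_user("alice")))
    print("level 2 (all grand-managers):", sorted(level2_all("alice")))
    print("level 2 (bob approved):", sorted(level2_for("bob")))
    print("level 2 (frank approved):", sorted(level2_for("frank")))
```

An empty result (here, for `dave`) means no approver exists for that level, a case the approval process has to handle explicitly.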
