[midPoint] Starting approval processes for secondary deltas
Pavol Mederly
mederly at evolveum.com
Mon May 25 17:44:30 CEST 2015
Hello Ilya,

the problem of approving things in secondary phase is what to do in case
of rejection.

Because if you detect that an assignment of a specific role is to be
added, what do you do with the original request?
The original request can be a compound one, consisting e.g. of modifying
givenName, description, and a certain attribute (the one that causes the
discussed assignment to be created).
You have to analyze the situation and cancel the whole operation, or
perhaps remove only the attribute change.

My suggestion is to deal with the primary cause only - and that is the
change of the attribute. You can easily write a custom
PrimaryChangeProcessorAspect that would be focused on that attribute and
would handle changes that lead to assignment of critical roles/resource
to the user object.

If that's not possible, we could analyze other options.

Back to your question. The problem that I've just described (i.e. what
to do in case of rejection) is the reason why we do not like to work
with secondary-phase approvals. Even the general change processor is
quite "half-baked" and unfinished; not quite ready to be used in its
current form.

But, again, I'm quite sure the solution can be implemented by
PrimaryChangeProcessor.

Regards,
Pavol

On 25. 5. 2015 17:24, Илья Дорофеев wrote:
> Hi,
>
> I have user template mappings which assign / unassign certain roles depending on the values of certain attributes. In some cases I want these assignments / unassignments to be passed through an approval process. As these changes appear to be secondary deltas, as far as I understand, I have two options: either to utilize the general change processor or implement my own change processor. But it is not clear which one to choose. What advantages and disadvantages do both provide? In addition to this, I see the PrimaryChangeProcessor which seems suitable for my needs (by implementing specific aspect), but its functionality is restricted solely to primary deltas. Could you elaborate on what stands behind this design? Why couldn't it be expanded to processing secondary deltas?
>
>
> Ilya Dorofeev
> Software Architect
> Solar Security
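The approach suggested in the reply above (approve the primary attribute change rather than the secondary role assignment it causes) can be sketched as follows. This is an added example, not part of the original thread and not midPoint code: it is a simplified Python model, and every name, mapping and role in it is constructed for illustration.

```python
# Conceptual model only: plain Python, not the midPoint API.
# All class, function, attribute and role names here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class ItemDelta:
    path: str        # attribute being modified, e.g. "givenName"
    new_value: str

# Constructed stand-in for user template mappings:
# (attribute, value) -> role the template assigns as a secondary change.
TEMPLATE_ROLE_MAPPINGS = {
    ("employeeType", "admin"): "Superuser",
    ("employeeType", "staff"): "Employee",
}
CRITICAL_ROLES = {"Superuser"}

def induced_role(delta):
    """Role the template would assign because of this primary change, or None."""
    return TEMPLATE_ROLE_MAPPINGS.get((delta.path, delta.new_value))

def split_primary_request(request):
    """Separate the item deltas that cause a critical assignment from the rest."""
    needs_approval = [d for d in request if induced_role(d) in CRITICAL_ROLES]
    immediate = [d for d in request if induced_role(d) not in CRITICAL_ROLES]
    return immediate, needs_approval

def execute(user, request, approve):
    """Apply a compound request; `approve` stands in for the approval workflow.

    A rejected delta is dropped on its own, so the unrelated changes in the
    same request still go through and the critical role is never assigned.
    (Unassignment of previously mapped roles is not modelled.)
    """
    immediate, needs_approval = split_primary_request(request)
    approved = [d for d in needs_approval if approve(d, induced_role(d))]
    result = dict(user)
    roles = set(user.get("roles", ()))
    for d in immediate + approved:
        result[d.path] = d.new_value
        role = induced_role(d)
        if role:
            roles.add(role)
    result["roles"] = sorted(roles)
    return result
```

Because the approval decision is attached to the attribute change that the requester actually asked for, a rejection has an unambiguous target, which is the difficulty the reply describes for secondary-phase approvals.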