[midPoint] Starting approval processes for secondary deltas

Pavol Mederly mederly at evolveum.com
Mon May 25 17:44:30 CEST 2015 

Hello Ilya,

the problem of approving things in secondary phase is what to do in case 
of rejection.

Because if you detect that an assignment of specific role is to be 
added, what do you do with the original request?
The original request can be a compound one, consisting e.g. of modifying 
givenName, description, and a certain attribute (the one that causes the 
discussed assignment to be created).
You have to analyze the situation and cancel the whole operation, or 
perhaps remove only the attribute change.

My suggestion is to deal with the primary cause only - and that is the 
change of the attribute. You can easily write a custom 
PrimaryChangeProcessorAspect that would be focused on that attribute and 
would handle changes that lead to assignment of critical roles/resource 
to the user object.

If that's not possible, we could analyze other options.

Back to your question. The problem that I've just described (i.e. what 
to do in case of rejection) is the reason why we do not like to work 
with secondary-phase approvals. Even the general change processor is 
quite "half-baked" and unfinished; not quite ready to be used in its 
current form.

But, again, I'm quite sure the solution can be implemented by 
PrimaryChangeProcessor.

Regards,
Pavol

On 25. 5. 2015 17:24, Илья Дорофеев wrote:
> Hi,
>
> I have user template mappings which assign / unassign certain roles depending on the values of certain attributes. In some cases I want these assignments / unassignments to be passed through an approval process. As these changes appear to be secondary deltas, as far as I understand, I have two options: either to utilize the general change processor or implement my own change processor. But it is not clear which one to choose. What advantages and disadvantages do both provide? In addition to this, I see the PrimaryChangeProcessor which seems suitable for my needs (by implementing specific aspect), but its functionality restricted solely to primary deltas. Could you elaborate on what stands behind this design? Why couldn't it be expanded to processing secondary deltas?
>
>
> Ilya Dorofeev
> Software Architect
> Solar Security
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

More information about the midPoint mailing list