[midPoint] Role request questions
Pavol Mederly
mederly at evolveum.com
Fri Aug 12 11:12:34 CEST 2016
Hello Aivo,
please see answers in your text.
Best regards,
Pavol Mederly
Software developer
evolveum.com
> When I request a role (which has an approver) then I don't see the
> request under My Requests. Does the requester need some authorization
> to view his/her currently active requests?
Yes.
The background is this: Information about an approval process is stored
in a midPoint task (as well as in an Activiti process instance, but that's
not important now). In 3.4, we are not able to specify authorization for
tasks to allow displaying only the tasks that are somehow related to the
user. We are limited to quite static conditions, like "show tasks that
belong to a (fixed) user", or "show tasks that were requested by a
(fixed) user". So, basically, you'd need a separate role for each
possible requester, and that's obviously nonsense.
This more flexible mechanism is to be implemented in 3.5, as per
https://jira.evolveum.com/browse/MID-3121. (It's a little bit unclear if
it will really fit into the schedule, but that's another story.)
As a workaround for 3.4, you could give users read access to
workflowContext section of /all/ tasks. If you disallow non-GUI access
for them, and disallow using Task List page, it could be reasonably
secure. (Based on the fact that the users will not know tasks' OIDs to
access them directly.) But it depends on how secure you want your system
to be.
> Can a user request to remove the assigned roles? By default it does not
> seem to work.
This is an interesting question. Do you want this operation to be
carried out automatically (without approval), or to be approved in the
same way as assignment creation?
> Is it possible in the request roles dialog to hide from available roles
> the roles which have already been assigned to the user and/or roles which
> the user has already requested but which have not yet been approved?
Currently it is (as far as I know) not implemented. I think it is not
too much work to be done. (Please create a jira if you're interested.)
There is one aspect that comes to mind: An assignment can be e.g.
disabled, or valid only for a period of time, or be bound to a
specific org or tenant, or have any parameters that make it different
from other assignments of the given role. So there might be a reason to
add a role for which some assignment already exists. Therefore, this
feature should be configurable (by the administrator, knowing the deployment
details), or should be switchable on/off by the user.
> By default when a role is requestable but has no approver the end user
> can order a role without any approval - is it possible to avoid such a
> situation, e.g. by defining some kind of policy that when a request has
> no approving users then the administrator still has to approve it?
Good idea! I am convinced this can be done using the authorizations
mechanism: to allow the end user to see only roles that have a non-empty
approverRef field.
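An added illustration of the 3.4 workaround described above (not code from the mail or from the midPoint project): a role carrying a single read authorization on the workflowContext item of all TaskType objects, with nothing else granted. The element names follow midPoint's authorization schema; the role name, authorization name and the item path are assumptions here.

```xml
<!-- Added example, not part of the original mail. Role name, authorization
     name and item path are assumptions; element names follow the midPoint
     authorization schema. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Workflow Requester (3.4 workaround)</name>
    <authorization>
        <name>read-workflow-context-of-all-tasks</name>
        <!-- model-level read only -->
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
        <object>
            <!-- applies to every task; 3.4 cannot restrict to "my" tasks -->
            <type>TaskType</type>
        </object>
        <!-- limit the readable part to the approval data; other task items stay hidden -->
        <item>workflowContext</item>
    </authorization>
    <!-- Deliberately NOT granted, so they remain denied:
         - the GUI authorization for the Task List page
         - any non-GUI (e.g. REST) access
         The requester then reaches approval data only through My Requests
         and does not learn task OIDs to address tasks directly. -->
</role>
```

Whether this is secure enough depends, as the mail says, on how much you rely on task OIDs staying unknown to the requester.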