[midPoint] Multiple Approvers

Pavol Mederly mederly at evolveum.com
Mon Aug 15 23:28:45 CEST 2016 

Hello Florin,

there are actually two problems with approval schema levels:

The first one is that - as you said - levels have no IDs. This is 
because of an omission to generate them when saving an object into the 
repository (PrismIdentifierGenerator class). Workaround is quite simple: 
when creating a role, just manually insert such identifiers into the XML 
representation.

But, what is worse, is the second issue: multivalued prism structures 
are unsorted. ID is not a sorting key; it's just an identifier. So it's 
quite possible that ordering of multi-level approval schema gets 
swapped. This can occur on applying add/delete item deltas that address 
levels.

Fortunately, workaround for both problems is quite simple: always 
execute <itemDelta> that replaces all the content of 
<approvalStructure>, e.g. like this:

<apit:objectModification 
xmlns:apit='http://midpoint.evolveum.com/xml/ns/public/common/api-types-3' 
xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3' 
xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3' 
xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
     <apit:itemDelta>
<t:modificationType>replace</t:modificationType>
         <t:path>c:approvalSchema</t:path>
         <t:value>
             <name>Sample Complex Schema 1</name>
             <description>A sample complex approval schema, involving 
the security administrator</description>
             <level>
                 <name>Bosses</name>
                 <description>At this level, either one of the company 
directors has to approve the assignment.</description>
                 <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252" 
type="c:UserType"/>
                 <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb" 
type="c:UserType"/>
<evaluationStrategy>firstDecides</evaluationStrategy>
             </level>
             <level>
                 <name>Administrators</name>
                 <description>At this level, system administrator as 
well as security manager must approve.</description>
                 <approverRef oid="00000000-0000-0000-0000-000000000002" 
type="c:UserType"/>
                 <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c" 
type="c:UserType"/>
<evaluationStrategy>allMustApprove</evaluationStrategy>
             </level>
         </t:value>
     </apit:itemDelta>
</apit:objectModification>

Looking at your planned command line tool I think this could work. (Even 
if you'd need to apply deltas, it's possible to fetch current state, 
apply the delta yourself, and push the new state into midPoint. Except 
for race conditions, it should be OK.)

Anyway, I've logged a jira issue for this (MID-3350 
<https://jira.evolveum.com/browse/MID-3350>).

As for the plans for support editing approval schemas in GUI, I don't 
know. Maybe Radovan or Igor would.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 15.08.2016 22:38, Florin. Stingaciu wrote:
> Hello,
>
> I'm currently trying to set up a role such that it has multiple 
> approvers in a firstDecides strategy. Everything works just fine when 
> I directly edit the role object via the configuration tab (in browser 
> editor).
>
> I'm actually trying to automate this process such that my admins can 
> just call a tool from cmd line. Something like:
>
> midpoint_client -group _name_ -approvers _list_ -strategy _strategy_
>
> So far I've written a python client interfacing with midPoint via the 
> REST API. If I'm adding a brand new approval workflow there's no 
> problem, however if I have to modify or delete these programmatically, 
> I can't. This is due to the fact that <level> under approvalSchema 
> doesn't contain an ID. For example this is my item delta:
>
>         <itemDelta>
> <t:modificationType>delete</t:modificationType>
> <t:path>c:approvalSchema/level/approverRef</t:path>
>                 <value oid="358a2151-f85d-4d92-8145-e8228aa4faa6" 
> type="c:UserType"></value>
>         </itemDelta>
>
> I'm wondering if there's any plan to expose approvalSchema operations 
> directly in the GUI any time soon. Also any suggestions on getting 
> around this programmatically (while still continuing to use the REST 
> API) would be very appreciated.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160815/6e6984da/attachment.htm>

More information about the midPoint mailing list