[midPoint] Multiple Approvers

Florin. Stingaciu fstingaciu at mirantis.com
Tue Aug 16 00:29:48 CEST 2016


Using ItemDeltas solved my problem. Thanks Pavol!

On Mon, Aug 15, 2016 at 2:28 PM, Pavol Mederly <mederly at evolveum.com> wrote:

> Hello Florin,
> there are actually two problems with approval schema levels:
>
> The first one is that - as you said - levels have no IDs. This is because
> of an omission to generate them when saving an object into the repository
> (PrismIdentifierGenerator class). Workaround is quite simple: when creating
> a role, just manually insert such identifiers into the XML representation.
>
> But, what is worse, is the second issue: multivalued prism structures are
> unsorted. ID is not a sorting key; it's just an identifier. So it's quite
> possible that ordering of multi-level approval schema gets swapped. This
> can occur on applying add/delete item deltas that address levels.
>
> Fortunately, workaround for both problems is quite simple: always execute
> <itemDelta> that replaces all the content of <approvalStructure>, e.g. like
> this:
>
> <apit:objectModification xmlns:apit='http://midpoint.
> evolveum.com/xml/ns/public/common/api-types-3' xmlns:c='http://midpoint.
> evolveum.com/xml/ns/public/common/common-3' xmlns='http://midpoint.
> evolveum.com/xml/ns/public/common/common-3' xmlns:t="http://prism.
> evolveum.com/xml/ns/public/types-3"
> <http://prism.evolveum.com/xml/ns/public/types-3>>
>     <apit:itemDelta>
>         <t:modificationType>replace</t:modificationType>
>         <t:path>c:approvalSchema</t:path>
>         <t:value>
>             <name>Sample Complex Schema 1</name>
>             <description>A sample complex approval schema, involving the
> security administrator</description>
>             <level>
>                 <name>Bosses</name>
>                 <description>At this level, either one of the company
> directors has to approve the assignment.</description>
>                 <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252"
> type="c:UserType"/>
>                 <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb"
> type="c:UserType"/>
>                 <evaluationStrategy>firstDecides</evaluationStrategy>
>             </level>
>             <level>
>                 <name>Administrators</name>
>                 <description>At this level, system administrator as well
> as security manager must approve.</description>
>                 <approverRef oid="00000000-0000-0000-0000-000000000002"
> type="c:UserType"/>
>                 <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c"
> type="c:UserType"/>
>                 <evaluationStrategy>allMustApprove</evaluationStrategy>
>             </level>
>         </t:value>
>     </apit:itemDelta>
> </apit:objectModification>
>
> Looking at your planned command line tool I think this could work. (Even
> if you'd need to apply deltas, it's possible to fetch current state, apply
> the delta yourself, and push the new state into midPoint. Except for race
> conditions, it should be OK.)
>
> Anyway, I've logged a jira issue for this (MID-3350
> <https://jira.evolveum.com/browse/MID-3350>).
>
> As for the plans for support editing approval schemas in GUI, I don't
> know. Maybe Radovan or Igor would.
>
> Best regards,
>
> Pavol Mederly
> Software developerevolveum.com
>
> On 15.08.2016 22:38, Florin. Stingaciu wrote:
>
> Hello,
>
> I'm currently trying to set up a role such that it has multiple approvers
> in a firstDecides strategy. Everything works just fine when I directly edit
> the role object via the configuration tab (in browser editor).
>
> I'm actually trying to automate this process such that my admins can just
> call a tool from cmd line. Something like:
>
> midpoint_client -group _name_ -approvers _list_ -strategy _strategy_
>
> So far I've written a python client interfacing with midPoint via the REST
> API. If I'm adding a brand new approval workflow there's no problem,
> however if I have to modify or delete these programmatically, I can't. This
> is due to the fact that <level> under approvalSchema doesn't contain an ID.
> For example this is my item delta:
>
>         <itemDelta>
>                 <t:modificationType>delete</t:modificationType>
>                 <t:path>c:approvalSchema/level/approverRef</t:path>
>                 <value oid="358a2151-f85d-4d92-8145-e8228aa4faa6"
> type="c:UserType"></value>
>         </itemDelta>
>
> I'm wondering if there's any plan to expose approvalSchema operations
> directly in the GUI any time soon. Also any suggestions on getting around
> this programmatically (while still continuing to use the REST API) would be
> very appreciated.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160815/734a72d0/attachment.htm>


More information about the midPoint mailing list