[midPoint] Invoke workflow during attribute changing

Roman Pudil - AMI Praha a.s. roman.pudil at ami.cz
Tue Feb 23 15:58:36 CET 2016 

Hi Pavol,
thanks!

I tried ChangePassword Aspect (published somewhere in examples), it is 
very close to changing aspect. Creating workflow works fine, but it 
seems, that other steps - code around approval GUI - are missing.

Now I analyze processes for customer, the planned deployment is around 2 
months.

Tahks!
Regards

Roman Pudil
solution architect

gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz





Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
výhradně písemnou formu.



------ Původní zpráva ------
Od: "Pavol Mederly" <mederly at evolveum.com>
Komu: midpoint at lists.evolveum.com
Odesláno: 23.2.2016 14:52:17
Předmět: Re: [midPoint] Invoke workflow during attribute changing

>From the point of workflow module, the second option is much easier to 
>implement. The only thing to do is to create so called "change aspect" 
>- a piece of code that detects that the login name attribute is to be 
>changed. Currently we have a lot of ready-made "change aspects" for 
>detecting assignment creation/modification, object creation etc. (see 
>https://wiki.evolveum.com/display/midPoint/Workflow+configuration) but 
>this one is not there yet.
>
>Workflow module is designed so that customers/partners can add their 
>own change aspects, so it would not be a big problem.
>
>However, as currently I'm reworking GUI for approvals anyway, I can 
>implement also this change aspect. I think it's generally useful (when 
>made configurable e.g. to choose what are the 'critical' attributes to 
>watch), and quite easy to do.
>
>In what time frame do you need this feature? It should be part of 3.4, 
>to be out this spring.
>
>Best regards,
>Pavol
>
>
>On 23.02.2016 14:40, Roman Pudil - AMI Praha a.s. wrote:
>>Hi Pavol,
>>first thing - thanks for very very quick answer! :-)
>>Yes, You understand it correctly. LoginName in authoritative app is 
>>not necessary, its only one of possibilities - see later.
>>I have two ideas - see scenarios:
>>First choice - login is in authoritative app:
>>1) user is Jana Novakova, login name jana.novakova is in authoritative 
>>app, in midPoint and in all other apps.
>>2) user change last name to Svobodova; loginname in authoritative app 
>>is changed to jana.svobodova, midPoint invokes workflow "changing 
>>loginname" to jana.svobodova, nothing changes in all other apps
>>3) workflow is approved, loginName is changed in all others apps.
>>Second choice - login is not in authoritative app, login generates in 
>>midPoint:
>>1) user is Jana Novakova, login name jana.novakova is in midPoint and 
>>in all other apps.
>>2) user change last name to Svobodova; last name in midPoint is 
>>changed to Svobodova, midPoint invokes workflow "changing loginname" 
>>to jana.svobodova, nothing changes in all other apps
>>3) workflow is approved, loginName is changed in all others apps.
>>
>>Simpler solution is better solution... :-)
>>
>>Regards!
>>Thanks!
>>
>>Roman Pudil
>>solution architect
>>
>>gsm: [+420] 775 663 666
>>e-mail: roman.pudil at ami.cz
>>
>>
>>AMI Praha a.s.
>>Pláničkova 11
>>162 00 Praha 6
>>tel./fax: [+420] 274 783 239
>>web: www.ami.cz
>>
>>
>>
>>
>>
>>Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za 
>>společnost AMI Praha a.s.
>>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
>>výhradně písemnou formu.
>>
>>
>>
>>------ Původní zpráva ------
>>Od: "Pavol Mederly" <mederly at evolveum.com>
>>Komu: midpoint at lists.evolveum.com
>>Odesláno: 23.2.2016 14:11:29
>>Předmět: Re: [midPoint] Invoke workflow during attribute changing
>>
>>>Hello Roman.
>>>
>>>Current implementation of workflows is aimed towards approving so 
>>>called primary changes - i.e. changes explicitly requested by user 
>>>(via GUI) or external application (via SOAP, REST or Java API). We 
>>>could potentially deal also with changes coming from resources, but 
>>>it is a bit more tricky.
>>>
>>>Before trying to answer your question I'd need to understand it more 
>>>deeply. So, you have an authoritative resource. When a login name 
>>>changes on that resource for an account, currently this change is 
>>>propagated to other resources. And you'd like to be able to control 
>>>this process: i.e. either allow or disallow the change on connected 
>>>resources.
>>>
>>>My questions are:
>>>
>>>1) Do I understand it correctly?
>>>
>>>2) Is the allow/reject decision of "all or nothing" nature, i.e. is 
>>>the login name change either allowed on all resources, or rejected 
>>>for all resources? Or you'd like to be able to say: "allow change on 
>>>resources 1, 2, 3 but not on resources 4, 5, 6" ?
>>>
>>>3) What about reconciliations? Imagine that you rejected a change 
>>>today. But (let's say) tonight there will be another reconciliation 
>>>and the change would pop up again. The workflow would be started 
>>>again, and again it should be either allowed and rejected. And so on, 
>>>and so on - each time when the reconciliation would be run. What to 
>>>do with this?
>>>
>>>Best regards,
>>>Pavol
>>>
>>>On 23.02.2016 13:58, Roman Pudil - AMI Praha a.s. wrote:
>>>>Hi all,
>>>>how to invoke workflow when changing some identity attribute?
>>>>I want invoke workflow in midPoint, during loginname in 
>>>>authoritative resource changing. I don't want to change loginname 
>>>>automaitcally in all connected resources. I want to control it.
>>>>
>>>>Thanks!
>>>>
>>>>Regards
>>>>
>>>>Roman Pudil
>>>>solution architect
>>>>
>>>>gsm: [+420] 775 663 666
>>>>e-mail: roman.pudil at ami.cz
>>>>
>>>>
>>>>AMI Praha a.s.
>>>>Pláničkova 11
>>>>162 00 Praha 6
>>>>tel./fax: [+420] 274 783 239
>>>>web: www.ami.cz
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá 
>>>>za společnost AMI Praha a.s.
>>>>jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít 
>>>>výhradně písemnou formu.
>>>>
>>>>
>>>>
>>>>_______________________________________________ midPoint mailing 
>>>>list 
>>>>midPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>>
>>_______________________________________________ midPoint mailing list 
>>midPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160223/8c07e53c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4060 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160223/8c07e53c/attachment.bin>

More information about the midPoint mailing list