[midPoint] Invoke workflow during attribute changing

Pavol Mederly mederly at evolveum.com
Tue Feb 23 16:08:03 CET 2016


Yes. That was an attempt to show an example of what an 'attribute changing 
aspect' could look like.
The GUI should be somehow hackable through QuestionForm and related 
prism objects, but it is quite ugly. (That's why I'm reworking it now.)

Hopefully 3.4 would be either released or at least working well enough 
to be used when deployment is due. :)

Best regards,
Pavol

On 23.02.2016 15:58, Roman Pudil - AMI Praha a.s. wrote:
> Hi Pavol,
> thanks!
> I tried ChangePassword Aspect (published somewhere in examples), it is 
> very close to changing aspect. Creating workflow works fine, but it 
> seems, that other steps - code around approval GUI - are missing.
> Now I analyze processes for customer, the planned deployment is around 
> 2 months.
> Thanks!
> Regards
>
> Roman Pudil
> solution architect
>
> gsm: [+420] 775 663 666
> e-mail: roman.pudil at ami.cz
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel./fax: [+420] 274 783 239
> web: www.ami.cz
>
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> By the text of this e-mail, the signatory neither promises to conclude 
> nor concludes any contract on behalf of AMI Praha a.s. Any contract, 
> if concluded, must be exclusively in written form.
>
> ------ Original message ------
> From: "Pavol Mederly" <mederly at evolveum.com>
> To: midpoint at lists.evolveum.com
> Sent: 23.2.2016 14:52:17
> Subject: Re: [midPoint] Invoke workflow during attribute changing
>> From the point of view of the workflow module, the second option is much 
>> easier to implement. The only thing to do is to create a so-called "change 
>> aspect" - a piece of code that detects that the login name attribute 
>> is to be changed. Currently we have a lot of ready-made "change 
>> aspects" for detecting assignment creation/modification, object 
>> creation etc. (see 
>> https://wiki.evolveum.com/display/midPoint/Workflow+configuration) 
>> but this one is not there yet.
>>
>> Workflow module is designed so that customers/partners can add their 
>> own change aspects, so it would not be a big problem.
>>
>> However, as currently I'm reworking GUI for approvals anyway, I can 
>> implement also this change aspect. I think it's generally useful 
>> (when made configurable e.g. to choose what are the 'critical' 
>> attributes to watch), and quite easy to do.
>>
>> In what time frame do you need this feature? It should be part of 
>> 3.4, to be out this spring.
>>
>> Best regards,
>> Pavol
>>
>>
>> On 23.02.2016 14:40, Roman Pudil - AMI Praha a.s. wrote:
>>> Hi Pavol,
>>> first thing - thanks for very very quick answer! :-)
>>> Yes, you understand it correctly. LoginName in authoritative app is 
>>> not necessary, it's only one of the possibilities - see later.
>>> I have two ideas - see scenarios:
>>> First choice - login is in authoritative app:
>>> 1) user is Jana Novakova, login name jana.novakova is in 
>>> authoritative app, in midPoint and in all other apps.
>>> 2) user changes last name to Svobodova; loginname in authoritative 
>>> app is changed to jana.svobodova, midPoint invokes workflow 
>>> "changing loginname" to jana.svobodova, nothing changes in all other 
>>> apps
>>> 3) workflow is approved, loginName is changed in all other apps.
>>> Second choice - login is not in authoritative app, login is generated 
>>> in midPoint:
>>> 1) user is Jana Novakova, login name jana.novakova is in midPoint 
>>> and in all other apps.
>>> 2) user changes last name to Svobodova; last name in midPoint is 
>>> changed to Svobodova, midPoint invokes workflow "changing loginname" 
>>> to jana.svobodova, nothing changes in all other apps
>>> 3) workflow is approved, loginName is changed in all other apps.
>>> Simpler solution is better solution... :-)
>>> Regards!
>>> Thanks!
>>>
>>> Roman Pudil
>>> solution architect
>>>
>>> ------ Original message ------
>>> From: "Pavol Mederly" <mederly at evolveum.com>
>>> To: midpoint at lists.evolveum.com
>>> Sent: 23.2.2016 14:11:29
>>> Subject: Re: [midPoint] Invoke workflow during attribute changing
>>>> Hello Roman.
>>>>
>>>> Current implementation of workflows is aimed towards approving so 
>>>> called primary changes - i.e. changes explicitly requested by user 
>>>> (via GUI) or external application (via SOAP, REST or Java API). We 
>>>> could potentially deal also with changes coming from resources, but 
>>>> it is a bit more tricky.
>>>>
>>>> Before trying to answer your question I'd need to understand it 
>>>> more deeply. So, you have an authoritative resource. When a login 
>>>> name changes on that resource for an account, currently this change 
>>>> is propagated to other resources. And you'd like to be able to 
>>>> control this process: i.e. either allow or disallow the change on 
>>>> connected resources.
>>>>
>>>> My questions are:
>>>>
>>>> 1) Do I understand it correctly?
>>>>
>>>> 2) Is the allow/reject decision of "all or nothing" nature, i.e. is 
>>>> the login name change either allowed on all resources, or rejected 
>>>> for all resources? Or you'd like to be able to say: "allow change 
>>>> on resources 1, 2, 3 but not on resources 4, 5, 6" ?
>>>>
>>>> 3) What about reconciliations? Imagine that you rejected a change 
>>>> today. But (let's say) tonight there will be another reconciliation 
>>>> and the change would pop up again. The workflow would be started 
>>>> again, and again it should be either allowed or rejected. And so 
>>>> on, and so on - each time when the reconciliation would be run. 
>>>> What to do with this?
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>> On 23.02.2016 13:58, Roman Pudil - AMI Praha a.s. wrote:
>>>>> Hi all,
>>>>> how to invoke workflow when changing some identity attribute?
>>>>> I want to invoke a workflow in midPoint when the loginname in the 
>>>>> authoritative resource changes. I don't want to change loginname 
>>>>> automatically in all connected resources. I want to control it.
>>>>> Thanks!
>>>>> Regards
>>>>>
>>>>> Roman Pudil
>>>>> solution architect
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint