[midPoint] accessing role (and/or accessing delta and identifying change type and role added) during approverExpression

pdbogen at cernu.us
Mon Sep 19 19:27:18 CEST 2016


Howdy!

I'm working on building up my approval workflow, which will look like this:

* For all role additions,
  * If Administrator is requester, auto-approve (done)
  * Look up user's manager via custom user schema extension attribute, and 
  require their approval (done)
* For sensitive roles,
  * Require approval from one of specific set of users

Because I want this to be based on a role attribute `sensitive` (which I'll 
extend the schema for), I thought I'd implement this as two levels; where the 
second level includes an automaticallyApproved when `sensitive` is NOT set.

This requires me to identify the role that's being changed so that I can 
obtain the value of the extension attribute; but the only documentation I can 
find that discusses the context provided to approval expressions 
(https://wiki.evolveum.com/display/midPoint/Some+examples) lists only `object` 
and `requester` as populated into the script environment.

So the main question, then, is: how can I access information about the role being 
added in an approverExpression?

(Secondary question: can I `induce` an approval schema via a meta-role?)

Thanks!
-- 
             .
Patrick Bogen .
            ...