[midPoint] accessing role (and/or accessing delta and identifying change type and role added) during approverExpression

pdbogen at cernu.us pdbogen at cernu.us
Tue Sep 20 18:59:38 CEST 2016


I answered my own question here, at least the first part.

It turns out I can iterate through this.binding.variables, like so:

  this.binding.variables.each { k,v ->
    log.error( '{} = {}', k, v )
  }

This results in:

  requester = user:00000000-0000-0000-0000-000000000002(administrator)
  actor = user:00000000-0000-0000-0000-000000000002(administrator)
  log = com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions@94e81ac
  objectDelta = ObjectDelta(UserType:fdab341e-862f-4550-ad00-05b21f70b3cd,MODIFY: ContainerDelta( / {.../common/common-3}assignment, ADD))
  context = javax.script.SimpleScriptContext@1ea75835
  midpoint = com.evolveum.midpoint.model.impl.expr.MidpointFunctionsImpl@27aa6baa
  basic = com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions@54456a85
  object = user:fdab341e-862f-4550-ad00-05b21f70b3cd(mark)
  target = role:082e00c2-4f33-4d69-ba13-498a3f006e4b(active)
  out = java.io.PrintWriter@297bc240

..and so it looks like I'll be able to use `target` to make the decisions I 
want.

Still not sure about whether I can induce different schema, but hopefully this 
knowledge will be useful for others.

Can we update the wiki page 
(https://wiki.evolveum.com/display/midPoint/Some+examples) to fully describe 
the context available to approver expressions?

Thanks!
- Patrick

On Mon, Sep 19, 2016 at 10:27:18AM -0700, pdbogen at cernu.us wrote:
> Howdy!
> 
> I'm working on building up my approval workflow, which will look like this:
> 
> * For all role additions,
>   * If Administrator is requester, auto-approve (done)
>   * Look up user's manager via custom user schema extension attribute, and 
>   require their approval (done)
> * For sensitive roles,
>   * Require approval from one of specific set of users
> 
> Because I want this to be based on a role attribute `sensitive` (which I'll 
> extend the schema for), I thought I'd implement this as two levels; where the 
> second level includes an automaticallyApproved when `sensitive` is NOT set.
> 
> This requires me to identify the role that's being changed so that I can 
> obtain the value of the extension attribute; but the only documentation I can 
> find that discusses the context provided to approval expressions 
> (https://wiki.evolveum.com/display/midPoint/Some+examples) lists only `object` 
> and `requester` as populated into the script environment.
> 
> So main question then, is- how can I access information about the role being 
> added in an approverExpression?
> 
> (Secondary question- can I `induce` an approval schema via a meta-role?)
> 
> Thanks!
> -- 
>              .
> Patrick Bogen .
>             ...



-- 
             .
Patrick Bogen .
            ...
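
A sketch of the second-level `automaticallyApproved` decision built on the `target` variable found above, added here as an example and not code from the post or from midPoint. `StubRole`, its `sensitive` field, `runExpression` and the placeholder OIDs are constructed stand-ins for the real role object and extension lookup, and treating a missing `target` as "approval required" is an assumption.

```groovy
// Constructed stand-in for the role object midPoint places in `target`.
// `sensitive` models the planned extension attribute; the real lookup differs.
class StubRole {
    String oid, name
    Boolean sensitive
    String toString() { "role:${oid}(${name})" }
}

// Expression body as it might appear in automaticallyApproved for level two.
// It reads its inputs from the script binding, the same place the post's
// this.binding.variables loop found them.
def expression = '''
    def vars = binding.variables
    // Fail closed: if the role cannot be identified, do not skip the approval.
    if (!vars.containsKey('target') || vars.target == null) return false
    // Auto-approve only when `sensitive` is unset or false.
    return !(vars.target.sensitive ?: false)
'''

// Evaluate the expression with a hand-built binding, standing in for the
// variables the workflow engine would populate.
def runExpression = { Map vars ->
    new GroovyShell(new Binding(vars)).evaluate(expression)
}

// Constructed sample values; OIDs are placeholders.
def admin  = 'user:<requester-oid>(administrator)'
def plain  = new StubRole(oid: '<role-oid-1>', name: 'active')
def secret = new StubRole(oid: '<role-oid-2>', name: 'payroll-admin', sensitive: true)

// Non-sensitive role: second level is skipped.
assert runExpression(requester: admin, target: plain) == true
// Sensitive role: second level must collect an approval.
assert runExpression(requester: admin, target: secret) == false
// No target in the binding: approval is still required.
assert runExpression(requester: admin) == false

println 'all checks passed'
```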