[midPoint] accessing role (and/or accessing delta and identifying change type and role added) during approverExpression
Pavol Mederly
mederly at evolveum.com
Tue Sep 20 23:37:46 CEST 2016
Hello Patrick,
you are correct; for "assignment-related" approvals the target variable
is what you need. I'll update the wiki page.
As for the metarole, you can try this:
<role oid="8e42a67e-2203-4c6a-ae1f-bd5bb97fa698"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Approvals metarole</name>
    <inducement id="1">
        <focusMappings>
            <mapping>
                <strength>strong</strength>
                <expression>
                    <value>
                        <name>Sample Complex Schema 1</name>
                        <description>A sample complex approval schema, involving the security administrator</description>
                        <level>
                            <name>Bosses</name>
                            <description>At this level, either one of the company directors has to approve the assignment.</description>
                            <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252" type="UserType">
                                <description>Big boss #1 approval</description>
                            </approverRef>
                            <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb" type="UserType">
                                <description>Big boss #2 approval</description>
                            </approverRef>
                            <evaluationStrategy>firstDecides</evaluationStrategy>
                        </level>
                        <level>
                            <name>Administrators</name>
                            <description>At this level, system administrator as well as security manager must approve.</description>
                            <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType">
                                <description>Administrator approval</description>
                            </approverRef>
                            <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c" type="UserType">
                                <description>Security Manager approval</description>
                            </approverRef>
                            <evaluationStrategy>allMustApprove</evaluationStrategy>
                        </level>
                    </value>
                </expression>
                <target>
                    <path>approvalSchema</path>
                </target>
            </mapping>
        </focusMappings>
    </inducement>
</role>
After assigning this metarole to any role R1 and recomputing R1, the
role R1 gets approvalSchema from the metarole.
Note that each change in metarole should be followed by recomputation of
affected roles.
Best regards,
Pavol Mederly
Software developer
evolveum.com
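
An added example, not part of the original message and not midPoint code: a short Python audit of an approval schema shaped like the metarole above. It reports, per level, the evaluationStrategy and the number of static approvers, and flags levels that one decision settles or that list the administrator OID seen in this thread. The XML is a constructed, trimmed copy of the posted metarole (descriptions dropped); the function name and finding texts are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
# OID that the thread's variable dump shows for the "administrator" user.
ADMIN_OID = "00000000-0000-0000-0000-000000000002"

# Constructed sample: trimmed copy of the metarole posted above.
METAROLE_XML = """
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Approvals metarole</name>
  <inducement><focusMappings><mapping><expression><value>
    <level>
      <name>Bosses</name>
      <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252" type="UserType"/>
      <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb" type="UserType"/>
      <evaluationStrategy>firstDecides</evaluationStrategy>
    </level>
    <level>
      <name>Administrators</name>
      <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
      <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c" type="UserType"/>
      <evaluationStrategy>allMustApprove</evaluationStrategy>
    </level>
  </value></expression>
  <target><path>approvalSchema</path></target></mapping></focusMappings></inducement>
</role>
"""

def audit_levels(xml_text, admin_oid=ADMIN_OID):
    """Summarise each approval level and flag ones that deserve a second look."""
    root = ET.fromstring(xml_text)
    report = []
    for level in root.iterfind(".//c:level", NS):
        oids = [ref.get("oid") for ref in level.findall("c:approverRef", NS)]
        strategy = level.findtext("c:evaluationStrategy", default="(unset)", namespaces=NS)
        findings = []
        if strategy == "firstDecides" and len(oids) > 1:
            findings.append("one decision from any listed approver settles this level")
        if admin_oid in oids:
            findings.append("administrator account is a static approver")
        if not oids and level.find("c:approverExpression", NS) is None:
            findings.append("no approverRef or approverExpression")
        report.append({"level": level.findtext("c:name", default="", namespaces=NS),
                       "strategy": strategy, "approvers": len(oids), "findings": findings})
    return report

if __name__ == "__main__":
    for row in audit_levels(METAROLE_XML):
        print(row)
```

Because the metarole pushes the same schema into every role it is assigned to, a finding here applies to all of those roles after they are recomputed.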
On 20.09.2016 18:59, pdbogen at cernu.us wrote:
> I answered my own question here, at least the first part.
>
> It turns out I can iterate through this.binding.variables, like so:
>
>     this.binding.variables.each { k, v ->
>         log.error( '{} = {}', k, v )
>     }
>
> This results in:
>
> requester = user:00000000-0000-0000-0000-000000000002(administrator)
> actor = user:00000000-0000-0000-0000-000000000002(administrator)
> log = com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions@94e81ac
> objectDelta = ObjectDelta(UserType:fdab341e-862f-4550-ad00-05b21f70b3cd,MODIFY: ContainerDelta( / {.../common/common-3}assignment, ADD))
> context = javax.script.SimpleScriptContext@1ea75835
> midpoint = com.evolveum.midpoint.model.impl.expr.MidpointFunctionsImpl@27aa6baa
> basic = com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions@54456a85
> object = user:fdab341e-862f-4550-ad00-05b21f70b3cd(mark)
> target = role:082e00c2-4f33-4d69-ba13-498a3f006e4b(active)
> out = java.io.PrintWriter@297bc240
>
> ..and so it looks like I'll be able to use `target` to make the decisions I
> want.
>
> Still not sure about whether I can induce different schema, but hopefully this
> knowledge will be useful for others.
>
> Can we update the wiki page
> (https://wiki.evolveum.com/display/midPoint/Some+examples) to fully describe
> the context available to approver expressions?
>
> Thanks!
> - Patrick
>
> On Mon, Sep 19, 2016 at 10:27:18AM -0700, pdbogen at cernu.us wrote:
>> Howdy!
>>
>> I'm working on building up my approval workflow, which will look like this:
>>
>> * For all role additions,
>> * If Administrator is requester, auto-approve (done)
>> * Look up user's manager via custom user schema extension attribute, and
>> require their approval (done)
>> * For sensitive roles,
>> * Require approval from one of specific set of users
>>
>> Because I want this to be based on a role attribute `sensitive` (which I'll
>> extend the schema for), I thought I'd implement this as two levels; where the
>> second level includes an automaticallyApproved when `sensitive` is NOT set.
>>
>> This requires me to identify the role that's being changed so that I can
>> obtain the value of the extension attribute; but the only documentation I can
>> find that discusses the context provided to approval expressions
>> (https://wiki.evolveum.com/display/midPoint/Some+examples) lists only `object`
>> and `requester` as populated into the script environment.
>>
>> So main question then, is- how can I access information about the role being
>> added in an approverExpression?
>>
>> (Secondary question- can I `induce` an approval schema via a meta-role?)
>>
>> Thanks!
>> --
>> .
>> Patrick Bogen .
>> ...