[midPoint] workflow - approvers approving - midpoint 3.5.1

Oskar Butovič - AMI Praha a.s. oskar.butovic at ami.cz
Fri Apr 7 09:49:55 CEST 2017 

Hello Pavol,

I have tested it today on midpoint 3.5.1 and it worked perfectly. Approver
relation assignments are not checked by workflow and memeber ones are
checked by policy rules.

<useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
 <useLegacyApproversSpecification>never</useLegacyApproversSpecification>

did the trick.

Thanks a lot.

Best Regards

Oskar Butovi4

2017-04-06 16:20 GMT+02:00 Pavol Mederly <mederly at evolveum.com>:

> Although setting useLegacyApproversSpecification to "never" is
> recommended (after you decided to use policy rules to drive approvals), it
> will most probably not help in this case. I'd suggest setting
> useDefaultApprovalPolicyRules to "never" as well, although it will not
> probably help.
>
> The problem is deep in the midPoint code, where assignments are evaluated.
> I have fixed it for 3.6, but it would be very hard to backport the fix to
> 3.5.x.
>
> What exactly are you trying to achieve? Maybe we could find some
> alternative way.
>
> Pavol Mederly
> Software developerevolveum.com
>
> On 06.04.2017 16:02, Oskar Butovič - AMI Praha a.s. wrote:
>
> Hello Pavol,
>
> I Use policy rules. Follows example of one of my workflow roles.
>
> I have not set anything regarding  legacy approvers and default approval
> policy rules. So this behaviour would stop if i set
> useLegacyApproversSpecification to never?
>
> ------------------------------------------------------------
> ----------------
> <role xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/
> common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/
> common/common-3" xmlns:gen45="http://prism.evolveum.com/xml/ns/public/
> debug" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/
> connector/icf-1/resource-schema-3" xmlns:q="http://prism.
> evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.
> evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.
> evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/
> 2001/XMLSchema-instance"
> oid="refused-meta-role" version="10" xmlns="http://midpoint.
> evolveum.com/xml/ns/public/common/common-3">
>     <name>Refused Role</name>
>     <inducement>
>         <policyRule>
>             <policyConstraints>
>                 <assignment/>
>             </policyConstraints>
>             <policyActions>
>                 <approval>
>                     <compositionStrategy>
>                         <order>2</order>
>                     </compositionStrategy>
>                     <approvalSchema>
>                         <level>
>                             <name>Automatic refusal</name>
>                             <approverExpression>
>                                 <script>
>                                     <code>
>                                 log.warn("approving new role with
> undefined workflow for user: " + serachedUser.getName() + " automatically
> refusing.");
>                                 //TODO zastavit approve process v 3.5.1
> bude mozne pouzit outcomeIfNoApprovers
>                                 return "workflow-refuser-user";
>                                     </code>
>                                 </script>
>                             </approverExpression>
>                             <evaluationStrategy>firstDecides</
> evaluationStrategy>
>                         </level>
>                     </approvalSchema>
>                 </approval>
>             </policyActions>
>         </policyRule>
>     </inducement>
> </role>
> --------------------------------------------------------------------
>
>
> Best regards
>
> Oskar Butovič
>
> 2017-04-06 15:30 GMT+02:00 Pavol Mederly <mederly at evolveum.com>:
>
>> Hello Oskar,
>>
>> how are your approvals set up? Do you use policy rules? What are your
>> settings regarding legacy approvers and default approval policy rules? (see
>> https://wiki.evolveum.com/pages/viewpage.action?pageId=24084761).
>>
>> Because, unfortunately, there are some problems with policy-based
>> approvals for non-default relations in 3.5.x (see MID-3799, #1).
>>
>> Pavol Mederly
>> Software developerevolveum.com
>>
>> On 06.04.2017 15:12, Oskar Butovič - AMI Praha a.s. wrote:
>>
>> Hello everybody,
>>
>> I have stumbled across some strange approval workflow behaviour.
>>
>> When I am assigning roles with relation member everything works fine,
>> exactly as configured.
>>
>> But when i try to assign members weird stuff starts to happen.
>> Example:
>> - no or any workflow is configured for role via assigned metaroles
>> 1) I assign role R1 as approver to user U1
>>     a) everything executes ok and role is assigned as approver relation
>> 2) I assign role R1 as approver to user U2
>>     a) midpoint ignores any workflow configured on metaroles
>> (approverExpressions are not executed at all)
>>     b) approval task for user U1 is created.
>>
>> Why this might happen and how it could be changed? Part 2.b is especially
>> bothersome. It might cause that confusing workflow notifications are sent
>> during initial or following workflow approver configuration.
>>
>> Best Regards
>>
>> Oskar Butovič
>>
>> --
>>
>> Oskar Butovič
>> solution architect
>>
>> gsm: [+420] 774 480 101 <+420%20774%20480%20101>
>> e-mail: oskar.butovic at ami.cz
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>> web: www.ami.cz
>>
>>
>> [image: AMI Praha a.s.]
>>
>> [image: AMI Praha a.s.]
>> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
>> písemnou formu.
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> _______________________________________________ midPoint mailing list
>> midPoint at lists.evolveum.com http://lists.evolveum.com/mail
>> man/listinfo/midpoint
>
> --
>
> Oskar Butovič solution architect gsm: [+420] 774 480 101
> <+420%20774%20480%20101> e-mail: oskar.butovic at ami.cz
>
>
> AMI Praha a.s. Pláničkova 11 162 00 Praha 6 tel.: [+420] 274 783 239
> <+420%20274%20783%20239> web: www.ami.cz
>
>
> [image: AMI Praha a.s.]
> [image: AMI Praha a.s.]
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s. jakoukoliv smlouvu. Každá smlouva, pokud bude
> uzavřena, musí mít výhradně písemnou formu.
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


[image: AMI Praha a.s.]

[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170407/5cb015d8/attachment.htm>

More information about the midPoint mailing list