[midPoint] Approval processes in Segregation of Duties

Jeria, Esteban esteban.jeria at cgi.com
Thu Aug 31 20:36:17 CEST 2017


Hi Alex,

I was working on exactly the same feature in the last days, so I tested your code and I found an error in approverRef: the type should be a user

<approverRef oid="(APPROVER OID)"
             relation="org:default"
             type="c:UserType"></approverRef>

otherwise your request goes to nobody. Actually you can probably find them under "Work items / All requests".

Once fixed, the approval workflow works properly.



Esteban Jeria
Conseiller CGI / CGI Consultant

Sécurité - Gestion d'identité et des accès / Security - Identity and Access Management

________________________________
From: Doler, Alexander Earl (LATCO - Buenos Aires) [adoler at deloitte.com]
Sent: August 30, 2017 1:14 PM
To: midPoint General Discussion
Subject: [midPoint] Approval processes in Segregation of Duties

Hello,

I am trying to configure Segregation of Duties in MidPoint so that when incompatible roles are requested, an approval process is triggered. I am able to successfully block assignment of incompatible roles by specifying “<enforcement>” in the policy actions. However, when I replace “enforcement” with “approval,” MidPoint seems to ignore any approval process specified and assigns the role. I noticed the tag “prune” is also ignored when specified here. I am using MidPoint version 3.6.

Here is my code:

   <assignment id="7">
      <policyRule>
         <name>Exclude Role Assignment</name>
         <policyConstraints>
            <exclusion>
               <targetRef oid="(ROLE OID)"
                          relation="org:default"
                          type="c:RoleType"></targetRef>
            </exclusion>
         </policyConstraints>
         <policyActions>
            <approval>
               <compositionStrategy>
                  <order>10</order>
               </compositionStrategy>
               <approvalSchema>
                  <level>
                     <name>Auditing Approval</name>
                     <approverRef oid="(APPROVER OID)"
                                  relation="org:default"
                                  type="c:OrgType"></approverRef>
                     <evaluationStrategy>firstDecides</evaluationStrategy>
                     <groupExpansion>onWorkItemCreation</groupExpansion>
                  </level>
               </approvalSchema>
            </approval>
         </policyActions>
      </policyRule>
   </assignment>

Any thoughts on how to make this work?

Thank you,
Alex
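As an added illustration, not code from this thread or from midPoint itself: a small Python check that parses a policy rule like the one posted above and reports approval levels whose approverRef type is not a user, the condition the reply identifies as sending the request to nobody. It assumes the rule is supplied as a standalone XML fragment without namespace declarations, exactly as quoted in the post; the sample rule embedded below is constructed from that post.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the rule posted in the thread: the
# approverRef still carries the c:OrgType that the reply flagged.
BROKEN_RULE = """
<policyRule>
  <name>Exclude Role Assignment</name>
  <policyConstraints>
    <exclusion>
      <targetRef oid="(ROLE OID)" relation="org:default" type="c:RoleType"/>
    </exclusion>
  </policyConstraints>
  <policyActions>
    <approval>
      <approvalSchema>
        <level>
          <name>Auditing Approval</name>
          <approverRef oid="(APPROVER OID)" relation="org:default" type="c:OrgType"/>
        </level>
      </approvalSchema>
    </approval>
  </policyActions>
</policyRule>
"""

def check_approvers(xml_text, expected_type="c:UserType"):
    """List approval levels whose approverRef would route the request to
    nobody, following the reply's finding that the type must be a user."""
    root = ET.fromstring(xml_text)
    problems = []
    for level in root.iter("level"):
        name = level.findtext("name", default="<unnamed level>")
        refs = level.findall("approverRef")
        if not refs:
            problems.append(f"{name}: no approverRef")
        for ref in refs:
            ref_type = ref.get("type")
            if ref_type != expected_type:
                problems.append(f"{name}: approverRef type {ref_type!r} is not {expected_type!r}")
    return problems

def fix_approver_type(xml_text, expected_type="c:UserType"):
    """Return the rule with every approverRef type set to expected_type."""
    root = ET.fromstring(xml_text)
    for ref in root.iter("approverRef"):
        ref.set("type", expected_type)
    return ET.tostring(root, encoding="unicode")
```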