[midPoint] org approver usage in workflow
Oskar Butovič - AMI Praha a.s.
oskar.butovic at ami.cz
Mon Mar 20 15:53:10 CET 2017
Hello everybody,
I need to define approver for role by org structure.
Users from each organization subtree have different approver for same role.
Can it be done by org:approver? Following configuration ignores
organization membership of user which requests approved role.
I have assignment on my approver:
<assignment id="3">
<metadata>
<requestTimestamp>2017-03-20T14:38:40.330+01:00</requestTimestamp>
<requestorRef oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"><!-- --></requestorRef>
<createTimestamp>2017-03-20T14:38:41.434+01:00</createTimestamp>
<creatorRef oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"><!-- --></creatorRef>
<createChannel>
http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user
</createChannel>
</metadata>
<targetRef xmlns:org="
http://midpoint.evolveum.com/xml/ns/public/common/org-3"
oid="e19d0f9f-7c57-4597-94a1-6e1de6676db9"
relation="org:approver"
type="c:RoleType"><!-- --></targetRef>
<activation>
<effectiveStatus>enabled</effectiveStatus>
</activation>
<orgRef oid="daf3c536-817f-460a-b2b4-a243e3ac8db5"
type="c:OrgType"><!-- --></orgRef>
</assignment>
------------------------------------------------------------------------------------------------
Next i have configured metarole and assigned it to role
e19d0f9f-7c57-4597-94a1-6e1de6676db9 . Metarole:
<role xmlns:apti="
http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="
http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:gen45="
http://prism.evolveum.com/xml/ns/public/debug" xmlns:icfs="
http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="
http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="
http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
oid="org-approver-approved-meta-role" version="10" xmlns="
http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<name>Org Approver Approved Role</name>
<inducement>
<policyRule>
<policyConstraints>
<assignment/>
</policyConstraints>
<policyActions>
<approval>
<compositionStrategy>
<order>40</order>
</compositionStrategy>
<approvalSchema>
<level>
<name>Org Approvers</name>
<approverRelation>approver</approverRelation>
<evaluationStrategy>firstDecides</evaluationStrategy>
</level>
</approvalSchema>
</approval>
</policyActions>
</policyRule>
</inducement>
</role>
------------------------------------------------------------------------------------------------
This seems to ignore orgRef in assignment. When I try
<approverRelation>org:approver</approverRelation> midpoint thinks that org:
is namespace prefix. (Undeclared namespace prefix 'org' in 'org:approver').
Is there any configurational way aroud or do I have to
make approverExpression script?
Best Regards
Oskar Butovič
--
Oskar Butovič
solution architect
gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
[image: AMI Praha a.s.]
[image: AMI Praha a.s.]
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170320/4d028231/attachment.htm>
More information about the midPoint
mailing list