[midPoint] org approver usage in workflow

Pavol Mederly mederly at evolveum.com
Tue Mar 21 11:11:52 CET 2017


Hello Oskar,

currently I can think of only two solutions:

 1. using approverExpression, as you mentioned;
 2. using global policy rules.

Each global policy rule has two selectors that drive its application: 
focusSelector and targetSelector. In your case, targetSelector should 
point to the role(s) that have to be approved. And focusSelector should 
point to the user(s) to which the role is to be assigned. One of the 
possibilities for selecting objects is using organization membership, so 
this is applicable to your situation.

The disadvantage of using global policy rules is that you have to use 
one such rule for each approver. And you have to duplicate the approval 
action information (or use some advanced composition techniques to mix 
"bare" approval action information containing only the approverRef with 
all the common settings that would come through another assignment 
policy rule).

But, overall, your use case of defining an approver for requester's org 
membership is interesting. You might create a jira for that. However, in 
the current rush it is not very likely we'd be able to implement it in 3.6.

Best regards,

Pavol Mederly
Software developer
evolveum.com
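
The second option in the reply above (one global policy rule per approver, chosen by the organization of the user receiving the role), sketched as an added example that is not part of the original message or of the midPoint project's own configuration. The role OID and the first org OID are taken from the quoted configuration below; the approver OIDs and the second org OID are placeholders, and every element name other than focusSelector, targetSelector and approverRef is an assumption to check against the schema of your midPoint version.

```xml
<!-- Added illustration: fragment of the system configuration object, other elements omitted. -->
<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">

    <!-- Rule for users who are members of the first organization. -->
    <globalPolicyRule>
        <name>role-approval-org-A</name>
        <policyConstraints>
            <assignment/>
        </policyConstraints>
        <policyActions>
            <approval>
                <!-- Placeholder: OID of the approver for this organization. -->
                <approverRef oid="APPROVER-A-OID-PLACEHOLDER" type="UserType"/>
            </approval>
        </policyActions>
        <!-- focusSelector: the user(s) to whom the role is being assigned. -->
        <focusSelector>
            <type>UserType</type>
            <orgRef oid="daf3c536-817f-460a-b2b4-a243e3ac8db5"/>
        </focusSelector>
        <!-- targetSelector: the role(s) whose assignment must be approved. -->
        <targetSelector>
            <type>RoleType</type>
            <filter>
                <q:inOid><q:value>e19d0f9f-7c57-4597-94a1-6e1de6676db9</q:value></q:inOid>
            </filter>
        </targetSelector>
    </globalPolicyRule>

    <!-- Same role, second organization: the whole rule is repeated with a different approver. -->
    <globalPolicyRule>
        <name>role-approval-org-B</name>
        <policyConstraints>
            <assignment/>
        </policyConstraints>
        <policyActions>
            <approval>
                <approverRef oid="APPROVER-B-OID-PLACEHOLDER" type="UserType"/>
            </approval>
        </policyActions>
        <focusSelector>
            <type>UserType</type>
            <orgRef oid="ORG-B-OID-PLACEHOLDER"/>
        </focusSelector>
        <targetSelector>
            <type>RoleType</type>
            <filter>
                <q:inOid><q:value>e19d0f9f-7c57-4597-94a1-6e1de6676db9</q:value></q:inOid>
            </filter>
        </targetSelector>
    </globalPolicyRule>
</systemConfiguration>
```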

On 20.03.2017 15:53, Oskar Butovič - AMI Praha a.s. wrote:
> Hello everybody,
>
> I need to define approver for role by org structure.
>
> Users from each organization subtree have different approver for same 
> role.
>
> Can it be done by org:approver? Following configuration ignores 
> organization membership of user which requests approved role.
>
> I have assignment on my approver:
> <assignment id="3">
>     <metadata>
>         <requestTimestamp>2017-03-20T14:38:40.330+01:00</requestTimestamp>
>         <requestorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!--  --></requestorRef>
>         <createTimestamp>2017-03-20T14:38:41.434+01:00</createTimestamp>
>         <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!--  --></creatorRef>
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</createChannel>
>     </metadata>
>     <targetRef xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>                oid="e19d0f9f-7c57-4597-94a1-6e1de6676db9"
>                relation="org:approver"
>                type="c:RoleType"><!--  --></targetRef>
>     <activation>
>         <effectiveStatus>enabled</effectiveStatus>
>     </activation>
>     <orgRef oid="daf3c536-817f-460a-b2b4-a243e3ac8db5" type="c:OrgType"><!--  --></orgRef>
> </assignment>
> ------------------------------------------------------------------------------------------------
>
> Next I have configured metarole and assigned it to role 
> e19d0f9f-7c57-4597-94a1-6e1de6676db9. Metarole:
> <role xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:gen45="http://prism.evolveum.com/xml/ns/public/debug"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       oid="org-approver-approved-meta-role" version="10"
>       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>     <name>Org Approver Approved Role</name>
>     <inducement>
>         <policyRule>
>             <policyConstraints>
>                 <assignment/>
>             </policyConstraints>
>             <policyActions>
>                 <approval>
>                     <compositionStrategy>
>                         <order>40</order>
>                     </compositionStrategy>
>                     <approvalSchema>
>                         <level>
>                             <name>Org Approvers</name>
>                             <approverRelation>approver</approverRelation>
>                             <evaluationStrategy>firstDecides</evaluationStrategy>
>                         </level>
>                     </approvalSchema>
>                 </approval>
>             </policyActions>
>         </policyRule>
>     </inducement>
> </role>
> ------------------------------------------------------------------------------------------------
>
> This seems to ignore orgRef in assignment. When I try 
> <approverRelation>org:approver</approverRelation> midpoint thinks that 
> org: is namespace prefix. (Undeclared namespace prefix 'org' in 
> 'org:approver'). Is there any configurational way around or do I have 
> to make approverExpression script?
>
>
> Best Regards
>
> Oskar Butovič
>