[midPoint] Approval processes in Segregation of Duties

[Doler, Alexander Earl (LATCO - Buenos Aires)]

Thanks for your response, Esteban!

Unfortunately, even after changing the approver type to a user and specifying a user's OID, as you suggested, no workflow is started and the incompatible role is still assigned immediately (however, it is important that the approvers eventually be the members of an organization, and not a single user). The problem is that MidPoint seems to be ignoring reference to the approval altogether, as when I specify "enforcement," it does indeed block the assignment of incompatible roles. Maybe I am missing something further here?

Any ideas?

Regards,
Alex

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Jeria, Esteban
Sent: jueves, 31 de agosto de 2017 3:36 p. m.
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Approval processes in Segregation of Duties


Hola Alex,



I was working on exactly the same feature on last days, so I tested your code and I found an error on approverRef, the type should be an user



<approverRef oid="(APPROVER OID)"
                                  relation="org:default"
                                  type="c:UserType"></approverRef>



otherwise your request goes to nobody. Actually you can probably found them under "Work items / All requests"

Once fixed, the approval workflow works properly.



Esteban Jeria
Conseiller CGI / CGI Consultant

Sécurité - Gestion d'identité et des accès / Security - Identity and Access Management

________________________________
From: Doler, Alexander Earl (LATCO - Buenos Aires) [adoler at deloitte.com]
Sent: August 30, 2017 1:14 PM
To: midPoint General Discussion
Subject: [midPoint] Approval processes in Segregation of Duties
Hello,

I am trying to configure Segregation of Duties in MidPoint so that when incompatible roles are requested, an approval process is triggered. I am able to successfully block assignment of incompatible roles by specifying "<enforcement>" in the policy actions. However, when I replace "enforcement" with "approval," MidPoint seems to ignore any approval process specified and assigns the role. I noticed the tag "prune" is also ignored when specified here. I am using MidPoint version 3.6.

Here is my code:

   <assignment id="7">
      <policyRule>
         <name>Exclude Role Assignment</name>
         <policyConstraints>
            <exclusion>
               <targetRef oid="(ROLE OID)"
                          relation="org:default"
                          type="c:RoleType"></targetRef>
            </exclusion>
         </policyConstraints>
         <policyActions>
            <approval>
               <compositionStrategy>
                  <order>10</order>
               </compositionStrategy>
               <approvalSchema>
                  <level>
                     <name>Auditing Approval</name>
                     <approverRef oid="(APPROVER OID)"
                                  relation="org:default"
                                  type="c:OrgType"></approverRef>
                     <evaluationStrategy>firstDecides</evaluationStrategy>
                     <groupExpansion>onWorkItemCreation</groupExpansion>
                  </level>
               </approvalSchema>
            </approval>
         </policyActions>
      </policyRule>
   </assignment>

Any thoughts on how to make this work?

Thank you,
Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170904/693d94a7/attachment.htm>