[midPoint] Approval processes in Segregation of Duties
Doler, Alexander Earl (LATCO - Buenos Aires)
adoler at deloitte.com
Mon Sep 4 14:54:32 CEST 2017
Thanks for your response, Esteban!
Unfortunately, even after changing the approver type to a user and specifying a user's OID, as you suggested, no workflow is started and the incompatible role is still assigned immediately (however, it is important that the approvers eventually be the members of an organization, and not a single user). The problem is that MidPoint seems to be ignoring the reference to the approval altogether, as when I specify "enforcement," it does indeed block the assignment of incompatible roles. Maybe I am missing something further here?
Any ideas?
Regards,
Alex
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Jeria, Esteban
Sent: Thursday, August 31, 2017 3:36 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Approval processes in Segregation of Duties
Hello Alex,
I have been working on exactly the same feature over the last few days, so I tested your code and found an error in approverRef: the type should be a user
    <approverRef oid="(APPROVER OID)"
                 relation="org:default"
                 type="c:UserType"></approverRef>
otherwise your request goes to nobody. Actually, you can probably find them under "Work items / All requests".
Once fixed, the approval workflow works properly.
Esteban Jeria
Conseiller CGI / CGI Consultant
Sécurité - Gestion d'identité et des accès / Security - Identity and Access Management
________________________________
From: Doler, Alexander Earl (LATCO - Buenos Aires) [adoler at deloitte.com]
Sent: August 30, 2017 1:14 PM
To: midPoint General Discussion
Subject: [midPoint] Approval processes in Segregation of Duties
Hello,
I am trying to configure Segregation of Duties in MidPoint so that when incompatible roles are requested, an approval process is triggered. I am able to successfully block assignment of incompatible roles by specifying "<enforcement>" in the policy actions. However, when I replace "enforcement" with "approval," MidPoint seems to ignore any approval process specified and assigns the role. I noticed the tag "prune" is also ignored when specified here. I am using MidPoint version 3.6.
Here is my code:
    <assignment id="7">
        <policyRule>
            <name>Exclude Role Assignment</name>
            <policyConstraints>
                <exclusion>
                    <targetRef oid="(ROLE OID)"
                               relation="org:default"
                               type="c:RoleType"></targetRef>
                </exclusion>
            </policyConstraints>
            <policyActions>
                <approval>
                    <compositionStrategy>
                        <order>10</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <level>
                            <name>Auditing Approval</name>
                            <approverRef oid="(APPROVER OID)"
                                         relation="org:default"
                                         type="c:OrgType"></approverRef>
                            <evaluationStrategy>firstDecides</evaluationStrategy>
                            <groupExpansion>onWorkItemCreation</groupExpansion>
                        </level>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </assignment>
Any thoughts on how to make this work?
Thank you,
Alex