[midPoint] Approval processes in Segregation of Duties

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Wed Sep 6 19:59:31 CEST 2017


This is how we (successfully) use SoD rules in mp 3.6 in production:

*Global policy rule in system configuration:*
- Approvers are all users in SoD Approvers organization

<globalPolicyRule>
  <name>Segregation of Duties (SoD) approval</name>
  <policyConstraints>
    <situation>
      <situation>http://midpoint.evolveum.com/xml/ns/public/model/policy/situation#exclusionViolation</situation>
    </situation>
  </policyConstraints>
  <policyActions>
    <approval>
      <compositionStrategy>
        <order>30</order>
      </compositionStrategy>
      <approvalSchema>
        <level>
          <name>SoD</name>
          <approverRef type="OrgType">
            <filter>
              <q:equal>
                <q:path>name</q:path>
                <q:value>SoD Approvers</q:value>
              </q:equal>
            </filter>
            <resolutionTime>run</resolutionTime>
          </approverRef>
          <evaluationStrategy>firstDecides</evaluationStrategy>
          <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
          <groupExpansion>onWorkItemCreation</groupExpansion>
        </level>
      </approvalSchema>
    </approval>
  </policyActions>
  <focusSelector>
    <type>UserType</type>
  </focusSelector>
  <targetSelector>
    <type>RoleType</type> <!-- no need to filter on roleType, as each role has to have SoD defined -->
  </targetSelector>
</globalPolicyRule>

Then each role (let's say RoleA, RoleB) has to have mutual exclusivity:

*RoleA contains:*
<assignment id="1">
  <policyRule>
    <policyConstraints>
      <exclusion>
        <targetRef type="c:RoleType">
          <filter>
            <q:equal>
              <q:path>c:name</q:path>
              <q:value>RoleB</q:value>
            </q:equal>
          </filter>
        </targetRef>
      </exclusion>
    </policyConstraints>
    <policyActions>
    </policyActions>
  </policyRule>
</assignment>

*RoleB contains:*
<assignment id="1">
  <policyRule>
    <policyConstraints>
      <exclusion>
        <targetRef type="c:RoleType">
          <filter>
            <q:equal>
              <q:path>c:name</q:path>
              <q:value>RoleA</q:value>
            </q:equal>
          </filter>
        </targetRef>
      </exclusion>
    </policyConstraints>
    <policyActions>
    </policyActions>
  </policyRule>
</assignment>

To see your SoD rules at work you need to use the shopping cart (Request role
menu).

M.

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz




By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded,
must be made exclusively in written form.
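The pattern above only works as intended if the exclusion is declared on both roles of every incompatible pair. The following script is an added example (not code from this thread or from the midPoint project) that parses role definition XML, collects each role's exclusion targets (the name-based q:equal filter used above, or a targetRef oid) and reports pairs declared in only one direction, plus targets that name no known role. Elements are matched by local name, so the namespace URIs in the constructed sample are assumptions needed only to make the sample well-formed; the role names, oids and the hypothetical RoleC/RoleX are constructed.

```python
"""Symmetry check for midPoint SoD exclusion rules (added example, not from
the thread or the midPoint project)."""
import xml.etree.ElementTree as ET

# Namespace declarations for the constructed sample (assumed midPoint 3.x URIs;
# the checker itself ignores namespaces and matches elements by local name).
NS_DECL = ('xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
           'xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
           'xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"')


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit('}', 1)[-1]


def parse_role(xml_text):
    """Return (role name, role oid, set of exclusion targets).

    A target is the role name from a <q:equal> filter on the name path, or
    'oid:<oid>' when the targetRef carries an oid attribute instead."""
    root = ET.fromstring(xml_text)
    name = next((c.text.strip() for c in root if _local(c.tag) == 'name'), None)
    targets = set()
    for excl in root.iter():
        if _local(excl.tag) != 'exclusion':
            continue
        for ref in excl.iter():
            if _local(ref.tag) != 'targetRef':
                continue
            if ref.get('oid'):
                targets.add('oid:' + ref.get('oid'))
                continue
            for eq in ref.iter():
                if _local(eq.tag) != 'equal':
                    continue
                path = value = None
                for part in eq:
                    if _local(part.tag) == 'path':
                        path = (part.text or '').strip()
                    elif _local(part.tag) == 'value':
                        value = (part.text or '').strip()
                # 'c:name' and 'name' both select the role name
                if path and path.split(':')[-1] == 'name' and value:
                    targets.add(value)
    return name, root.get('oid'), targets


def check_mutual_exclusions(role_docs):
    """Return (missing, unknown) as sorted lists of tuples.

    missing: (role, target) where target excludes role but role does not
             exclude target back, i.e. the declaration role should add.
    unknown: (role, target) where target matches no parsed role."""
    parsed = [parse_role(doc) for doc in role_docs]
    oid_to_name = {oid: name for name, oid, _ in parsed if oid}
    excludes = {}
    for name, _, targets in parsed:
        # resolve oid-based targets to names where the role is known
        excludes[name] = {oid_to_name.get(t[4:], t) if t.startswith('oid:') else t
                          for t in targets}
    missing, unknown = [], []
    for name, targets in excludes.items():
        for target in targets:
            if target not in excludes:
                unknown.append((name, target))
            elif name not in excludes[target]:
                missing.append((target, name))
    return sorted(missing), sorted(unknown)


def role_xml(name, oid, excluded):
    """Constructed sample role in the shape used in the thread."""
    rules = ''.join(f'''
  <assignment id="{i}">
    <policyRule>
      <policyConstraints>
        <exclusion>
          <targetRef type="c:RoleType">
            <filter>
              <q:equal>
                <q:path>c:name</q:path>
                <q:value>{target}</q:value>
              </q:equal>
            </filter>
          </targetRef>
        </exclusion>
      </policyConstraints>
    </policyRule>
  </assignment>''' for i, target in enumerate(excluded, start=1))
    return f'<role oid="{oid}" {NS_DECL}>\n  <name>{name}</name>{rules}\n</role>'


# Constructed sample: A<->B is symmetric, C->A is one-sided, B->X names no role.
SAMPLE_ROLES = [
    role_xml('RoleA', 'aaaaaaaa-0000-0000-0000-000000000001', ['RoleB']),
    role_xml('RoleB', 'aaaaaaaa-0000-0000-0000-000000000002', ['RoleA', 'RoleX']),
    role_xml('RoleC', 'aaaaaaaa-0000-0000-0000-000000000003', ['RoleA']),
]

if __name__ == '__main__':
    missing, unknown = check_mutual_exclusions(SAMPLE_ROLES)
    for role, target in missing:
        print(f'{role}: add exclusion of {target} (declared only on {target})')
    for role, target in unknown:
        print(f'{role}: exclusion target {target} matches no known role')
```

Run against exported role objects (one XML document per role) before enabling the global approval rule; a one-sided pair means the SoD situation is only raised when the roles are requested in one order.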


2017-09-04 14:54 GMT+02:00 Doler, Alexander Earl (LATCO - Buenos Aires) <
adoler at deloitte.com>:

> Thanks for your response, Esteban!
>
> Unfortunately, even after changing the approver type to a user and
> specifying a user’s OID, as you suggested, no workflow is started and the
> incompatible role is still assigned immediately (however, it is important
> that the approvers eventually be the members of an organization, and not a
> single user). The problem is that MidPoint seems to be ignoring the reference
> to the approval altogether, as when I specify “enforcement,” it does indeed
> block the assignment of incompatible roles. Maybe I am missing something
> further here?
>
> Any ideas?
>
> Regards,
>
> Alex
>
> *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com] *On Behalf
> Of *Jeria, Esteban
> *Sent:* Thursday, August 31, 2017 3:36 PM
> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re: [midPoint] Approval processes in Segregation of Duties
>
> Hi Alex,
>
> I was working on exactly the same feature in the last days, so I tested your
> code and I found an error in approverRef; the type should be a user:
>
> <approverRef oid="(APPROVER OID)"
>              relation="org:default"
>              type="c:UserType"></approverRef>
>
> otherwise your request goes to nobody. Actually you can probably find
> them under "Work items / All requests".
>
> Once fixed, the approval workflow works properly.
>
> *Esteban Jeria*
> Conseiller *CGI* / *CGI* Consultant
>
> Sécurité - Gestion d'identité et des accès / Security - Identity and
> Access Management
> ------------------------------
>
> *From:* Doler, Alexander Earl (LATCO - Buenos Aires) [adoler at deloitte.com]
> *Sent:* August 30, 2017 1:14 PM
> *To:* midPoint General Discussion
> *Subject:* [midPoint] Approval processes in Segregation of Duties
>
> Hello,
>
> I am trying to configure Segregation of Duties in MidPoint so that when
> incompatible roles are requested, an approval process is triggered. I am
> able to successfully block assignment of incompatible roles by specifying
> “<enforcement>” in the policy actions. However, when I replace
> “enforcement” with “approval,” MidPoint seems to ignore any approval
> process specified and assigns the role. I noticed the tag “prune” is also
> ignored when specified here. I am using MidPoint version 3.6.
>
> Here is my code:
>
> <assignment id="7">
>   <policyRule>
>     <name>Exclude Role Assignment</name>
>     <policyConstraints>
>       <exclusion>
>         <targetRef oid="(ROLE OID)"
>                    relation="org:default"
>                    type="c:RoleType"></targetRef>
>       </exclusion>
>     </policyConstraints>
>     <policyActions>
>       <approval>
>         <compositionStrategy>
>           <order>10</order>
>         </compositionStrategy>
>         <approvalSchema>
>           <level>
>             <name>Auditing Approval</name>
>             <approverRef oid="(APPROVER OID)"
>                          relation="org:default"
>                          type="c:OrgType"></approverRef>
>             <evaluationStrategy>firstDecides</evaluationStrategy>
>             <groupExpansion>onWorkItemCreation</groupExpansion>
>           </level>
>         </approvalSchema>
>       </approval>
>     </policyActions>
>   </policyRule>
> </assignment>
>
> Any thoughts on how to make this work?
>
> Thank you,
>
> Alex
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>