[midPoint] Approval processes in Segregation of Duties
Doler, Alexander Earl (LATCO - Buenos Aires)
adoler at deloitte.com
Thu Sep 7 16:34:52 CEST 2017
Hi Martin,
Thank you for this detailed example. With this code, I was able to successfully initiate the SOD approval process.
Thanks again,
Alex
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Martin Lízner - AMI Praha a.s.
Sent: Wednesday, 6 September 2017 3:00 p.m.
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Approval processes in Segregation of Duties
This is how we (successfully) use SoD rules in mp 3.6 in production:
Global policy rule in system configuration:
- Approvers are all users in SoD Approvers organization
<globalPolicyRule>
    <name>Segregation of Duties (SoD) approval</name>
    <policyConstraints>
        <situation>
            <situation>http://midpoint.evolveum.com/xml/ns/public/model/policy/situation#exclusionViolation</situation>
        </situation>
    </policyConstraints>
    <policyActions>
        <approval>
            <compositionStrategy>
                <order>30</order>
            </compositionStrategy>
            <approvalSchema>
                <level>
                    <name>SoD</name>
                    <approverRef type="OrgType">
                        <filter>
                            <q:equal>
                                <q:path>name</q:path>
                                <q:value>SoD Approvers</q:value>
                            </q:equal>
                        </filter>
                        <resolutionTime>run</resolutionTime>
                    </approverRef>
                    <evaluationStrategy>firstDecides</evaluationStrategy>
                    <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                    <groupExpansion>onWorkItemCreation</groupExpansion>
                </level>
            </approvalSchema>
        </approval>
    </policyActions>
    <focusSelector>
        <type>UserType</type>
    </focusSelector>
    <targetSelector>
        <type>RoleType</type> <!-- no need to filter on roleType, as each role has to have SoD defined -->
    </targetSelector>
</globalPolicyRule>
Then each role (let's say RoleA, RoleB) has to have mutual exclusivity:
RoleA contains:
<assignment id="1">
    <policyRule>
        <policyConstraints>
            <exclusion>
                <targetRef type="c:RoleType">
                    <filter>
                        <q:equal>
                            <q:path>c:name</q:path>
                            <q:value>RoleB</q:value>
                        </q:equal>
                    </filter>
                </targetRef>
            </exclusion>
        </policyConstraints>
        <policyActions>
        </policyActions>
    </policyRule>
</assignment>
RoleB contains:
<assignment id="1">
    <policyRule>
        <policyConstraints>
            <exclusion>
                <targetRef type="c:RoleType">
                    <filter>
                        <q:equal>
                            <q:path>c:name</q:path>
                            <q:value>RoleA</q:value>
                        </q:equal>
                    </filter>
                </targetRef>
            </exclusion>
        </policyConstraints>
        <policyActions>
        </policyActions>
    </policyRule>
</assignment>
To see your SoD rules at work you need to use the shopping cart (Request role menu).
M.
Martin Lízner
solution architect
gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz<mailto:martin.lizner at ami.cz>
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz<http://www.ami.cz/>
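As an added example, not part of Martin's post or of midPoint itself: a small Python lint that parses role definitions in the shape posted above, reports exclusions that are not declared on both roles, and flags approval levels that lack the outcomeIfNoApprovers setting Martin's rule uses to fail closed. The sample roles and schema are constructed inline; the namespace URIs are assumed to be midPoint's common and query namespaces, and matching is by local name so the prefixes do not matter.

```python
# Added example (not midPoint code): lint role definitions the way the thread describes,
# checking that every SoD exclusion is mutual and that approval levels fail closed.
# Namespace URIs are assumed (midPoint common/query); all matching is by local tag name.
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q = "http://prism.evolveum.com/xml/ns/public/query-3"

def _local(tag):
    """Strip the {namespace} part so c:name, q:value etc. match by local name."""
    return tag.rsplit("}", 1)[-1]

def _find_all(elem, local_name):
    return [e for e in elem.iter() if _local(e.tag) == local_name]

def exclusions_of(role_xml):
    """Return (role name, set of role names it excludes) from one role document."""
    root = ET.fromstring(role_xml)
    name = next(e.text for e in root if _local(e.tag) == "name")
    excluded = set()
    for excl in _find_all(root, "exclusion"):
        ref = _find_all(excl, "targetRef")[0]
        if ref.get("oid"):          # oid reference (Alex's style): not resolvable offline
            excluded.add("oid:" + ref.get("oid"))
        else:                       # filter on c:name (Martin's style)
            excluded.update(v.text for v in _find_all(ref, "value"))
    return name, excluded

def lint_sod(role_docs):
    """Findings for exclusions that point at unknown roles or are declared on one side only."""
    rules = dict(exclusions_of(doc) for doc in role_docs)
    findings = []
    for role, excluded in rules.items():
        for other in sorted(excluded):
            if other not in rules:
                findings.append(f"{role} excludes unknown role {other}")
            elif role not in rules[other]:
                findings.append(f"{role} excludes {other} but {other} does not exclude {role}")
    return findings

def levels_without_fail_closed(schema_xml):
    """Names of approval levels that do not set outcomeIfNoApprovers (Martin's rule sets reject)."""
    root = ET.fromstring(schema_xml)
    return [_find_all(lvl, "name")[0].text for lvl in _find_all(root, "level")
            if not _find_all(lvl, "outcomeIfNoApprovers")]

def _role(name, excludes):
    """Constructed sample role in the shape posted in the thread (name-filter exclusion)."""
    body = "".join(
        "<assignment><policyRule><policyConstraints><exclusion><targetRef type='c:RoleType'>"
        f"<filter><q:equal><q:path>c:name</q:path><q:value>{e}</q:value></q:equal></filter>"
        "</targetRef></exclusion></policyConstraints></policyRule></assignment>" for e in excludes)
    return f"<role xmlns='{C}' xmlns:c='{C}' xmlns:q='{Q}'><name>{name}</name>{body}</role>"

SAMPLE_ROLES = [_role("RoleA", ["RoleB"]), _role("RoleB", ["RoleA"]), _role("RoleC", ["RoleA"])]
SAMPLE_SCHEMA = ("<approvalSchema><level><name>SoD</name><outcomeIfNoApprovers>reject"
                 "</outcomeIfNoApprovers></level><level><name>Auditing Approval</name></level>"
                 "</approvalSchema>")
```

Running lint_sod(SAMPLE_ROLES) reports the one-sided RoleC to RoleA exclusion, and levels_without_fail_closed(SAMPLE_SCHEMA) names the level that would silently have no outcome when no approver resolves.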
2017-09-04 14:54 GMT+02:00 Doler, Alexander Earl (LATCO - Buenos Aires) <adoler at deloitte.com<mailto:adoler at deloitte.com>>:
Thanks for your response, Esteban!
Unfortunately, even after changing the approver type to a user and specifying a user’s OID, as you suggested, no workflow is started and the incompatible role is still assigned immediately (however, it is important that the approvers eventually be the members of an organization, and not a single user). The problem is that MidPoint seems to be ignoring reference to the approval altogether, as when I specify “enforcement,” it does indeed block the assignment of incompatible roles. Maybe I am missing something further here?
Any ideas?
Regards,
Alex
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com<mailto:midpoint-bounces at lists.evolveum.com>] On Behalf Of Jeria, Esteban
Sent: Thursday, 31 August 2017 3:36 p.m.
To: midPoint General Discussion <midpoint at lists.evolveum.com<mailto:midpoint at lists.evolveum.com>>
Subject: Re: [midPoint] Approval processes in Segregation of Duties
Hello Alex,
I was working on exactly the same feature in the last few days, so I tested your code and I found an error in approverRef: the type should be a user
<approverRef oid="(APPROVER OID)"
             relation="org:default"
             type="c:UserType"></approverRef>
otherwise your request goes to nobody. Actually you can probably find them under "Work items / All requests".
Once fixed, the approval workflow works properly.
Esteban Jeria
Conseiller CGI / CGI Consultant
Sécurité - Gestion d'identité et des accès / Security - Identity and Access Management
From: Doler, Alexander Earl (LATCO - Buenos Aires) [adoler at deloitte.com<mailto:adoler at deloitte.com>]
Sent: August 30, 2017 1:14 PM
To: midPoint General Discussion
Subject: [midPoint] Approval processes in Segregation of Duties
Hello,
I am trying to configure Segregation of Duties in MidPoint so that when incompatible roles are requested, an approval process is triggered. I am able to successfully block assignment of incompatible roles by specifying “<enforcement>” in the policy actions. However, when I replace “enforcement” with “approval,” MidPoint seems to ignore any approval process specified and assigns the role. I noticed the tag “prune” is also ignored when specified here. I am using MidPoint version 3.6.
Here is my code:
<assignment id="7">
    <policyRule>
        <name>Exclude Role Assignment</name>
        <policyConstraints>
            <exclusion>
                <targetRef oid="(ROLE OID)"
                           relation="org:default"
                           type="c:RoleType"></targetRef>
            </exclusion>
        </policyConstraints>
        <policyActions>
            <approval>
                <compositionStrategy>
                    <order>10</order>
                </compositionStrategy>
                <approvalSchema>
                    <level>
                        <name>Auditing Approval</name>
                        <approverRef oid="(APPROVER OID)"
                                     relation="org:default"
                                     type="c:OrgType"></approverRef>
                        <evaluationStrategy>firstDecides</evaluationStrategy>
                        <groupExpansion>onWorkItemCreation</groupExpansion>
                    </level>
                </approvalSchema>
            </approval>
        </policyActions>
    </policyRule>
</assignment>
Any thoughts on how to make this work?
Thank you,
Alex
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
http://lists.evolveum.com/mailman/listinfo/midpoint