[midPoint] Unassignment workflow
Jaakko Leskinen
jaakko.leskinen at qvantel.com
Thu Sep 21 09:19:56 CEST 2017
Hmm, what I effectively would want to achieve is to have an authorization role which enables the user (a manager; not a direct) to:
- see and browse the roles (or preferably just a role) in the GUI
- assign and unassign a role directly to/from a user(s) from the Role > Members view
Any role assignment or unassignment should always fire a manual task workflow to prevent accidentally unassigning all members from a role.
Let's say we have a manager of an org unit who is responsible for managing his/her users' roles and we don't want
Currently the assignment of "Role-Test" works correctly and fires a manual approval task, but unassignment is direct and instant without any tasks being generated.
This is what I have as the role (“Role Manager”) authorizing the above which works:
<!-- GUI: lets the holder open the Roles pages -->
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#rolesAll</action>
</authorization>
<!-- Tasks: needed to see and work with the approval tasks the workflow creates -->
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <object>
        <type>TaskType</type>
    </object>
</authorization>
<!-- Execution phase only: read/modify users and their shadows once a request has gone through -->
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
    <phase>execution</phase>
    <object>
        <type>UserType</type>
    </object>
    <object>
        <type>ShadowType</type>
    </object>
</authorization>
<!-- Assign/unassign restricted to the single role named "Role-Test";
     no <phase> given, so this applies in both request and execution phases.
     The q: prefix is the prism query namespace; declared here so the
     fragment is self-contained. -->
<authorization>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
    <target>
        <type>RoleType</type>
        <filter xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
            <q:equal>
                <q:path>name</q:path>
                <q:value>Role-Test</q:value>
            </q:equal>
        </filter>
    </target>
</authorization>
Any thoughts on what I am missing? Could this be related to the MP version? I'm running this on midPoint version 3.5.
--
Jaakko Leskinen
System Developer / Team Lead
Qvantel
Piippukatu 11
FI-40100 Jyväskylä, Finland
+358 44 977 3829
jaakko.leskinen at qvantel.com
www.qvantel.com <http://www.qvantel.com/>
On 20/09/2017, 16.37, "midPoint on behalf of Wojciech Staszewski" <midpoint-bounces at lists.evolveum.com on behalf of wojciech.staszewski at diagnostyka.pl> wrote:
Well... it works for me by default. When the role has an approver, the workflow starts on assignment and on unassignment too, and the tasks are created:
"Approve unassigning ROLE_NAME from USER"
I'm doing this by assigning a meta-role with an approval definition to the main role and have not tried the simple way (by picking approvers in the UI).
Regards,
WS
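The meta-role approach Wojciech describes, written out as an added example (this is not configuration from either poster's deployment, and midPoint's own documentation should be checked for the exact schema in a given version). It uses midPoint's policy-rule elements: an `assignment` constraint that triggers on both `add` and `delete` of the assignment, and an `approval` action that routes the request to whoever holds the `approver` relation to the role. The OIDs and role names are made up for the example.

```xml
<!-- Hypothetical meta-role; OIDs below are invented for this example. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="10000000-0000-0000-0000-00000000a001">
    <name>metarole-approve-membership-changes</name>
    <description>
        Any role that holds this meta-role requires approval both when it is
        assigned to a user and when it is unassigned from a user.
    </description>
    <inducement>
        <policyRule>
            <policyConstraints>
                <!-- Fire on assignment creation (add) and removal (delete).
                     The delete case is what covers "Unassign" and
                     "Unassign all members" in Role > Members. -->
                <assignment>
                    <operation>add</operation>
                    <operation>delete</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <!-- Create an approval work item for the users who are
                     related to the (un)assigned role as "approver". -->
                <approval>
                    <approverRelation>approver</approverRelation>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role>

<!-- The business role picks up the rule by assigning the meta-role. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="10000000-0000-0000-0000-00000000b001">
    <name>Role-Test</name>
    <assignment>
        <targetRef oid="10000000-0000-0000-0000-00000000a001" type="RoleType"/>
    </assignment>
</role>

<!-- Whoever should approve is linked to Role-Test with the approver relation;
     this is a plain assignment on the approving user, not role membership. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="10000000-0000-0000-0000-00000000c001">
    <name>role-test-approver</name>
    <assignment>
        <targetRef oid="10000000-0000-0000-0000-00000000b001" type="RoleType"
                   relation="org:approver"/>
    </assignment>
</user>
```

The check a practitioner would want after importing these: unassign one member of Role-Test from Role > Members and confirm that no change is applied and a task of the form "Approve unassigning Role-Test from USER" appears, as Wojciech reports; only then try "Unassign all members", which should produce one such task per member rather than an immediate removal. If the rule triggers on add but not on delete, the `delete` operation in the constraint is the first thing to verify against the schema of the midPoint version in use.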
On 20.09.2017 at 14:07, Jaakko Leskinen wrote:
> Hi
>
> Is it possible to utilize the workflow engine to establish approvals for role unassignments?
>
> I am especially concerned about the button 'unassign all members', which I assume is easy to mis-click under the Role > Members list. Are there any safeguards we could implement to block the approver from accidentally removing all role members?
>
> --
>
> Jaakko Leskinen
> System Developer / Team Lead
> Qvantel
> Piippukatu 11
> FI-40100 Jyväskylä, Finland
> +358 44 977 3829
> jaakko.leskinen at qvantel.com <mailto:jaakko.leskinen at qvantel.com>
> www.qvantel.com <http://www.qvantel.com/>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint