[midPoint] Unassignment workflow
Pavol Mederly
mederly at evolveum.com
Fri Sep 22 12:36:33 CEST 2017
Hello Jaakko,
you should have a look at policy rules:
https://wiki.evolveum.com/display/midPoint/Policy+Rules
https://wiki.evolveum.com/display/midPoint/Approval
You have to attach a policy rule to your roles, stating that any
add/delete operation on that role should be approved by specified user.
The policy rule you need is something like this:
<policyRule>
    <policyConstraints>
        <assignment/> <!-- applies to both assigning and unassigning roles -->
    </policyConstraints>
    <policyActions>
        <approval>
            <approverRelation>approver</approverRelation>
        </approval>
    </policyActions>
</policyRule>
The approverRelation tells midPoint that it has to find a user with the
relation "approver" to the role, and use him as an approver. You can
also specify any user(s) directly by approverRef. Or you can use
approverExpression.
But generally, if you want to use approvals and policy rules, I strongly
recommend upgrading to midPoint 3.6. In 3.5 the support is very basic.
(E.g. by default if there's no approver, the operation will continue;
whereas in 3.6 it is possible to configure this behavior, with the
default of "reject".)
Best regards,
Pavol Mederly
Software developer
evolveum.com
On 21.09.2017 9:19, Jaakko Leskinen wrote:
> Hmm, what I effectively would want to achieve is to have an authorization role which enables the user (a manager; not a direct) to:
> - see and browse the roles (or preferably just a role) in the GUI
> - assign and unassign a role directly to/from a user(s) from the Role > Members view
> Any role assignment or unassignment should always fire a manual task workflow to prevent accidentally unassigning all members from a role.
> Let’s say we have a manager of an org unit who is responsible for managing his/her users’ roles and we don’t want
>
> Currently the assignment of a “Role-Test” works correctly and fires a manual approval task but unassignment is direct and instant without any tasks being generated.
>
> This is what I have as the role (“Role Manager”) authorizing the above which works:
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#rolesAll</action>
> </authorization>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <object>
>         <type>TaskType</type>
>     </object>
> </authorization>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
>     <phase>execution</phase>
>     <object>
>         <type>UserType</type>
>     </object>
>     <object>
>         <type>ShadowType</type>
>     </object>
> </authorization>
> <authorization>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
>     <target>
>         <type>RoleType</type>
>         <filter>
>             <q:equal>
>                 <q:path>name</q:path>
>                 <q:value>Role-Test</q:value>
>             </q:equal>
>         </filter>
>     </target>
> </authorization>
>
> Any thoughts on what I am missing? Could this be related to the MP version – I’m running this on MidPoint version 3.5.
>
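As an added illustration (not taken from either message in this thread and not midPoint project code), the following shows where the policy rule from the reply above is attached, i.e. inside an assignment of the Role-Test role itself, and how the "approver" relation that approverRelation relies on is established on the manager's user object. The OIDs are placeholders; the explicit add/delete <operation> elements inside the assignment constraint are an assumption about the midPoint 3.6 policy rule schema rather than something the thread shows (the empty <assignment/> form from the reply is equivalent).

```xml
<!-- Added example: the Role-Test role carrying a policy rule that routes
     both assignment and unassignment of the role through approval.
     OIDs are placeholders, not values from the thread. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-000000000001">
    <name>Role-Test</name>
    <assignment>
        <policyRule>
            <name>approve-membership-changes</name>
            <policyConstraints>
                <!-- Assumption: listing the operations explicitly; an empty
                     <assignment/> constraint (as in the reply) covers both as well. -->
                <assignment>
                    <operation>add</operation>
                    <operation>delete</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval>
                    <!-- The approver is whoever holds the "approver" relation to this role. -->
                    <approverRelation>approver</approverRelation>
                </approval>
            </policyActions>
        </policyRule>
    </assignment>
</role>

<!-- The manager who should approve membership changes. The relation="org:approver"
     on the targetRef is what the approverRelation setting above resolves to. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="00000000-0000-0000-0000-000000000002">
    <name>role-test-manager</name>
    <assignment>
        <targetRef oid="00000000-0000-0000-0000-000000000001"
                   type="RoleType" relation="org:approver"/>
    </assignment>
</user>
```

The check worth making before relying on this is that at least one user actually holds the approver relation to the role: as the reply notes, on 3.5 an operation with no resolvable approver proceeds by default, so a missing relation silently turns the rule into a no-op, whereas 3.6 lets that outcome be configured and defaults to rejecting the operation.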