[midPoint] Approval by Org Manager - strange behavior
TIPA Sylvaire-Kevin
sylvaire-kevin.tipa at mythalesgroup.com
Thu Apr 12 10:27:30 CEST 2018
Hello,
I use the same thing. Your end user needs to have authorization to read UserType information (name at minimum). If he doesn't, he cannot get the manager of the org.
<authorization>
<name>RE-READ-OtherUserName</name>
<description>
Allow to read name of all user, needed by workflow process
</description>
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
<object>
<type>UserType</type>
</object>
<c:item>name</c:item>
</authorization>
Alternatively, you can change the runAs of your approver metarole:
<approverExpression>
<description>Get user's managers from parent Org</description>
<runAsRef oid="00000000-0000-0000-0000-000000000002" />
<script xsi:type="c:ScriptExpressionEvaluatorType">
<code>
log.info("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n")
log.error("Target : {}",target)
log.error("Target OID : {}", target.parentOrgRef.oid[0])
approvers = midpoint.getManagersOfOrg(target.parentOrgRef.oid[0])
log.info("Approvers : {}", approvers)
approvers.oid
</code>
</script>
</approverExpression>
--
Regards,
Sylvaire-Kevin TIPA
Infrastructure
THALES SERVICES SAS
44 Quai Charles de Gaulle
CS 20100
69463 Lyon Cedex 06
www.thalesgroup.com
-------- Original message --------
Subject: [midPoint] Approval by Org Manager - strange behavior
Date: Wednesday 11 April 2018 21:19 CEST
From: Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl>
Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Hello!
I have a role with approval by Org Manager.
- If I (The SuperUser) assign this role to a common user, the workflow
is starting and manager gets a work item to do.
- If the user himself requests the same role using SelfService,
the approval task is rejected automatically with a "no approvers found"
message.
The approval metarole inducement, this is Ctrl+C & Ctrl+V from Evolveum
example, except evaluationStrategy:
<inducement id="2">
<policyRule>
<policyConstraints>
<assignment id="1"/>
</policyConstraints>
<policyActions>
<approval id="3">
<compositionStrategy>
<order>10</order>
</compositionStrategy>
<approvalSchema>
<level id="4">
<name>Approval by organization managers (first decides)</name>
<approverExpression>
<script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
<code>midpoint.getManagersOidsExceptUser(object)</code>
</script>
</approverExpression>
<evaluationStrategy>firstDecides</evaluationStrategy>
<outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
</level>
</approvalSchema>
</approval>
</policyActions>
</policyRule>
<activation>
<administrativeStatus>enabled</administrativeStatus>
</activation>
</inducement>
The user is a member of two Org Units. Only one of them has a manager.
But I unassigned the user from the OU that has no manager, and this did not
help.
V 3.7.1.
Any ideas? Thanks!
Wojciech Staszewski
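
Added example, not part of either message and not midPoint tooling: a small Python audit that lists where a role definition relies on one of the two options from the reply, so a reviewer can see which approver expressions switch identity via runAsRef and which authorizations grant read on every UserType object. The function names, finding labels and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the snippets quoted in this thread.
SAMPLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <authorization>
    <name>RE-READ-OtherUserName</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <object><type>UserType</type></object>
    <c:item>name</c:item>
  </authorization>
  <approverExpression>
    <runAsRef oid="00000000-0000-0000-0000-000000000002"/>
    <script><code>midpoint.getManagersOfOrg(target.parentOrgRef.oid[0]).oid</code></script>
  </approverExpression>
  <approverExpression>
    <script><code>midpoint.getManagersOidsExceptUser(object)</code></script>
  </approverExpression>
</role>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit(xml_text):
    """Return (kind, detail) findings for privilege-relevant settings."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = local(elem.tag)
        if kind == "approverExpression":
            run_as = children(elem, "runAsRef")
            # No runAsRef: the thread shows the requester's own rights apply.
            findings.append(("runAs", run_as[0].get("oid")) if run_as
                            else ("requester-context", None))
        elif kind == "authorization":
            actions = [(a.text or "").strip() for a in children(elem, "action")]
            if not any(a.endswith("#read") for a in actions):
                continue
            items = sorted((i.text or "").strip() for i in children(elem, "item"))
            for obj in children(elem, "object"):
                types = [(t.text or "").strip() for t in children(obj, "type")]
                unscoped = all(local(c.tag) == "type" for c in obj)
                if "UserType" in types and unscoped:
                    findings.append(("read-all-users", items or ["*"]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `read-all-users` finding with `["*"]` means the authorization has no item restriction at all, which is broader than the name-only grant shown in the reply.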