[midPoint] Approval by Org Manager - strange behavior

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Thu Apr 12 19:33:36 CEST 2018


Hello!

The authorization solved the problem. Thank you very much!!!

Best regards!
WS


On 12.04.2018 at 10:27, TIPA Sylvaire-Kevin wrote:
> Hello,
>
> I use the same thing; your end user needs to have authorization to read
> UserType information (name at minimum). If he doesn't, he cannot get the
> manager of the org.
>
> <authorization>
>     <name>RE-READ-OtherUserName</name>
>     <description>
>         Allow to read name of all user, needed by workflow process
>     </description>
>     <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
>     <object>
>         <type>UserType</type>
>     </object>
>     <c:item>name</c:item>
> </authorization>
>
>
>
> Another way: you can change the runAs of your approver metarole
>
> <approverExpression>
>     <description>Get user's managers from parent Org</description>
>     <runAsRef oid="00000000-0000-0000-0000-000000000002" />
>     <script xsi:type="c:ScriptExpressionEvaluatorType">
>         <code>
>             log.info("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n")
>             log.error("Target : {}",target)
>             log.error("Target OID : {}", target.parentOrgRef.oid[0])
>             approvers = midpoint.getManagersOfOrg(target.parentOrgRef.oid[0])
>             log.info("Approvers : {}", approvers)
>             approvers.oid
>         </code>
>     </script>
> </approverExpression>
>
>
> -- 
>
> Best regards.
>
> *Sylvaire-Kevin TIPA*
> /Infrastructure/
>
> *THALES SERVICES SAS*
> 44 Quai Charles de Gaulle
> CS 20100
> 69463 Lyon Cedex 06
>
> www.thalesgroup.com <http://www.thalesgroup.com/>
>
>
> -------- Original message --------
> Subject: [midPoint] Approval by Org Manager - strange behavior
> Date: Wednesday 11 April 2018 21:19 CEST
> From: Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl>
> Reply-To: midPoint General Discussion <midpoint at lists.evolveum.com>
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>
>
>  
>> Hello!
>>
>> I have a role with approval by Org Manager.
>>
>> - If I (the SuperUser) assign this role to a common user, the workflow
>> starts and the manager gets a work item to do.
>> - If the user himself requests the same role using SelfService,
>> the approval task is rejected automatically with a "no approvers found"
>> message.
>>
>> The approval metarole inducement, this is Ctrl+C & Ctrl+V from Evolveum
>> example, except evaluationStrategy:
>>
>>    <inducement id="2">
>>       <policyRule>
>>          <policyConstraints>
>>             <assignment id="1"/>
>>          </policyConstraints>
>>          <policyActions>
>>             <approval id="3">
>>                <compositionStrategy>
>>                   <order>10</order>
>>                </compositionStrategy>
>>                <approvalSchema>
>>                   <level id="4">
>>                      <name>Approval by organization managers (first decides)</name>
>>                      <approverExpression>
>>                         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                 xsi:type="c:ScriptExpressionEvaluatorType">
>>                            <code>midpoint.getManagersOidsExceptUser(object)</code>
>>                         </script>
>>                      </approverExpression>
>>                      <evaluationStrategy>firstDecides</evaluationStrategy>
>>                      <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>>                   </level>
>>                </approvalSchema>
>>             </approval>
>>          </policyActions>
>>       </policyRule>
>>       <activation>
>>          <administrativeStatus>enabled</administrativeStatus>
>>       </activation>
>>    </inducement>
>>
>> The user is a member of two Org Units. Only one of them has a manager.
>> But I unassigned the user from the one OU that has no manager, and this
>> did not help.
>>
>> V 3.7.1.
>> Any ideas? Thanks!
>> Wojciech Staszewski
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint