[midPoint] Approval policy rule not started when role is assigned from template

Pavol Mederly mederly at evolveum.com
Fri Feb 2 15:27:28 CET 2018


I'm sure more people on this list did something like that. I don't have 
code ready, so I can provide just a few hints:

 1. *modelContext* variable holds the whole context of the operation
    (see LensContext
    <https://github.com/Evolveum/midpoint/blob/v3.7/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java>)
 2. *modelContext.focusContext.primaryDelta* contains the primary delta
 3. And here comes the hard part :) First of all, you should skip
    processing if the *delta.isDelete()* is true - the object is being
    deleted
 4. Then you have to find out what assignments are being added or
    removed... either you manually treat *delta.isAdd()* case (object is
    being added) and *delta.isModify()* case (there is a list of item
    deltas to be applied), or you use
    *delta.factorOut(Collections.singletonList(new
    ItemPath(FocusType.F_ASSIGNMENT)), true)* method that would provide
    you with item deltas related to assignments.
 5. You would need to go through the assignment values being added or deleted
    to find out if any of them is relevant for your case.

I know it is quite hard, but definitely doable. I hope someone here has 
the code.

Pavol Mederly
Software developer
evolveum.com

On 02.02.2018 15:11, Alcides Carlos de Moraes Neto wrote:
> I think that would work, yes. Nice feature, I didn't know about it.
>
> How would one detect a new assignment? Are there more examples?
>
> Thanks!
>
> 2018-02-02 12:00 GMT-02:00 Pavol Mederly <mederly at evolveum.com 
> <mailto:mederly at evolveum.com>>:
>
>     I think I understand. One option (although maybe not the cleanest
>     and nicest one) would be this:
>
>     You could write a scripting hook
>     <https://wiki.evolveum.com/display/midPoint/Scripting+Hooks> that
>     would detect when a user is added to the organization. The hook
>     would be attached to the final state, so it would be activated
>     only after the whole operation is executed. If the hook detects
>     that the organization assignment was recently added, it would
>     start a new operation of adding all the roles from the default set
>     for that organization.
>
>     The new operation would contain new assignments in its primary
>     delta, so they could be approved or rejected, as necessary.
>
>     But the approved roles would stay with the user indefinitely, even
>     after he is unassigned from the organization. If you'd need to
>     change this, you'd have to implement another hook that would take
>     care of that.
>
>     Hope this helps,
>
>     Pavol Mederly
>     Software developer
>     evolveum.com <http://evolveum.com>
>
>     On 02.02.2018 14:45, Alcides Carlos de Moraes Neto wrote:
>>     Hi Pavol,
>>
>>     Thanks for the help. This is what I'm trying to accomplish: I
>>     want to be able to configure a set of roles to be a default set
>>     for an organization. For the roles I want to be applied every
>>     time, I can just use inducements, or mappings, from the OrgType,
>>     that's easy.
>>     But I wanted some of the roles to be upon approval only, and I
>>     wanted the approval workflow to happen automatically, so as soon
>>     as the new employee is in the Org, his manager gets notified to
>>     approve his roles.
>>
>>     2018-02-01 19:36 GMT-02:00 Pavol Mederly <mederly at evolveum.com
>>     <mailto:mederly at evolveum.com>>:
>>
>>         Hello Alcides Carlos,
>>
>>         yes, it is intended so. There are some conceptual reasons
>>         behind it, mainly along the line of how we should react to
>>         rejection.
>>
>>         What's your use case? Why do you want to approve something
>>         that was given by the mapping?
>>
>>         Best regards,
>>
>>         Pavol Mederly
>>         Software developer
>>         evolveum.com <http://evolveum.com>
>>
>>         On 01.02.2018 21:19, Alcides Carlos de Moraes Neto wrote:
>>>         Hello list,
>>>
>>>         I have a role that has a policy rule for approval by the
>>>         user's manager. It works when I assign the role to a user
>>>         manually.
>>>
>>>         However, I now have a mapping in user template for this
>>>         role. Assignments from this mapping do not start the
>>>         approval workflow. Is this intended? Is there a way to
>>>         require approval from role assigned from mappings?
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>         <http://lists.evolveum.com/mailman/listinfo/midpoint>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
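
The five hints at the top of this message, worked into the Groovy body of a scripting hook as an added example (not code from the poster or from the midPoint project). It assumes the midPoint 3.7 classes referenced in the thread; `WATCHED_ORG_OID` and `addedAssignments` are hypothetical names introduced for illustration.

```groovy
import com.evolveum.midpoint.prism.path.ItemPath
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType

// Hypothetical placeholder: OID of the org whose default roles need approval.
final String WATCHED_ORG_OID = 'REPLACE-WITH-ORG-OID'

// Returns the AssignmentType beans that the given primary delta adds.
List<AssignmentType> addedAssignments(delta) {
    if (delta == null || delta.isDelete()) {
        return []                          // hint 3: skip deleted objects
    }
    if (delta.isAdd()) {
        // hint 4, ADD case: every assignment on the new object is new.
        def bean = delta.objectToAdd.asObjectable()
        return (bean instanceof FocusType) ? bean.assignment : []
    }
    // hint 4, MODIFY case: only the item delta for the assignment container.
    def assignmentDelta = delta.findContainerDelta(new ItemPath(FocusType.F_ASSIGNMENT))
    if (assignmentDelta == null) {
        return []                          // this change does not touch assignments
    }
    def values = []
    if (assignmentDelta.valuesToAdd) {
        values.addAll(assignmentDelta.valuesToAdd)
    }
    // REPLACE carries the full new value set, so it can include assignments
    // that already existed; compare with the old object if that matters.
    if (assignmentDelta.valuesToReplace) {
        values.addAll(assignmentDelta.valuesToReplace)
    }
    return values.collect { it.asContainerable() }
}

// hints 1 and 2: the operation context and its primary delta.
def delta = modelContext?.focusContext?.primaryDelta

// hint 5: is any added assignment the org we care about?
def orgAssigned = addedAssignments(delta).any { a ->
    a.targetRef != null &&
        OrgType.COMPLEX_TYPE == a.targetRef.type &&
        WATCHED_ORG_OID == a.targetRef.oid
}

if (orgAssigned) {
    // Start the follow-up operation that requests the default roles here, so the
    // role assignments sit in that operation's primary delta and hit the approval rule.
}
```

Because assignments produced by template mappings never appear in the primary delta, this check fires only on explicitly requested org assignments; a membership that is itself computed by a mapping would not be detected this way.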
