[midPoint] Approval policy rule not started when role is assigned from template
Pavol Mederly
mederly at evolveum.com
Fri Feb 2 15:33:36 CET 2018
Oh, I forgot: there is one more way to find out about an org being
added or removed:
You can go through *modelContext.evaluatedAssignmentTriple*. That
structure contains assignments that were added, deleted, or kept
unchanged. I'm not sure if that structure is correctly filled in in the
final stage, though. An inspiration can be found in the
HasAssignmentConstraintEvaluator class
<https://github.com/Evolveum/midpoint/blob/v3.7/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/HasAssignmentConstraintEvaluator.java>.
But again, it is only a hint. You'd need to play a bit (or a lot) with
that to see how it works.
Pavol Mederly
Software developer
evolveum.com
On 02.02.2018 15:27, Pavol Mederly wrote:
>
> I'm sure more people on this list did something like that. I don't
> have code ready, so I can provide just a few hints:
>
> 1. *modelContext* variable holds the whole context of the operation
> (see LensContext
> <https://github.com/Evolveum/midpoint/blob/v3.7/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensContext.java>)
> 2. *modelContext.focusContext.primaryDelta* contains the primary delta
> 3. And here comes the hard part :) First of all, you should skip
> processing if *delta.isDelete()* is true - the object is being
> deleted
> 4. Then you have to find out what assignments are being added or
> removed... either you manually treat *delta.isAdd()* case (object
> is being added) and *delta.isModify()* case (there is a list of
> item deltas to be applied), or you use
> *delta.factorOut(Collections.singletonList(new
> ItemPath(FocusType.F_ASSIGNMENT)), true)* method that would
> provide you with item deltas related to assignments.
> 5. You would need to go through the assignment values being added or
> deleted to find out if any of them is relevant for your case.
>
> I know it is quite hard, but definitely doable. I hope someone here
> has the code.
>
> Pavol Mederly
> Software developer
> evolveum.com
> On 02.02.2018 15:11, Alcides Carlos de Moraes Neto wrote:
>> I think that would work, yes. Nice feature, I didn't know about it.
>>
>> How would one detect a new assignment? Are there more examples?
>>
>> Thanks!
>>
>> 2018-02-02 12:00 GMT-02:00 Pavol Mederly <mederly at evolveum.com>:
>>
>> I think I understand. One option (although maybe not the cleanest
>> and nicest one) would be this:
>>
>> You could write a scripting hook
>> <https://wiki.evolveum.com/display/midPoint/Scripting+Hooks> that
>> would detect when a user is added to the organization. The hook
>> would be attached to the final state, so it would be activated
>> only after the whole operation is executed. If the hook detects
>> that the organization assignment was recently added, it would
>> start a new operation of adding all the roles from the default
>> set for that organization.
>>
>> The new operation would contain new assignments in its primary
>> delta, so they could be approved or rejected, as necessary.
>>
>> But the approved roles would stay with the user indefinitely,
>> even after he is unassigned from the organization. If you'd need
>> to change this, you'd have to implement another hook that would
>> take care of that.
>>
>> Hope this helps,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 02.02.2018 14:45, Alcides Carlos de Moraes Neto wrote:
>>> Hi Pavol,
>>>
>>> Thanks for the help. This is what I'm trying to accomplish: I
>>> want to be able to configure a set of roles to be a default set
>>> for an organization. For the roles I want to be applied every
>>> time, I can just use inducements, or mappings, from the OrgType,
>>> that's easy.
>>> But I wanted some of the roles to be upon approval only, and I
>>> wanted the approval workflow to happen automatically, so as soon
>>> as the new employee is in the Org, his manager gets notified to
>>> approve his roles.
>>>
>>> 2018-02-01 19:36 GMT-02:00 Pavol Mederly <mederly at evolveum.com>:
>>>
>>> Hello Alcides Carlos,
>>>
>>> yes, it is intended so. There are some conceptual reasons
>>> behind it, mainly along the line of how we should react to
>>> rejection.
>>>
>>> What's your use case? Why do you want to approve something
>>> that was given by the mapping?
>>>
>>> Best regards,
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 01.02.2018 21:19, Alcides Carlos de Moraes Neto wrote:
>>>> Hello list,
>>>>
>>>> I have a role that has a policy rule for approval by the
>>>> user's manager. It works when I assign the role to a user
>>>> manually.
>>>>
>>>> However, I now have a mapping in the user template for this
>>>> role. Assignments from this mapping do not start the
>>>> approval workflow. Is this intended? Is there a way to
>>>> require approval for roles assigned from mappings?
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
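
A small model of the delta walk from the quoted hints (steps 3 to 5), covering both an org being added and an org being removed. This is an added example, not code from the thread or from midPoint: `PrimaryDelta`, `Assignment`, `OrgChanges` and the sample OIDs are hypothetical stand-ins, and a real hook would read the same information from *modelContext.focusContext.primaryDelta*.

```java
import java.util.*;

// Stand-in types, hypothetical and NOT midPoint classes: they model only the parts
// of the primary delta that the quoted steps mention. Needs Java 16+ (records).
public class OrgAssignmentChanges {
    enum ChangeType { ADD, MODIFY, DELETE }
    record Assignment(String targetType, String targetOid) {}
    // ADD: 'added' holds the assignments of the object being created.
    // MODIFY: 'added'/'deleted' hold the values carried by the assignment item deltas.
    record PrimaryDelta(ChangeType type, List<Assignment> added, List<Assignment> deleted) {}
    record OrgChanges(Set<String> added, Set<String> removed) {}

    static OrgChanges orgChanges(PrimaryDelta delta) {
        Set<String> added = new TreeSet<>(), removed = new TreeSet<>();
        // Step 3: nothing to do without a primary delta or when the object is being deleted.
        if (delta == null || delta.type() == ChangeType.DELETE) {
            return new OrgChanges(added, removed);
        }
        // Steps 4-5: walk added and deleted assignment values, keep only org targets.
        for (Assignment a : delta.added()) {
            if ("OrgType".equals(a.targetType())) added.add(a.targetOid());
        }
        for (Assignment a : delta.deleted()) {
            if ("OrgType".equals(a.targetType())) removed.add(a.targetOid());
        }
        // Choice made in this example: an org both deleted and re-added in one delta
        // is a net no-op, so it triggers neither the grant hook nor the cleanup hook.
        Set<String> both = new TreeSet<>(added);
        both.retainAll(removed);
        added.removeAll(both);
        removed.removeAll(both);
        return new OrgChanges(added, removed);
    }

    public static void main(String[] args) {
        // Constructed sample deltas; the OIDs are made up.
        Assignment sales = new Assignment("OrgType", "org-sales");
        Assignment hr = new Assignment("OrgType", "org-hr");
        Assignment role = new Assignment("RoleType", "role-basic");
        PrimaryDelta create = new PrimaryDelta(ChangeType.ADD, List.of(sales, role), List.of());
        PrimaryDelta move = new PrimaryDelta(ChangeType.MODIFY, List.of(hr, sales), List.of(sales));
        PrimaryDelta delete = new PrimaryDelta(ChangeType.DELETE, List.of(), List.of(sales));
        System.out.println(orgChanges(create));
        System.out.println(orgChanges(move));
        System.out.println(orgChanges(delete));
    }
}
```

The `added` set is what would drive the follow-up operation that requests the approval-gated roles in its own primary delta; the `removed` set is the input for the second hook mentioned in the thread, the one that takes the approved roles away again.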