[midPoint] create approval workflow from liveSync

Pavol Mederly mederly at evolveum.com
Thu Jun 14 11:32:01 CEST 2018


Hello Marco,

midPoint's approach to approvals is:

Just execute the required change (e.g. add a role or enable the user), 
using e.g. midpoint.executeChanges() method. Your midPoint configuration 
should ensure that the approval process will be started; e.g. by 
defining an approver for a role, or by defining a policy rule, etc.

I am not sure what the approvals configuration exactly looked like in 3.5 
(I am afraid policy rules were in their beginnings). But approvals for 
role assignment should be quite easily definable.

Pavol Mederly
Software developer
evolveum.com

On 13.06.2018 17:50, Marco Benucci wrote:
>
> Thank you Pavol, but I cannot understand what I have to do to create 
> an approval process with a hook and unfortunately the javadoc from 
> 3.5 is not available.
>
> Is there something on github or even in the wiki about the creation of 
> a workflow using the scripting hook mechanism?
>
> Thanks,
> Marco
>
>
> On 06/13/2018 09:56 AM, Pavol Mederly wrote:
>>
>> Marco,
>>
>> yes it is here: 
>> https://wiki.evolveum.com/display/midPoint/Scripting+Hooks
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>> On 11.06.2018 13:01, Marco Benucci wrote:
>>>
>>> Thank you Pavol,
>>>
>>> we were thinking that the reaction to the liveSync unmatched could 
>>> be "add user" and with an object template we could disable the newly 
>>> created user (and the account too) or expire the password (or even 
>>> both).
>>>
>>> The approval could be about 2 requests:
>>> 1) adding the role that grants access to that resource
>>> 2) enabling the user and the account
>>>
>>> If the approval were rejected, it could be possible to delete the 
>>> user and the account through a hook, I suppose...
>>>
>>> I would like to give it a try.
>>> What about the "custom scripting hook" to create an approval?
>>> Is there something on the wiki that talks about this?
>>>
>>> Thank you,
>>> Marco
>>>
>>>
>>>
>>> On 06/11/2018 11:24 AM, Pavol Mederly wrote:
>>>>
>>>> Marco,
>>>>
>>>> this question has been discussed here a couple of times already. 
>>>> The answer is "currently not" - at least not in a simple way.
>>>>
>>>> The basic reason is that it is unclear how midPoint should react to 
>>>> rejection of the approval. A naive approach (i.e. rejection means 
>>>> the user would not be created) means that the same approval request 
>>>> would pop up on next reconciliation; or on any other occasion where 
>>>> midPoint learns that there's an unmatched account.
>>>>
>>>> Maybe there could be a workaround like
>>>>
>>>>  1. LiveSync would create user with the lifecycle state of Proposed.
>>>>  2. An approval of switching the state to Active would be (somehow)
>>>>     started.
>>>>  3. If the approval would be completed positively, the user would
>>>>     be activated. Otherwise it would stay in Proposed state.
>>>>
>>>> I am not quite sure how the step 2 should be implemented. It could 
>>>> be certainly done by a custom scripting hook. (Maybe a policy rule 
>>>> could be used as well but I am not sure.)
>>>>
>>>> Best regards,
>>>>
>>>> Pavol Mederly
>>>> Software developer
>>>> evolveum.com
>>>> On 04.06.2018 16:50, Marco Benucci wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> would it be possible to create an approval process starting from 
>>>>> a LiveSync "reaction"?
>>>>>
>>>>> For example:
>>>>>
>>>>> I'd like to create an approval workflow about the creation of a 
>>>>> user created by an "adduser" reaction from an "unmatched" result 
>>>>> discovered by liveSync looking for new accounts on a resource.
>>>>>
>>>>> Could it be possible?
>>>>>
>>>>> Thank you,
>>>>> Marco
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
