[midPoint] AutomaticallyCompleted condition on role assignment

Devin Rosenbauer devin at identityworksllc.com
Tue Feb 5 19:07:57 CET 2019


So the rest of us can learn, can you summarize what was misconfigured? Was
it that the inducement wasn't working?

On Tue, Feb 5, 2019 at 1:02 PM Nicolas Rossi <nrossi at identicum.com> wrote:

> Sorry guys. It was a misconfiguration on the role. It is working now.
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Oficina: +54 (11) 4552-3050
> Móvil: +54 (911) 6041-3920
> www.identicum.com
>
>
> On Tue, Feb 5, 2019 at 12:16 PM Arnošt Starosta - AMI Praha a.s. <
> arnost.starosta at ami.cz> wrote:
>
>> OK, sorry, I'm not that versed in assignment policy and thought that this
>> inducement from metarole (without any orderConstraint) would check
>> assignments for the role itself and not the user assignments.
>>
>> Then I don't see the problem either. You can try tracing
>> the com.evolveum.midpoint.wf.impl loggers, it may tell you more.
>>
>> good luck
>>
>> On Tue, Feb 5, 2019 at 15:17, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>>> I already tried with the SchemaConstants and I got the same behavior.
>>> The debug message is not logged. Even when I change it to log.error. This
>>> is the operation log I get:
>>>
>>> 2019-02-04 18:01:22,678 [] [pool-4-thread-29] DEBUG
>>> (com.evolveum.midpoint.model.impl.lens.Clockwork): Allow
>>> assignment/unassignment to user:b1ddb76d-769a-4937-a88b-dd6c2798a79b(
>>> andressa.silva at customer.com) becasue access to assignment
>>> container/properties is explicitly allowed
>>>
>>> 2019-02-04 18:01:22,745 [] [pool-4-thread-29] DEBUG
>>> (com.evolveum.midpoint.wf.impl.processes.itemApproval.ItemApprovalProcessInterface):
>>> About to start approval process instance 'Assigning role "Role with
>>> Approval" to user "andressa.silva at customer.com"'
>>>
>>> 2019-02-04 18:01:22,747 [] [pool-4-thread-29] DEBUG
>>> (com.evolveum.midpoint.wf.impl.processes.itemApproval.ItemApprovalProcessInterface):
>>> Approval schema XML:
>>>
>>> <value xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>        xsi:type="c:ApprovalSchemaType">
>>>    <stage xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>>       <number>1</number>
>>>       <approverRef oid="53579500-962e-4b81-a946-7099bb077b8b"
>>>                    relation="org:default"
>>>                    type="c:UserType"><!-- nrossi --></approverRef>
>>>       <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>>>       <groupExpansion>byClaimingWorkItem</groupExpansion>
>>>    </stage>
>>> </value>
>>>
>>> 2019-02-04 18:01:22,763 [] [pool-4-thread-29] DEBUG
>>> (com.evolveum.midpoint.wf.impl.processes.itemApproval.ItemApprovalProcessInterface):
>>> Attached rules:
>>>
>>> <value xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>        xsi:type="c:SchemaAttachedPolicyRulesType"/>
>>>
>>> 2019-02-04 18:01:22,953 [] [pool-4-thread-29] DEBUG
>>> (com.evolveum.midpoint.wf.impl.processes.itemApproval.InitializeLoopThroughApproversInStage):
>>> Approval process instance Assigning role "Role with Approval" to user "
>>> andressa.silva at customer.com <andressa.silva at decolar.com>" (id 9803),
>>> stage 1:null: predetermined outcome: null, approvers:
>>> [com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType at 9a18f61[_referenceValue=PRV(oid=53579500-962e-4b81-a946-7099bb077b8b,
>>> targetType={.../common/common-3}UserType,
>>> relation={.../common/org-3}default)]]
>>>
>>> 2019-02-04 18:01:23,149 [] [pool-4-thread-29] DEBUG
>>> (com.evolveum.midpoint.wf.impl.processes.itemApproval.PrepareForTaskCreation):
>>> Creating work item for
>>> assignee=UserType:53579500-962e-4b81-a946-7099bb077b8b,
>>> candidateGroups=null, additionalInformation='[]'
>>>
>>> The metarole is induced to the role that needs to be approved. It's
>>> working because the user defined as ApproverRef on the metarole receives
>>> the work item to approve it when the role is requested.
>>>
>>>
>>>
>>> On Tue, Feb 5, 2019 at 6:26 AM Arnošt Starosta - AMI Praha a.s. <
>>> arnost.starosta at ami.cz> wrote:
>>>
>>>> Hi Nicolas,
>>>>
>>>> I use SchemaConstants.MODEL_APPROVAL_OUTCOME_* as return values, maybe
>>>> your 'approve' string is not exactly the same thing?
>>>>
>>>> The debug message is logged?
>>>>
>>>> And is it really induced to the user object? I don't see any focusType
>>>> and/or orderConstraint in your inducement.
>>>>
>>>> arnost
>>>>
>>>>
>>>> On Mon, Feb 4, 2019 at 23:10, Nicolas Rossi <nrossi at identicum.com>
>>>> wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I was trying to bypass an approval step using the
>>>>> automaticallyComplete configuration on an approval-metarole. I can't get it
>>>>> to work. It is ignored even when it always returns "approve". Sample here:
>>>>> <https://github.com/Evolveum/midpoint/blob/1c1975fa450bbee741314c2822c5715ebf68f6b2/model/workflow-impl/src/test/resources/policy/assignments/role-role25-very-complex-approval.xml>
>>>>>
>>>>> Here is my metarole code:
>>>>>
>>>>> <role>
>>>>>   <name>Sample Approval</name>
>>>>>   <inducement id="1">
>>>>>     <policyRule>
>>>>>       <policyConstraints>
>>>>>         <assignment id="2">
>>>>>           <operation>add</operation>
>>>>>         </assignment>
>>>>>       </policyConstraints>
>>>>>       <policyActions>
>>>>>         <approval id="3">
>>>>>           <compositionStrategy>
>>>>>             <order>10</order>
>>>>>           </compositionStrategy>
>>>>>           <approvalSchema>
>>>>>             <stage>
>>>>>               <approverRef oid="53579500-962e-4b81-a946-7099bb077b8b" type="UserType" />
>>>>>               <automaticallyCompleted>
>>>>>                 <script>
>>>>>                   <code>
>>>>>                     log.debug("AutomaticallyCompleted condition");
>>>>>                     return 'approve';
>>>>>                   </code>
>>>>>                 </script>
>>>>>               </automaticallyCompleted>
>>>>>             </stage>
>>>>>           </approvalSchema>
>>>>>         </approval>
>>>>>       </policyActions>
>>>>>     </policyRule>
>>>>>   </inducement>
>>>>>   <roleType>policy</roleType>
>>>>> </role>
>>>>>
>>>>> When I assign a role containing the metarole, the selected approver
>>>>> receives the work item, so the metarole is working but the
>>>>> automaticallyCompleted configuration is being ignored.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Arnošt Starosta*
>>>> solution architect
>>>>
>>>> gsm: [+420] 603 794 932
>>>> e‑mail: arnost.starosta at ami.cz
>>>>
>>>> *AMI Praha a.s.*
>>>> Pláničkova 11, 162 00 Praha 6
>>>>
>>>> tel.: [+420] 274 783 239 | web: www.ami.cz
>>>>
>>>> By the text of this e-mail, the signatory neither promises to conclude
>>>> nor concludes any contract on behalf of AMI Praha a.s. Any contract,
>>>> if concluded, must be exclusively in written form.
>>>>
>>>> This e-mail is intended solely for its addressee(s) and may contain
>>>> confidential or personal information. If you are not the intended
>>>> recipient, any disclosure, forwarding or other use of this information
>>>> is prohibited. If you have received this e-mail in error, please inform
>>>> the sender and immediately delete all copies of this e-mail including
>>>> all its attachments. By handling information obtained without
>>>> authorization you expose yourself to the risk of legal action.
>>
>>


-- 
Devin Rosenbauer
Principal Consultant
Identity Works LLC
+1 585 210 3201
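
Added example (not part of the thread and not midPoint code): a stage whose automaticallyCompleted script returns a fixed outcome takes the human approver out of the loop, so role and metarole XML is worth auditing for it. This sketch parses the metarole quoted above and reports such stages, plus whether the inducement carries the focusType or orderConstraint that Arnošt asks about; the function names, the constant-return heuristic and the assumption that those two elements are direct children of the inducement are not from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the metarole from the thread, cut down to the elements audited.
SAMPLE_ROLE = """
<role>
  <inducement id="1">
    <policyRule><policyActions><approval id="3"><approvalSchema>
      <stage>
        <approverRef oid="53579500-962e-4b81-a946-7099bb077b8b" type="UserType"/>
        <automaticallyCompleted><script><code>
          log.debug("AutomaticallyCompleted condition");
          return 'approve';
        </code></script></automaticallyCompleted>
      </stage>
    </approvalSchema></approval></policyActions></policyRule>
  </inducement>
</role>
"""

def local(tag):
    """Strip an XML namespace, e.g. {ns}stage -> stage."""
    return tag.rsplit("}", 1)[-1]

def find_all(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def audit_role(xml_text):
    """One finding per approval stage that has automaticallyCompleted."""
    findings = []
    for ind in find_all(ET.fromstring(xml_text), "inducement"):
        # Assumption: focusType / orderConstraint are direct children of the inducement.
        scoped = any(local(c.tag) in ("focusType", "orderConstraint") for c in ind)
        for stage in find_all(ind, "stage"):
            for auto in find_all(stage, "automaticallyCompleted"):
                code = "".join(c.text or "" for c in find_all(auto, "code"))
                stmts = [s.strip() for s in code.split(";") if s.strip()]
                # Heuristic (assumption): ignore log.* calls; a lone literal return is unconditional.
                stmts = [s for s in stmts if not s.startswith("log.")]
                m = re.fullmatch(r"return\s+(['\"])(.*?)\1", stmts[0]) if len(stmts) == 1 else None
                findings.append({
                    "inducement": ind.get("id"),
                    "constant_outcome": m.group(2) if m else None,
                    "inducement_scoped": scoped,
                    "approvers": [a.get("oid") for a in find_all(stage, "approverRef")],
                })
    return findings

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

A finding with a non-empty `constant_outcome` and a listed approver is the combination discussed in the thread: an approver is named, yet the script's result does not depend on the request.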