[midPoint] AutomaticallyCompleted condition on role assignment

Nicolas Rossi nrossi at identicum.com
Tue Feb 5 19:50:32 CET 2019


Of course Devin. At the beginning I thought the approval-metarole was
working but it wasn't. The approval flow was working because we have
manually assigned a user as approver to a role. There is a global policy
that assigns as the approvers all users with the approver relation to a role.
So I had the expected behavior but with another policy rule. When I changed
the approverRef I noticed that the previous user was still the approver.
After that I realized that the approval-metarole was induced to the role
instead of assigned. That was the big mistake after all.

Anyway here is the configuration of my approval-metarole:

<role>
  <name>Custom Approval</name>
  <inducement id="1">
    <policyRule>
      <policyConstraints>
        <assignment id="2">
          <operation>add</operation>
        </assignment>
      </policyConstraints>
      <policyActions>
        <approval id="3">
          <compositionStrategy>
            <order>10</order>
          </compositionStrategy>
          <approvalSchema>
            <level>
              <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType" />
              <evaluationStrategy>firstDecides</evaluationStrategy>
              <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
              <automaticallyCompleted>
                <script>
                  <code>
                    if (basic.getPropertyValue(requester,"name").toString().equals("administrator")) {
                      return com.evolveum.midpoint.schema.constants.SchemaConstants.MODEL_APPROVAL_OUTCOME_APPROVE;
                    }
                    else {
                      return null;
                    }
                  </code>
                </script>
              </automaticallyCompleted>
            </level>
          </approvalSchema>
        </approval>
      </policyActions>
    </policyRule>
  </inducement>
  <roleType>policy</roleType>
</role>

Kind regards,


Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Oficina: +54 (11) 4552-3050
Móvil: +54 (911) 6041-3920
www.identicum.com


On Tue, Feb 5, 2019 at 3:12 PM Devin Rosenbauer <devin at identityworksllc.com>
wrote:

> So the rest of us can learn, can you summarize what was misconfigured? Was
> it that the inducement wasn't working?
>
> On Tue, Feb 5, 2019 at 1:02 PM Nicolas Rossi <nrossi at identicum.com> wrote:
>
>> Sorry guys. It was a misconfiguration on the role. It is working now.
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Oficina: +54 (11) 4552-3050
>> Móvil: +54 (911) 6041-3920
>> www.identicum.com
>>
>>
>> On Tue, Feb 5, 2019 at 12:16 PM Arnošt Starosta - AMI Praha a.s. <
>> arnost.starosta at ami.cz> wrote:
>>
>>> ok, sorry, i'm not that versed in assignment policy and thought that
>>> this inducement from metarole (without any orderConstraint) would check
>>> assignments for the role itself and not the user assignments.
>>>
>>> then i don't see the problem either. you can try tracing
>>> the com.evolveum.midpoint.wf.impl loggers, it may tell you more.
>>>
>>> good luck
>>>
>>> On Tue, 5. 2. 2019 at 15:17, Nicolas Rossi <nrossi at identicum.com>
>>> wrote:
>>>
>>>> I already tried with the SchemaConstants and I got the same behavior.
>>>> The debug message is not logged. Even when I change it to log.error. This
>>>> is the operation log I get:
>>>>
>>>> 2019-02-04 18:01:22,678 [] [pool-4-thread-29] DEBUG (com.evolveum.midpoint.model.impl.lens.Clockwork): Allow assignment/unassignment to user:b1ddb76d-769a-4937-a88b-dd6c2798a79b(andressa.silva at customer.com) becasue access to assignment container/properties is explicitly allowed
>>>>
>>>> 2019-02-04 18:01:22,745 [] [pool-4-thread-29] DEBUG (com.evolveum.midpoint.wf.impl.processes.itemApproval.ItemApprovalProcessInterface): About to start approval process instance 'Assigning role "Role with Approval" to user "andressa.silva at customer.com"'
>>>>
>>>> 2019-02-04 18:01:22,747 [] [pool-4-thread-29] DEBUG (com.evolveum.midpoint.wf.impl.processes.itemApproval.ItemApprovalProcessInterface): Approval schema XML:
>>>> <value xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>>        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>>        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>>        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>>        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>        xsi:type="c:ApprovalSchemaType">
>>>>    <stage xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>>>>       <number>1</number>
>>>>       <approverRef oid="53579500-962e-4b81-a946-7099bb077b8b"
>>>>                    relation="org:default"
>>>>                    type="c:UserType"><!-- nrossi --></approverRef>
>>>>       <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>>>>       <groupExpansion>byClaimingWorkItem</groupExpansion>
>>>>    </stage>
>>>> </value>
>>>>
>>>> 2019-02-04 18:01:22,763 [] [pool-4-thread-29] DEBUG (com.evolveum.midpoint.wf.impl.processes.itemApproval.ItemApprovalProcessInterface): Attached rules:
>>>> <value xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>>>        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>>        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>>>        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>>>        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>>        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>        xsi:type="c:SchemaAttachedPolicyRulesType"/>
>>>>
>>>> 2019-02-04 18:01:22,953 [] [pool-4-thread-29] DEBUG (com.evolveum.midpoint.wf.impl.processes.itemApproval.InitializeLoopThroughApproversInStage): Approval process instance Assigning role "Role with Approval" to user "andressa.silva at customer.com <andressa.silva at decolar.com>" (id 9803), stage 1:null: predetermined outcome: null, approvers: [com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType at 9a18f61[_referenceValue=PRV(oid=53579500-962e-4b81-a946-7099bb077b8b, targetType={.../common/common-3}UserType, relation={.../common/org-3}default)]]
>>>>
>>>> 2019-02-04 18:01:23,149 [] [pool-4-thread-29] DEBUG (com.evolveum.midpoint.wf.impl.processes.itemApproval.PrepareForTaskCreation): Creating work item for assignee=UserType:53579500-962e-4b81-a946-7099bb077b8b, candidateGroups=null, additionalInformation='[]'
>>>>
>>>> The metarole is induced to the role that needs to be approved. It's
>>>> working because the user defined as ApproverRef on the metarole receives
>>>> the work item to approve it when the role is requested.
>>>>
>>>>
>>>>
>>>>
>>>> Ing Nicolás Rossi
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Oficina: +54 (11) 4552-3050
>>>> Móvil: +54 (911) 6041-3920
>>>> www.identicum.com
>>>>
>>>>
>>>> On Tue, Feb 5, 2019 at 6:26 AM Arnošt Starosta - AMI Praha a.s. <
>>>> arnost.starosta at ami.cz> wrote:
>>>>
>>>>> Hi Nicolas,
>>>>>
>>>>> i use SchemaConstants.MODEL_APPROVAL_OUTCOME_* as return values, maybe
>>>>> your 'approve' string is not exactly the same thing?
>>>>>
>>>>> The debug message is logged?
>>>>>
>>>>> And is it really induced to the user object? I don't see any focusType
>>>>> and/or orderConstraint in your inducement.
>>>>>
>>>>> arnost
>>>>>
>>>>>
>>>>> On Mon, 4. 2. 2019 at 23:10, Nicolas Rossi <nrossi at identicum.com>
>>>>> wrote:
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> I was trying to bypass an approval step using the
>>>>>> automaticallyComplete configuration on an approval-metarole. I can't get it
>>>>>> to work. It is ignored even when it returns always "approve". Sample here
>>>>>> <https://github.com/Evolveum/midpoint/blob/1c1975fa450bbee741314c2822c5715ebf68f6b2/model/workflow-impl/src/test/resources/policy/assignments/role-role25-very-complex-approval.xml>.
>>>>>>
>>>>>> Here is my metarole code:
>>>>>>
>>>>>> <role>
>>>>>>   <name>Sample Approval</name>
>>>>>>   <inducement id="1">
>>>>>>     <policyRule>
>>>>>>       <policyConstraints>
>>>>>>         <assignment id="2">
>>>>>>           <operation>add</operation>
>>>>>>         </assignment>
>>>>>>       </policyConstraints>
>>>>>>       <policyActions>
>>>>>>         <approval id="3">
>>>>>>           <compositionStrategy>
>>>>>>             <order>10</order>
>>>>>>           </compositionStrategy>
>>>>>>           <approvalSchema>
>>>>>>             <stage>
>>>>>>               <approverRef oid="53579500-962e-4b81-a946-7099bb077b8b" type="UserType" />
>>>>>>               <automaticallyCompleted>
>>>>>>                 <script>
>>>>>>                   <code>
>>>>>>                     log.debug("AutomaticallyCompleted condition");
>>>>>>                     return 'approve';
>>>>>>                   </code>
>>>>>>                 </script>
>>>>>>               </automaticallyCompleted>
>>>>>>             </stage>
>>>>>>           </approvalSchema>
>>>>>>         </approval>
>>>>>>       </policyActions>
>>>>>>     </policyRule>
>>>>>>   </inducement>
>>>>>>   <roleType>policy</roleType>
>>>>>> </role>
>>>>>>
>>>>>> When I assign a role containing the metarole, the selected approver
>>>>>> receives the work item, so the metarole is working but the
>>>>>> automaticallyCompleted configuration is being ignored.
>>>>>>
>>>>>> Any thoughts ?
>>>>>>
>>>>>>
>>>>>> Ing Nicolás Rossi
>>>>>> Identicum S.A.
>>>>>> Jorge Newbery 3226
>>>>>> Oficina: +54 (11) 4552-3050
>>>>>> Móvil: +54 (911) 6041-3920
>>>>>> www.identicum.com
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Arnošt Starosta*
>>>>> solution architect
>>>>>
>>>>> gsm: [+420] 603 794 932
>>>>> e‑mail: arnost.starosta at ami.cz
>>>>>
>>>>> *AMI Praha a.s.*
>>>>> Pláničkova 11, 162 00 Praha 6
>>>>>
>>>>> tel.: [+420] 274 783 239 | web: www.ami.cz
>>>>>
>>>>> By the text of this e-mail the signatory neither promises to conclude
>>>>> nor concludes any contract on behalf of AMI Praha a.s. Any contract,
>>>>> if concluded, must be exclusively in written form.
>>>>>
>>>>> This e-mail is intended solely for the use of its addressee(s) and may
>>>>> contain confidential or personal information. If you are not the
>>>>> intended recipient, any disclosure, forwarding or other use of this
>>>>> information is prohibited. If you have received this e-mail in error,
>>>>> please inform the sender and immediately delete all copies of this
>>>>> e-mail including all its attachments. By handling information obtained
>>>>> without authorization you expose yourself to the risk of legal action.
>
>
> --
> Devin Rosenbauer
> Principal Consultant
> Identity Works LLC
> +1 585 210 3201
>
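
Added example (not part of the original thread and not midPoint code): a small Python check for the mistake reported above, where the approval metarole was attached to the role by inducement instead of assignment. It also lists automaticallyCompleted scripts so each auto-approve condition can be reviewed. The sample objects and the placeholder OID are constructed; METAROLE is abbreviated from the configuration in the message.

```python
import xml.etree.ElementTree as ET

# Constructed sample objects; the OID is a placeholder, not a value from the thread.
METAROLE_OID = "11111111-2222-3333-4444-555555555555"
ROLE_INDUCED = f"""<role>
  <name>Role with Approval</name>
  <inducement><targetRef oid="{METAROLE_OID}" type="RoleType"/></inducement>
</role>"""
ROLE_ASSIGNED = ROLE_INDUCED.replace("inducement", "assignment")
METAROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Custom Approval</name>
  <inducement><policyRule><policyActions><approval><approvalSchema><level>
    <automaticallyCompleted><script><code>
      if (basic.getPropertyValue(requester,"name").toString().equals("administrator")) {
        return com.evolveum.midpoint.schema.constants.SchemaConstants.MODEL_APPROVAL_OUTCOME_APPROVE;
      }
      return null;
    </code></script></automaticallyCompleted>
  </level></approvalSchema></approval></policyActions></policyRule></inducement>
</role>"""


def local(tag):
    """Drop the XML namespace so objects with or without xmlns are handled."""
    return tag.rsplit("}", 1)[-1]


def metarole_links(role_xml, metarole_oid):
    """Return how the role references the metarole: 'assignment' and/or 'inducement'."""
    links = []
    for child in ET.fromstring(role_xml):
        if local(child.tag) in ("assignment", "inducement"):
            for ref in child:
                if local(ref.tag) == "targetRef" and ref.get("oid") == metarole_oid:
                    links.append(local(child.tag))
    return links


def auto_complete_scripts(metarole_xml):
    """Collect every automaticallyCompleted script body for manual review."""
    found = []
    for el in ET.fromstring(metarole_xml).iter():
        if local(el.tag) == "automaticallyCompleted":
            found += [(c.text or "").strip() for c in el.iter() if local(c.tag) == "code"]
    return found


if __name__ == "__main__":
    for label, doc in (("induced", ROLE_INDUCED), ("assigned", ROLE_ASSIGNED)):
        print(label, "->", metarole_links(doc, METAROLE_OID))
    for body in auto_complete_scripts(METAROLE):
        print("auto-complete condition to review:\n", body)
```

A role that reports only "inducement" for the approval metarole matches the misconfiguration described in the top message.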