[midPoint] Policy Constraints and User Templates

Brandon Powers brandon at exclamationlabs.com
Mon Oct 19 19:46:15 CEST 2020


Pavol,
Thanks for the link and information. This explanation makes sense - the
question of what the expected behavior would be in the event the approval
is rejected is a critical one.

Given this explanation, in such scenarios, we may opt instead to trigger an
approval workflow via policy constraints instead on the user attribute
field - pausing the process before the default user template mapping ever
takes place. Of course, this with the understanding that we cannot truly
stop the mapping since the mapping is automated via configuration - but
that we would at least be injecting a review step when needed.  Business
rules would need to be in place for the approver to go directly to the
source system to make necessary changes.

Appreciate the feedback!

Brandon Powers
Exclamation Labs
300 Washington Street
Cumberland, MD 21502
888.545.5008 or 301.722.5008 ext 144
fax 301.722.2183
brandon at exclamationlabs.com
www.exclamationlabs.com <brandon at exclamationlabs.com>


On Mon, Oct 12, 2020 at 9:46 AM Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello Brandon,
>
> if I remember correctly, this question was opened once or twice (in the
> last years), for example here:
>
> https://lists.evolveum.com/pipermail/midpoint/2017-December/004293.html
>
> The basic question (posed also in the above mentioned thread) is: what
> should midPoint do if there would be a rejection of the role assignment?
>
> To keep things consistent, the change would need to affect even the source
> resource. So it would stop propagating the value to specific user
> attribute, and then to the role assignment.
>
> Or, such a rejection would need to set up a flag that would be respected
> by the mappings involved (inbound mapping providing user attribute or
> template mapping providing the role assignment), so that they would start
> ignoring the data coming from the source resource. But this is definitely
> not a standard behavior of midPoint approvals component.
>
> Hope this helps,
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 12/10/2020 15:18, Brandon Powers via midPoint wrote:
>
> Hello all,
>
> We are interested in approval workflows for assignments that are applied
> to users automatically via default user template mappings (utilizing
> assignmentTargetSearch).  So far, we've been unsuccessful in finding a way
> to trigger the approval policy constraint when the assignment is made
> automatically via an object template mapping (the approval workflow does
> kick off when *manually* assigning the org/role, however).
>
> I've had a lot of trouble finding any documentation on the matter to
> determine if this is supported or not, so I wanted to reach out and see if
> anyone could offer any insight on the matter? Perhaps there is undocumented
> functionality that allows this, or a specific approach that should be taken.
>
> For more context, we have auto assignments via the default user template
> to assign orgs based on the value of a specific user attribute which is
> defined from one of our resource's inbound mappings.
>
> Any insight on the matter from anyone is greatly appreciated!
>
> Brandon Powers
> Exclamation Labs
> 300 Washington Street
> Cumberland, MD 21502
> 888.545.5008 or 301.722.5008 ext 144
> fax 301.722.2183
> brandon at exclamationlabs.com
> www.exclamationlabs.com <brandon at exclamationlabs.com>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>