[midPoint] Dynamic Role Approval Authority
Keith LeValley
klevalley2 at davenport.edu
Mon Feb 15 20:23:33 CET 2021
I might be on a little bit of a fishing expedition with this one, so if I am
way off base, please point me in the right direction.
I am trying to set up a "meta-role" that will dynamically assign an
approval authority process based on an attribute within the role assigned
to the meta-role. So I created a custom attribute for roles called "owner"
and I want to assign a role name that will act as the approval authority.
I started with the example shown below:
<inducement>
  <policyRule>
    <policyConstraints>
      <assignment/>
    </policyConstraints>
    <policyActions>
      <approval>
        <compositionStrategy>
          <order>20</order>
        </compositionStrategy>
        <approvalSchema>
          <stage>
            <name>Security</name>
            <approverRef relation="org:default" type="c:RoleType">
              <filter>
                <q:equal>
                  <q:path>name</q:path>
                  <q:value>csc</q:value>
                </q:equal>
              </filter>
              <resolutionTime>run</resolutionTime>
            </approverRef>
            <evaluationStrategy>firstDecides</evaluationStrategy>
            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
            <groupExpansion>onWorkItemCreation</groupExpansion>
          </stage>
        </approvalSchema>
      </approval>
    </policyActions>
  </policyRule>
</inducement>
So I plug this into my "meta-role" and any role assigned to it now requires
approval from the group/role named "csc". The problem is this is still
static, so I am hoping to somehow take the example above and turn it into
something like this below:
<filter>
  <q:equal>
    <q:path>name</q:path>
    <q:value>$owner</q:value>
  </q:equal>
</filter>
The above doesn't work and I am not sure this is even possible.
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2 at davenport.edu