[midPoint] Dynamic Role Approval Authority

Pavol Mederly mederly at evolveum.com
Wed Feb 17 10:23:42 CET 2021


Hello Keith, 

it's been a long time (almost years) since I last touched the approvals, so my answer is not guaranteed to be 100% complete. 

Generally, you can use dynamic filters (using expressions) in the approverRef item in the approval schema. These are evaluated at https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127 . Unfortunately, it looks like there is no role variable at your disposal there. 

An alternative would be to use approverExpression item in the stage definition. You could try that, and e.g. list all available groovy variables to see if there is something useful there. 

A third - and maybe preferred - way is to abandon the "owner" custom attribute and use a custom relation instead. So instead of a role -> user link you would have a user -> role link, differentiated by a specific relation in the targetRef. This is how approvals are done in midPoint regularly. 

Hope this helps, 
Pavol 

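To make the third (relation-based) suggestion concrete, here is an added example that is not part of this thread and not midPoint's own sample code: the meta-role's approval stage names a relation instead of a fixed approverRef filter, and each governed role's approver is linked to that role by an assignment carrying the relation. It assumes the standard org:approver relation, that the org namespace prefix is declared on the document root, and a constructed placeholder role OID.

```xml
<!-- 1. Approval stage inside the meta-role's inducement. Instead of a static
        approverRef filter, approvers are resolved at run time as the objects
        that hold the "approver" relation to the role being requested. -->
<inducement>
  <policyRule>
    <policyConstraints>
      <assignment/>
    </policyConstraints>
    <policyActions>
      <approval>
        <compositionStrategy>
          <order>20</order>
        </compositionStrategy>
        <approvalSchema>
          <stage>
            <name>Security</name>
            <!-- resolved per role: whoever is assigned to that role with
                 relation org:approver becomes an approver for this stage -->
            <approverRelation>approver</approverRelation>
            <evaluationStrategy>firstDecides</evaluationStrategy>
            <!-- a role with no approver linked to it is rejected, not silently
                 auto-approved -->
            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
          </stage>
        </approvalSchema>
      </approval>
    </policyActions>
  </policyRule>
</inducement>

<!-- 2. On the approving user: an assignment to the governed role that carries
        the org:approver relation (a user -> role link, not a role -> user
        attribute). The OID is a constructed placeholder; assumes xmlns:org is
        declared as http://midpoint.evolveum.com/xml/ns/public/common/org-3. -->
<assignment>
  <targetRef oid="00000000-0000-0000-0000-ROLE-OID-HERE"
             type="RoleType"
             relation="org:approver"/>
</assignment>
```

Because the approver is now data on the governed role's assignments rather than a name embedded in the meta-role, the same meta-role serves every role without a per-role filter, and the approver for a given role can be audited by querying assignments with that relation.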

From: "Keith LeValley via midPoint" <midpoint at lists.evolveum.com> 
To: midpoint at lists.evolveum.com 
Cc: "Keith LeValley" <klevalley2 at davenport.edu> 
Sent: Monday, February 15, 2021 8:23:33 PM 
Subject: [midPoint] Dynamic Role Approval Authority 

I might be on a little bit of a fishing expedition with this one so if I am way off base please point me in the right direction. 
I am trying to set up a "meta-role" that will dynamically assign an approval authority process based on an attribute within the role assigned to the meta-role. So I created a custom attribute for roles called "owner" and I want to assign a role name that will act as the approval authority. I started with the example shown below: 
<inducement> 
  <policyRule> 
    <policyConstraints> 
      <assignment/> 
    </policyConstraints> 
    <policyActions> 
      <approval> 
        <compositionStrategy> 
          <order>20</order> 
        </compositionStrategy> 
        <approvalSchema> 
          <stage> 
            <name>Security</name> 
            <approverRef relation="org:default" type="c:RoleType"> 
              <filter> 
                <q:equal> 
                  <q:path>name</q:path> 
                  <q:value>csc</q:value> 
                </q:equal> 
              </filter> 
              <resolutionTime>run</resolutionTime> 
            </approverRef> 
            <evaluationStrategy>firstDecides</evaluationStrategy> 
            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers> 
            <groupExpansion>onWorkItemCreation</groupExpansion> 
          </stage> 
        </approvalSchema> 
      </approval> 
    </policyActions> 
  </policyRule> 
</inducement> 


So I plug this into my "meta-role" and any role assigned to it now requires approval from the group/role named "csc". The problem is this is still static, so I am hoping to somehow take the example above and turn it into something like this below: 

<filter> 
  <q:equal> 
    <q:path>name</q:path> 
    <q:value>$owner</q:value> 
  </q:equal> 
</filter> 

The above doesn't work and I am not sure this is even possible. 

-- 
Keith LeValley 
Identity Services Architect , Davenport University 
phone: (616) 732-1102 
klevalley2 at davenport.edu 

_______________________________________________ 
midPoint mailing list 
midPoint at lists.evolveum.com 
https://lists.evolveum.com/mailman/listinfo/midpoint 