[midPoint] Policy constraints based on requester

Ivan Noris ivan.noris at evolveum.com
Wed Aug 24 15:36:42 CEST 2022


Hi Jussi,


we are using the following setup in MidPoint Advanced Training:


- the roles which are requestable may have one or several metaroles 
assigned; these metaroles contain policy rules

- one policy is for manager approval; one policy is for role approver 
approval; last one is for security officer approval (anyone who is 
member of organization called SECURITY)


The security officer approval is optional; it only happens if the archetype 
of the user for which the request is done is not Employee. This is done 
in the inducement condition (blue font below).


(So this is not requester, but requestee. Anyway I will share it.)


<inducement>
    <policyRule>
        <policyConstraints>
            <assignment>
                <operation>add</operation>
            </assignment>
        </policyConstraints>
        <policyActions>
            <approval>
                <compositionStrategy>
                    <order>100</order>
                </compositionStrategy>
                <approvalSchema>
                    <stage>
                        <name>Security Officer (any)</name>
                        <approverRef type="OrgType">
                            <filter>
                                <q:equal>
                                    <q:path>name</q:path>
                                    <q:value>SECURITY</q:value>
                                </q:equal>
                            </filter>
                            <resolutionTime>run</resolutionTime>
                        </approverRef>
                        <evaluationStrategy>firstDecides</evaluationStrategy>
                        <groupExpansion>onWorkItemCreation</groupExpansion>
                        <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        <!-- FIXME if there are no approvers, request is rejected -->
                    </stage>
                </approvalSchema>
            </approval>
        </policyActions>
    </policyRule>
    <condition>
        <expression>
            <script>
                <code>!midpoint.hasArchetype(focus, "7135e68c-ee53-11e8-8025-170b77da3fd6") <!-- Employee --></code>
            </script>
        </expression>
    </condition>
</inducement>


Hope this helps at least somehow.


Best regards,

Ivan


On 24. 8. 2022 13:23, Jussi Jokela via midPoint wrote:
> Hi everyone,
>
> Is it possible to use policy constraints that are based on the 
> requester? For example, if creating an assignment request and the 
> requester is superuser, the approval process should be skipped and the 
> request is automatically approved. I didn't find any documentation or 
> examples of how to achieve this, at least anything that is not deprecated.
>
>
> Thanks in advance.
>
>
> Best regards,
> Jussi Jokela
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Expert Identity Engineer
evolveum.com
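The following is an added example, not part of Ivan's message or of the midPoint training material. It takes the same metarole inducement shape shown above and moves the condition from the requestee to the requester, which is what Jussi asked about. It assumes that `midpoint.getPrincipal()` returns the logged-in user who submitted the request at the moment the inducement condition is evaluated, and that the superuser population is identified by an archetype whose OID is the placeholder `SUPERUSER_ARCHETYPE_OID_PLACEHOLDER`; both should be confirmed in a test environment before relying on them. The condition is written so that an unknown principal keeps the approval stage in place rather than skipping it.

```xml
<!-- Added example (not from the original thread): metarole inducement whose
     approval stage applies unless the REQUESTER carries the superuser archetype. -->
<inducement>
    <policyRule>
        <name>approval-unless-requester-is-superuser</name>
        <policyConstraints>
            <assignment>
                <operation>add</operation>
            </assignment>
        </policyConstraints>
        <policyActions>
            <approval>
                <compositionStrategy>
                    <order>100</order>
                </compositionStrategy>
                <approvalSchema>
                    <stage>
                        <name>Security Officer (any)</name>
                        <!-- Same approver resolution as in the training setup:
                             any member of the org named SECURITY may decide. -->
                        <approverRef type="OrgType">
                            <filter>
                                <q:equal>
                                    <q:path>name</q:path>
                                    <q:value>SECURITY</q:value>
                                </q:equal>
                            </filter>
                            <resolutionTime>run</resolutionTime>
                        </approverRef>
                        <evaluationStrategy>firstDecides</evaluationStrategy>
                        <groupExpansion>onWorkItemCreation</groupExpansion>
                        <!-- Fail closed: no approver available means the request is rejected,
                             not silently approved. -->
                        <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                    </stage>
                </approvalSchema>
            </approval>
        </policyActions>
    </policyRule>
    <condition>
        <expression>
            <script>
                <code>
                    // ASSUMPTION: midpoint.getPrincipal() yields the user who submitted
                    // the request when this inducement condition is evaluated.
                    def requester = midpoint.getPrincipal()?.focus

                    // Placeholder; replace with the real OID of the superuser archetype.
                    def superuserArchetypeOid = "SUPERUSER_ARCHETYPE_OID_PLACEHOLDER"

                    // The rule (and therefore the approval stage) is in effect when the
                    // requester is NOT a superuser. If the requester cannot be determined,
                    // keep the approval stage rather than skipping it.
                    return requester == null || !midpoint.hasArchetype(requester, superuserArchetypeOid)
                </code>
            </script>
        </expression>
    </condition>
</inducement>
```

Because the condition sits on the inducement and not on the stage, a superuser request simply never picks up this policy rule; any other policy rules the role carries (manager approval, role approver approval) are unaffected unless they are given the same condition.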

