[midPoint] How to suppress manager approval of role, when the manager requests the role

Sven Feyerabend Sven.Feyerabend at stuvus.uni-stuttgart.de
Mon Apr 24 14:13:28 CEST 2023


Hi Patrik,

I solved this by using a custom query and checking if the actor is also 
an approver:


<approverExpression>
     <script>
         <code>
         import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
         import com.evolveum.midpoint.schema.constants.RelationTypes;
         import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
         import java.util.stream.Collectors;

         prismContext = midpoint.getPrismContext();
         actorOid = actor.getOid();

         // Users whose parentOrgRef points at the target with the manager relation
         approverQuery = prismContext.queryFor(UserType.class)
                 .ref(FocusType.F_PARENT_ORG_REF, OrgType.COMPLEX_TYPE, RelationTypes.MANAGER.getRelation(), target.getOid()).all()
                 .build();
         List approvers = midpoint.searchObjects(UserType.class, approverQuery);

         // If the actor is one of these approvers, return no approvers at all
         for(approver in approvers){
             if(approver.getOid() == actorOid){
                 return null;
             }
         }

         // Otherwise return a reference to every approver found
         return approvers.stream().map(obj -> ObjectTypeUtil.createObjectRef(obj,prismContext)).collect(Collectors.toList());
         </code>
     </script>
</approverExpression>


This may not be the best solution, but I didn't find a better one.
So if someone knows a better way, feel free to correct me.

Kind Regards
Sven

On 18.04.23 at 15:21, Patrik Sidler via midPoint wrote:
> Hi Community,
>
> I have an issue and do not know how to get this solved.
>
> We have several roles created that have a "Manager Approval" metarole assigned to it.
>
> <role oid="5a9ece69-86ca-4e29-8457-c080287dac35">
>      <name>Manager Approval Metarole</name>
>      <inducement id="10">
>          <policyRule>
>              <policyConstraints>
>                  <assignment id="11">
>                      <operation>add</operation>
>                  </assignment>
>              </policyConstraints>
>              <policyActions>
>                  <approval id="12">
>                      <compositionStrategy>
>                          <order>10</order>
>                      </compositionStrategy>
>                      <approvalSchema>
>                          <stage id="13">
>                              <name>Line managers</name>
>                              <approverExpression>
>                                  <script>
>                                      <code>midpoint.getManagersOidsExceptUser(object)</code>
>                                  </script>
>                              </approverExpression>
>                              <evaluationStrategy>firstDecides</evaluationStrategy>
>                              <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>                          </stage>
>                      </approvalSchema>
>                  </approval>
>              </policyActions>
>          </policyRule>
>      </inducement>
> </role>
>
> Whenever one of those roles is requested by someone, the manager of the person that receives the role has to approve the assignment.
> So far so good.
> But now, when my manager requests this role for me, he also has to approve this request.
> How can I suppress this approval step when the requester and the approver are the same person?
>
> Thank you in advance for your help.
>
> Best regards,
>
> Patrik Sidler
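Added example, not part of the original thread and not midPoint code: a small Python model of how an approver expression that returns no approvers when the actor is an approver interacts with the stage's outcomeIfNoApprovers setting. It assumes that a stage with an empty approver set completes with the outcomeIfNoApprovers value; all function names and OIDs are hypothetical.

```python
# Model only: function names and sample OIDs are constructed for illustration.

def approvers_for(manager_oids, actor_oid):
    """Mirror of the posted expression: no approvers if the actor is a manager."""
    if actor_oid in manager_oids:
        return None
    return list(manager_oids)


def stage_outcome(approvers, outcome_if_no_approvers):
    """Assumed stage semantics: an empty approver set completes the stage
    with the configured outcome; otherwise it waits for a human decision."""
    if not approvers:
        return outcome_if_no_approvers
    return "pending"


def evaluate(manager_oids, actor_oid, outcome_if_no_approvers):
    """Expression result fed into the stage, as the engine would do it."""
    return stage_outcome(approvers_for(manager_oids, actor_oid),
                         outcome_if_no_approvers)


def evaluate_explicit(manager_oids, actor_oid):
    """Variant that keeps the two 'no approvers' cases apart."""
    if not manager_oids:
        return "reject"    # nobody is responsible for the target: fail closed
    if actor_oid in manager_oids:
        return "approve"   # the requester already holds approval authority
    return "pending"


if __name__ == "__main__":
    cases = [
        (["mgr-1"], "mgr-1", "manager requests the role"),
        (["mgr-1"], "user-9", "someone else requests the role"),
        ([], "user-9", "no manager exists"),
    ]
    for managers, actor, label in cases:
        print(label,
              "| reject:", evaluate(managers, actor, "reject"),
              "| approve:", evaluate(managers, actor, "approve"),
              "| explicit:", evaluate_explicit(managers, actor))
```

Under these assumptions, the outcomeIfNoApprovers value of reject in the quoted metarole would reject the manager's own request, while switching it to approve would also auto-approve requests when no manager exists at all.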