[midPoint] How to suppress manager approval of role, when the manager requests the role

Patrik Sidler patrik.sidler at itconcepts.ch
Fri Apr 28 08:48:44 CEST 2023


Hi Sven,

Thank you for your code snippet. I have used it, but it did not work for me because this query did not return the org managers for me.
But in the meantime, one of my colleagues (thank you Marie) has created a solution for me that works perfectly for “Manager Approval”.


<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      oid="5a9ece69-86ca-4e29-8457-c080287dac35">
    <name>Manager Approval Metarole</name>
    <description>Manager Approval is Metarole, used to find the manager that has to approve the request</description>
    <displayName>Manager Approval Metarole</displayName>
    <inducement id="10">
        <policyRule>
            <policyConstraints>
                <assignment id="11">
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval id="12">
                    <compositionStrategy>
                        <order>10</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage id="13">
                            <name>Line managers</name>

                            <!-- Autoapproval if requestor is manager of target user -->
                            <automaticallyCompleted>
                                <script>
                                    <code>
                                        actorOid = actor.getOid()
                                        managerOids = midpoint.getManagersOidsExceptUser(object)
                                        for (managerOid in managerOids) {
                                            if (managerOid == actorOid) {
                                                return com.evolveum.midpoint.schema.constants.SchemaConstants.MODEL_APPROVAL_OUTCOME_APPROVE;
                                            }
                                        }
                                        return null
                                    </code>
                                </script>
                            </automaticallyCompleted>

                            <!-- Find all managers for approval -->
                            <approverExpression>
                                <script>
                                    <code>midpoint.getManagersOidsExceptUser(object)</code>
                                </script>
                            </approverExpression>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role>

Thank you again for your help.
Regards Patrik

From: midPoint <midpoint-bounces at lists.evolveum.com> On behalf of Sven Feyerabend via midPoint
Sent: Monday, 24 April 2023 14:13
To: Patrik Sidler via midPoint <midpoint at lists.evolveum.com>
Cc: Sven Feyerabend <Sven.Feyerabend at stuvus.uni-stuttgart.de>
Subject: Re: [midPoint] How to suppress manager approval of role, when the manager requests the role


Hi Patrik,

I solved this by using a custom query and checking if the actor is also an approver:



<approverExpression>
    <script>
        <code>
        import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
        import com.evolveum.midpoint.schema.constants.RelationTypes;
        import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
        import java.util.stream.Collectors;

        prismContext = midpoint.getPrismContext();

        actorOid = actor.getOid();

        approverQuery = prismContext.queryFor(UserType.class)
                .ref(FocusType.F_PARENT_ORG_REF, OrgType.COMPLEX_TYPE, RelationTypes.MANAGER.getRelation(), target.getOid()).all()
                .build();

        List approvers = midpoint.searchObjects(UserType.class, approverQuery);

        for(approver in approvers){
            if(approver.getOid() == actorOid){
                return null;
            }
        }

        return approvers.stream().map(obj -> ObjectTypeUtil.createObjectRef(obj,prismContext)).collect(Collectors.toList());
        </code>
    </script>
</approverExpression>


This may not be the best solution, but I didn't find a better one.
So if someone knows a better way, feel free to correct me.

Kind Regards
Sven

On 18.04.23 at 15:21, Patrik Sidler via midPoint wrote:

Hi Community,

I have an issue and do not know how to get this solved.

We have several roles created that have a "Manager Approval" metarole assigned to them.

<role oid="5a9ece69-86ca-4e29-8457-c080287dac35">
    <name>Manager Approval Metarole</name>
    <inducement id="10">
        <policyRule>
            <policyConstraints>
                <assignment id="11">
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval id="12">
                    <compositionStrategy>
                        <order>10</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage id="13">
                            <name>Line managers</name>
                            <approverExpression>
                                <script>
                                    <code>midpoint.getManagersOidsExceptUser(object)</code>
                                </script>
                            </approverExpression>
                            <evaluationStrategy>firstDecides</evaluationStrategy>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role>

Whenever one of those roles is requested by someone, the manager of the person that receives the role has to approve the assignment.
So far so good.
But now, when my manager requests this role for me, he also has to approve this request.
How can I suppress this approval step when the requester and the approver are the same person?

Thank you in advance for your help.

Best regards,
Patrik Sidler
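
Added example, not part of the thread and not midPoint code: a simplified Python model of the "Line managers" stage from the metarole in the 28 April reply, used to check which requester/target pairs are auto-approved, sent to approvers, or rejected. The org data, the user names, the reduction of `getManagersOidsExceptUser` to "managers of the user's orgs minus the user", and the evaluation order are assumptions.

```python
# Simplified model of the "Line managers" approval stage (an assumption, not midPoint code).
# Constructed sample data: org -> its managers, user -> orgs the user is a member of.
ORG_MANAGERS = {"sales": {"alice"}, "board": {"carol"}}
USER_ORGS = {
    "bob": {"sales"},
    "alice": {"sales", "board"},
    "carol": {"board"},
    "dave": set(),
}


def managers_except_user(user):
    """Stand-in for midpoint.getManagersOidsExceptUser(object): never returns the user."""
    found = set()
    for org in USER_ORGS.get(user, set()):
        found |= ORG_MANAGERS.get(org, set())
    return found - {user}


def evaluate_stage(actor, target, auto_complete=True):
    """Return (outcome, approvers); outcome None means the approvers must decide."""
    managers = managers_except_user(target)
    # automaticallyCompleted: approve when the requester is a manager of the target.
    # Assumed to be evaluated before approvers are looked up.
    if auto_complete and actor in managers:
        return ("approve", set())
    # outcomeIfNoApprovers = reject
    if not managers:
        return ("reject", set())
    return (None, managers)


def decision_table():
    """Evaluate the requester/target pairs a reviewer would check."""
    pairs = [("alice", "bob"), ("bob", "bob"), ("alice", "alice"),
             ("carol", "carol"), ("dave", "dave")]
    return {pair: evaluate_stage(*pair) for pair in pairs}


if __name__ == "__main__":
    for (actor, target), (outcome, approvers) in decision_table().items():
        print(f"{actor} requests for {target}: {outcome or 'pending'} {sorted(approvers)}")
```

In this model no requester is auto-approved for a role assigned to themselves, because the manager list excludes the target user; a user with no other manager is rejected instead.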
