[midPoint] Override default approval policy

Jussi Jokela jussi.jokela92 at gmail.com
Wed Feb 26 14:27:33 CET 2025


I'm having difficulties overriding my "default approver" policy. I have two
metaroles, one for default approver and one for "high risk systems" (for
example), and the default approver is inherited from another metarole which
is used when creating new roles and the high risk metarole is assigned when
the created role requires it.

The high risk metarole has <mergeOverwriting>true</mergeOverwriting>,
but it does not seem to have any effect. When the default approver and high
risk system metaroles are induced to the created role, both policy stages
require manual approval when the desired outcome is just to approve the high
risk system (all must approve) as it has lower order (higher priority).

Here are the code snippets for both policy metaroles and the metarole that
includes the default approver policy:

<displayName>Metarole: High risk systems</displayName>
<inducement id="1">
    <policyRule>
        <policyConstraints>
            <assignment>
                <operation>add</operation>
            </assignment>
        </policyConstraints>
        <policyActions>
            <approval id="3">
                <compositionStrategy>
                    <order>5</order>
                    <mergeOverwriting>true</mergeOverwriting>
                </compositionStrategy>
                <approvalSchema>
                    <stage id="4">
                        <name>Security</name>
                        <approverRef relation="org:default" type="c:OrgType">
                            <filter>
                                <q:text>name="High_risk_systems"</q:text>
                            </filter>
                            <resolutionTime>run</resolutionTime>
                        </approverRef>
                        <evaluationStrategy>allMustApprove</evaluationStrategy>
                        <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        <groupExpansion>onWorkItemCreation</groupExpansion>
                    </stage>
                </approvalSchema>
            </approval>
        </policyActions>
    </policyRule>
</inducement>

<displayName>Default approver</displayName>
<inducement id="1">
    <policyRule>
        <policyConstraints>
            <assignment>
                <operation>add</operation>
            </assignment>
        </policyConstraints>
        <policyActions>
            <approval id="16">
                <compositionStrategy>
                    <order>50</order>
                </compositionStrategy>
                <approvalSchema>
                    <stage id="17">
                        <name>Default approver</name>
                        <approverRef relation="org:default" type="c:OrgType">
                            <filter>
                                <q:text>name="Default approver"</q:text>
                            </filter>
                            <resolutionTime>run</resolutionTime>
                        </approverRef>
                        <evaluationStrategy>firstDecides</evaluationStrategy>
                        <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        <groupExpansion>onWorkItemCreation</groupExpansion>
                    </stage>
                </approvalSchema>
            </approval>
        </policyActions>
    </policyRule>
</inducement>



<inducement id="59">
    <!-- default approver -->
    <targetRef oid="7c1a3009-b456-40e6-a160-be32f70c1c7c" relation="org:default" type="c:RoleType"/>
</inducement>


Hope my goal is clear. :)


Best regards,
Jussi