[midPoint] Override default approval policy

[Jussi Jokela]

Hello again,

Seems like the code snippets were badly formatted in my previous
message, here they are again and hopefully more readable, as I wish
someone could help me with this:

<displayName>Metarole: High risk systems</displayName>
    <inducement id="1">
        <policyRule>
            <policyConstraints>
                <assignment>
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval id="3">
                    <compositionStrategy>
                        <order>5</order>
                        <mergeOverwriting>true</mergeOverwriting>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage id="4">
                            <name>Security</name>
                            <approverRef relation="org:default"
type="c:OrgType">
                                <filter>
                                    <q:text>name="High_risk_systems"</q:text>
                                </filter>
                                <resolutionTime>run</resolutionTime>
                            </approverRef>

<evaluationStrategy>allMustApprove</evaluationStrategy>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                            <groupExpansion>onWorkItemCreation</groupExpansion>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>

   <displayName>Default approver</displayName>
    <inducement id="1">
        <policyRule>
            <policyConstraints>
                <assignment>
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval id="16">
                    <compositionStrategy>
                        <order>50</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage id="17">
                            <name>Default approver</name>
                            <approverRef relation="org:default"
type="c:OrgType">
                                <filter>
                                    <q:text>name="Default approver"</q:text>
                                </filter>
                                <resolutionTime>run</resolutionTime>
                            </approverRef>

<evaluationStrategy>firstDecides</evaluationStrategy>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                            <groupExpansion>onWorkItemCreation</groupExpansion>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>

<inducement id="59">
        <targetRef oid="7c1a3009-b456-40e6-a160-be32f70c1c7c" (default
approver) relation="org:default" type="c:RoleType"/>
    </inducement>


Br,
Jussi


ke 26.2.2025 klo 15.27 Jussi Jokela (jussi.jokela92 at gmail.com) kirjoitti:
>
>
> I'm having difficulties overriding my "default approver" policy. I have two metaroles, one for default approver and one for "high risk systems" (for example) and
> and the default approver is inherited from another metarole which is used when creating new roles and the high risk metarole is assigned when the created role requires it.
>
> The high risk metarole has the <mergeOverwriting>true</mergeOverwriting> but it does not seem to have effect. When the default approver and high risk system metaroles are induced to
> created role, both policy stages require manual approval when the desired outcome is just to approve the high risk system (all must approve) as it has lower order (higher priority).
>
> Here are the code snippets for both policy metaroles and the metarole that includes the default approver policy:
>
>     <displayName>Metarole: High risk systems</displayName>
>     <inducement id="1">
>         <policyRule>
>             <policyConstraints>
>                 <assignment>
>                     <operation>add</operation>
>                 </assignment>
>             </policyConstraints>
>             <policyActions>
>                 <approval id="3">
>                     <compositionStrategy>
>                         <order>5</order>
>                         <mergeOverwriting>true</mergeOverwriting>
>                     </compositionStrategy>
>                     <approvalSchema>
>                         <stage id="4">
>                             <name>Security</name>
>                             <approverRef relation="org:default" type="c:OrgType">
>                                 <filter>
>                                     <q:text>name="High_risk_systems"</q:text>
>                                 </filter>
>                                 <resolutionTime>run</resolutionTime>
>                             </approverRef>
>                             <evaluationStrategy>allMustApprove</evaluationStrategy>
>                             <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>                             <groupExpansion>onWorkItemCreation</groupExpansion>
>                         </stage>
>                     </approvalSchema>
>                 </approval>
>             </policyActions>
>         </policyRule>
>     </inducement>
>
>    <displayName>Default approver</displayName>
>     <inducement id="1">
>         <policyRule>
>             <policyConstraints>
>                 <assignment>
>                     <operation>add</operation>
>                 </assignment>
>             </policyConstraints>
>             <policyActions>
>                 <approval id="16">
>                     <compositionStrategy>
>                         <order>50</order>
>                     </compositionStrategy>
>                     <approvalSchema>
>                         <stage id="17">
>                             <name>Default approver</name>
>                             <approverRef relation="org:default" type="c:OrgType">
>                                 <filter>
>                                     <q:text>name="Default approver"</q:text>
>                                 </filter>
>                                 <resolutionTime>run</resolutionTime>
>                             </approverRef>
>                             <evaluationStrategy>firstDecides</evaluationStrategy>
>                             <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
>                             <groupExpansion>onWorkItemCreation</groupExpansion>
>                         </stage>
>                     </approvalSchema>
>                 </approval>
>             </policyActions>
>         </policyRule>
>     </inducement>
>
> <inducement id="59">
>         <targetRef oid="7c1a3009-b456-40e6-a160-be32f70c1c7c" (default approver) relation="org:default" type="c:RoleType"/>
>     </inducement>
>
>
> Hope my goal is clear. :)
>
>
> Best regards,
> Jussi