<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Anand,<br>
<br>
On 01/05/2015 02:54 PM, Anand Kothekar wrote:<br>
</div>
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr"><span style="font-size:12.8000001907349px">A Very
Happy New Year To You All.</span><br>
</div>
</blockquote>
<br>
Thanks. And a happy new year to you and all on this list.<br>
<br>
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><b>Please provide me
assistance for following queries :-</b></div>
<div>
<ul>
<li><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">I
have a requirement where I need to </span><b
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">raise
Approval Request</b><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">
at the time of </span><b
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">Account/Resource
Assignment to Role</b><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">
in midpoint.</span></li>
</ul>
</div>
</div>
</blockquote>
<br>
In midPoint there is no difference between "operation" and
"request". E.g. a "request" to add assignment to a user is just a
simple operation to add assignment to user object. MidPoint
configuration will then decide whether this operation needs to be
routed through an approval process - which makes it a "request" in
the workflow sense. But on the Model API level all the requests are
just normal operations. Therefore in your case the "request" is just
an operation that adds assignment to role.<br>
<br>
However there may be one issue. Currently the workflow code is built
to intercept only operations on users. Or that is the only thing
that we have tested so far. MidPoint architecture allows to
intercept operations on all objects. But I'm not sure how much
generic is the current "hook" code (as we call it) that actually
does the intercept. Maybe Pavol can provide more information here.<br>
<br>
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<ul>
<li><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">Is
it possible to </span><b
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">Assign
A Manager To User</b><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">
(Manager will handle Approval Requests Of multiple
users).</span></li>
</ul>
</div>
</div>
</blockquote>
<br>
There are two ways how to do this:<br>
<br>
1: Use the organizational structure. Assign user to the org unit and
assign a manager for the org unit. This is perhaps the most
systematic way. Then when you need a manager of a specific user you
need to write an expression that retrieves user's org unit, finds
the manager and returns it. The expression can also check for the
case that unit does not have a manager and it needs to go one unit
up, etc. The trick is how to assign a manager to the org unit. And
there are also two options:<br>
<br>
a: The architecturally clean way is to use "relation" parameter in
midPoint object references. This is designed especially for this
case. Every object reference in midPoint can have a "relation" which
is an optional qname/uri that can specify how the references objects
relate. This can be particularly useful with parentOrgRef reference
that forms the organizational structure. The default (empty)
relation is interpreted in a way that the user is a member of the
org unit. But you can use different relation values to represent a
manager, business owner or any similar concept. This can
theoretically be used to specify many managers for a particular org
unit, pass manager changes through proper approvals, etc. The good
news is that the relation is designed to be easily indexed and our
search queries are also designed to handle it so it is likely to
scale. The bad news is that I'm not sure how much of this is
actually implemented. There may also be issues how to express the
relation in an assignment.<br>
<br>
b: The less clean but perhaps more practical solution is to use
extended attributes in OrgType to store the reference to the manager
of the org unit. This is simpler and it will work well in some
cases. But there may be scalability/flexibility limitations.<br>
<br>
2: Do not use organizational structure at all. Use extended
attribute of UserType to specify the manager of each user directly.
This is what commercial IDM systems typically do. It is simple, but
there is a huge amount of inherent drawbacks in this approach.<br>
<br>
Whatever way you choose please keep this in mind: We are using
organizational structure quite a lot in existing midPoint
deployments. Therefore this part is fairly well tested. But we use
it for delegated administration/authorizations and for
synchronization. We currently do not have any midPoint deployment
where the organizational structure is used to specify managers and
used for approvals. We have found that our current customers are
quite happy with approvals based only on roles. However midPoint was
designed for this (case 1a) and it should theoretically work.
However this was never tested and as the wise saying goes: "In
theory there is no difference between theory and practice. But in
practice there is a whole lot of difference." ... so proceed with
care. There is also very little of this pre-configured and there are
almost no samples.<br>
<br>
As always you have the usual options:
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a><br>
<br>
We have one current customer that is considering investment in the
midPoint organizational structure management. If the customer
decides for this then we will test (and fix) the use of "relation"
for specifying org managers (case 1a). But currently we have do have
any indication when (or if) this is going to happen.<br>
<br>
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<ul>
<li><span
style="font-family:arial,helvetica,sans-serif;font-size:12.8000001907349px">If
yes then how we can force Managers to Approve Resource
requests on Role Assignments .</span></li>
</ul>
</div>
</div>
</blockquote>
<br>
Each role has an approverExpression property. A user who is the
result of this expression will be an approver for this particular
role. This is the place where you can put an expression that
determines the manager. Or alternatively you can modify the approval
workflow (BPMN) and explicitly determine the approvers there.<br>
<br>
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<ul>
<li><span
style="font-family:arial,helvetica,sans-serif;font-size:12.8000001907349px">Handling
Multi-Level Approvals (from User's Manager and Manager's
Manager).</span><br>
</li>
</ul>
</div>
</div>
</blockquote>
<br>
We support multi-level approvals in roles. See the approvalSchema
property in the role. But I'm not sure if this can be coupled with
the approverExpression result or you will need to modify the
workflow to get this. Maybe Pavol can provide more details here.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
</body>
</html>