<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello Anand,<br>
<br>
I'm back from the vacation. I have a couple of notes to the
questions you have raised:<br>
<br>
<blockquote cite="mid:54ABDD8F.4060902@evolveum.com" type="cite">
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="font-size:12.8000001907349px"><b>Please provide me
assistance for following queries :-</b></div>
<div>
<ul>
<li><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">I
have a requirement where I need to </span><b
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">raise
Approval Request</b><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">
at the time of </span><b
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">Account/Resource
Assignment to Role</b><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">
in midpoint.</span></li>
</ul>
</div>
</div>
</blockquote>
(...)<br>
However there may be one issue. Currently the workflow code is
built to intercept only operations on users. Or that is the only
thing that we have tested so far. MidPoint architecture allows to
intercept operations on all objects. But I'm not sure how much
generic is the current "hook" code (as we call it) that actually
does the intercept. Maybe Pavol can provide more information here.<br>
</blockquote>
<br>
The core workflow hook code is fairly generic, so it should work
well with roles.<br>
<br>
However, as Radovan said, all scenarios where workflows have been
used (at least what we know about) were related to users. <br>
<br>
Therefore now I'm preparing a sample that will show how to implement
your role-related scenario. During that effort I'll identify missing
pieces in midPoint workflow module that are needed for the scenario,
if there are any.<br>
<br>
However, the scenario preparation might take a week or a little more
because there are some
other urgent fixes that have to be done, related to upcoming
midPoint release.<br>
<br>
<blockquote cite="mid:54ABDD8F.4060902@evolveum.com" type="cite">
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<ul>
<li><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">Is
it possible to </span><b
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">Assign
A Manager To User</b><span
style="font-size:12.8000001907349px;font-family:arial,helvetica,sans-serif">
(Manager will handle Approval Requests Of multiple
users).</span></li>
</ul>
</div>
</div>
</blockquote>
</blockquote>
(...)<br>
<br>
There is a sample #3 in <a
href="https://wiki.evolveum.com/display/midPoint/Some+examples">https://wiki.evolveum.com/display/midPoint/Some+examples</a>
that deals with this situation. It uses the Radovan's solution #1a:<br>
<blockquote cite="mid:54ABDD8F.4060902@evolveum.com" type="cite"> <br>
1: Use the organizational structure. Assign user to the org unit
and assign a manager for the org unit. This is perhaps the most
systematic way. Then when you need a manager of a specific user
you need to write an expression that retrieves user's org unit,
finds the manager and returns it. The expression can also check
for the case that unit does not have a manager and it needs to go
one unit up, etc. The trick is how to assign a manager to the org
unit. And there are also two options:<br>
<br>
a: The architecturally clean way is to use "relation" parameter in
midPoint object references. This is designed especially for this
case. Every object reference in midPoint can have a "relation"
which is an optional qname/uri that can specify how the references
objects relate. This can be particularly useful with parentOrgRef
reference that forms the organizational structure. The default
(empty) relation is interpreted in a way that the user is a member
of the org unit. But you can use different relation values to
represent a manager, business owner or any similar concept. This
can theoretically be used to specify many managers for a
particular org unit, pass manager changes through proper
approvals, etc. The good news is that the relation is designed to
be easily indexed and our search queries are also designed to
handle it so it is likely to scale. The bad news is that I'm not
sure how much of this is actually implemented. There may also be
issues how to express the relation in an assignment.<br>
<br>
</blockquote>
Please have a look at it. Most probably you would have to
extend/tweak it to match your requirements.<br>
<br>
<blockquote cite="mid:54ABDD8F.4060902@evolveum.com" type="cite">
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<ul>
<li><span
style="font-family:arial,helvetica,sans-serif;font-size:12.8000001907349px">If
yes then how we can force Managers to Approve Resource
requests on Role Assignments .</span></li>
</ul>
</div>
</div>
</blockquote>
<br>
Each role has an approverExpression property. A user who is the
result of this expression will be an approver for this particular
role. This is the place where you can put an expression that
determines the manager. Or alternatively you can modify the
approval workflow (BPMN) and explicitly determine the approvers
there.<br>
</blockquote>
Here I do not understand the overall context: what exactly should
the user's manager approve? Because if you want to modify a role by
changing its resource assignment, there is no user - and so no
user's manager - you can refer to.<br>
<br>
Or do you mean consulting all managers of all users that would be
touched by the proposed change in the role?<br>
<br>
Could you describe a more detailed scenario for me please?<br>
<blockquote cite="mid:54ABDD8F.4060902@evolveum.com" type="cite">
<blockquote
cite="mid:CAHUT-CR=8UNhew0tN8eryZ0dvHGsyNc_Wo1JRsLDfRP28hgA9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<ul>
<li><span
style="font-family:arial,helvetica,sans-serif;font-size:12.8000001907349px">Handling
Multi-Level Approvals (from User's Manager and
Manager's Manager).</span><br>
</li>
</ul>
</div>
</div>
</blockquote>
We support multi-level approvals in roles. See the approvalSchema
property in the role. But I'm not sure if this can be coupled with
the approverExpression result or you will need to modify the
workflow to get this. Maybe Pavol can provide more details here.<br>
</blockquote>
Yes, it can be combined. You can provide an approvalSchema with e.g.
5 levels. On each level there can be an approverExpression, giving
user's managers for that level. I.e.<br>
<br>
- on level 1 there will be an expression giving user's immediate
manager(s): <code class="java plain">midpoint.getManagersOidsExceptUser(object)<br>
</code>- on level 2 there will be an expression giving managers' of
these manager(s): (such expression does not exist yet, you would
have to create your own)<br>
- ...<br>
<br>
However, there are some issues with this approach:<br>
<br>
<ol>
<li>The approval schema is fixed, so you would have to provide the
number of levels that would cover your most complex scenario.
(It's basically a matter of copy & paste - ugly but
working.)</li>
<li>Everything is OK unless a user (or anyone in the hierarchy)
has more managers, either because his organization has more
managers or because he is a member of more organizations. The
question then is - which manager should approve the request? Or
should all the managers approve? See also the notes at the end
of the samples page I referred to above (<a
href="https://wiki.evolveum.com/display/midPoint/Some+examples">https://wiki.evolveum.com/display/midPoint/Some+examples</a>).
In the hierarchical case as you described, the situation is even
more complex: on level 2, all users "grand-managers" should
approve, or only managers of the manager that approved the
request (assuming one manager's approval is sufficient)?<br>
</li>
</ol>
So the situation should be specified in more details.<br>
<br>
Nevertheless, as Radovan said, you can always implement your own
BPMN approval process. Then you will not be limited by standard
ItemApproval process that uses above-described approvers and
approval schemas.<br>
<br>
Or, if you could describe your requirements more clearly and if they
would be quite generic, we could perhaps implement a standard
solution for this. Something like org-aware generic ItemApproval
process. (Subject to usual conditions as Radovan pointed to: <a
class="moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>).<br>
<br>
Hope this helps. If you would have any questions, please don't
hesitate to ask here.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
</body>
</html>