<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Илья,<br>
<br>
this is definitely a bug - or, more precisely, it is a preliminary
implementation.<br>
<br>
Perhaps the serious implementation should throw away support for
role assignments altogether, and instead of looking at org
assignments, it should consider parentOrgRef reference. That one
is computed by the model, and contains only valid assignments.
(With regard to administrative status, time validity, conditions
if org membership is induced e.g. by roles, and so on.)<br>
<br>
And the next level should be - perhaps configurable - looking at
"grand parent" orgs, "grand grand parent" orgs, etc. (I.e. parents
of parentOrgRef, and their parents, recursively.)<br>
<br>
It is not a big change, actually. Maybe an hour or two of work,
including testing. But the release of 3.2 is a few days ahead, and
we have a lot of work until then :(<br>
<br>
You can implement it yourself and submit a patch, if you wish.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
</div>
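<p>The change proposed in the reply above, sketched as an added example (not midPoint code and not from the original thread): candidate groups are derived only from org assignments that are currently active, then extended to ancestor orgs up to a configurable depth. The <code>Assignment</code> class, the function names and the sample OIDs are hypothetical and constructed for illustration.</p>

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Assignment:                      # hypothetical model, not a midPoint class
    target_type: str                   # "org" or "role"
    target_oid: str
    enabled: bool = True               # administrative status
    valid_from: Optional[datetime] = None
    valid_to: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        if not self.enabled:
            return False
        if self.valid_from is not None and now < self.valid_from:
            return False
        return self.valid_to is None or now <= self.valid_to


def naive_groups(assignments):
    """Behaviour reported in the thread: activation is ignored."""
    return {f"{a.target_type}:{a.target_oid}" for a in assignments}


def effective_groups(assignments, org_parents, now, max_levels=None):
    """Groups from active org assignments plus ancestor orgs.

    max_levels=0 keeps direct orgs only; None walks to the top.
    """
    frontier = {a.target_oid for a in assignments
                if a.target_type == "org" and a.is_active(now)}
    seen = set(frontier)
    level = 0
    while frontier and (max_levels is None or level < max_levels):
        parents = {p for oid in frontier for p in org_parents.get(oid, ())}
        frontier = parents - seen      # skip visited orgs, so cycles terminate
        seen |= frontier
        level += 1
    return {f"org:{oid}" for oid in seen}


# Constructed sample data; the OIDs are placeholders, not real midPoint OIDs.
NOW = datetime(2015, 7, 28)
ORG_PARENTS = {"oid-wheel": ["oid-it"], "oid-it": ["oid-company"]}
ASSIGNMENTS = [
    Assignment("org", "oid-wheel"),
    Assignment("org", "oid-audit", enabled=False),
    Assignment("org", "oid-project", valid_to=datetime(2015, 6, 30)),
    Assignment("role", "oid-resource-owner"),
]

if __name__ == "__main__":
    print("naive:    ", sorted(naive_groups(ASSIGNMENTS)))
    print("effective:", sorted(effective_groups(ASSIGNMENTS, ORG_PARENTS, NOW)))
```

<p>With the sample data, the naive lookup still lists the disabled and the expired org as candidate groups, while the filtered lookup returns only "wheel" and its ancestors.</p>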
<blockquote
cite="mid:F82253638486D44DABA51EC404D48AF388A044@EX-MB1.solar.local"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Hi
Pavol,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">I
looked into the WorkItemProvider.createQueryForTasksRelatedToUser()
method implementation, particularly MiscDataUtil.getGroupsForUser(),
and noticed that this method does not respect activation
parameters of the assignment. Is this a bug or a feature?
What exactly must be affected by activation settings and
what mustn’t?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:RU">From:</span></b><span
style="color:windowtext;mso-fareast-language:RU">
midPoint [<a class="moz-txt-link-freetext" href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Дорофеев Илья<br>
<b>Sent:</b> Monday, July 27, 2015 2:24 PM<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Assign approval work item
to role<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Hi
Pavol,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Many
thanks for your in-depth response. Now the subject has
become much clearer to me. Earlier I didn’t notice the "Work
items claimable by me" section and thought that assignees
are calculated immediately at the moment the work item is
created. Now it turns out that we have a list of possible
approvers synchronized with actual membership of a person in
a role, which, in turn, is pretty cool :).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:RU"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:RU"
lang="EN-US"> midPoint [</span><span
style="color:windowtext;mso-fareast-language:RU"><a
moz-do-not-send="true"
href="mailto:midpoint-bounces@lists.evolveum.com"><span
lang="EN-US">mailto:midpoint-bounces@lists.evolveum.com</span></a></span><span
style="color:windowtext;mso-fareast-language:RU"
lang="EN-US">]
<b>On Behalf Of </b>Pavol Mederly<br>
<b>Sent:</b> Monday, July 27, 2015 2:01 PM<br>
<b>To:</b> </span><span
style="color:windowtext;mso-fareast-language:RU"><a
moz-do-not-send="true"
href="mailto:midpoint@lists.evolveum.com"><span
lang="EN-US">midpoint@lists.evolveum.com</span></a></span><span
style="color:windowtext;mso-fareast-language:RU"
lang="EN-US"><br>
<b>Subject:</b> Re: [midPoint] Assign approval work item
to role<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">Ilya,<br>
<br>
back from the vacation. <br>
<br>
Created Org "wheel" with two users: admin1, admin2 (both
having Superuser role, not to bother with security).<br>
Created role "testrole" where approver == wheel.<br>
Attempted to create "testuser" with assigned "testrole".<br>
<br>
Work item was created, where candidate is wheel (org).<br>
<br>
<span style="mso-fareast-language:RU"><img
id="Рисунок_x0020_1"
src="cid:part3.03080701.06050100@evolveum.com"
alt="imap://mederly@mail.evolveum.com:993/fetch%3EUID%3E/INBOX%3E8765?header=quotebody&part=1.1.2&filename=image001.png"
border="0" height="292" width="827"></span><br>
After logging in as "admin1" - no "My work items", but one
"Work items claimable by me":<br>
<br>
<span style="mso-fareast-language:RU"><img
id="Рисунок_x0020_2"
src="cid:part4.00090509.00080606@evolveum.com"
alt="imap://mederly@mail.evolveum.com:993/fetch%3EUID%3E/INBOX%3E8765?header=quotebody&part=1.1.3&filename=image002.png"
border="0" height="173" width="1655"></span><br>
<br>
It can be claimed and released back, or directly processed.<br>
<br>
Implementation is such that this Activiti Task is created
like this - see the second row:<br>
<br>
<span style="mso-fareast-language:RU"><img
id="Рисунок_x0020_3"
src="cid:part5.08070201.05050008@evolveum.com"
alt="imap://mederly@mail.evolveum.com:993/fetch%3EUID%3E/INBOX%3E8765?header=quotebody&part=1.1.4&filename=image003.png"
border="0" height="107" width="944"></span><br>
<br>
I.e. its candidate group is in the form of "org:oid" where
oid is the midPoint OID of the "wheel" org.<br>
<br>
For implementation, see e.g.<br>
- PrepareApprover.execute (called from ItemApproval BPMN
process) - maps approverRef of type Role or Org to
"role:oid" or "org:oid" Activiti candidate group names<br>
- and then see ItemApproval BPMN process, userTask
id="loopLevels.loopApprovers.approve.withGroups" (lines
123-131)<br>
- WorkItemProvider.createQueryForTasksRelatedToUser
(searching for work items)<br>
<br>
Hope this helps,<br>
Pavol<br>
<br>
On 22. 7. 2015 9:15, Дорофеев Илья wrote:<span
style="font-size:12.0pt;mso-fareast-language:RU"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Pavol,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Thanks
for the answer. I am sorry but the assignment to members
of an org. unit didn’t work either. None of the members of
the org. unit are offered a work item. I looked through
the code and didn’t find any mentions of mapping between
midPoint and Activiti groups. So, when an Activiti task is
assigned to a candidate group
org:c96bf133-10f6-4ed0-9c88-cb3c69bb27ec, the Activiti
engine doesn’t really know the actual users of the group,
and the task is basically assigned to no one.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Could
you show me that piece of code responsible for this
behavior in case I’m wrong?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Ilya</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="mso-fareast-language:RU" lang="EN-US">From:</span></b><span
style="mso-fareast-language:RU" lang="EN-US"> midPoint
[<a moz-do-not-send="true"
href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>P</span><span
style="mso-fareast-language:RU">avol Mederly<br>
<b>Sent:</b> Tuesday, July 21, 2015 4:44 PM<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> Re: [midPoint] Assign approval work
item to role</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Ilya,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I've implemented this quite a long
time ago, so I'm having a little trouble remembering the
current status. ;)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">But as described here: <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Current+status+and+future+plans:">https://wiki.evolveum.com/display/midPoint/Current+status+and+future+plans:</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><em><span
style="font-family:"Calibri","sans-serif"">#7:
Ability to define approver not as an individual
only, but also as a member of an org. unit; allowing
to claim/release a work item. Currently this feature
is limited to "direct" members, i.e. not to members
of subordinate org. units. (Temporarily, it is
possible to use a role as an approver as well, but
this also applies only to users that have directly
assigned this role - and perhaps support for this
will be dropped in the future, see the following <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/Roles+and+Orgs">discussion
on roles and orgs</a>.)</span></em><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">So, the assignment to members of an
org. unit works, but in a special mode: each of the
members is offered the work item. (I.e. not assigned
directly.) He/she may claim it, and work on it.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As written above, I would suggest not
using roles for this, but org. units instead. (Note that
org. unit is a very general term. It may well correspond
to an arbitrary group of people.)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Hope this helps,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Pavol<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="100%">
</div>
<div>
<p class="MsoNormal"><b><span
style="font-family:"Helvetica","sans-serif""
lang="EN-US">From:
</span></b><span
style="font-family:"Helvetica","sans-serif""
lang="EN-US">"</span><span
style="font-family:"Helvetica","sans-serif"">Дорофеев
Илья</span><span
style="font-family:"Helvetica","sans-serif""
lang="EN-US">" <</span><span
style="font-family:"Helvetica","sans-serif""><a
moz-do-not-send="true"
href="mailto:i.dorofeev@solarsecurity.ru"><span
lang="EN-US">i.dorofeev@solarsecurity.ru</span></a></span><span
style="font-family:"Helvetica","sans-serif""
lang="EN-US">><br>
<b>To: </b>"midPoint General Discussion" <</span><span
style="font-family:"Helvetica","sans-serif""><a
moz-do-not-send="true"
href="mailto:midpoint@lists.evolveum.com"><span
lang="EN-US">midpoint@lists.evolveum.com</span></a></span><span
style="font-family:"Helvetica","sans-serif""
lang="EN-US">><br>
<b>Sent: </b>Tuesday, July 21, 2015 12:24:56 PM<br>
<b>Subject: </b>[midPoint] Assign approval work item
to role</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-family:"Helvetica","sans-serif""
lang="EN-US"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span lang="EN-US">Hi,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I have just come
across a problem of assigning approval work item to a
role.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">&lt;role&gt;</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> &lt;approverRef
oid="1ae3ab25-188f-4685-a073-fe522c55e057"
type="c:RoleType"&gt;&lt;!-- resource_owner
--&gt;&lt;/approverRef&gt;</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">&lt;/role&gt;</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">I expected that
the created workitem(s) would be assigned to all the
users included in the ‘resource_owner’ role. Is this
not implemented yet?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:RU"
lang="EN-US">Regards, Ilya</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica","sans-serif";mso-fareast-language:RU"><br>
</span><span
style="font-size:12.0pt;font-family:"Helvetica","sans-serif";mso-fareast-language:RU"
lang="EN-US">_______________________________________________<br>
midPoint mailing list<br>
</span><span
style="font-size:12.0pt;font-family:"Helvetica","sans-serif";mso-fareast-language:RU"><a
moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"><span
lang="EN-US">midPoint@lists.evolveum.com</span></a></span><span
style="font-size:12.0pt;font-family:"Helvetica","sans-serif";mso-fareast-language:RU"
lang="EN-US"><br>
</span><span
style="font-size:12.0pt;font-family:"Helvetica","sans-serif";mso-fareast-language:RU"><a
moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"><span
lang="EN-US">http://lists.evolveum.com/mailman/listinfo/midpoint</span></a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p> </o:p></span></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif";mso-fareast-language:RU"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>