<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Florin,</p>
there are actually two problems with approval schema levels:<br>
<br>
The first one is that - as you said - levels have no IDs. This is
because of an omission to generate them when saving an object into
the repository (PrismIdentifierGenerator class). Workaround is quite
simple: when creating a role, just manually insert such identifiers
into the XML representation.<br>
<br>
But, what is worse, is the second issue: multivalued prism
structures are unsorted. ID is not a sorting key; it's just an
identifier. So it's quite possible that ordering of multi-level
approval schema gets swapped. This can occur on applying add/delete
item deltas that address levels.<br>
<br>
Fortunately, workaround for both problems is quite simple: always
execute <itemDelta> that replaces all the content of
<approvalStructure>, e.g. like this:<br>
<br>
<font size="-1"><tt><apit:objectModification
xmlns:apit='<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">http://midpoint.evolveum.com/xml/ns/public/common/api-types-3</a>'
xmlns:c='<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>'
xmlns='<a class="moz-txt-link-freetext" href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>'
xmlns:t=<a class="moz-txt-link-rfc2396E" href="http://prism.evolveum.com/xml/ns/public/types-3">"http://prism.evolveum.com/xml/ns/public/types-3"</a>><br>
<apit:itemDelta></tt><tt><br>
</tt><tt>
<t:modificationType>replace</t:modificationType></tt><tt><br>
</tt><tt> <t:path>c:approvalSchema</t:path></tt><tt><br>
</tt><tt> <t:value></tt><tt><br>
</tt><tt> <name>Sample Complex Schema
1</name></tt><tt><br>
</tt><tt> <description>A sample complex approval
schema, involving the security administrator</description></tt><tt><br>
</tt><tt> <level></tt><tt><br>
</tt><tt> <name>Bosses</name></tt><tt><br>
</tt><tt> <description>At this level, either
one of the company directors has to approve the
assignment.</description></tt><tt><br>
</tt><tt> <approverRef
oid="75f2806d-e31b-40c9-8133-85ed4d9e6252"
type="c:UserType"/></tt><tt><br>
</tt><tt> <approverRef
oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb"
type="c:UserType"/></tt><tt><br>
</tt><tt>
<evaluationStrategy>firstDecides</evaluationStrategy></tt><tt><br>
</tt><tt> </level></tt><tt><br>
</tt><tt> <level></tt><tt><br>
</tt><tt> <name>Administrators</name></tt><tt><br>
</tt><tt> <description>At this level, system
administrator as well as security manager must
approve.</description></tt><tt><br>
</tt><tt> <approverRef
oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"/></tt><tt><br>
</tt><tt> <approverRef
oid="c168470c-bfef-414f-88b5-5d144f4f3d6c"
type="c:UserType"/></tt><tt><br>
</tt><tt>
<evaluationStrategy>allMustApprove</evaluationStrategy></tt><tt><br>
</tt><tt> </level></tt><tt><br>
</tt><tt> </t:value></tt><tt><br>
</tt><tt> </apit:itemDelta><br>
</</tt></font><font size="-1"><tt>apit:objectModification>
<br>
<br>
</tt></font>Looking at your planned command line tool I think this
could work. (Even if you'd need to apply deltas, it's possible to
fetch current state, apply the delta yourself, and push the new
state into midPoint. Except for race conditions, it should be OK.)<br>
<br>
Anyway, I've logged a jira issue for this (<a
href="https://jira.evolveum.com/browse/MID-3350">MID-3350</a>).<br>
<br>
As for the plans for support editing approval schemas in GUI, I
don't know. Maybe Radovan or Igor would.<br>
<br>
Best regards,<br>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 15.08.2016 22:38, Florin. Stingaciu
wrote:<br>
</div>
<blockquote
cite="mid:CAMQHPY0y65FL-UBtFr_xV1oHDXOs214m9hY1Gsc8gXLjwMXp4g@mail.gmail.com"
type="cite">
<meta http-equiv="Context-Type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm currently trying to set up a role such that it has
multiple approvers in a firstDecides strategy. Everything
works just fine when I directly edit the role object via the
configuration tab (in browser editor). </div>
<div><br>
</div>
<div>I'm actually trying to automate this process such that my
admins can just call a tool from cmd line. Something like:</div>
<div><br>
</div>
<div>midpoint_client -group _name_ -approvers _list_ -strategy
_strategy_</div>
<div><br>
</div>
<div>So far I've written a python client interfacing with
midPoint via the REST API. If I'm adding a brand new approval
workflow there's no problem, however if I have to modify or
delete these programmatically, I can't. This is due to the
fact that <level> under approvalSchema doesn't contain
an ID. For example this is my item delta:</div>
<div><br>
</div>
<div>
<div> <itemDelta></div>
<div>
<t:modificationType>delete</t:modificationType></div>
<div>
<t:path>c:approvalSchema/level/approverRef</t:path></div>
<div> <value
oid="358a2151-f85d-4d92-8145-e8228aa4faa6"
type="c:UserType"></value></div>
<div> </itemDelta><br>
<br>
I'm wondering if there's any plan to expose approvalSchema
operations directly in the GUI any time soon. Also any
suggestions on getting around this programmatically (while
still continuing to use the REST API) would be very
appreciated. </div>
</div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>