<div dir="ltr">Using ItemDeltas solved my problem. Thanks Pavol!</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 15, 2016 at 2:28 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Florin,</p>
there are actually two problems with approval schema levels:<br>
<br>
The first one is that - as you said - levels have no IDs. This is
because of an omission to generate them when saving an object into
the repository (PrismIdentifierGenerator class). The workaround is quite
simple: when creating a role, just manually insert such identifiers
into the XML representation.<br>
<br>
But, what is worse, is the second issue: multivalued prism
structures are unsorted. ID is not a sorting key; it's just an
identifier. So it's quite possible that ordering of multi-level
approval schema gets swapped. This can occur on applying add/delete
item deltas that address levels.<br>
<br>
Fortunately, the workaround for both problems is quite simple: always
execute an <itemDelta> that replaces all the content of
<approvalStructure>, e.g. like this:<br>
<br>
<pre><apit:objectModification
    xmlns:apit='http://midpoint.evolveum.com/xml/ns/public/common/api-types-3'
    xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
    xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
    xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <apit:itemDelta>
    <t:modificationType>replace</t:modificationType>
    <t:path>c:approvalSchema</t:path>
    <t:value>
      <name>Sample Complex Schema 1</name>
      <description>A sample complex approval schema, involving the security administrator</description>
      <level>
        <name>Bosses</name>
        <description>At this level, either one of the company directors has to approve the assignment.</description>
        <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252" type="c:UserType"/>
        <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb" type="c:UserType"/>
        <evaluationStrategy>firstDecides</evaluationStrategy>
      </level>
      <level>
        <name>Administrators</name>
        <description>At this level, system administrator as well as security manager must approve.</description>
        <approverRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"/>
        <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c" type="c:UserType"/>
        <evaluationStrategy>allMustApprove</evaluationStrategy>
      </level>
    </t:value>
  </apit:itemDelta>
</apit:objectModification></pre>
<br>
Looking at your planned command line tool I think this
could work. (Even if you'd need to apply deltas, it's possible to
fetch current state, apply the delta yourself, and push the new
state into midPoint. Except for race conditions, it should be OK.)<br>
<br>
Anyway, I've logged a jira issue for this (<a href="https://jira.evolveum.com/browse/MID-3350" target="_blank">MID-3350</a>).<br>
<br>
As for the plans to support editing approval schemas in the GUI, I
don't know. Maybe Radovan or Igor would.<br>
<br>
Best regards,<br>
<pre cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><div><div class="h5">
<div>On 15.08.2016 22:38, Florin. Stingaciu
wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr">Hello,
<div><br>
</div>
<div>I'm currently trying to set up a role such that it has
multiple approvers in a firstDecides strategy. Everything
works just fine when I directly edit the role object via the
configuration tab (in browser editor). </div>
<div><br>
</div>
<div>I'm actually trying to automate this process such that my
admins can just call a tool from cmd line. Something like:</div>
<div><br>
</div>
<div>midpoint_client -group _name_ -approvers _list_ -strategy
_strategy_</div>
<div><br>
</div>
<div>So far I've written a python client interfacing with
midPoint via the REST API. If I'm adding a brand new approval
workflow there's no problem, however if I have to modify or
delete these programmatically, I can't. This is due to the
fact that <level> under approvalSchema doesn't contain
an ID. For example this is my item delta:</div>
<div><br>
</div>
<div>
<div><pre><itemDelta>
  <t:modificationType>delete</t:modificationType>
  <t:path>c:approvalSchema/level/approverRef</t:path>
  <value oid="358a2151-f85d-4d92-8145-e8228aa4faa6" type="c:UserType"></value>
</itemDelta></pre>
<br>
I'm wondering if there's any plan to expose approvalSchema
operations directly in the GUI any time soon. Also any
suggestions on getting around this programmatically (while
still continuing to use the REST API) would be very
appreciated. </div>
</div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br></blockquote></div><br></div>
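<p>Added example, not part of the thread and not midPoint's own code: one way a Python client could follow the "fetch current state, apply the change yourself, push a replace delta" approach described above when removing an approver. The function name, the sample role and its OIDs are constructed for illustration, and refusing to emit a level with no approvers is this example's own policy; only the namespaces and element names come from the messages above. Sending the result to midPoint is left out.</p>

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the message above.
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
APIT = "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
T = "http://prism.evolveum.com/xml/ns/public/types-3"
for prefix, uri in (("c", C), ("apit", APIT), ("t", T)):
    ET.register_namespace(prefix, uri)

# Constructed sample of a fetched role; names and OIDs are placeholders.
SAMPLE_ROLE = f"""<role xmlns="{C}">
  <name>sample-role</name>
  <approvalSchema>
    <level><name>Bosses</name>
      <approverRef oid="aaaa-1" type="c:UserType"/>
      <approverRef oid="aaaa-2" type="c:UserType"/>
      <evaluationStrategy>firstDecides</evaluationStrategy></level>
    <level><name>Administrators</name>
      <approverRef oid="bbbb-1" type="c:UserType"/>
      <evaluationStrategy>allMustApprove</evaluationStrategy></level>
  </approvalSchema>
</role>"""


def replace_delta_without_approver(role_xml, approver_oid):
    """Build a 'replace' delta for the whole approvalSchema minus one approver."""
    schema = ET.fromstring(role_xml).find(f"{{{C}}}approvalSchema")
    if schema is None:
        raise ValueError("role has no approvalSchema")
    for level in schema.findall(f"{{{C}}}level"):
        for ref in level.findall(f"{{{C}}}approverRef"):
            if ref.get("oid") == approver_oid:
                level.remove(ref)
        if level.find(f"{{{C}}}approverRef") is None:
            # Example's own policy: refuse to emit a level with no approvers.
            raise ValueError("level would be left without approvers")
    mod = ET.Element(f"{{{APIT}}}objectModification")
    delta = ET.SubElement(mod, f"{{{APIT}}}itemDelta")
    ET.SubElement(delta, f"{{{T}}}modificationType").text = "replace"
    ET.SubElement(delta, f"{{{T}}}path").text = "c:approvalSchema"
    value = ET.SubElement(delta, f"{{{T}}}value")
    value.extend(list(schema))  # levels stay in the order they were fetched
    return ET.tostring(mod, encoding="unicode")


if __name__ == "__main__":
    print(replace_delta_without_approver(SAMPLE_ROLE, "aaaa-2"))
```

<p>Because the whole schema is rewritten from a fetched copy, a concurrent edit made between the fetch and the push is overwritten, which is the race condition mentioned in the reply.</p>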