<div dir="ltr">Using ItemDeltas solved my problem. Thanks Pavol!</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 15, 2016 at 2:28 PM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Hello Florin,</p>
    there are actually two problems with approval schema levels:<br>
    <br>
    The first one is that - as you said - levels have no IDs. This is
    because of an omission to generate them when saving an object into
    the repository (PrismIdentifierGenerator class). Workaround is quite
    simple: when creating a role, just manually insert such identifiers
    into the XML representation.<br>
    <br>
    But, what is worse, is the second issue: multivalued prism
    structures are unsorted. ID is not a sorting key; it's just an
    identifier. So it's quite possible that ordering of multi-level
    approval schema gets swapped. This can occur on applying add/delete
    item deltas that address levels.<br>
    <br>
    Fortunately, workaround for both problems is quite simple: always
    execute <itemDelta> that replaces all the content of
    <approvalStructure>, e.g. like this:<br>
    <br>
    <font size="-1"><tt><apit:objectModification
xmlns:apit='<a href="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" target="_blank">http://midpoint.<wbr>evolveum.com/xml/ns/public/<wbr>common/api-types-3</a>'
xmlns:c='<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.<wbr>evolveum.com/xml/ns/public/<wbr>common/common-3</a>'
        xmlns='<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.<wbr>evolveum.com/xml/ns/public/<wbr>common/common-3</a>'
        xmlns:t=<a href="http://prism.evolveum.com/xml/ns/public/types-3" target="_blank">"http://prism.<wbr>evolveum.com/xml/ns/public/<wbr>types-3"</a>><br>
            <apit:itemDelta></tt><tt><br>
      </tt><tt>       
        <t:modificationType>replace</<wbr>t:modificationType></tt><tt><br>
      </tt><tt>        <t:path>c:approvalSchema</t:<wbr>path></tt><tt><br>
      </tt><tt>        <t:value></tt><tt><br>
      </tt><tt>            <name>Sample Complex Schema
        1</name></tt><tt><br>
      </tt><tt>            <description>A sample complex approval
        schema, involving the security administrator</description></tt><tt><br>
      </tt><tt>            <level></tt><tt><br>
      </tt><tt>                <name>Bosses</name></tt><tt><br>
      </tt><tt>                <description>At this level, either
        one of the company directors has to approve the
        assignment.</description></tt><tt><br>
      </tt><tt>                <approverRef
        oid="75f2806d-e31b-40c9-8133-<wbr>85ed4d9e6252"
        type="c:UserType"/></tt><tt><br>
      </tt><tt>                <approverRef
        oid="0e030e0c-a37d-47b2-bde8-<wbr>f8e61e4a2bfb"
        type="c:UserType"/></tt><tt><br>
      </tt><tt>               
        <evaluationStrategy><wbr>firstDecides</<wbr>evaluationStrategy></tt><tt><br>
      </tt><tt>            </level></tt><tt><br>
      </tt><tt>            <level></tt><tt><br>
      </tt><tt>                <name>Administrators</name></tt><tt><br>
      </tt><tt>                <description>At this level, system
        administrator as well as security manager must
        approve.</description></tt><tt><br>
      </tt><tt>                <approverRef
        oid="00000000-0000-0000-0000-<wbr>000000000002"
        type="c:UserType"/></tt><tt><br>
      </tt><tt>                <approverRef
        oid="c168470c-bfef-414f-88b5-<wbr>5d144f4f3d6c"
        type="c:UserType"/></tt><tt><br>
      </tt><tt>               
        <evaluationStrategy><wbr>allMustApprove</<wbr>evaluationStrategy></tt><tt><br>
      </tt><tt>            </level></tt><tt><br>
      </tt><tt>        </t:value></tt><tt><br>
      </tt><tt>    </apit:itemDelta><br>
        </</tt></font><font size="-1"><tt>apit:objectModification>
        <br>
        <br>
      </tt></font>Looking at your planned command line tool I think this
    could work. (Even if you'd need to apply deltas, it's possible to
    fetch current state, apply the delta yourself, and push the new
    state into midPoint. Except for race conditions, it should be OK.)<br>
    <br>
    Anyway, I've logged a jira issue for this (<a href="https://jira.evolveum.com/browse/MID-3350" target="_blank">MID-3350</a>).<br>
    <br>
    As for the plans for support editing approval schemas in GUI, I
    don't know. Maybe Radovan or Igor would.<br>
    <br>
    Best regards,<br>
    <pre cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre><div><div class="h5">
    <div>On 15.08.2016 22:38, Florin. Stingaciu
      wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      
      <div dir="ltr">Hello, 
        <div><br>
        </div>
        <div>I'm currently trying to set up a role such that it has
          multiple approvers in a firstDecides strategy. Everything
          works just fine when I directly edit the role object via the
          configuration tab (in browser editor). </div>
        <div><br>
        </div>
        <div>I'm actually trying to automate this process such that my
          admins can just call a tool from cmd line. Something like:</div>
        <div><br>
        </div>
        <div>midpoint_client -group _name_ -approvers _list_ -strategy
          _strategy_</div>
        <div><br>
        </div>
        <div>So far I've written a python client interfacing with
          midPoint via the REST API. If I'm adding a brand new approval
          workflow there's no problem, however if I have to modify or
          delete these programmatically, I can't. This is due to the
          fact that <level> under approvalSchema doesn't contain
          an ID. For example this is my item delta:</div>
        <div><br>
        </div>
        <div>
          <div>        <itemDelta></div>
          <div>               
            <t:modificationType>delete</t:<wbr>modificationType></div>
          <div>               
            <t:path>c:approvalSchema/<wbr>level/approverRef</t:path></div>
          <div>                <value
            oid="358a2151-f85d-4d92-8145-<wbr>e8228aa4faa6"
            type="c:UserType"></value></div>
          <div>        </itemDelta><br>
            <br>
            I'm wondering if there's any plan to expose approvalSchema
            operations directly in the GUI any time soon. Also any
            suggestions on getting around this programmatically (while
            still continuing to use the REST API) would be very
            appreciated. </div>
        </div>
        <div><br>
        </div>
        <div>Thanks, </div>
        <div>-F </div>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
      </div></div><pre>______________________________<wbr>_________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </div>

<br>______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>