<div dir="ltr">Pavol, good day!<div><br></div><div>I'm sorry if I wasn't clear enough. To answer your questions: yes, that would be a standard midPoint resource object indeed. From my understanding (please correct me if I'm wrong), midPoint resources would be able to listen to events related to entitlements - and those entitlements would be linked to roles. As such, that would allow us to trigger custom logic upon different entitlement-related events. My primary concern is - would that standard midPoint resource be able to trigger a workflow on an entitlement-related event? If that's the case, then we might be able to tackle the cases I've described before.</div><div><br></div><div>Let me know if this makes any sense to you.</div><div><br></div><div>Thanks for your help.</div><div>Regards,</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><b>Rodrigo Yanis.</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br></font>Jorge Newbery 3226<br>Tel: +54 (11) 4824-9971<font face="arial, helvetica, sans-serif"><br><a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br><a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2016-08-22 4:14 GMT-03:00 Pavol Mederly <span dir="ltr">&lt;<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Hello Rodrigo,</p>
    <p>I'm afraid that I don't quite understand your alternatives. For
      example, what do you mean by "resource" in "a" and "b"? Is it a
      standard midPoint resource object? How could it listen to events
      related to user roles? Do you mean that it should have mappings
      that would invoke Java code that would start corresponding
      approval workflows? (Probably not.) <br>
    </p>
    <p>Similarly, I don't understand what you mean by "exteriorizing"
      Position data structure.<br>
    </p>
    <p> Please, could you describe your ideas in more detail? We'd be
      glad to help you.<span class="HOEnZb"><font color="#888888"><br>
    </font></span></p><span class="HOEnZb"><font color="#888888">
    <pre cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre></font></span><div><div class="h5">
    <div>On 19.08.2016 23:22, Rodrigo Yanis
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Pavol,
        <div><br>
        </div>
        <div>Thanks for your insight - yes, the case that you describe
          is one of the cases that we're facing here, but not the only
          one. The other scenario that we would like to represent is
          described by the following flow:</div>
        <div><br>
        </div>
        <div>1. A user is provisioned by a set of roles X1,X2,X3,...,Xn
          that are inherited as he gets a value in an attribute that has
          those roles linked (calling that attribute, eg. Position)</div>
        <div>2. Role Xn approver (that is, the owner of an external
          resource Xn) gets an approval activity for that role to be
          provisioned in MP as well as a notification indicating that
          this should be manually applied into resource Xn.</div>
        <div>3. Role Xn approver, approves such request, provisioning
          the user with role Xn, as he also performs this task on his
          respective domain.</div>
        <div><br>
        </div>
        <div>I understand the difficulty here comes in (1) as we cannot
          trigger an approval workflow per each linked role to that
          particular Position.</div>
        <div><br>
        </div>
        <div>So we came up with these alternatives - please let me know
          what's your perspective on them;</div>
        <div>By priority and "cleanliness" order,</div>
        <div>a. To implement a MP resource which would perform on the
          Java API level, prior having linked roles to entitlements,
          having this resource to listen to the events related to these
          entitlements and then execute an approval workflow for
          granting that entitlement to that user.</div>
        <div>b. Same as (a), but instead, it would be a resource working
          on the MP REST level.</div>
        <div>c. (Ugly) To exteriorize the Position data structure (all
          linked roles, with their respective owners) + delegate the
          manual task notifications and calls to initialize a workflow
          in MP to an external database, having a MP DB resource
          listening to entitlement changes for event handling.</div>
        <div><br>
        </div>
        <div>Let me know if there's something I'm not being clear about.</div>
        <div><br>
        </div>
        <div>Very grateful for your assistance.</div>
        <div><br>
        </div>
        <div>Thanks.</div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <br>
        <div class="gmail_quote">2016-08-19 16:11 GMT-03:00 Pavol
          Mederly <span dir="ltr">&lt;<a href="mailto:pavol.mederly@evolveum.com" target="_blank">pavol.mederly@evolveum.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>
              <div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000">
                <div>Rodrigo,<br>
                </div>
                <div><br>
                </div>
                <div>use of workflows in midPoint is currently limited
                  to approving requested changes. So, today there's no
                  way of starting a workflow that would present a user a
                  work item like "hey you, please do this and then click
                  'Done'". We plan to implement a "manual provisioning"
                  but it requires a nontrivial amount of effort, see <a href="https://jira.evolveum.com/browse/MID-2457" target="_blank">https://jira.evolveum.com/brow<wbr>se/MID-2457</a>.<br>
                </div>
                <div><br>
                </div>
                <div>But maybe there's a hack possible. Workflows can be
                  used to approve a change. For example, midPoint is
                  able to approve a role assignment addition (out of the
                  box). Or an attribute change (with some custom
                  coding). </div>
                <div><br>
                </div>
                <div>If I understand your situation correctly, maybe you
                  could do it like this:<br>
                </div>
                <div>
                  <ol>
                    <li>You have a resource X that requires manual
                      intervention by an administrator in order to
                      assign role X1 to an account on this resource.<br>
                    </li>
                    <li>So, you can create a midPoint role RoleX1, with
                      approver defined to be the resource administrator.<br>
                    </li>
                    <li>If someone assigns RoleX1 to a midPoint user, an
                      approval workflow process is started, notifying
                      the resource administrator that he has to
                      "approve" assignment of RoleX1 to midPoint user.<br>
                    </li>
                    <li>At this point, he knows he has to manually
                      assign role X1 on X to user's account.<br>
                    </li>
                    <li>So he does it, and marks the assignment as
                      "Approved".<br>
                    </li>
                    <li>The assignment of RoleX1 is then added to the
                      user, so he knows that everything is done (in
                      particular that the role X1 on resource X was
                      added to him).<br>
                    </li>
                  </ol>
                  <div>Does this make sense to you?<br>
                  </div>
                  <div><br>
                  </div>
                  <div>Best regards,<br>
                  </div>
                  <div>Pavol<br>
                  </div>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <hr>
                <div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From:
                  </b>"Rodrigo Yanis" &lt;<a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>&gt;<br>
                  <b>To: </b>"midPoint General Discussion" &lt;<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>&gt;<br>
                  <b>Sent: </b>Friday, August 19, 2016 8:48:20 PM<br>
                  <b>Subject: </b>Re: [midPoint] - Manual tasks
                  notifications
                  <div>
                    <div><br>
                      <div><br>
                      </div>
                      <div dir="ltr">Bringing this up again - Do you
                        know of a way for midPoint, aside from
                        sending that notification upon an attribute
                        change, to also trigger an internal Workflow
                        that would allow us to keep track of the manual
                        workload? In this scenario, the user gets the
                        notification for the manual task; in parallel, a
                        workflow is triggered to trace the start of a
                        manual task, and would be manually updated by
                        the user throughout the change process.
                        <div><br>
                        </div>
                        <div>Is this "Workflow" idea somewhat
                          plausible? </div>
                        <div><br>
                        </div>
                        <div>Thanks a lot. <br>
                        </div>
                      </div>
                      <div class="gmail_extra"><br clear="all">
                        <br>
                        <div class="gmail_quote">2016-08-19 15:32
                          GMT-03:00 Rodrigo Yanis <span dir="ltr">&lt;<a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>&gt;</span>:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div dir="ltr">Excellent. We'll surely try
                              this out.
                              <div><br>
                              </div>
                              <div>Thanks guys.</div>
                            </div>
                            <div class="gmail_extra"><span><br clear="all">
                                <br>
                              </span>
                              <div>
                                <div>
                                  <div class="gmail_quote">2016-08-19
                                    15:29 GMT-03:00 Jason Everling <span dir="ltr">&lt;<a href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>&gt;</span>:<br>
                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                      <div dir="ltr">I can say that the
                                        workaround works quite well!
                                        Have been using it for almost a
                                        year now in production without
                                        issue and without having any
                                        "missed" notifications not going
                                        out.
                                        <div><br>
                                        </div>
                                        <div>Thanks Pavol for adding
                                          that functionality some time
                                          ago as it has proved
                                          invaluable for us!</div>
                                      </div>
                                      <div class="gmail_extra"><br clear="all">
                                        <div>
                                          <div>
                                            <div dir="ltr">JASON</div>
                                          </div>
                                        </div>
                                        <div>
                                          <div>
                                            <br>
                                            <div class="gmail_quote">On
                                              Fri, Aug 19, 2016 at 1:11
                                              PM, Pavol Mederly <span dir="ltr">&lt;<a href="mailto:pavol.mederly@evolveum.com" target="_blank">pavol.mederly@evolveum.com</a>&gt;</span>
                                              wrote:<br>
                                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                <div>
                                                  <div style="font-family:times new roman,new york,times,serif;font-size:12pt;color:#000000">
                                                    <div>Hello Rodrigo,<br>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                    <div>please see <a href="https://jira.evolveum.com/browse/MID-2237" target="_blank">https://jira.evolveum.com/brow<wbr>se/MID-2237</a>
                                                      for a discussion
                                                      on this
                                                      requirement.
                                                      Although it is not
                                                      implemented yet,
                                                      there is a simple
                                                      workaround
                                                      described there.
                                                      It is based on
                                                      using <em>event.isRelatedToItem</em>
                                                      method.<br>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                    <div>Best regards,<br>
                                                    </div>
                                                    <div>Pavol<br>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                    <hr>
                                                    <div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From:
                                                      </b>"Rodrigo
                                                      Yanis" &lt;<a href="mailto:ryanis@identicum.com" target="_blank">ryanis@identicum.com</a>&gt;<br>
                                                      <b>To: </b><a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a><br>
                                                      <b>Sent: </b>Friday,
                                                      August 19, 2016
                                                      7:20:11 PM<br>
                                                      <b>Subject: </b>[midPoint]
                                                       - Manual tasks
                                                      notifications
                                                      <div>
                                                        <div><br>
                                                          <div><br>
                                                          </div>
                                                          <div dir="ltr">Hello
                                                          everyone,
                                                          <div><br>
                                                          </div>
                                                          <div>We have
                                                          the need to
                                                          push a
                                                          notification <span style="text-decoration:underline">only</span> when a particular
                                                          attribute is
                                                          changed in a
                                                          user in
                                                          midPoint. This
                                                          attribute
                                                          would be
                                                          linked to a
                                                          set of roles
                                                          that the user
                                                          would inherit
                                                          in midPoint
                                                          only, hence
                                                          the need to
                                                          inform a
                                                          sysadmin to
                                                          perform a
                                                          manual role
                                                          redefinition
                                                          in connected
                                                          applications.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Is it
                                                          possible to
                                                          trigger a
                                                          notification
                                                          like this?
                                                          Should this be
                                                          done in the
                                                          context of a
                                                          midPoint
                                                          resource?<br clear="all">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr"><br>
                                                          </div>
                                                          <div>Thank you
                                                          in advance!</div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                        </div>
                                                      </div>
______________________________<wbr>_________________<br>
                                                      midPoint mailing
                                                      list<br>
                                                      <a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
                                                      <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                  </div>
                                                </div>
                                                <br>
                                              </blockquote>
                                            </div>
                                            <br>
                                          </div>
                                        </div>
                                      </div>
                                      <br>
                                      <div><br>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                      <br>
                    </div>
                  </div>
                </div>
                <div><br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>