<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Rodrigo,</p>
<p>precisely speaking, resources do not listen to events. They just
contain a logic that midPoint uses to manage objects on "remote
systems". Logic is in the form of mappings: outbound mappings are
used to store data on these remote systems (i.e. to control the
outbound flow of data: from midPoint to remote resource), while
inbound mappings are used to gather data from these remote systems
(i.e. to control the inbound flow of data: from remote resource to
midPoint). Mappings are described here: <a
href="https://wiki.evolveum.com/display/midPoint/Mapping">https://wiki.evolveum.com/display/midPoint/Mapping</a>.<br>
</p>
<p>Mappings often contain custom code, typically in Groovy. And yes,
it can be used to trigger a workflow when invoked. But mappings
are executed at various moments: for example, not only when a role
that induces resource assignment is assigned to the user (this is
the moment you are interested in), but also when a user account is
changed, or during recomputation or reconciliation. It could be
hacked somehow to distinguish between these cases, but it is
definitely not easy and requires quite a deep knowledge of
midPoint; plus a lot of experimentation ;)</p>
<p>The cleaner way to include custom logic in midPoint
processing is to use <a
href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks">scripting
hooks</a>. Such a hook could try to detect that a role X1, X2,
... or Xn was added to a user and could trigger a workflow
operation by adding (another) role with an approver assigned to
the user. But I have not tried something like that yet.</p>
<p>The absolutely cleanest way to deal with your problem would
be to talk to Igor or Radovan about conditions that would allow us
to implement the missing functionality (<a
href="https://jira.evolveum.com/browse/MID-2457">MID-2457</a>),
or at least parts of it that you'd require. <br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 22.08.2016 15:10, Rodrigo Yanis
wrote:<br>
</div>
<blockquote
cite="mid:CADu-59EeLYqj48ccb43NLedOwVTBx4t1fDjyU-1mUMHAbs4Hfw@mail.gmail.com"
type="cite">
<div dir="ltr">Pavol, good day!
<div><br>
</div>
<div>I'm sorry if I wasn't clear enough. To answer your
questions; yes, that would be a standard midPoint resource
object indeed. From my understanding (please correct me if I'm
wrong), midPoint resources would be able to listen to events
related to entitlements - and those entitlements would be
linked to roles. As such, that would allow us to trigger
custom logic upon different entitlement-related events. My
primary concern is - would that standard midPoint resource be
able to trigger a workflow on an entitlement-related event? If
that's the case, then we might be able to tackle the cases
I've described before.</div>
<div><br>
</div>
<div>Let me know if this makes any sense to you.</div>
<div><br>
</div>
<div>Thanks for your help.</div>
<div>Regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo Yanis.</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif"><br>
<a moz-do-not-send="true"
href="mailto:ryanis@identicum.com"
target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com/"
target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">2016-08-22 4:14 GMT-03:00 Pavol Mederly
<span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Rodrigo,</p>
<p>I'm afraid that I don't quite understand your
alternatives. For example, what do you mean by
"resource" in "a" and "b"? Is it a standard midPoint
resource object? How could it listen to events related
to user roles? Do you mean that it should have mappings
that would invoke Java code that would start
corresponding approval workflows? (Probably not.) <br>
</p>
<p>Similarly, I don't understand what you mean by
"exteriorizing" Position data structure.<br>
</p>
<p> Please, could you describe your ideas in more detail?
We'd be glad to help you.<span class="HOEnZb"><font
color="#888888"><br>
</font></span></p>
<span class="HOEnZb"><font color="#888888">
<pre cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</font></span>
<div>
<div class="h5">
<div>On 19.08.2016 23:22, Rodrigo Yanis wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Pavol,
<div><br>
</div>
<div>Thanks for your insight - yes, the case that
you describe is one of the cases that we're
facing here, but not the only one. The other
scenario that we would like to represent is
described by the following flow:</div>
<div><br>
</div>
<div>1. A user is provisioned by a set of roles
X1,X2,X3,...,Xn that are inherited as he gets a
value in an attribute that has those roles
linked (calling that attribute, eg. Position)</div>
<div>2. Role Xn approver (that is, the owner of an
external resource Xn) gets an approval activity
for that role to be provisioned in MP as well as
a notification indicating that this should be
manually applied into resource Xn.</div>
<div>3. Role Xn approver approves such request,
provisioning the user with role Xn, as he also
performs this task on his respective domain.</div>
<div><br>
</div>
<div>I understand the difficulty here comes in (1)
as we cannot trigger an approval workflow per
each linked role to that particular Position.</div>
<div><br>
</div>
<div>So we came up with these alternatives -
please let me know what's your perspective on
them;</div>
<div>By priority and "cleanliness" order,</div>
<div>a. To implement a MP resource which would
perform on the Java API level, prior having
linked roles to entitlements, having this
resource listen to the events related to these
entitlements and then execute an approval
workflow for granting that entitlement to that
user.</div>
<div>b. Same as (a), but instead, it would be a
resource working on the MP REST level.</div>
<div>c. (Ugly) To exteriorize the Position data
structure (all linked roles, with their
respective owners) + delegate the manual task
notifications and calls to initialize a workflow
in MP to an external database, having a MP DB
resource listening to entitlement changes for
event handling.</div>
<div><br>
</div>
<div>Let me know if there's something I'm not
being clear about.</div>
<div><br>
</div>
<div>Very grateful for your assistance.</div>
<div><br>
</div>
<div>Thanks.</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">2016-08-19 16:11
GMT-03:00 Pavol Mederly <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:pavol.mederly@evolveum.com"
target="_blank">pavol.mederly@evolveum.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<div style="font-family:times new roman,new
york,times,serif;font-size:12pt;color:#000000">
<div>Rodrigo,<br>
</div>
<div><br>
</div>
<div>use of workflows in midPoint is
currently limited to approving requested
changes. So, today there's no way of
starting a workflow that would present a
user a work item like "hey you, please
do this and then click 'Done'". We plan
to implement a "manual provisioning" but
it requires a nontrivial amount of
effort, see <a moz-do-not-send="true"
href="https://jira.evolveum.com/browse/MID-2457"
target="_blank">https://jira.evolveum.com/brow<wbr>se/MID-2457</a>.<br>
</div>
<div><br>
</div>
<div>But maybe there's a hack possible.
Workflows can be used to approve a
change. For example, midPoint is able to
approve a role assignment addition (out
of the box). Or an attribute change
(with some custom coding). </div>
<div><br>
</div>
<div>If I understand your situation
correctly, maybe you could do it like
this:<br>
</div>
<div>
<ol>
<li>You have a resource X that
requires manual intervention by an
administrator in order to assign
role X1 to an account on this
resource.<br>
</li>
<li>So, you can create a midPoint role
RoleX1, with approver defined to be
the resource administrator.<br>
</li>
<li>If someone assigns RoleX1 to a
midPoint user, an approval workflow
process is started, notifying the
resource administrator that he has
to "approve" assignment of RoleX1 to
midPoint user.<br>
</li>
<li>At this point, he knows he has to
manually assign role X1 on X to
user's account.<br>
</li>
<li>So he does it, and marks the
assignment as "Approved".<br>
</li>
<li>The assignment of RoleX1 is then
added to the user, so he knows that
everything is done (in particular
that the role X1 on resource X was
added to him).<br>
</li>
</ol>
<div>Does this make sense to you?<br>
</div>
<div><br>
</div>
<div>Best regards,<br>
</div>
<div>Pavol<br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<hr>
<div
style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From:
</b>"Rodrigo Yanis" &lt;<a
moz-do-not-send="true"
href="mailto:ryanis@identicum.com"
target="_blank">ryanis@identicum.com</a>&gt;<br>
<b>To: </b>"midPoint General
Discussion" &lt;<a
moz-do-not-send="true"
href="mailto:midpoint@lists.evolveum.com"
target="_blank">midpoint@lists.evolveum.com</a>&gt;<br>
<b>Sent: </b>Friday, August 19, 2016
8:48:20 PM<br>
<b>Subject: </b>Re: [midPoint] - Manual
tasks notifications
<div>
<div><br>
<div><br>
</div>
<div dir="ltr">Bringing this up
again - Do you know of a way for
midPoint to, aside from sending
that notification upon an
attribute change, also trigger
an internal Workflow that would
allow us to keep track of the
manual workload? In this scenario,
the user gets the notification for
the manual task, in parallel, a
workflow is triggered to trace the
start of a manual task, and would
be manually updated by the user
throughout the change process.
<div><br>
</div>
<div>Is this "Workflow" idea
somewhat plausible? </div>
<div><br>
</div>
<div>Thanks a lot. <br>
</div>
</div>
<div class="gmail_extra"><br
clear="all">
<br>
<div class="gmail_quote">2016-08-19
15:32 GMT-03:00 Rodrigo Yanis <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:ryanis@identicum.com"
target="_blank">ryanis@identicum.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">Excellent.
We'll surely try this out.
<div><br>
</div>
<div>Thanks guys.</div>
</div>
<div class="gmail_extra"><span><br
clear="all">
<br>
</span>
<div>
<div>
<div class="gmail_quote">2016-08-19
15:29 GMT-03:00 Jason
Everling <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:jeverling@bshp.edu" target="_blank">jeverling@bshp.edu</a>&gt;</span>:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">I can
say that the
workaround works
quite well! Have
been using it for
almost a year now
in production
without issue and
without having any
"missed"
notifications not
going out.
<div><br>
</div>
<div>Thanks Pavol
for adding that
functionality
some time ago as
it has proved
invaluable for
us!</div>
</div>
<div
class="gmail_extra"><br
clear="all">
<div>
<div>
<div dir="ltr">JASON</div>
</div>
</div>
<div>
<div> <br>
<div
class="gmail_quote">On
Fri, Aug 19,
2016 at 1:11
PM, Pavol
Mederly <span
dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:pavol.mederly@evolveum.com"
target="_blank">pavol.mederly@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div
style="font-family:times
new roman,new
york,times,serif;font-size:12pt;color:#000000">
<div>Hello
Rodrigo,<br>
</div>
<div><br>
</div>
<div>please
see <a
moz-do-not-send="true"
href="https://jira.evolveum.com/browse/MID-2237" target="_blank">https://jira.evolveum.com/brow<wbr>se/MID-2237</a>
for a
discussion on
this
requirement.
Although it is
not
implemented
yet, there is
a simple
workaround
described
there. It is
based on using
<em>event.isRelatedToItem</em>
method.<br>
</div>
<div><br>
</div>
<div>Best
regards,<br>
</div>
<div>Pavol<br>
</div>
<div><br>
</div>
<hr>
<div
style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From:
</b>"Rodrigo
Yanis" &lt;<a
moz-do-not-send="true" href="mailto:ryanis@identicum.com"
target="_blank">ryanis@identicum.com</a>&gt;<br>
<b>To: </b><a
moz-do-not-send="true" href="mailto:midpoint@lists.evolveum.com"
target="_blank">midpoint@lists.evolveum.com</a><br>
<b>Sent: </b>Friday,
August 19,
2016 7:20:11
PM<br>
<b>Subject: </b>[midPoint]
 - Manual
tasks
notifications
<div>
<div><br>
<div><br>
</div>
<div dir="ltr">Hello
everyone,
<div><br>
</div>
<div>We have
the need to
push a
notification <span
style="text-decoration:underline">only</span> when a particular
attribute is
changed in a
user in
midPoint. This
attribute
would be
linked to a
set of roles
that the user
would inherit
in midPoint
only, hence
the need to
inform a
sysadmin to
perform a
manual role
redefinition
in connected
applications.</div>
<div><br>
</div>
<div>Is it
possible to
trigger a
notification
like this?
Should this be
done in the
context of a
midPoint
resource?<br
clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div>Thank you
in advance!</div>
<div dir="ltr"><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
______________________________<wbr>_________________<br>
midPoint
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a
moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
</div>
<div><br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</div>
</div>
</div>
<div><br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</body></html>