<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Patrick,</p>
<p>you are correct; for "assignment-related" approvals the target
variable is what you need. I'll update the wiki page.</p>
<p>As for the metarole, you can try this:</p>
<pre><role oid="8e42a67e-2203-4c6a-ae1f-bd5bb97fa698"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Approvals metarole</name>
    <inducement id="1">
        <focusMappings>
            <mapping>
                <strength>strong</strength>
                <expression>
                    <value>
                        <name>Sample Complex Schema 1</name>
                        <description>A sample complex approval schema, involving the security administrator</description>
                        <level>
                            <name>Bosses</name>
                            <description>At this level, either one of the company directors has to approve the assignment.</description>
                            <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252" type="UserType">
                                <description>Big boss #1 approval</description>
                            </approverRef>
                            <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb" type="UserType">
                                <description>Big boss #2 approval</description>
                            </approverRef>
                            <evaluationStrategy>firstDecides</evaluationStrategy>
                        </level>
                        <level>
                            <name>Administrators</name>
                            <description>At this level, system administrator as well as security manager must approve.</description>
                            <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType">
                                <description>Administrator approval</description>
                            </approverRef>
                            <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c" type="UserType">
                                <description>Security Manager approval</description>
                            </approverRef>
                            <evaluationStrategy>allMustApprove</evaluationStrategy>
                        </level>
                    </value>
                </expression>
                <target>
                    <path>approvalSchema</path>
                </target>
            </mapping>
        </focusMappings>
    </inducement>
</role></pre>
<p>After assigning this metarole to any role R1 and recomputing R1,
the role R1 gets approvalSchema from the metarole.</p>
<p>Note that each change in the metarole should be followed by
recomputation of affected roles.<br>
</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 20.09.2016 18:59, <a class="moz-txt-link-abbreviated" href="mailto:pdbogen@cernu.us">pdbogen@cernu.us</a>
wrote:<br>
</div>
<blockquote cite="mid:20160920165937.GV1942@cernu.us" type="cite">
<pre wrap="">I answered my own question here, at least the first part.
It turns out I can iterate through this.binding.variables, like so:

    this.binding.variables.each { k,v ->
        log.error( '{} = {}', k, v )
    }

This results in:
requester = user:00000000-0000-0000-0000-000000000002(administrator)
actor = user:00000000-0000-0000-0000-000000000002(administrator)
log = com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions@94e81ac
objectDelta = ObjectDelta(UserType:fdab341e-862f-4550-ad00-05b21f70b3cd,MODIFY: ContainerDelta( / {.../common/common-3}assignment, ADD))
context = javax.script.SimpleScriptContext@1ea75835
midpoint = com.evolveum.midpoint.model.impl.expr.MidpointFunctionsImpl@27aa6baa
basic = com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions@54456a85
object = user:fdab341e-862f-4550-ad00-05b21f70b3cd(mark)
target = role:082e00c2-4f33-4d69-ba13-498a3f006e4b(active)
out = java.io.PrintWriter@297bc240
..and so it looks like I'll be able to use `target` to make the decisions I
want.
Still not sure about whether I can induce different schema, but hopefully this
knowledge will be useful for others.
Can we update the wiki page
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Some+examples">https://wiki.evolveum.com/display/midPoint/Some+examples</a>) to fully describe
the context available to approver expressions?
Thanks!
- Patrick
On Mon, Sep 19, 2016 at 10:27:18AM -0700, <a class="moz-txt-link-abbreviated" href="mailto:pdbogen@cernu.us">pdbogen@cernu.us</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Howdy!
I'm working on building up my approval workflow, which will look like this:
* For all role additions,
    * If Administrator is requester, auto-approve (done)
    * Look up user's manager via custom user schema extension attribute, and
      require their approval (done)
* For sensitive roles,
    * Require approval from one of specific set of users
Because I want this to be based on a role attribute `sensitive` (which I'll
extend the schema for), I thought I'd implement this as two levels; where the
second level includes an automaticallyApproved when `sensitive` is NOT set.
This requires me to identify the role that's being changed so that I can
obtain the value of the extension attribute; but the only documentation I can
find that discusses the context provided to approval expressions
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Some+examples">https://wiki.evolveum.com/display/midPoint/Some+examples</a>) lists only `object`
and `requester` as populated into the script environment.
So main question then, is- how can I access information about the role being
added in an approverExpression?
(Secondary question- can I `induce` an approval schema via a meta-role?)
Thanks!
--
.
Patrick Bogen .
...
</pre>
</blockquote>
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
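<p>Added example, not part of the thread and not midPoint code: a Python model that reads the two levels out of the metarole quoted above and shows how a firstDecides level followed by an allMustApprove level combine into one outcome. The function names, the decision-list input and the returned status strings are assumptions made for illustration; midPoint's workflow engine performs the real evaluation.</p>

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed input: the metarole from the message, with descriptions omitted.
METAROLE = """<role oid="8e42a67e-2203-4c6a-ae1f-bd5bb97fa698"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Approvals metarole</name>
  <inducement id="1"><focusMappings><mapping>
    <strength>strong</strength>
    <expression><value>
      <name>Sample Complex Schema 1</name>
      <level><name>Bosses</name>
        <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252" type="UserType"/>
        <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb" type="UserType"/>
        <evaluationStrategy>firstDecides</evaluationStrategy></level>
      <level><name>Administrators</name>
        <approverRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/>
        <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c" type="UserType"/>
        <evaluationStrategy>allMustApprove</evaluationStrategy></level>
    </value></expression>
    <target><path>approvalSchema</path></target>
  </mapping></focusMappings></inducement>
</role>"""

def parse_levels(xml_text):
    """Return [(level name, strategy, [approver oids])] in schema order."""
    levels = []
    for lv in ET.fromstring(xml_text).iterfind(".//c:expression/c:value/c:level", NS):
        oids = [a.get("oid") for a in lv.iterfind("c:approverRef", NS)]
        levels.append((lv.findtext("c:name", namespaces=NS),
                       lv.findtext("c:evaluationStrategy", namespaces=NS), oids))
    return levels

def evaluate(levels, decisions):
    """decisions: [(approver oid, approved?)] in the order they were made."""
    for name, strategy, oids in levels:
        votes = [(o, ok) for o, ok in decisions if o in oids]
        rejected = any(not ok for _, ok in votes)
        if strategy == "firstDecides":
            # Assumed semantics: the earliest decision settles the level.
            done, passed = bool(votes), bool(votes) and votes[0][1]
        else:
            # allMustApprove: one rejection is final, otherwise wait for everyone.
            done = rejected or {o for o, _ in votes} == set(oids)
            passed = not rejected
        if not done:
            return "pending at " + name
        if not passed:
            return "rejected at " + name
    return "approved"
```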
</body>
</html>