<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Oskar,</p>
<p>currently I can think of only two solutions:</p>
<ol>
<li>using approverExpression, as you mentioned;</li>
<li>using global policy rules.</li>
</ol>
<p>Each global policy rule has two selectors that drive its
application: focusSelector and targetSelector. In your case,
targetSelector should point to the role(s) that have to be
approved. And focusSelector should point to the user(s) to
which the role is to be assigned. One of the ways to
select objects is by organization membership, so this is
applicable to your situation.</p>
<p>The disadvantage of using global policy rules is that you have to
use one such rule for each approver. And you have to duplicate the
approval action information (or use some advanced composition
techniques to mix "bare" approval action information containing
only the approverRef with all the common settings that would come
through another assignment policy rule).</p>
<p>But, overall, your use case of defining an approver for
requester's org membership is interesting. You might create a jira
for that. However, in the current rush it is not very likely we'd
be able to implement it in 3.6.<br>
</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 20.03.2017 15:53, Oskar Butovič -
AMI Praha a.s. wrote:<br>
</div>
<blockquote
cite="mid:CAE8MtZDEqOCUYxbvSvUEF8PdbOBh6wUkXNAAxhJ_ccqde5jmNw@mail.gmail.com"
type="cite">
<div dir="ltr">Hello everybody,
<div><br>
</div>
<div>I need to define an approver for a role by org structure.</div>
<div><br>
</div>
<div>Users from each organization subtree have a different
approver for the same role.</div>
<div><br>
</div>
<div>Can it be done by org:approver? The following configuration
ignores the organization membership of the user who requests
the approved role.</div>
<div><br>
</div>
<div>I have assignment on my approver:</div>
<div>
<div><assignment id="3"></div>
<div> <metadata></div>
<div>
<requestTimestamp>2017-03-20T14:38:40.330+01:00</requestTimestamp></div>
<div> <requestorRef
oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"><!-- --></requestorRef></div>
<div>
<createTimestamp>2017-03-20T14:38:41.434+01:00</createTimestamp></div>
<div> <creatorRef
oid="00000000-0000-0000-0000-000000000002"
type="c:UserType"><!-- --></creatorRef></div>
<div> <createChannel><a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user">http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</a></createChannel></div>
<div> </metadata></div>
<div> <targetRef xmlns:org="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/org-3">http://midpoint.evolveum.com/xml/ns/public/common/org-3</a>"</div>
<div>
oid="e19d0f9f-7c57-4597-94a1-6e1de6676db9"</div>
<div> relation="org:approver"</div>
<div> type="c:RoleType"><!--
--></targetRef></div>
<div> <activation></div>
<div>
<effectiveStatus>enabled</effectiveStatus></div>
<div> </activation></div>
<div> <orgRef
oid="daf3c536-817f-460a-b2b4-a243e3ac8db5"
type="c:OrgType"><!-- --></orgRef></div>
<div> </assignment></div>
<div>------------------------------------------------------------------------------------------------</div>
<div><br>
</div>
<div>Next I have configured a metarole and assigned it to role
e19d0f9f-7c57-4597-94a1-6e1de6676db9. Metarole:</div>
<div>
<div><role xmlns:apti="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">http://midpoint.evolveum.com/xml/ns/public/common/api-types-3</a>"
xmlns:c="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"
xmlns:gen45="<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/debug">http://prism.evolveum.com/xml/ns/public/debug</a>"
xmlns:icfs="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"
xmlns:q="<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/query-3">http://prism.evolveum.com/xml/ns/public/query-3</a>"
xmlns:ri="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"
xmlns:t="<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/types-3">http://prism.evolveum.com/xml/ns/public/types-3</a>"
xmlns:xsi="<a moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>"
oid="org-approver-approved-meta-role" version="10" xmlns="<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"></div>
<div> <name>Org Approver Approved Role</name></div>
<div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span><inducement></div>
<div> <policyRule></div>
<div> <policyConstraints></div>
<div> <assignment/></div>
<div> </policyConstraints></div>
<div> <policyActions></div>
<div> <approval></div>
<div> <compositionStrategy></div>
<div> <order>40</order></div>
<div> </compositionStrategy></div>
<div> <approvalSchema></div>
<div> <level></div>
<div> <name>Org
Approvers</name></div>
<div>
<approverRelation>approver</approverRelation></div>
<div>
<evaluationStrategy>firstDecides</evaluationStrategy></div>
<div> </level></div>
<div> </approvalSchema></div>
<div> </approval></div>
<div> </policyActions></div>
<div> </policyRule></div>
<div> </inducement></div>
<div></role></div>
</div>
<div>------------------------------------------------------------------------------------------------<br>
</div>
<div><br>
</div>
<div>This seems to ignore orgRef in the assignment. When I try
<approverRelation>org:approver</approverRelation>
midPoint thinks that org: is a namespace prefix (Undeclared
namespace prefix 'org' in 'org:approver'). Is there any
configuration-based way around this, or do I have to
write an approverExpression script?</div>
<div><br>
</div>
<div><br>
</div>
<div>Best Regards</div>
<div><br>
</div>
<div>Oskar Butovič</div>
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<table
style="font-family:verdana,arial,helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px;border-style:solid;width:482px">
<tbody>
<tr style="padding:0px;margin:0px;border:0px
solid gray">
<td
style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px
solid gray">
<p><span
style="font-size:14px;font-weight:bold">Oskar
Butovič</span><br>
solution architect<br>
<br>
gsm: [+420] 774 480 101<br>
e-mail: <a moz-do-not-send="true"
href="mailto:oskar.butovic@ami.cz"
target="_blank">oskar.butovic@ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;border-width:0px
1px 0px
0px;border-style:solid;border-color:gray
rgb(204,204,204) gray gray;padding:0px"> </td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray"> </td>
<td
style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px
solid gray">
<p>AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel.: [+420] 274 783 239<br>
web: <a moz-do-not-send="true"
href="http://www.ami.cz/"
target="_blank">www.ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;border-width:0px
1px 0px
0px;border-style:solid;border-color:gray
rgb(204,204,204) gray gray;padding:0px"> </td>
<td
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray"> </td>
<td
style="color:rgb(0,0,0);font-family:arial,sans-serif;font-size:11px;margin:8px;width:116px;border:0px
solid gray">
<p><img moz-do-not-send="true"
src="http://www.ami.cz/images/podpis/ami_logo.gif"
alt="AMI Praha a.s." style="border:
0px;"></p>
</td>
</tr>
<tr style="padding:0px;margin:0px;border:0px
solid gray">
<td colspan="7"
style="color:rgb(0,0,0);font-family:verdana,arial,helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px
solid gray"><br>
<a moz-do-not-send="true"
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"
target="_blank"><img
moz-do-not-send="true"
src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png"
alt="AMI Praha a.s." style="border:
0px; width: 480px; height: 82px;"></a></td>
</tr>
<tr style="padding:0px;margin:0px;border:0px
solid gray">
<td colspan="7"
style="color:rgb(128,128,128);font-family:arial,sans-serif;font-size:11px;padding:0px;border:0px
solid gray"><br>
By the text of this e-mail, the signatory
does not promise to conclude, nor does conclude, on behalf of
AMI Praha a.s.<br>
any contract. Any contract, if
concluded, must be exclusively in
written form.<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
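<p>The global policy rule approach from the reply, sketched as an added example (not part of the original messages and not Evolveum's own configuration): one rule per approver, each repeating the approval action. The role OID and the first org OID are the ones quoted in the thread; the second org OID, both approver OIDs and the rule names are placeholders, and the selector contents (type, orgRef, inOid filter) are assumptions to check against the schema of the midPoint version in use.</p>

```xml
<!-- Fragment of the system configuration object. Prefixes c: and q: are
     assumed to be declared as in the role quoted in the thread. -->
<globalPolicyRule>
    <name>approve-role-for-org-A</name> <!-- hypothetical name -->
    <policyConstraints><assignment/></policyConstraints>
    <policyActions>
        <approval>
            <compositionStrategy><order>40</order></compositionStrategy>
            <approverRef oid="APPROVER-A-OID-PLACEHOLDER" type="c:UserType"/>
        </approval>
    </policyActions>
    <!-- focus: users who are members of the first organization -->
    <focusSelector>
        <type>c:UserType</type>
        <orgRef oid="daf3c536-817f-460a-b2b4-a243e3ac8db5" type="c:OrgType"/>
    </focusSelector>
    <!-- target: the role whose assignment has to be approved -->
    <targetSelector>
        <type>c:RoleType</type>
        <filter><q:inOid><q:value>e19d0f9f-7c57-4597-94a1-6e1de6676db9</q:value></q:inOid></filter>
    </targetSelector>
</globalPolicyRule>

<!-- Second approver: same role, different org, approval action duplicated. -->
<globalPolicyRule>
    <name>approve-role-for-org-B</name> <!-- hypothetical name -->
    <policyConstraints><assignment/></policyConstraints>
    <policyActions>
        <approval>
            <compositionStrategy><order>40</order></compositionStrategy>
            <approverRef oid="APPROVER-B-OID-PLACEHOLDER" type="c:UserType"/>
        </approval>
    </policyActions>
    <focusSelector>
        <type>c:UserType</type>
        <orgRef oid="ORG-B-OID-PLACEHOLDER" type="c:OrgType"/>
    </focusSelector>
    <targetSelector>
        <type>c:RoleType</type>
        <filter><q:inOid><q:value>e19d0f9f-7c57-4597-94a1-6e1de6676db9</q:value></q:inOid></filter>
    </targetSelector>
</globalPolicyRule>
```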
</body>
</html>