<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Although setting useLegacyApproversSpecification to "never" is
recommended (after you decided to use policy rules to drive
approvals), it will most probably not help in this case. I'd
suggest setting useDefaultApprovalPolicyRules to "never" as well,
although it will not probably help.</p>
<p>The problem is deep in the midPoint code, where assignments are
evaluated. I have fixed it for 3.6, but it would be very hard to
backport the fix to 3.5.x.</p>
<p>What exactly are you trying to achieve? Maybe we could find some
alternative way.<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 06.04.2017 16:02, Oskar Butovič -
AMI Praha a.s. wrote:<br>
</div>
<blockquote
cite="mid:CAE8MtZBjFqpqSv5FgxcH8X-56WSdXUNZM3=MgnirX1_bBiAuBQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hello Pavol,
<div><br>
</div>
<div>I Use policy rules. Follows example of one of my workflow
roles.</div>
<div><br>
</div>
<div>I have not set anything regarding <span
style="font-size:12.8px"> </span><span
style="font-size:12.8px">legacy approvers and default
approval policy rules. So this behaviour would stop if i
set </span><span
style="color:rgb(51,51,51);font-family:arial,sans-serif;font-size:14px">useLegacyApproversSpecification
to </span><span
style="color:rgb(51,51,51);font-family:monospace;font-size:14px">never?</span></div>
<div><span
style="color:rgb(51,51,51);font-family:monospace;font-size:14px"><br>
</span></div>
<div>----------------------------------------------------------------------------</div>
<div>
<div><role xmlns:apti="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">http://midpoint.evolveum.com/xml/ns/public/common/api-types-3</a>"
xmlns:c="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"
xmlns:gen45="<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/debug">http://prism.evolveum.com/xml/ns/public/debug</a>"
xmlns:icfs="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3">http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3</a>"
xmlns:q="<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/query-3">http://prism.evolveum.com/xml/ns/public/query-3</a>"
xmlns:ri="<a moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">http://midpoint.evolveum.com/xml/ns/public/resource/instance-3</a>"
xmlns:t="<a moz-do-not-send="true"
href="http://prism.evolveum.com/xml/ns/public/types-3">http://prism.evolveum.com/xml/ns/public/types-3</a>"
xmlns:xsi="<a moz-do-not-send="true"
href="http://www.w3.org/2001/XMLSchema-instance">http://www.w3.org/2001/XMLSchema-instance</a>" </div>
<div>oid="refused-meta-role" version="10" xmlns="<a
moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/common/common-3">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>"></div>
<div> <name>Refused Role</name></div>
<div> <inducement></div>
<div> <policyRule></div>
<div> <policyConstraints></div>
<div> <assignment/></div>
<div> </policyConstraints></div>
<div> <policyActions></div>
<div> <approval></div>
<div> <compositionStrategy></div>
<div> <order>2</order></div>
<div> </compositionStrategy></div>
<div> <approvalSchema></div>
<div> <level></div>
<div> <name>Automatic
refusal</name></div>
<div> <approverExpression></div>
<div> <script></div>
<div> <code></div>
<div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>log.warn("approving
new role with undefined workflow for user: " +
serachedUser.getName() + " automatically refusing.");</div>
<div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>//TODO
zastavit approve process v 3.5.1 bude mozne pouzit
outcomeIfNoApprovers</div>
<div> <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>return
"workflow-refuser-user";</div>
<div> </code></div>
<div> </script></div>
<div> </approverExpression></div>
<div>
<evaluationStrategy>firstDecides</evaluationStrategy></div>
<div> </level></div>
<div> </approvalSchema></div>
<div> </approval></div>
<div> </policyActions></div>
<div> </policyRule></div>
<div> </inducement></div>
<div></role></div>
</div>
<div>--------------------------------------------------------------------</div>
<div><br>
</div>
<div><br>
</div>
<div>Best regards</div>
<div><br>
</div>
<div>Oskar Butovič</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-04-06 15:30 GMT+02:00 Pavol
Mederly <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Oskar,</p>
<p>how are your approvals set up? Do you use policy rules?
What are your settings regarding legacy approvers and
default approval policy rules? (see <a
moz-do-not-send="true"
href="https://wiki.evolveum.com/pages/viewpage.action?pageId=24084761"
target="_blank">https://wiki.evolveum.com/<wbr>pages/viewpage.action?pageId=<wbr>24084761</a>).</p>
<p>Because, unfortunately, there are some problems with
policy-based approvals for non-default relations in
3.5.x (see MID-3799, #1).</p>
<pre class="m_-4199529265480017251moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div class="h5">
<div class="m_-4199529265480017251moz-cite-prefix">On
06.04.2017 15:12, Oskar Butovič - AMI Praha a.s.
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">Hello everybody,
<div><br>
</div>
<div>I have stumbled across some strange approval
workflow behaviour.</div>
<div><br>
</div>
<div>When I am assigning roles with relation
member everything works fine, exactly as
configured.</div>
<div><br>
</div>
<div>But when i try to assign members weird stuff
starts to happen. </div>
<div>Example: </div>
<div>- no or any workflow is configured for role
via assigned metaroles</div>
<div>1) I assign role R1 as approver to user U1</div>
<div> a) everything executes ok and role is
assigned as approver relation</div>
<div>2) I assign role R1 as approver to user U2</div>
<div> a) midpoint ignores any workflow
configured on metaroles (approverExpressions are
not executed at all)<br clear="all">
<div> b) approval task for user U1 is
created.</div>
<div><br>
</div>
<div>Why this might happen and how it could be
changed? Part 2.b is especially bothersome. It
might cause that confusing workflow
notifications are sent during initial or
following workflow approver configuration.</div>
<div><br>
</div>
<div>Best Regards</div>
<div><br>
</div>
<div>Oskar Butovič</div>
<div><br>
</div>
-- <br>
<div
class="m_-4199529265480017251gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<table
style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important">
<tbody>
<tr
style="padding:0px;margin:0px;border:0px
solid gray!important">
<td
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px
solid gray!important">
<p><span
style="font-size:14px;font-weight:bold">Oskar
Butovič</span><br>
solution architect<br>
<br>
gsm: <a
moz-do-not-send="true"
href="tel:+420%20774%20480%20101" value="+420774480101" target="_blank">[+420]
774 480 101</a><br>
e-mail: <a
moz-do-not-send="true"
href="mailto:oskar.butovic@ami.cz" target="_blank">oskar.butovic@ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray!important"> </td>
<td
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px
solid gray!important">
<p>AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel.: <a
moz-do-not-send="true"
href="tel:+420%20274%20783%20239" value="+420274783239" target="_blank">[+420]
274 783 239</a><br>
web: <a
moz-do-not-send="true"
href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray!important"> </td>
<td
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px
solid
gray!important;width:116px">
<p><img
moz-do-not-send="true"
src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s."
style="border:0px"></p>
</td>
</tr>
<tr
style="padding:0px;margin:0px;border:0px
solid gray!important">
<td colspan="7"
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px
solid gray!important"><br>
<a moz-do-not-send="true"
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"
target="_blank"><img
moz-do-not-send="true"
src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" alt="AMI
Praha a.s."
style="border:0px;width:480px!important;height:82px!important"></a></td>
</tr>
<tr
style="padding:0px;margin:0px;border:0px
solid gray!important">
<td colspan="7"
style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px
solid gray!important"><br>
Textem tohoto e-mailu
podepisující neslibuje
uzavřít ani neuzavírá za
společnost AMI Praha a.s.<br>
jakoukoliv smlouvu. Každá
smlouva, pokud bude
uzavřena, musí mít
výhradně písemnou formu.<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset
class="m_-4199529265480017251mimeAttachmentHeader"></fieldset>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_-4199529265480017251moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_-4199529265480017251moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</blockquote></div>
<div>
</div>--
<div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><table style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px!important;border-style:solid!important;width:482px!important"><tbody><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px solid gray!important"><p><span style="font-size:14px;font-weight:bold">Oskar Butovič</span>
solution architect
gsm: [+420] 774 480 101
e-mail: <a moz-do-not-send="true" href="mailto:oskar.butovic@ami.cz" target="_blank">oskar.butovic@ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important"> </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px solid gray!important"><p>AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: <a moz-do-not-send="true" href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p></td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-right-width:1px;border-right-style:solid;border-right-color:rgb(204,204,204);padding:0px;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important"> </td><td style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px solid gray!important"> </td><td style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;border:0px solid gray!important;width:116px"><p><img moz-do-not-send="true" src="http://www.ami.cz/images/podpis/ami_logo.gif" alt="AMI Praha a.s." style="border:0px"></p></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px solid gray!important">
<a moz-do-not-send="true" href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management" target="_blank"><img moz-do-not-send="true" src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png" alt="AMI Praha a.s." style="border:0px;width:480px!important;height:82px!important"></a></td></tr><tr style="padding:0px;margin:0px;border:0px solid gray!important"><td colspan="7" style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px solid gray!important">
Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně písemnou formu.
</td></tr></tbody></table></div></div></div></div></div></div></div>
</div>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</body></html>