<div dir="ltr">Hello Pavol,<div><br></div><div>I have tested it today on midPoint 3.5.1 and it worked perfectly. Approver relation assignments are not checked by workflow and member ones are checked by policy rules.</div><div><br></div><div><div><useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules></div><div><span class="gmail-Apple-tab-span" style="white-space:pre"> </span> <useLegacyApproversSpecification>never</useLegacyApproversSpecification></div></div><div><br></div><div>did the trick.</div><div><br></div><div>Thanks a lot.</div><div><br></div><div>Best Regards</div><div><br></div><div>Oskar Butovič</div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-04-06 16:20 GMT+02:00 Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
    <p>Although setting useLegacyApproversSpecification to "never" is
recommended (after you decided to use policy rules to drive
approvals), it will most probably not help in this case. I'd
suggest setting useDefaultApprovalPolicyRules to "never" as well,
although it will not probably help.</p>
<p>The problem is deep in the midPoint code, where assignments are
evaluated. I have fixed it for 3.6, but it would be very hard to
backport the fix to 3.5.x.</p>
<p>What exactly are you trying to achieve? Maybe we could find some
alternative way.<br>
</p><span class="">
<pre class="m_-5280265086554330895moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="h5"><div class="m_-5280265086554330895moz-cite-prefix">On 06.04.2017 16:02, Oskar Butovič -
AMI Praha a.s. wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Pavol,
<div><br>
</div>
            <div>I use policy rules. An example of one of my workflow
              roles follows.</div>
<div><br>
</div>
            <div>I have not set anything regarding legacy approvers and default
              approval policy rules. So this behaviour would stop if I
              set useLegacyApproversSpecification to never?</div>
<div><span style="color:rgb(51,51,51);font-family:monospace;font-size:14px"><br>
</span></div>
<div>------------------------------<wbr>------------------------------<wbr>----------------</div>
<div>
<pre><role xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:gen45="http://prism.evolveum.com/xml/ns/public/debug"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="refused-meta-role" version="10" xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Refused Role</name>
    <inducement>
        <policyRule>
            <policyConstraints>
                <assignment/>
            </policyConstraints>
            <policyActions>
                <approval>
                    <compositionStrategy>
                        <order>2</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <level>
                            <name>Automatic refusal</name>
                            <approverExpression>
                                <script>
                                    <code>
                                        log.warn("approving new role with undefined workflow for user: " + serachedUser.getName() + " automatically refusing.");
                                        // TODO: stop the approve process; in 3.5.1 it will be possible to use outcomeIfNoApprovers
                                        return "workflow-refuser-user";
                                    </code>
                                </script>
                            </approverExpression>
                            <evaluationStrategy>firstDecides</evaluationStrategy>
                        </level>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role></pre>
</div>
<div>------------------------------<wbr>------------------------------<wbr>--------</div>
<div><br>
</div>
<div><br>
</div>
<div>Best regards</div>
<div><br>
</div>
<div>Oskar Butovič</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-04-06 15:30 GMT+02:00 Pavol
Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Oskar,</p>
<p>how are your approvals set up? Do you use policy rules?
What are your settings regarding legacy approvers and
default approval policy rules? (see <a href="https://wiki.evolveum.com/pages/viewpage.action?pageId=24084761" target="_blank">https://wiki.evolveum.com/page<wbr>s/viewpage.action?pageId=24084<wbr>761</a>).</p>
<p>Because, unfortunately, there are some problems with
policy-based approvals for non-default relations in
3.5.x (see MID-3799, #1).</p>
<pre class="m_-5280265086554330895m_-4199529265480017251moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div class="m_-5280265086554330895h5">
<div class="m_-5280265086554330895m_-4199529265480017251moz-cite-prefix">On
06.04.2017 15:12, Oskar Butovič - AMI Praha a.s.
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_-5280265086554330895h5">
<div dir="ltr">Hello everybody,
<div><br>
</div>
<div>I have stumbled across some strange approval
workflow behaviour.</div>
<div><br>
</div>
<div>When I am assigning roles with relation
member everything works fine, exactly as
configured.</div>
<div><br>
</div>
                        <div>But when I try to assign members weird stuff
                          starts to happen. </div>
<div>Example: </div>
<div>- no or any workflow is configured for role
via assigned metaroles</div>
<div>1) I assign role R1 as approver to user U1</div>
<div> a) everything executes ok and role is
assigned as approver relation</div>
<div>2) I assign role R1 as approver to user U2</div>
<div> a) midpoint ignores any workflow
configured on metaroles (approverExpressions are
not executed at all)<br clear="all">
<div> b) approval task for user U1 is
created.</div>
<div><br>
</div>
                          <div>Why might this happen and how could it be
                            changed? Part 2.b is especially bothersome. It
                            might cause confusing workflow
                            notifications to be sent during initial or
                            subsequent workflow approver configuration.</div>
<div><br>
</div>
<div>Best Regards</div>
<div><br>
</div>
<div>Oskar Butovič</div>
<div><br>
</div>
                          -- <br>
                          <div>Oskar Butovič<br>
                            solution architect<br>
                            AMI Praha a.s.</div>
</div>
</div>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-5280265086554330895m_-4199529265480017251moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-5280265086554330895m_-4199529265480017251moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
<br></blockquote></div>
</div>