<div dir="ltr">This is how we (successfully) use SoD rules in mp 3.6 in production:<div><br></div><div><u>Global policy rule in system configuration:</u></div><div>- Approvers are all users in SoD Approvers organization</div><div><br></div><pre>
<globalPolicyRule>
    <name>Segregation of Duties (SoD) approval</name>
    <policyConstraints>
        <situation>
            <situation>http://midpoint.evolveum.com/xml/ns/public/model/policy/situation#exclusionViolation</situation>
        </situation>
    </policyConstraints>
    <policyActions>
        <approval>
            <compositionStrategy>
                <order>30</order>
            </compositionStrategy>
            <approvalSchema>
                <level>
                    <name>SoD</name>
                    <approverRef type="OrgType">
                        <filter>
                            <q:equal>
                                <q:path>name</q:path>
                                <q:value>SoD Approvers</q:value>
                            </q:equal>
                        </filter>
                        <resolutionTime>run</resolutionTime>
                    </approverRef>
                    <evaluationStrategy>firstDecides</evaluationStrategy>
                    <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                    <groupExpansion>onWorkItemCreation</groupExpansion>
                </level>
            </approvalSchema>
        </approval>
    </policyActions>
    <focusSelector>
        <type>UserType</type>
    </focusSelector>
    <targetSelector>
        <type>RoleType</type>  <!-- no need to filter on roleType, as each role has to have SoD defined -->
    </targetSelector>
</globalPolicyRule>
</pre><div><br></div><div>Then each role (let's say RoleA, RoleB) has to have mutual exclusivity:</div><div><br></div><div><u>RoleA contains:</u></div><pre>
<assignment id="1">
    <policyRule>
        <policyConstraints>
            <exclusion>
                <targetRef type="c:RoleType">
                    <filter>
                        <q:equal>
                            <q:path>c:name</q:path>
                            <q:value>RoleB</q:value>
                        </q:equal>
                    </filter>
                </targetRef>
            </exclusion>
        </policyConstraints>
        <policyActions>
        </policyActions>
    </policyRule>
</assignment>
</pre><div><br></div><div><u>RoleB contains:</u></div><pre>
<assignment id="1">
    <policyRule>
        <policyConstraints>
            <exclusion>
                <targetRef type="c:RoleType">
                    <filter>
                        <q:equal>
                            <q:path>c:name</q:path>
                            <q:value>RoleA</q:value>
                        </q:equal>
                    </filter>
                </targetRef>
            </exclusion>
        </policyConstraints>
        <policyActions>
        </policyActions>
    </policyRule>
</assignment>
</pre><div><br></div><div>To see your SoD rules at work you need to use the shopping cart (Request role menu).</div><div><br></div><div>M.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p><span style="font-size:14px;font-weight:bold">Martin Lízner</span><br>solution architect<br><br>gsm: [+420] 737 745 571<br>e-mail: <a href="mailto:martin.lizner@ami.cz" target="_blank">martin.lizner@ami.cz</a></p><p>AMI Praha a.s.<br>Pláničkova 11<br>162 00 Praha 6<br>tel.: [+420] 274 783 239<br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></p><p>By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be made exclusively in written form.</p></div></div></div>
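<div><br></div><div>The setup above (an exclusion policyRule on each role of a conflicting pair, plus one global policy rule that turns an exclusionViolation into an approval step routed to the members of an approver org) and the point made further down in the quoted thread, that a work item whose approverRef resolves to nobody simply goes nowhere, can be modelled offline. The Python script below is an added example, not code from this message or from midPoint: it parses constructed role definitions shaped like the RoleA/RoleB snippets, flags exclusions that are only declared on one side, finds the conflicting pairs in a requested role set, and models what the global rule does with them (enforcement, an approval work item for the org members, or the outcomeIfNoApprovers fallback). The common-3 and query-3 namespace URIs are midPoint's real ones; the role names, org members and the route_request function are constructed for the example and simplify the real engine.</div>

```python
"""Offline model of the SoD setup from the thread: each role carries exclusion
policyRules, and one global policy rule reacts to an exclusionViolation.
Everything here is constructed for the example; it is not midPoint code."""
import xml.etree.ElementTree as ET

# midPoint common-3 schema and prism query-3 namespaces (the q: prefix in the snippets)
NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "q": "http://prism.evolveum.com/xml/ns/public/query-3",
}


def role_xml(name, excluded):
    """Constructed role document with one exclusion policyRule per excluded role,
    shaped like the RoleA/RoleB snippets in the thread (filter on c:name)."""
    rules = "".join(f"""
  <assignment id="{i + 1}">
    <policyRule>
      <policyConstraints>
        <exclusion>
          <targetRef type="c:RoleType">
            <filter><q:equal><q:path>c:name</q:path><q:value>{ex}</q:value></q:equal></filter>
          </targetRef>
        </exclusion>
      </policyConstraints>
      <policyActions/>
    </policyRule>
  </assignment>""" for i, ex in enumerate(excluded))
    return (f'<role xmlns="{NS["c"]}" xmlns:c="{NS["c"]}" xmlns:q="{NS["q"]}">'
            f"<name>{name}</name>{rules}</role>")


# Constructed sample: RoleA and RoleB exclude each other (the mutual setup the
# thread uses); RoleC excludes RoleA, but RoleA does not exclude RoleC.
SAMPLE_ROLES = [
    role_xml("RoleA", ["RoleB"]),
    role_xml("RoleB", ["RoleA"]),
    role_xml("RoleC", ["RoleA"]),
]


def parse_exclusions(role_docs):
    """Map each role name to the set of role names its exclusion constraints target."""
    exclusions = {}
    for doc in role_docs:
        root = ET.fromstring(doc)
        name = root.find("c:name", NS).text
        targets = set()
        for excl in root.iter("{%s}exclusion" % NS["c"]):
            value = excl.find(".//q:value", NS)
            if value is not None:
                targets.add(value.text)
        exclusions[name] = targets
    return exclusions


def one_sided_exclusions(exclusions):
    """(a, b) pairs where a excludes b but b does not exclude a. The thread
    defines the rule on both roles so the conflict is raised whichever role
    of the pair is requested second."""
    return sorted((a, b) for a, targets in exclusions.items()
                  for b in targets if a not in exclusions.get(b, set()))


def exclusion_violations(exclusions, assigned):
    """Unordered conflicting pairs within a set of assigned role names."""
    assigned = set(assigned)
    return {frozenset((a, b)) for a in assigned
            for b in exclusions.get(a, set()) if b in assigned and b != a}


def route_request(exclusions, assigned, approver_org_members,
                  policy_action="approval", outcome_if_no_approvers="reject"):
    """Model the global policy rule on situation exclusionViolation.
    'enforcement' rejects outright; 'approval' opens a work item for the org
    members (groupExpansion at work item creation, firstDecides); an empty
    approver set falls back to outcomeIfNoApprovers, which is what an
    approverRef that resolves to nobody amounts to. Simplified: any value
    other than 'reject' is treated as approve."""
    conflicts = exclusion_violations(exclusions, assigned)
    if not conflicts:
        return {"status": "assigned"}
    if policy_action == "enforcement":
        return {"status": "rejected", "reason": "enforcement"}
    if not approver_org_members:
        status = "rejected" if outcome_if_no_approvers == "reject" else "assigned"
        return {"status": status, "reason": "no approvers"}
    return {"status": "pending", "approvers": sorted(approver_org_members),
            "evaluation": "firstDecides",
            "conflicts": sorted(tuple(sorted(p)) for p in conflicts)}


if __name__ == "__main__":
    ex = parse_exclusions(SAMPLE_ROLES)
    print("one-sided exclusions:", one_sided_exclusions(ex))
    print(route_request(ex, {"RoleA", "RoleB"}, {"alice", "bob"}))
    print(route_request(ex, {"RoleA", "RoleB"}, set()))
```

<div>Running the script reports RoleC's exclusion of RoleA as one-sided, routes a RoleA+RoleB request to the two constructed org members as a pending work item, and rejects the same request when the approver org is empty, which is the behaviour outcomeIfNoApprovers=reject buys you in the global rule.</div>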
<br><div class="gmail_quote">2017-09-04 14:54 GMT+02:00 Doler, Alexander Earl (LATCO - Buenos Aires) <span dir="ltr"><<a href="mailto:adoler@deloitte.com" target="_blank">adoler@deloitte.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_1228853624737513839WordSection1">
<p class="MsoNormal"><span style="color:#1f497d">Thanks for your response, Esteban!</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="color:#1f497d">Unfortunately, even after changing the approver type to a user and specifying a user’s OID, as you suggested, no workflow is started and the incompatible role is still assigned immediately (however, it is important that the approvers eventually be the members of an organization, and not a single user). The problem is that MidPoint seems to be ignoring the reference to the approval altogether, as when I specify “enforcement,” it does indeed block the assignment of incompatible roles. Maybe I am missing something further here?</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="color:#1f497d">Any ideas?</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="color:#1f497d">Regards,</span></p>
<p class="MsoNormal"><span style="color:#1f497d">Alex</span></p>
<p class="MsoNormal"><span style="color:#1f497d"> </span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> midPoint [mailto:<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Jeria, Esteban<br>
<b>Sent:</b> Thursday, August 31, 2017 3:36 PM<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Approval processes in Segregation of Duties</p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black">Hello Alex,</span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black"> </span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black">I was working on exactly the same feature in the last few days, so I tested your code and I found an error in approverRef: the type should be a user</span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black"> </span></p>
<pre>
<approverRef oid="(APPROVER OID)"
             relation="org:default"
             type="c:UserType"></approverRef>
</pre>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black"> </span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black">otherwise your request goes to nobody. Actually, you can probably find them under "Work items / All requests"</span></p>
<div>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black">Once fixed, the approval workflow works properly.</span></p>
<p><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black"> </span></p>
<div>
<p><b><span lang="FR" style="font-size:10.5pt;font-family:"Calibri Light",sans-serif;color:blue;background:white">Esteban Jeria</span></b><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:#575a5d;background:white"><br>
</span><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white">Conseiller
</span><b><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:red;background:white">CGI</span></b><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white"> / </span><b><span style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:red;background:white">CGI</span></b><span style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white">
 Consultant</span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><u></u><u></u></span></p>
<p><span style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white">Sécurité - Gestion d'identité et des accès / Security - Identity and Access Management</span><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><u></u><u></u></span></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div id="m_1228853624737513839divRpF439293">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma',sans-serif;color:black"> Doler, Alexander Earl (LATCO - Buenos Aires) [<a href="mailto:adoler@deloitte.com" target="_blank">adoler@deloitte.com</a>]<br>
<b>Sent:</b> August 30, 2017 1:14 PM<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> [midPoint] Approval processes in Segregation of Duties</span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">Hello,</span></p>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p class="MsoNormal"><span style="color:black">I am trying to configure Segregation of Duties in MidPoint so that when incompatible roles are requested, an approval process is triggered. I am able to successfully block assignment of incompatible roles by specifying “<enforcement>” in the policy actions. However, when I replace “enforcement” with “approval,” MidPoint seems to ignore any approval process specified and assigns the role. I noticed the tag “prune” is also ignored when specified here. I am using MidPoint version 3.6.</span></p>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p class="MsoNormal"><span style="color:black">Here is my code:</span></p>
<p class="MsoNormal"><span style="color:black"> </span></p>
<pre>
<assignment id="7">
   <policyRule>
      <name>Exclude Role Assignment</name>
      <policyConstraints>
         <exclusion>
            <targetRef oid="(ROLE OID)"
                       relation="org:default"
                       type="c:RoleType"></targetRef>
         </exclusion>
      </policyConstraints>
      <policyActions>
         <approval>
            <compositionStrategy>
               <order>10</order>
            </compositionStrategy>
            <approvalSchema>
               <level>
                  <name>Auditing Approval</name>
                  <approverRef oid="(APPROVER OID)"
                               relation="org:default"
                               type="c:OrgType"></approverRef>
                  <evaluationStrategy>firstDecides</evaluationStrategy>
                  <groupExpansion>onWorkItemCreation</groupExpansion>
               </level>
            </approvalSchema>
         </approval>
      </policyActions>
   </policyRule>
</assignment>
</pre>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p class="MsoNormal"><span style="color:black">Any thoughts on how to make this work?</span></p>
<p class="MsoNormal"><span style="color:black"> </span></p>
<p class="MsoNormal"><span style="color:black">Thank you,</span></p>
<p class="MsoNormal"><span style="color:black">Alex</span></p>
</div>
</div>
</div>
</div>
</div></div></div>
</div>

<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>