<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi Martin,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thank you for this detailed example. With this code, I was able to successfully initiate the SOD approval process.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks again,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Alex<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> midPoint [mailto:midpoint-bounces@lists.evolveum.com]
<b>On Behalf Of </b>Martin Lízner - AMI Praha a.s.<br>
<b>Sent:</b> Wednesday, September 6, 2017 3:00 PM<br>
<b>To:</b> midPoint General Discussion <midpoint@lists.evolveum.com><br>
<b>Subject:</b> Re: [midPoint] Approval processes in Segregation of Duties<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">This is how we (successfully) use SoD rules in mp 3.6 in production:<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><u>Global policy rule in system configuration:</u><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- Approvers are all users in SoD Approvers organization<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><globalPolicyRule><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <name>Segregation of Duties (SoD) approval</name><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyConstraints><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <situation><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <situation><a href="http://midpoint.evolveum.com/xml/ns/public/model/policy/situation#exclusionViolation">http://midpoint.evolveum.com/xml/ns/public/model/policy/situation#exclusionViolation</a></situation><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </situation><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyConstraints><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyActions><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <approval><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <compositionStrategy><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <order>30</order><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </compositionStrategy><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <approvalSchema><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <level><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <name>SoD</name><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <approverRef type="OrgType"><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <filter><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:equal><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:path>name</q:path><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:value>SoD Approvers</q:value><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </q:equal><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </filter><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <resolutionTime>run</resolutionTime><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </approverRef><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <evaluationStrategy>firstDecides</evaluationStrategy><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <outcomeIfNoApprovers>reject</outcomeIfNoApprovers><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <groupExpansion>onWorkItemCreation</groupExpansion><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </level><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </approvalSchema><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </approval><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyActions><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <focusSelector><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <type>UserType</type><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </focusSelector><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <targetSelector><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <type>RoleType</type> <!-- no need to filter on roleType, as each role has to have SoD defined --><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </targetSelector><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </globalPolicyRule><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Then each role (let's say RoleA, RoleB) has to have mutual exclusivity:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><u>RoleA contains:</u><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><assignment id="1"><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyRule><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyConstraints><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <exclusion><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <targetRef type="c:RoleType"><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <filter><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:equal><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:path>c:name</q:path><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:value>RoleB</q:value><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </q:equal>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </filter><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </targetRef><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </exclusion><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyConstraints><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyActions><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyActions><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyRule><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </assignment><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><u>RoleB contains:</u><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><assignment id="1"><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyRule><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyConstraints><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <exclusion><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <targetRef type="c:RoleType"><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <filter><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:equal><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:path>c:name</q:path><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <q:value>RoleA</q:value><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </q:equal>
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </filter><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </targetRef><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </exclusion><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyConstraints><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <policyActions><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyActions><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </policyRule><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> </assignment><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">To see your SoD rules at work you need to use the shopping cart (Request role menu).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">M.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td valign="bottom" style="padding:0cm 0cm 0cm 0cm">
<p><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">Martin Lízner</span></b><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:black"><br>
solution architect<br>
<br>
gsm: [+420] 737 745 571<br>
e-mail: <a href="mailto:martin.lizner@ami.cz" target="_blank">martin.lizner@ami.cz</a><o:p></o:p></span></p>
</td>
<td style="border:none;border-right:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 0cm;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important">
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana",sans-serif;color:black"> <o:p></o:p></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm;border:gray!important">
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana",sans-serif;color:black"> <o:p></o:p></span></p>
</td>
<td valign="bottom" style="padding:0cm 0cm 0cm 0cm;border:gray!important">
<p><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:black">AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel.: [+420] 274 783 239<br>
web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a><o:p></o:p></span></p>
</td>
<td style="border:none;border-right:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 0cm;border-top-width:0px!important;border-bottom-width:0px!important;border-left-width:0px!important;border-top-style:solid!important;border-bottom-style:solid!important;border-left-style:solid!important;border-top-color:gray!important;border-bottom-color:gray!important;border-left-color:gray!important">
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana",sans-serif;color:black"> <o:p></o:p></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm;border:gray!important">
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana",sans-serif;color:black"> <o:p></o:p></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm;border:gray!important">
</td>
</tr>
<tr style="border:gray!important">
<td colspan="7" style="padding:0cm 0cm 0cm 0cm;border:gray!important"></td>
</tr>
<tr style="border:gray!important">
<td colspan="7" style="padding:0cm 0cm 0cm 0cm;border:gray!important">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border-width:0px!important;border-style:solid!important;width:482px!important">
<tbody>
<tr style="border:gray!important">
<td width="480" style="width:360.0pt;padding:0cm 0cm 0cm 0cm;border-width:0px!important;border-style:solid!important;width:482px!important">
</td>
</tr>
<tr style="border:gray!important">
<td style="padding:0cm 0cm 0cm 0cm;border:gray!important"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2017-09-04 14:54 GMT+02:00 Doler, Alexander Earl (LATCO - Buenos Aires) <<a href="mailto:adoler@deloitte.com" target="_blank">adoler@deloitte.com</a>>:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Thanks for your response, Esteban!
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Unfortunately, even after changing the approver type to a user and specifying a user’s OID, as you suggested, no workflow is started and the incompatible
role is still assigned immediately (however, it is important that the approvers eventually be the members of an organization, and not a single user). The problem is that MidPoint seems to be ignoring reference to the approval altogether, as when I specify
“enforcement,” it does indeed block the assignment of incompatible roles. Maybe I am missing something further here?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Any ideas?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Regards,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D">Alex</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> midPoint [mailto:<a href="mailto:midpoint-bounces@lists.evolveum.com" target="_blank">midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Jeria, Esteban<br>
<b>Sent:</b> Thursday, August 31, 2017 3:36 PM<br>
<b>To:</b> midPoint General Discussion <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>><br>
<b>Subject:</b> Re: [midPoint] Approval processes in Segregation of Duties<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">Hello Alex,</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> </span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">I was working on exactly the same feature over the last few days, so I tested your code and found an error in approverRef: the type should be a user</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> </span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"><approverRef oid="(APPROVER OID)"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> relation="org:default"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> type="c:UserType"></approverRef></span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> </span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">otherwise your request goes to nobody. Actually you can probably find them under "Work items / All requests"</span><o:p></o:p></p>
<div>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">Once fixed, the approval workflow works properly.</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> </span><o:p></o:p></p>
<div>
<p><b><span lang="FR" style="font-size:10.5pt;font-family:"Calibri Light",sans-serif;color:blue;background:white">Esteban Jeria</span></b><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:#575A5D;background:white"><br>
</span><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white">Conseiller
</span><b><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:red;background:white">CGI</span></b><span lang="FR" style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white"> / </span><b><span style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:red;background:white">CGI</span></b><span style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white">
Consultant</span><o:p></o:p></p>
<p><span style="font-size:9.5pt;font-family:"Calibri Light",sans-serif;color:black;background:white">Sécurité - Gestion d'identité et des accès / Security - Identity and Access Management</span><o:p></o:p></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="color:black">
<hr size="2" width="100%" align="center">
</span></div>
<div id="m_1228853624737513839divRpF439293">
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black"> Doler, Alexander
Earl (LATCO - Buenos Aires) [<a href="mailto:adoler@deloitte.com" target="_blank">adoler@deloitte.com</a>]<br>
<b>Sent:</b> August 30, 2017 1:14 PM<br>
<b>To:</b> midPoint General Discussion<br>
<b>Subject:</b> [midPoint] Approval processes in Segregation of Duties</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Hello,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">I am trying to configure Segregation of Duties in MidPoint so that when incompatible roles are requested, an approval process is triggered. I am able to
successfully block assignment of incompatible roles by specifying “<enforcement>” in the policy actions. However, when I replace “enforcement” with “approval,” MidPoint seems to ignore any approval process specified and assigns the role. I noticed the tag
“prune” is also ignored when specified here. I am using MidPoint version 3.6.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Here is my code:</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <assignment id="7"></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <policyRule></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <name>Exclude Role Assignment</name></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <policyConstraints></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <exclusion></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <targetRef oid="(ROLE OID)"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> relation="org:default"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> type="c:RoleType"></targetRef></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </exclusion></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </policyConstraints></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <policyActions></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <approval></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <compositionStrategy></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <order>10</order></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </compositionStrategy></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <approvalSchema></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <level></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <name>Auditing Approval</name></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <approverRef oid="(APPROVER OID)"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> relation="org:default"</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> type="c:OrgType"></approverRef></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <evaluationStrategy>firstDecides</evaluationStrategy></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> <groupExpansion>onWorkItemCreation</groupExpansion></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </level></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </approvalSchema></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </approval></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </policyActions></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </policyRule></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </assignment></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Any thoughts on how to make this work?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Thank you,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Alex</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
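<p class="MsoNormal">The layout described in the thread (one global approval rule triggered by exclusionViolation, plus an exclusion on each role pointing at the other) can be checked offline before import. The following is an added example, not code from the thread or from midPoint: the function names, namespace URIs and sample documents are assumptions constructed for illustration, and treating a level without outcomeIfNoApprovers set to reject as a finding is this example's own baseline, taken from the posted rule.</p>

```python
import xml.etree.ElementTree as ET  # trusted exports only; use defusedxml otherwise
# Namespace URIs and all sample documents below are constructed for illustration.
C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q_NS = "http://prism.evolveum.com/xml/ns/public/query-3"
EXCLUSION_SITUATION = ("http://midpoint.evolveum.com/xml/ns/public/model/"
                       "policy/situation#exclusionViolation")

def local(tag):
    """Drop the namespace so prefixed and unprefixed elements match alike."""
    return tag.rsplit("}", 1)[-1]

def find_all(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def excluded_names(role):
    """Role names this role excludes through a name-equality filter."""
    names = set()
    for excl in find_all(role, "exclusion"):
        for eq in find_all(excl, "equal"):
            path = (child_text(eq, "path") or "").split(":")[-1]
            value = child_text(eq, "value")
            if path == "name" and value:
                names.add(value)
    return names

def audit_roles(role_docs):
    """Report exclusions that are one-sided or point at a role not supplied."""
    excl = {}
    for doc in role_docs:
        root = ET.fromstring(doc)
        excl[child_text(root, "name") or "(unnamed)"] = excluded_names(root)
    findings = []
    for name, targets in sorted(excl.items()):
        for target in sorted(targets):
            if target not in excl:
                findings.append(f"{name}: excludes unknown role {target}")
            elif name not in excl[target]:
                findings.append(f"{target}: missing exclusion of {name}")
    return findings

def audit_global_rule(rule_doc):
    """Baseline is the posted rule: exclusionViolation trigger, approval
    action, an approverRef per level, and reject when no approver resolves."""
    rule = ET.fromstring(rule_doc)
    findings = []
    situations = [(s.text or "").strip() for s in find_all(rule, "situation")]
    if EXCLUSION_SITUATION not in situations:
        findings.append("rule is not triggered by exclusionViolation")
    if not find_all(rule, "approval"):
        findings.append("no approval action")
    for level in find_all(rule, "level"):
        label = child_text(level, "name") or "(unnamed)"
        if not find_all(level, "approverRef"):
            findings.append(f"level {label}: no approverRef")
        if child_text(level, "outcomeIfNoApprovers") != "reject":
            findings.append(f"level {label}: outcomeIfNoApprovers is not 'reject'")
    return findings

def sample_role(name, excludes):
    """Constructed role document in the shape posted in the thread."""
    return f"""<role xmlns="{C_NS}" xmlns:q="{Q_NS}"><name>{name}</name>
  <assignment><policyRule><policyConstraints><exclusion>
    <targetRef type="RoleType"><filter><q:equal>
      <q:path>c:name</q:path><q:value>{excludes}</q:value>
    </q:equal></filter></targetRef>
  </exclusion></policyConstraints></policyRule></assignment></role>"""

def sample_rule(outcome_line):
    """Constructed global rule in the shape of the posted one."""
    return f"""<globalPolicyRule>
  <policyConstraints><situation>
    <situation>{EXCLUSION_SITUATION}</situation>
  </situation></policyConstraints>
  <policyActions><approval><approvalSchema><level>
    <name>SoD</name><approverRef type="OrgType"/>{outcome_line}
  </level></approvalSchema></approval></policyActions>
</globalPolicyRule>"""
```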
</body>
</html>