<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
This is exactly the point.<br>
<br>
The original idea was to use "secondary approvals" by system
administrators so they will be aware of all the accounts that are
created on their systems. We have used similar approach in
first-generation (pre-midpoint) IDM deployments. But in fact, as
far as I know, it was never used in practice as it was quite
useless. The problem is if system administrator rejects secondary
delta, but primary delta is executed. The result is a situation
that violates the policy: roles says that there should be an
account, but the account is not there. So midPoint will try to
create the account again and again.<br>
<br>
Early in midPoint design and development we though that "secondary
approvals" might be needed. We were not sure. So we have designed
midPoint to allow for this option sometime in the future. It was
just an architectural construct with just a partial
implementation. It was never fully implemented. But up until now
there was no demand to this features. Therefore we had no plans to
finish the implementation. In fact we were thinking about phasing
out the secondary approval option altogether.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 12/14/2017 12:51 PM, Pavol Mederly wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ade29216-1db9-9e3c-3a58-e3b7066b7599@evolveum.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>Hello Oskar,</p>
<p>the crucial question is: what should midPoint do if such a
secondary change would get rejected?<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
<div class="moz-cite-prefix">On 14.12.2017 11:34, Oskar Butovič -
AMI Praha a.s. wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAE8MtZCSmm6puNLFMv4eDBV=LOUat=PV7v-T=obUhg9pevpfvQ@mail.gmail.com">
<div dir="ltr">Hello everybody,
<div><br>
</div>
<div>I was wondering whether I can enforce executing approval
workflow upon assignment which is in the secondary delta.
Eg. role assignment synchronized from an external system or
role assigned by object template based on some attribute
values.</div>
<div><br>
</div>
<div>I have some ideas:</div>
<div>- can it be configured by policy rules alone?</div>
<div>- can it be done by generalChangeProcessor <a
href="https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+3:+using+general+change+processor"
moz-do-not-send="true">https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+3:+using+general+change+processor</a>
?</div>
<div>- If all else fails would moving the assignment delta
from secondary to primary via hook do the trick?</div>
<div><br>
</div>
<div>Could any of those ideas work?</div>
<div><br>
</div>
<div>Best Regards</div>
<div>Oskar Butovič</div>
<div>-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<table
style="font-family:Verdana,Arial,Helvetica,sans-serif;border-collapse:collapse;padding:0px;margin:0px;border-width:0px;border-style:solid;width:482px">
<tbody>
<tr
style="padding:0px;margin:0px;border:0px
solid gray">
<td
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;width:160px;vertical-align:bottom;padding:0px;border:0px
solid gray">
<p><span
style="font-size:14px;font-weight:bold">Oskar
Butovič</span><br>
solution architect<br>
<br>
gsm: [+420] 774 480 101<br>
e-mail: <a
href="mailto:oskar.butovic@ami.cz"
target="_blank"
moz-do-not-send="true">oskar.butovic@ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-width:0px
1px 0px
0px;border-style:solid;border-color:gray
rgb(204,204,204) gray
gray;padding:0px"> </td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray"> </td>
<td
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;vertical-align:bottom;padding:0px;width:123px;border:0px
solid gray">
<p>AMI Praha a.s.<br>
Pláničkova 11<br>
162 00 Praha 6<br>
tel.: [+420] 274 783 239<br>
web: <a href="http://www.ami.cz/"
target="_blank"
moz-do-not-send="true">www.ami.cz</a></p>
</td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;border-width:0px
1px 0px
0px;border-style:solid;border-color:gray
rgb(204,204,204) gray
gray;padding:0px"> </td>
<td
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;border:0px
solid gray"> </td>
<td
style="color:rgb(0,0,0);font-family:Arial,sans-serif;font-size:11px;margin:8px;width:116px;border:0px
solid gray">
<p><img
src="http://www.ami.cz/images/podpis/ami_logo.gif"
alt="AMI Praha a.s."
style="border: 0px;"
moz-do-not-send="true"></p>
</td>
</tr>
<tr
style="padding:0px;margin:0px;border:0px
solid gray">
<td colspan="7"
style="color:rgb(0,0,0);font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10px;padding:0px;width:480px;border:0px
solid gray"><br>
<a
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"
target="_blank"
moz-do-not-send="true"><img
src="http://www.ami.cz/images/podpis/AMI-podpis-IdM_1.png"
alt="AMI Praha a.s."
style="border: 0px; width: 480px;
height: 82px;"
moz-do-not-send="true"></a></td>
</tr>
<tr
style="padding:0px;margin:0px;border:0px
solid gray">
<td colspan="7"
style="color:rgb(128,128,128);font-family:Arial,sans-serif;font-size:11px;padding:0px;border:0px
solid gray"><br>
Textem tohoto e-mailu podepisující
neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.<br>
jakoukoliv smlouvu. Každá smlouva,
pokud bude uzavřena, musí mít výhradně
písemnou formu.<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</body>
</html>