<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      This is exactly the point.<br>
      <br>
      The original idea was to use "secondary approvals" by system
      administrators so they will be aware of all the accounts that are
      created on their systems. We have used a similar approach in
      first-generation (pre-midPoint) IDM deployments. But in fact, as
      far as I know, it was never used in practice as it was quite
      useless. The problem is if the system administrator rejects the
      secondary delta, but the primary delta is executed. The result is
      a situation that violates the policy: the roles say that there
      should be an account, but the account is not there. So midPoint
      will try to create the account again and again.<br>
      <br>
      Early in midPoint design and development we thought that "secondary
      approvals" might be needed. We were not sure. So we have designed
      midPoint to allow for this option sometime in the future. It was
      just an architectural construct with just a partial
      implementation. It was never fully implemented. But up until now
      there was no demand for this feature. Therefore we had no plans to
      finish the implementation. In fact, we were thinking about phasing
      out the secondary approval option altogether.<br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
      <br>
      <br>
      On 12/14/2017 12:51 PM, Pavol Mederly wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:ade29216-1db9-9e3c-3a58-e3b7066b7599@evolveum.com">
      <p>Hello Oskar,</p>
      <p>the crucial question is: what should midPoint do if such a
        secondary change would get rejected?<br>
      </p>
      <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
      <div class="moz-cite-prefix">On 14.12.2017 11:34, Oskar Butovič -
        AMI Praha a.s. wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:CAE8MtZCSmm6puNLFMv4eDBV=LOUat=PV7v-T=obUhg9pevpfvQ@mail.gmail.com">
        <div dir="ltr">Hello everybody,
          <div><br>
          </div>
          <div>I was wondering whether I can enforce executing an approval
            workflow upon an assignment which is in the secondary delta,
            e.g. a role assignment synchronized from an external system or
            a role assigned by an object template based on some attribute
            values.</div>
          <div><br>
          </div>
          <div>I have some ideas:</div>
          <div>- can it be configured by policy rules alone?</div>
          <div>- can it be done by generalChangeProcessor <a
href="https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+3:+using+general+change+processor"
              moz-do-not-send="true">https://wiki.evolveum.com/display/midPoint/How+to+develop+your+own+approval+processes+-+case+3:+using+general+change+processor</a>
            ?</div>
          <div>- If all else fails, would moving the assignment delta
            from secondary to primary via a hook do the trick?</div>
          <div><br>
          </div>
          <div>Could any of those ideas work?</div>
          <div><br>
          </div>
          <div>Best Regards</div>
          <div>Oskar Butovič</div>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
      </blockquote>
    </blockquote>
    <br>
    <br>
  </body>
</html>