<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>I think I understand. One option (although maybe not the cleanest
      and nicest one) would be this:</p>
    <p>You could write a <a moz-do-not-send="true"
        href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks">scripting
        hook</a> that would detect when a user is added to the
      organization. The hook would be attached to the final state, so it
      would be activated only after the whole operation is executed. If
      the hook detects that the organization assignment was recently
      added, it would start a new operation of adding all the roles from
      the default set for that organization.</p>
    <p>The new operation would contain new assignments in its primary
      delta, so they could be approved or rejected, as necessary.</p>
    <p>But the approved roles would stay with the user indefinitely,
      even after he is unassigned from the organization. If you'd need
      to change this, you'd have to implement another hook that would
      take care of that.</p>
    <p>Hope this helps,<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 02.02.2018 14:45, Alcides Carlos de
      Moraes Neto wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAMLLNmm1XjTjSL2RFMXt37XO=RDuyMgyJq6bgvJfUcWzgKPTbA@mail.gmail.com">
      <div dir="ltr">
        <div>
          <div>Hi Pavol,<br>
            <br>
          </div>
          Thanks for the help. This is what I'm trying to accomplish: I
          want to be able to configure a set of roles to be a default
          set for an organization. For the roles I want to be applied
          every time, I can just use inducements, or mappings, from the
          OrgType, that's easy.<br>
        </div>
        <div>But I wanted some of the roles to be upon approval only,
          and I wanted the approval workflow to happen automatically, so
          as soon as the new employee is in the Org, his manager gets
          notified to approve his roles.<br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2018-02-01 19:36 GMT-02:00 Pavol
          Mederly <span dir="ltr"><<a
              href="mailto:mederly@evolveum.com" target="_blank"
              moz-do-not-send="true">mederly@evolveum.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <p>Hello Alcides Carlos,</p>
              <p>yes, it is intended so. There are some conceptual
                reasons behind it, mainly along the line of how we
                should react to rejection.</p>
              <p>What's your use case? Why do you want to approve
                something that was given by the mapping?</p>
              <p>Best regards,<br>
              </p>
              <pre class="m_39755774036504307moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
              <div>
                <div class="h5">
                  <div class="m_39755774036504307moz-cite-prefix">On
                    01.02.2018 21:19, Alcides Carlos de Moraes Neto
                    wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div>
                        <div>Hello list,<br>
                          <br>
                        </div>
                        I have a role that has a policy rule for
                        approval by the user's manager. It works when I
                        assign the role to a user manually.<br>
                      </div>
                      <br>
                      However, I now have a mapping in user template for
                      this role. Assignments from this mapping do not
                      start the approval workflow. Is this intended? Is
                      there a way to require approval from role assigned
                      from mappings?<br>
                    </div>
                    <br>
                    <fieldset
                      class="m_39755774036504307mimeAttachmentHeader"></fieldset>
                    <br>
                  </div>
                </div>
                <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_39755774036504307moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="m_39755774036504307moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
              </blockquote>
              <br>
            </div>
            <br>
            ______________________________<wbr>_________________<br>
            midPoint mailing list<br>
            <a href="mailto:midPoint@lists.evolveum.com"
              moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
            <a
              href="http://lists.evolveum.com/mailman/listinfo/midpoint"
              rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>