<html>Hello,<br /><br />I use the same thing; your end user needs to have authorization to read userType information (name min). If he doesn't, he cannot get the manager of the org.<br /><br /> <authorization><br /> <name>RE-READ-OtherUserName</name><br /> <description><br /> Allow to read name of all user, needed by workflow process<br /> </description><br /> <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action><br /> <object><br /> <type>UserType</type><br /> </object><br /> <c:item>name</c:item><br /> </authorization><br /><br /><br /><br />Another way, you can change the runas of your approver metarole<br /><br /><approverExpression><br /> <description>Get user's managers from parent Org</description><br /> <span style="color:#c0392b;"><runAsRef oid="00000000-0000-0000-0000-000000000002" /></span><br /> <script xsi:type="c:ScriptExpressionEvaluatorType"><br /> <code><br /> log.info("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n")<br /> log.error("Target : {}",target)<br /> log.error("Target OID : {}", target.parentOrgRef.oid[0])<br /> approvers = midpoint.getManagersOfOrg(target.parentOrgRef.oid[0])<br /> log.info("Approvers : {}", approvers)<br /> approvers.oid<br /> </code><br /> </script><br /> </approverExpression><br /><br /><br />--<p>Regards.</p><table class="MsoNormalTable" style="width:100.0%;border:none;border-top:solid #00BBDF 3.0pt" width="100%" cellspacing="0" cellpadding="0" border="1"><tbody><tr><td style="border: medium none; padding: 0cm; width: 301px;" valign="top"><table class="MsoNormalTable" style="margin-left: 7.5pt;" width="274" height="332" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="padding:0cm 0cm 0cm 0cm" valign="top"><p class="MsoNormal" style="margin-top:7.5pt;mso-margin-bottom-alt:auto"><b><span style="font-size:11.5pt;color:#1F497D;mso-fareast-language:FR">Sylvaire-Kevin TIPA</span></b><br /><i><span
style="font-size:10.0pt;color:gray;mso-fareast-language:FR">Infrastructure</span></i></p></td></tr><tr><td style="padding:3.75pt 0cm 3.75pt 0cm" valign="top"><b><span style="font-size:10.0pt;color:gray;mso-fareast-language:FR">THALES SERVICES SAS</span></b><br /><span style="font-size:10.0pt;color:gray;mso-fareast-language:FR">44 Quai Charles de Gaulle<br />CS 20100<br />69463 Lyon Cedex 06</span></td></tr><tr><td style="border:none;border-top:dotted #BFBFBF 1.0pt;padding:3.75pt 0cm 0cm 0cm" valign="top"><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;color:gray;mso-fareast-language:FR"><a href="http://www.thalesgroup.com/"><span style="color:gray">www.thalesgroup.com</span></a></span></p></td></tr></tbody></table></td></tr></tbody></table><br />-------- Original message --------<br />Subject: [midPoint] Approval by Org Manager - strange behavior<br />Date: Wednesday 11 April 2018 21:19 CEST<br />From: Wojciech Staszewski <wojciech.staszewski@diagnostyka.pl><br />Reply-To: midPoint General Discussion <midpoint@lists.evolveum.com><br />To: midPoint General Discussion <midpoint@lists.evolveum.com><br /><br /><br /> <blockquote type="cite" cite="b7e7d58f-1245-2459-1449-295649fc05b1@diagnostyka.pl">Hello!<br /><br />I have a role with approval by Org Manager.<br /><br />- If I (The SuperUser) assign this role to a common user, the workflow<br />is starting and manager gets a work item to do.<br />- If the user itself is requesting for the same role using SelfService,<br />the approval task is rejected automatically with "no approvers found"<br />message.<br /><br />The approval metarole inducement, this is Ctrl+C
& Ctrl+V from Evolveum<br />example, except evaluationStrategy:<br /><br /> <inducement id="2"><br /> <policyRule><br /> <policyConstraints><br /> <assignment id="1"/><br /> </policyConstraints><br /> <policyActions><br /> <approval id="3"><br /> <compositionStrategy><br /> <order>10</order><br /> </compositionStrategy><br /> <approvalSchema><br /> <level id="4"><br /> <name>Approval by organization managers (first decides)</name><br /> <approverExpression><br /> <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType"><br /> <code>midpoint.getManagersOidsExceptUser(object)</code><br /> </script><br /> </approverExpression><br /> <evaluationStrategy>firstDecides</evaluationStrategy><br /> <outcomeIfNoApprovers>reject</outcomeIfNoApprovers><br /> </level><br /> </approvalSchema><br /> </approval><br /> </policyActions><br /> </policyRule><br /> <activation><br /> <administrativeStatus>enabled</administrativeStatus><br /> </activation><br /> </inducement><br /><br />The user is a member of two Org Units. Only one of them has a manager.<br />But I unassigned the user from the one OU that has no manager, and this did not<br />help.<br /><br />V 3.7.1.<br />Any ideas? Thanks!<br />Wojciech Staszewski</blockquote><br /> </html>