<div dir="ltr">Pavol,<div>Thanks for the link and information. This explanation makes sense - the question of what the expected behavior would be in the event the approval is rejected is a critical one.</div><div><br></div><div>Given this explanation, in such scenarios, we may opt to trigger an approval workflow via policy constraints instead on the user attribute field - pausing the process before the default user template mapping ever takes place. Of course, this is with the understanding that we cannot truly stop the mapping since the mapping is automated via configuration - but that we would at least be injecting a review step when needed. Business rules would need to be in place for the approver to go directly to the source system to make necessary changes.</div><div><br></div><div>Appreciate the feedback!<br clear="all"><div><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div style="text-align:left"><br></div><div style="text-align:left">Brandon Powers</div><div><div style="text-align:left"><span>Exclamation Labs</span></div><span><div style="text-align:left">300 Washington Street</div></span><span><div style="text-align:left">Cumberland, MD 21502</div></span><div><a value="+18885455008" style="color:rgb(17,85,204)" href="tel:888.545.5008" target="_blank">888.545.5008</a><span style="color:rgb(34,34,34)"> or </span><a value="+13017225008" style="color:rgb(17,85,204)" href="tel:301.722.5008+ext+144" target="_blank">301.722.5008 ext 144</a></div><span><div style="text-align:left">fax <a value="+13017222183" style="color:rgb(17,85,204)">301.722.2183</a></div></span><div><a href="mailto:brandon@exclamationlabs.com" style="color:rgb(17,85,204)" target="_blank">brandon@exclamationlabs.com</a></div><span><div style="text-align:left"><a href="mailto:brandon@exclamationlabs.com" style="color:rgb(17,85,204);font-size:13px" 
target="_blank">www.exclamationlabs.com</a></div></span></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Oct 12, 2020 at 9:46 AM Pavol Mederly via midPoint &lt;<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello Brandon,</p>
<p>if I remember correctly, this question was opened once or twice
(in the last years), for example here:</p>
<p><a href="https://lists.evolveum.com/pipermail/midpoint/2017-December/004293.html" target="_blank">https://lists.evolveum.com/pipermail/midpoint/2017-December/004293.html</a></p>
<p>The basic question (posed also in the above mentioned thread) is:
what should midPoint do if there would be a rejection of the role
assignment?</p>
<p>To keep things consistent, the change would need to affect even
the source resource. So it would stop propagating the value to
the specific user attribute, and then to the role assignment.</p>
<p>Or, such a rejection would need to set up a flag that would be
respected by the mappings involved (inbound mapping providing user
attribute or template mapping providing the role assignment), so
that they would start ignoring the data coming from the source
resource. But this is definitely not a standard behavior of
the midPoint approvals component.</p>
<p>Hope this helps,<br>
</p>
<pre cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>On 12/10/2020 15:18, Brandon Powers via
midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hello all,</div>
<div><br>
</div>
<div>We are interested in approval workflows for assignments
that are applied to users automatically via default user
template mappings (utilizing assignmentTargetSearch). So far,
we've been unsuccessful in finding a way to trigger the
approval policy constraint when the assignment is made
automatically via an object template mapping (the approval
workflow does kick off when <i>manually</i> assigning the
org/role, however). </div>
<div><br>
</div>
<div>I've had a lot of trouble finding any documentation on the
matter to determine if this is supported or not, so I wanted
to reach out and see if anyone could offer any insight on the
matter? Perhaps there is undocumented functionality that
allows this, or a specific approach that should be taken.</div>
<div><br>
</div>
<div>For more context, we have auto assignments via the default
user template to assign orgs based on the value of a specific
user attribute which is defined from one of our resource's
inbound mappings.</div>
<div><br>
</div>
<div>Any insight on the matter from anyone is greatly
appreciated!</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote></div>