<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hello Keith,<br></div><div><br data-mce-bogus="1"></div><div>It's been a long time (almost years) since I last touched the approvals, so my answer is not guaranteed to be 100% complete.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Generally, you can use dynamic filters (using expressions) in the approverRef item in the approval schema. These are evaluated at <a data-mce-href="https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127" href="https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127">https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127</a>. Unfortunately, it looks like there is no role variable at your disposal there.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>An alternative would be to use the approverExpression item in the stage definition. You could try that, and e.g. list all available Groovy variables to see if there is something useful there.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>A third - and maybe preferred - way is to abandon the "owner" custom attribute and use a custom relation instead. So instead of a role -> user link you would have a user -> role link, differentiated by a specific relation in the targetRef. 
This is how approvals are done in midPoint regularly.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Hope this helps,<br data-mce-bogus="1"></div><div>Pavol<br data-mce-bogus="1"></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Keith LeValley via midPoint" <midpoint@lists.evolveum.com><br><b>To: </b>midpoint@lists.evolveum.com<br><b>Cc: </b>"Keith LeValley" <klevalley2@davenport.edu><br><b>Sent: </b>Monday, February 15, 2021 8:23:33 PM<br><b>Subject: </b>[midPoint] Dynamic Role Approval Authority<br></div><div><br></div><div data-marker="__QUOTED_TEXT__"><div dir="ltr">I might be on a little bit of a fishing expedition with this one so if I am way off base please point me in the right direction.<br><div>I am trying to set up a "meta-role" that will dynamically assign an approval authority process based on an attribute within the role assigned to the meta-role.  So I created a custom attribute for roles called "owner" and I want to assign a role name that will act as the approval authority.  
I started with the example shown below:<br><div><inducement><br>        <policyRule><br>            <policyConstraints><br>                <assignment/><br>            </policyConstraints><br>            <policyActions><br>                <approval><br>                    <compositionStrategy><br>                        <order>20</order><br>                    </compositionStrategy><br>                    <approvalSchema><br>                        <stage><br>                            <name>Security</name><br>                            <approverRef relation="org:default" type="c:RoleType"><br>                                <filter><br>                                    <q:equal><br>                                        <q:path>name</q:path><br>                                        <q:value>csc</q:value><br>                                    </q:equal><br>                                </filter><br>                                <resolutionTime>run</resolutionTime><br>                            </approverRef><br>                            <evaluationStrategy>firstDecides</evaluationStrategy><br>                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers><br>                            <groupExpansion>onWorkItemCreation</groupExpansion><br>                        </stage><br>                    </approvalSchema><br>                </approval><br>            </policyActions><br>        </policyRule><br>    </inducement></div><br><br><div>So I plug this into my "meta-role" and any role assigned to it now requires approval from the group/role named "csc".  
The problem is this is still static, so I am hoping to somehow take the example above and turn it into something like this below:</div><br><div>                               <filter><br>                                    <q:equal><br>                                        <q:path>name</q:path><br>                                        <q:value>$owner</q:value><br>                                    </q:equal><br>                                </filter></div><br><div>The above doesn't work and I am not sure this is even possible.<br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Keith LeValley<br><div><font face="arial, helvetica, sans-serif">Identity Services Architect</font>, Davenport University</div><div>phone:  (616) 732-1102</div><div><a href="mailto:klevalley2@davenport.edu" target="_blank" rel="nofollow noopener noreferrer">klevalley2@davenport.edu<br></a><br data-mce-bogus="1"></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div></body></html>