<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hello Keith,<br></div><div><br data-mce-bogus="1"></div><div>It's been a long time (almost years) since I last touched the approvals, so my answer is not guaranteed to be 100% complete.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Generally, you can use dynamic filters (using expressions) in the approverRef item in the approval schema. These are evaluated at <a data-mce-href="https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127" href="https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127">https://github.com/Evolveum/midpoint/blob/739c93db806cdd55af6c177e613ffba9212e5d8e/model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/impl/processors/primary/aspect/BasePrimaryChangeAspect.java#L122-L127</a>. Unfortunately, it looks like there is no role variable at your disposal there.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>An alternative would be to use the approverExpression item in the stage definition. You could try that, and e.g. list all available Groovy variables to see if there is something useful there.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>A third - and maybe preferred - way is to abandon the "owner" custom attribute and use a custom relation instead. So instead of a role -> user link you would have a user -> role link, differentiated by a specific relation in the targetRef. 
This is how approvals are done in midPoint regularly.<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>Hope this helps,<br data-mce-bogus="1"></div><div>Pavol<br data-mce-bogus="1"></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Keith LeValley via midPoint" &lt;midpoint@lists.evolveum.com&gt;<br><b>To: </b>midpoint@lists.evolveum.com<br><b>Cc: </b>"Keith LeValley" &lt;klevalley2@davenport.edu&gt;<br><b>Sent: </b>Monday, February 15, 2021 8:23:33 PM<br><b>Subject: </b>[midPoint] Dynamic Role Approval Authority<br></div><div><br></div><div data-marker="__QUOTED_TEXT__"><div dir="ltr">I might be on a little bit of a fishing expedition with this one so if I am way off base please point me in the right direction.<br><div>I am trying to set up a "meta-role" that will dynamically assign an approval authority process based on an attribute within the role assigned to the meta-role. So I created a custom attribute for roles called "owner" and I want to assign a role name that will act as the approval authority. 
I started with the example shown below:<br><div>&lt;inducement&gt;<br> &lt;policyRule&gt;<br> &lt;policyConstraints&gt;<br> &lt;assignment/&gt;<br> &lt;/policyConstraints&gt;<br> &lt;policyActions&gt;<br> &lt;approval&gt;<br> &lt;compositionStrategy&gt;<br> &lt;order&gt;20&lt;/order&gt;<br> &lt;/compositionStrategy&gt;<br> &lt;approvalSchema&gt;<br> &lt;stage&gt;<br> &lt;name&gt;Security&lt;/name&gt;<br> &lt;approverRef relation="org:default" type="c:RoleType"&gt;<br> &lt;filter&gt;<br> &lt;q:equal&gt;<br> &lt;q:path&gt;name&lt;/q:path&gt;<br> &lt;q:value&gt;csc&lt;/q:value&gt;<br> &lt;/q:equal&gt;<br> &lt;/filter&gt;<br> &lt;resolutionTime&gt;run&lt;/resolutionTime&gt;<br> &lt;/approverRef&gt;<br> &lt;evaluationStrategy&gt;firstDecides&lt;/evaluationStrategy&gt;<br> &lt;outcomeIfNoApprovers&gt;reject&lt;/outcomeIfNoApprovers&gt;<br> &lt;groupExpansion&gt;onWorkItemCreation&lt;/groupExpansion&gt;<br> &lt;/stage&gt;<br> &lt;/approvalSchema&gt;<br> &lt;/approval&gt;<br> &lt;/policyActions&gt;<br> &lt;/policyRule&gt;<br> &lt;/inducement&gt;</div><br><br><div>So I plug this into my "meta-role" and any role assigned to it now requires approval from the group/role named "csc". The problem is this is still static, so I am hoping to somehow take the example above and turn it into something like this below:</div><br><div> &lt;filter&gt;<br> &lt;q:equal&gt;<br> &lt;q:path&gt;name&lt;/q:path&gt;<br> &lt;q:value&gt;$owner&lt;/q:value&gt;<br> &lt;/q:equal&gt;<br> &lt;/filter&gt;</div><br><div>The above doesn't work and I am not sure this is even possible.<br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Keith LeValley<br><div><font face="arial, helvetica, sans-serif">Identity Services Architect</font>, Davenport University</div><div>phone: (616) 732-1102</div><div><a href="mailto:klevalley2@davenport.edu" target="_blank" rel="nofollow noopener noreferrer">klevalley2@davenport.edu<br></a><br data-mce-bogus="1"></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div></body></html>