
In this scenario we'll show four-stage approvals for role assignments. Assignment of each critical role will be approved at two to four stages, by the following actors:

  1. Stage 1. Approvers: manager(s) of the role assignee. Mode: "All must approve", i.e. if there are more managers (either because the user is a member of more organizations, or an organization has more than one manager), all of them must approve the request. Note: if there are no managers, the request will be rejected outright.
  2. Stage 2. Approvers: members of the Security Approvers organization. Mode: "First decides", i.e. the first member that provides a decision will approve the request (at this stage), or reject it altogether. Note: applicable only for selected roles.
  3. Stage 3. Approvers: members of the SoD Approvers organization. Mode: "First decides". Note: applicable only for selected roles.
  4. Stage 4. Approvers: approvers specific for the given role. Mode: either "All must approve" or "First decides", based on the configuration. Note: if there are no approvers, the request will be rejected.
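To make the composition rules above concrete, here is an added model (not midPoint's own code) of how the stages compose: stages run in compositionStrategy/order, each stage's evaluationStrategy is applied to its resolved approver list, and an empty list falls back to outcomeIfNoApprovers. The approver names, the decisions and the role's lack of approvers are constructed sample data; the SoD stage is left out because its order is not shown on this page.

```python
# Added illustration of the stage composition described on this page; it is
# not midPoint's own code. Stage attributes mirror the XML metaroles:
# compositionStrategy/order, evaluationStrategy and outcomeIfNoApprovers.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Stage:
    order: int                        # compositionStrategy/order (10, 20, 40 on this page)
    name: str
    approvers: List[str]              # approver list resolved for this request
    evaluation_strategy: str          # "allMustApprove" or "firstDecides"
    outcome_if_no_approvers: str = "reject"


def evaluate_stage(stage: Stage, decisions: List[Tuple[str, bool]]) -> bool:
    """Return True if the stage approves. `decisions` lists (approver, approved)
    pairs in the order in which they were recorded."""
    if not stage.approvers:
        # No approvers at all: outcomeIfNoApprovers decides (reject on this page).
        return stage.outcome_if_no_approvers == "approve"
    relevant = [(who, ok) for who, ok in decisions if who in stage.approvers]
    if stage.evaluation_strategy == "firstDecides":
        return bool(relevant) and relevant[0][1]   # first decision settles it
    if stage.evaluation_strategy == "allMustApprove":
        recorded = dict(relevant)
        return all(recorded.get(who) is True for who in stage.approvers)
    raise ValueError(f"unknown evaluationStrategy: {stage.evaluation_strategy}")


def evaluate_request(stages: List[Stage],
                     decisions: Dict[str, List[Tuple[str, bool]]]) -> Tuple[str, Optional[str]]:
    """Run stages in composition order and stop at the first rejection,
    because work items for later stages are then never created."""
    for stage in sorted(stages, key=lambda s: s.order):
        if not evaluate_stage(stage, decisions.get(stage.name, [])):
            return "reject", stage.name
    return "approve", None


# Constructed sample: the assignee belongs to two orgs (managers alice, carol),
# the role carries the security metarole, but no user holds it with relation approver.
STAGES = [
    Stage(10, "Line managers", ["alice", "carol"], "allMustApprove"),
    Stage(20, "Security", ["dave", "erin"], "firstDecides"),
    Stage(40, "Role approvers (all)", [], "allMustApprove"),
]
DECISIONS = {"Line managers": [("alice", True), ("carol", True)],
             "Security": [("erin", True), ("dave", False)]}

if __name__ == "__main__":
    print(evaluate_request(STAGES, DECISIONS))  # ('reject', 'Role approvers (all)')
```

Note that erin's early approval settles the Security stage even though dave rejects afterwards, while the request still fails at stage 4 because outcomeIfNoApprovers is reject.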

...

Code block: metarole-approval-line-managers (XML)
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="a97f27fe-db6f-4d94-99cd-753d1cab82ca">
    <name>metarole-approval-line-managers</name>
    <description>Requests to assign role holding this metarole will be approved by the line manager(s)</description>
    <displayName>Metarole: approval by the line manager(s)</displayName>
    <inducement>
        <policyRule>
            <policyConstraints>
                <assignment/>
            </policyConstraints>
            <policyActions>
                <approval>
                    <compositionStrategy>
                        <order>10</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage>
                            <name>Line managers</name>
                            <approverExpression>
                                <script>
                                    <code>midpoint.getManagersOidsExceptUser(object)</code>
                                </script>
                            </approverExpression>
                            <evaluationStrategy>allMustApprove</evaluationStrategy>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role>

...

Code block: metarole-approval-security (XML)
<role oid="9c0c224f-f279-44b5-b906-8e8418a651a2"
     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
   <name>metarole-approval-security</name>
   <description>Requests to assign role holding this metarole will be approved by the security officer(s)</description>
   <displayName>Metarole: approval by the security people</displayName>
   <inducement>
      <policyRule>
         <policyConstraints>
            <assignment/>
         </policyConstraints>
         <policyActions>
            <approval>
               <compositionStrategy>
                  <order>20</order>
               </compositionStrategy>
               <approvalSchema>
                  <stage>
                     <name>Security</name>
                     <approverRef type="OrgType">
                        <filter>
                           <q:equal>
                              <q:path>name</q:path>
                              <q:value>Security Approvers</q:value>
                           </q:equal>
                        </filter>
                        <resolutionTime>run</resolutionTime>
                     </approverRef>
                     <evaluationStrategy>firstDecides</evaluationStrategy>
                     <groupExpansion>onWorkItemCreation</groupExpansion>
                     <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                  </stage>
               </approvalSchema>
            </approval>
         </policyActions>
      </policyRule>
   </inducement>
</role>

...

  1. A work item is created for all members of the "group" (org or role). These users can claim the work item and complete it, or release it back. These users find the work items not in "My work items" but in the "Items claimable by me" menu.
  2. A separate work item is created for each member of the "group". These users are added to the list of approvers for the given approval schema stage. The stage's evaluation strategy (all must approve, first decides) is then applied to the complete list of approvers.

...

Code block: metarole-approval-role-approvers-all (XML)
<role oid="2dadd243-687d-4b4c-80cd-09ddfe4cbf59"
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>metarole-approval-role-approvers-all</name>
    <description>Requests to assign role holding this metarole will be approved by the role approver(s) using "all must approve" method</description>
    <displayName>Metarole: approval by the role approver(s) - all must approve</displayName>
    <inducement>
        <policyRule>
            <policyConstraints>
                <assignment/>
            </policyConstraints>
            <policyActions>
                <approval>
                    <compositionStrategy>
                        <order>40</order>
                    </compositionStrategy>
                    <approvalSchema>
                        <stage>
                            <name>Role approvers (all)</name>
                            <approverRelation>approver</approverRelation>
                            <evaluationStrategy>allMustApprove</evaluationStrategy>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </inducement>
</role>

This is quite self-explanatory. In this case, the approvers for the role are found by gathering the users that have the role assigned with the approver relation. If there are no such users, the request is rejected.

An execution example

When assigning role test-1 to bob, the following can be seen in the log (at the DEBUG level):

...