<!--
  Approval gate for changes to the inducements of a business role (focus type RoleType, see focusSelector).
  When an inducement is added/removed/replaced, the change is routed for approval to either the owners
  of the induced IT role or the admins of the induced resource (see the approverExpression script).
  The whole rule is switched on/off by the $(vfcz.wf.enable) property in the condition at the bottom:
  if that property resolves to false, this approval gate does not exist at all. Treat that property as
  security-sensitive deployment configuration.
-->
<globalPolicyRule>
<name>Role Management - Business role - adding/removing IT role</name>
<!-- Constraint: the rule fires on any modification of the "inducement" item of the role. -->
<policyConstraints>
<modification>
<item>inducement</item>
</modification>
</policyConstraints>
<policyActions>
<approval>
<processSpecification>
<!--
  NOTE(review): deltaFrom/itemValue presumably makes midPoint create one approval process per
  inducement value, so that objectDelta seen by the script below carries a single inducement.
  The script's early "return" inside its loop relies on that; confirm against the midPoint version in use.
-->
<deltaFrom>
<itemValue>inducement</itemValue>
</deltaFrom>
<!-- Other named approval actions that are composed into this process when they are present. -->
<includeActionIfPresent>RM Role Owner - nonDraft</includeActionIfPresent>
<includeActionIfPresent>RM Security</includeActionIfPresent>
<includeActionIfPresent>RM SoD</includeActionIfPresent>
<includeActionIfPresent>RM Escalation of Role owners and Inducement owners</includeActionIfPresent>
<includeActionIfPresent>RM Timeout for Security + SoD</includeActionIfPresent>
<includeActionIfPresent>RM Timeout for Role creator</includeActionIfPresent>
</processSpecification>
<compositionStrategy>
<order>20</order>
</compositionStrategy>
<approvalSchema>
<level>
<name>Inducement owner approval</name>
<!--
  Approver resolution. The script returns a list of user OIDs (or null).
  Fail-closed behaviour comes from outcomeIfNoApprovers=reject below: an empty list or null
  returned here rejects the change instead of letting it through unapproved.
-->
<approverExpression>
<script>
<code>
import javax.xml.namespace.QName;
import com.evolveum.midpoint.schema.*;
import com.evolveum.midpoint.schema.constants.*
import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
import com.evolveum.prism.xml.ns._public.types_3.*;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
import com.evolveum.midpoint.prism.query.*;
import com.evolveum.midpoint.prism.*
// objectDelta is the delta under approval; walk its item modifications.
for (def mod : objectDelta?.getModifications()) { // look for modifications
// Groovy "!=" on objects is !equals(). NOTE(review): a modification whose path carries a
// container id (e.g. a change inside one particular inducement) is presumably not equal to the
// bare "inducement" path and is skipped here, which ends in "return null" and therefore a reject.
// Confirm whether such sub-item edits should instead be routed to the same approvers.
if (mod.getPath() != new ItemPath(RoleType.F_INDUCEMENT)) {
continue; // interested only in inducements
}
for (def val : mod?.getValues()) { // returns all values regardless of whether they are added or removed or replaced
// Unqualified QNames: relies on findItem matching by local name (presumably; verify on the prism version in use).
def targetRef = val.findItem(new ItemPath(new QName("targetRef")))?.getValue(); // look for referenced role objects
def resourceRef = val.findItem(new ItemPath(new QName("construction")))?.getValue()
?.findItem(new ItemPath(new QName("resourceRef")))?.getValue(); // look for referenced resource objects
// Branch 1: the inducement points at a role. A targetRef without a target type does not match
// either branch and ends in "return null" (reject).
if (targetRef?.getTargetType() == RoleType.COMPLEX_TYPE) { // roles
// Owners are users whose roleMembershipRef contains the induced role with the "owner" relation.
def ownerRef = new PrismReferenceValue(targetRef.getOid(), RoleType.COMPLEX_TYPE);
ownerRef.setRelation(SchemaConstants.ORG_OWNER);
ObjectFilter ownerFilter = QueryBuilder.queryFor(UserType.class, midpoint.getPrismContext())
.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ownerRef).buildFilter();
def ownerQuery = ObjectQuery.createObjectQuery(ownerFilter);
def owners = midpoint.searchObjects(UserType.class, ownerQuery); // find IT role owners
// Returns on the first matching value: any further values in this delta are not consulted
// (acceptable only if each approval process carries a single inducement, see deltaFrom above).
// An empty search result yields an empty list, which the level treats as "no approvers" (reject).
return owners.collect {u -> u.getOid()};
}
// Branch 2: the inducement carries a construction on a resource.
else if (resourceRef?.getTargetType() == ResourceType.COMPLEX_TYPE) { // resources
// NOTE(review): resourceRef?.oid may be null for a reference without an OID; what getObject does with
// a null OID here is not visible in this file.
resName = basic.stringify(midpoint.getObject(ResourceType.class, resourceRef?.oid)?.name);
// The approver org is looked up by a name derived from the resource name plus " Admins".
// NOTE(review): this couples approver selection to a (presumably editable) resource name; a rename
// silently changes which org, if any, is found.
resourceAdminsOrgOid = midpoint.getOrgByName(resName + " Admins")?.oid;
// NOTE(review): the fallback silently routes approval to a generic approver org when the
// resource-specific one is missing, i.e. it widens the approver set without any trace. Consider
// logging when the fallback is taken so a missing admins org is noticed.
effResourceAdminsOrgOid = (resourceAdminsOrgOid == null)?"vfcz-org-resource-approvers":resourceAdminsOrgOid //fallback when specific resource org is missing
resourceAdminsRefs = midpoint.getMembersAsReferences(effResourceAdminsOrgOid)
// Empty membership yields an empty list, which the level treats as "no approvers" (reject).
return resourceAdminsRefs?.collect {ref -> ref.getOid()};
}
}
}
// No role or resource inducement found: null means "no approvers", which rejects the change (fail closed).
//log.info ("Found no approvers for inducement");
return null;
</code>
</script>
</approverExpression>
<!-- One approver's decision settles the level; the group is expanded to members when the work item is created. -->
<evaluationStrategy>firstDecides</evaluationStrategy>
<groupExpansion>onWorkItemCreation</groupExpansion>
<!-- Fail closed: no approvers (empty list or null from the script) rejects the change. -->
<outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
<!-- Work item duration comes from deployment configuration. -->
<duration>$(vfcz.wf.duration.rm.short)</duration>
</level>
</approvalSchema>
</approval>
</policyActions>
<!-- Applies to role objects only. -->
<focusSelector>
<type>RoleType</type>
</focusSelector>
<!-- Master switch for this rule; see the header comment. -->
<c:condition>
<c:expression>
<c:value>$(vfcz.wf.enable)</c:value>
</c:expression>
</c:condition>
</globalPolicyRule>