<globalPolicyRule>
<name>Role Management - Business role - adding/removing IT role</name>
<policyConstraints>
<modification>
<item>inducement</item>
</modification>
</policyConstraints>
<policyActions>
<approval>
<processSpecification>
<deltaFrom>
<itemValue>inducement</itemValue>
</deltaFrom>
<includeActionIfPresent>RM Role Owner - nonDraft</includeActionIfPresent>
<includeActionIfPresent>RM Security</includeActionIfPresent>
<includeActionIfPresent>RM SoD</includeActionIfPresent>
<includeActionIfPresent>RM Escalation of Role owners and Inducement owners</includeActionIfPresent>
<includeActionIfPresent>RM Timeout for Security + SoD</includeActionIfPresent>
<includeActionIfPresent>RM Timeout for Role creator</includeActionIfPresent>
</processSpecification>
<compositionStrategy>
<order>20</order>
</compositionStrategy>
<approvalSchema>
<level>
<name>Inducement owner approval</name>
<approverExpression>
<script>
<code>
import javax.xml.namespace.QName;
import com.evolveum.midpoint.schema.*;
import com.evolveum.midpoint.schema.constants.*
import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
import com.evolveum.prism.xml.ns._public.types_3.*;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
import com.evolveum.midpoint.prism.query.*;
import com.evolveum.midpoint.prism.*
// Approver expression for the "Inducement owner approval" level: walks the
// modifications in `objectDelta` (the change to the business role), looks for
// the inducement item, and returns the OIDs of the users who must approve it:
//   - inducement of an IT role      -> users holding the owner relation to that role
//   - inducement of a construction  -> members of the "<resource name> Admins" org,
//                                      or of a hard-coded fallback org when that is missing
// Returns null when no inducement modification matched; the enclosing level has
// <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>, so an empty/null result is
// presumably a rejection rather than an auto-approve - confirm against the midPoint version in use.
// NOTE(review): `midpoint`, `basic`, `objectDelta` are script-binding variables supplied by the
// expression environment; their exact contracts are not visible here.
for (def mod : objectDelta?.getModifications()) { // look for modifications
// Groovy `!=` delegates to equals(), so this is a structural path comparison, not identity.
if (mod.getPath() != new ItemPath(RoleType.F_INDUCEMENT)) {
continue; // interested only in inducements
}
for (def val : mod?.getValues()) { // returns all values regardless of whether they are added or removed or replaced
def targetRef = val.findItem(new ItemPath(new QName("targetRef")))?.getValue(); // look for referenced role objects
def resourceRef = val.findItem(new ItemPath(new QName("construction")))?.getValue()
?.findItem(new ItemPath(new QName("resourceRef")))?.getValue(); // look for referenced resource objects
// A targetRef whose targetType is unset would match neither branch and fall through to `return null`
// (i.e. reject, see outcomeIfNoApprovers) - presumably intended; confirm.
if (targetRef?.getTargetType() == RoleType.COMPLEX_TYPE) { // roles
// Approvers = users whose roleMembershipRef points at the referenced role with the owner relation.
def ownerRef = new PrismReferenceValue(targetRef.getOid(), RoleType.COMPLEX_TYPE);
ownerRef.setRelation(SchemaConstants.ORG_OWNER);
ObjectFilter ownerFilter = QueryBuilder.queryFor(UserType.class, midpoint.getPrismContext())
.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ownerRef).buildFilter();
def ownerQuery = ObjectQuery.createObjectQuery(ownerFilter);
def owners = midpoint.searchObjects(UserType.class, ownerQuery); // find IT role owners
// Returns on the first matching value; remaining values of this modification are not examined.
// Presumably each inducement value gets its own process via <deltaFrom><itemValue>inducement</itemValue>
// in the enclosing processSpecification - confirm, otherwise one value's owners would approve the whole delta.
return owners.collect {u -> u.getOid()};
}
else if (resourceRef?.getTargetType() == ResourceType.COMPLEX_TYPE) { // resources
// Approvers = members of the org named "<resource display name> Admins".
// The following assignments have no `def`, so they are script-binding variables rather than locals.
resName = basic.stringify(midpoint.getObject(ResourceType.class, resourceRef?.oid)?.name);
resourceAdminsOrgOid = midpoint.getOrgByName(resName + " Admins")?.oid;
// Security-relevant: when the per-resource admin org does not exist, approval authority is widened
// to a generic, hard-coded fallback org; a renamed or missing admin org silently routes to it.
effResourceAdminsOrgOid = (resourceAdminsOrgOid == null)?"vfcz-org-resource-approvers":resourceAdminsOrgOid //fallback when specific resource org is missing
resourceAdminsRefs = midpoint.getMembersAsReferences(effResourceAdminsOrgOid)
// `?.collect` yields null if the member lookup itself returned null (treated like "no approvers").
return resourceAdminsRefs?.collect {ref -> ref.getOid()};
}
}
}
//log.info ("Found no approvers for inducement");
// No inducement modification with a recognised target: no approvers.
return null;
</code>
</script>
</approverExpression>
<evaluationStrategy>firstDecides</evaluationStrategy>
<groupExpansion>onWorkItemCreation</groupExpansion>
<outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
<duration>$(vfcz.wf.duration.rm.short)</duration>
</level>
</approvalSchema>
</approval>
</policyActions>
<focusSelector>
<type>RoleType</type>
</focusSelector>
<c:condition>
<c:expression>
<c:value>$(vfcz.wf.enable)</c:value>
</c:expression>
</c:condition>
</globalPolicyRule>