Approval

Last modified 14 Mar 2024 12:46 +01:00

Approval is perhaps the most frequently used type of workflow in IDM solutions. It is used so often that the approval process has a special place in midPoint. The approval mechanisms are pre-defined and pre-configured in such a way that the majority of approval scenarios can be implemented with a purely declarative approach. Workflow process modeling is almost never needed.

Basic Idea

MidPoint does not have any special way to request something. For example, there is no dedicated mechanism to request the assignment of a role or to request the creation of a new organizational unit. The request is simply the operation itself: a user requests an assignment of a role simply by trying to assign the role to himself. When midPoint encounters such an operation, it consults the policies (Policy Rules) and decides whether the operation needs to be driven through an approval process. If an approval is needed, midPoint automatically computes the approvers and starts a workflow process to drive the approvals. When the approval process is done, midPoint gathers the results and proceeds with the operation.

Therefore the only thing that is usually needed to set up an approval mechanism is the definition of the approvers and the policy rules. MidPoint will take care of the rest.

There are two broad categories for approvals: assignment approval and lifecycle approvals. These are described in the following sections.

Assignment Approval

Assignment approvals decide whether a user can have some kind of assignment. This usually means approval of a role assignment. The process usually goes like this:

  • User selects a role in the midPoint user interface (shopping cart). The user simply selects the roles and clicks on the "request" button. What the user does not see is that this in fact starts an operation that adds a new assignment to the user object (UserType).

  • When that operation is evaluated, internal algorithms in midPoint analyze all the requested roles. MidPoint evaluates role hierarchies and metaroles, gathers all the applicable policy rules and applies the default policies. This determines how the role assignment needs to be approved, and by whom. It also determines whether the role can be assigned at all (e.g. whether the assignment violates SoD constraints).

  • If there are any approvers, midPoint suspends the operation and drives it through an approval workflow.

  • After approvals are done the operation continues (if it was approved) or it is discarded.

The default policy in midPoint is to drive the request through approvals only if there are any approvers defined for the role. If no approvers are defined then the request is not driven through the approval process and it is automatically executed. This default can be changed by properly setting up the policy rules.

Default role approvers are defined using the assignment mechanism. Role approvers have an assignment pointing to the role that they are approving, with the Relation set to approver. The default midPoint policy looks for these assignments.
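As an added illustration (not taken from the original page), this is how an assignment-based approver definition looks in midPoint XML: the approving user gets an assignment to the role with the relation `org:approver`, alongside an ordinary member assignment for comparison. The OIDs are placeholders.

```xml
<!-- Added example, not part of the original page. OIDs are placeholders;
     replace them with the identifiers of the real objects. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="REPLACE-WITH-USER-OID">
    <name>approver.jane</name>

    <!-- Ordinary membership: jane herself holds the "Basic Employee" role.
         No relation attribute means the default (member) relation. -->
    <assignment>
        <targetRef oid="REPLACE-WITH-BASIC-EMPLOYEE-ROLE-OID" type="RoleType"/>
    </assignment>

    <!-- Approver assignment: this does NOT grant "Finance Admin" to jane.
         Because the relation is org:approver, the default policy treats jane
         as an approver for every request that tries to assign that role. -->
    <assignment>
        <targetRef oid="REPLACE-WITH-FINANCE-ADMIN-ROLE-OID"
                   type="RoleType"
                   relation="org:approver"/>
    </assignment>
</user>
```

A role with no such approver assignments is, under the default policy described above, assigned without any approval step; the request is executed immediately.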

Approval in midPoint 3.4.1 and earlier

MidPoint 3.4.1 and earlier did not have the mechanism of policy rules and therefore used a slightly different mechanism to define role approvers. The approvers were not defined using assignments; they were defined as a property of the role. This mechanism still works in midPoint 3.5, but because of its limited flexibility and maintainability, midPoint deployments that use this legacy mechanism are advised to migrate to the assignment-based mechanism as soon as possible.

Lifecycle Approval

Lifecycle approvals take place when an object is changed, e.g. when a new organizational unit is created, when a role definition is modified, when a role is deprecated and so on. The lifecycle approval process is very similar to that of assignment approval. The lifecycle approval goes like this:

  • User creates or modifies an object, e.g. a junior role engineer creates a new role. An operation to add a new role object is started in midPoint.

  • When that operation is evaluated, internal algorithms in midPoint analyze the policy rules that are applicable to the new role. As the role is new, the global policy rules are applied. These policy rules may define an approver for the role modification.

  • MidPoint suspends the operation and starts an approval workflow.

  • After approvals are done the operation continues (if it was approved) or it is discarded.
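The lifecycle case from the list above, expressed as midPoint configuration (an added example, not taken from the original page): a global policy rule in the system configuration that requires approval whenever a role object is added. Element names follow midPoint's policy rule schema; the approver OID is a placeholder.

```xml
<!-- Added example, not part of the original page. The approver OID is a
     placeholder; point it at the user who owns role engineering. -->
<systemConfiguration
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>SystemConfiguration</name>

    <globalPolicyRule>
        <name>approve-new-roles</name>

        <!-- Trigger: the focus object is being created (an "add" operation).
             Modifications and deletions of existing roles are not matched. -->
        <policyConstraints>
            <modification>
                <operation>add</operation>
            </modification>
        </policyConstraints>

        <!-- Action: suspend the operation and run it through approval by the
             referenced user. Without this action the add would execute at once. -->
        <policyActions>
            <approval>
                <approverRef oid="REPLACE-WITH-ROLE-OWNER-USER-OID" type="UserType"/>
            </approval>
        </policyActions>

        <!-- Scope: apply only when the object being added is a role, so that
             creating users or organizational units is not affected. -->
        <focusSelector>
            <type>RoleType</type>
        </focusSelector>
    </globalPolicyRule>
</systemConfiguration>
```

Because the rule is global, it applies to a role that does not exist yet, which is exactly the situation in which the role itself cannot carry any policy rules of its own.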

See Role Lifecycle page for more details about specific use of lifecycle approval to control role lifecycle.

MidPoint 3.5 or later

This functionality is available in midPoint 3.5 and later. Although it was present, in some form, also in midPoint 3.4.1 and earlier (using approval aspects), it is strongly recommended to use the new, policy-rule-based mechanism instead.
