<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="04f5680a-b400-45c1-8522-946f39b6389d"
      version="1">
    <name>REST Search Objects</name>
    <description></description>
    <activation/>
    <authorization>
        <name>rest-search</name>
        <description></description>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#searchObjects</action>
    </authorization>
    <authorization>
        <name>rest-search</name>
        <description></description>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#getObject</action>
    </authorization>
</role>
Access Request Approval
Description
This use case is only partially supported in the current state of the REST API. A "piece of the puzzle" is still missing. Please endorse the development of the missing functionality with your midPoint subscription.
The example represents a use case in which an authorized user has requested access (e.g. a role assignment request). As an approver, we can now list all open work items assigned to us and choose an approval action. The workflow is based on the default "approval" mechanism of midPoint, where a specific user is assigned with the 'approver' relation to a role whose assignment that user should approve.
Example
In our examples we authenticate with the user name "administrator" and the password "y0uR_P455woR*d" on a localhost instance running on port 8080.
For some help regarding the REST examples please see this link:
We are following up to the example described in this documentation article.
- To be able to read the created work items, the user needs a set of authorizations permitting these actions. (See example)
- Execute the search request as the user who wants to execute an approval action on their cases.
- Select a specific case and execute the action you would like to take on it. (Not yet implemented; please endorse the MID-6067 improvement.)
In addition to the REST Search Objects role shown on this page, our example also used the out-of-the-box "Approver" role, which is part of every midPoint distribution package. The first one supplies us with UI authorizations, the second with the Model authorizations.
curl --user 'administrator:y0uR_P455woR*d' \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -X POST 'http://localhost:8080/midpoint/ws/rest/cases/search?options=resolveNames' \
  -v \
  --data-binary @./samples/rest/query-asignee-approve-access.json
Data source example for "Search For Open Cases For Specific Approver":
{
  "query": {
    "filter": {
      "text": "state = \"open\" AND workItem/assigneeRef/@/name =\"JohnM\""
    }
  }
}
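One way to build the search request above from a script, as an added example that is not part of the midPoint documentation: the approver name is checked against an allow-list before it is placed inside the quoted filter string, so a name containing a quote cannot change the filter. `build_case_search`, `NAME_RE` and the allowed character set are assumptions of this example; the request is constructed but not sent.

```python
import base64
import json
import re
import urllib.request

# Assumption of this example: approver names only use these characters.
NAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def build_case_search(base_url, approver_name, user, password):
    """Return an unsent POST request for the open-cases search shown on this page."""
    # Reject anything that could close the quoted literal in the filter text.
    if not NAME_RE.fullmatch(approver_name):
        raise ValueError("approver name contains characters not allowed in the filter")
    filter_text = f'state = "open" AND workItem/assigneeRef/@/name ="{approver_name}"'
    # json.dumps takes care of escaping the inner double quotes for the JSON body.
    body = json.dumps({"query": {"filter": {"text": filter_text}}}).encode("utf-8")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + "/ws/rest/cases/search?options=resolveNames",
        data=body,
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": "Basic " + token,
        },
    )
```

Passing the returned object to `urllib.request.urlopen` sends the same request as the curl command above.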
On success, the response is HTTP 200 with a response body containing the queried items.
The example output is a list of objects.
{
  "@ns" : "http://prism.evolveum.com/xml/ns/public/types-3",
  "object" : {
    "@type" : "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3#ObjectListType",
    "object" : [ {
      "@type" : "c:CaseType",
      "oid" : "b0de0420-7848-4981-88f8-c21b415fcabb",
      "version" : "1",
      "name" : {
        "orig" : "Assigning role \"Basic Employee\" to user \"Jack\"",
        "norm" : "assigning role basic employee to user jack",
        "translation" : {
          "key" : "DefaultPolicyConstraint.Short.assignmentModification.toBeAdded",
          "argument" : [ {
            "translation" : {
              "key" : "ObjectSpecification",
              "argument" : [ {
                "translation" : {
                  "key" : "ObjectTypeLowercase.RoleType",
                  "fallback" : "RoleType"
                }
              }, {
                "value" : "Basic Employee"
              } ]
            }
          }, {
            "translation" : {
              "key" : "ObjectSpecification",
              "argument" : [ {
                "translation" : {
                  "key" : "ObjectTypeLowercase.UserType",
                  "fallback" : "UserType"
                }
              }, {
                "value" : "Jack"
              } ]
            }
          } ]
        }
      },
      "metadata" : {},
      "assignment" : {},
      "archetypeRef" : {},
      "parentRef" : {
        "oid" : "e2f64612-c616-4e08-bace-e9308232553f",
        "relation" : "org:default",
        "type" : "c:CaseType",
        "targetName" : "Approving and executing change of user \"Jack\" (started Mar 7, 2024, 10:10:59 AM)"
      },
      "objectRef" : {
        "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
        "relation" : "org:default",
        "type" : "c:UserType",
        "targetName" : "Jack"
      },
      "targetRef" : {
        "oid" : "96262f4f-053a-4b0b-8901-b3ec01e3509c",
        "relation" : "org:default",
        "type" : "c:RoleType",
        "targetName" : "employee"
      },
      "requestorRef" : {
        "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
        "relation" : "org:default",
        "type" : "c:UserType",
        "targetName" : "Jack"
      },
      "state" : "open",
      "event" : {
        "@type" : "c:CaseCreationEventType",
        "@id" : 3,
        "timestamp" : "2024-03-07T10:10:59.720+01:00",
        "initiatorRef" : {
          "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
          "relation" : "org:default",
          "type" : "c:UserType",
          "targetName" : "Jack"
        }
      },
      "workItem" : {
        "@id" : 4,
        "name" : {
          "orig" : "Assigning role \"Basic Employee\" to user \"Jack\"",
          "norm" : "assigning role basic employee to user jack",
          "translation" : {
            "key" : "DefaultPolicyConstraint.Short.assignmentModification.toBeAdded",
            "argument" : [ {
              "translation" : {
                "key" : "ObjectSpecification",
                "argument" : [ {
                  "translation" : {
                    "key" : "ObjectTypeLowercase.RoleType",
                    "fallback" : "RoleType"
                  }
                }, {
                  "value" : "Basic Employee"
                } ]
              }
            }, {
              "translation" : {
                "key" : "ObjectSpecification",
                "argument" : [ {
                  "translation" : {
                    "key" : "ObjectTypeLowercase.UserType",
                    "fallback" : "UserType"
                  }
                }, {
                  "value" : "Jack"
                } ]
              }
            } ]
          }
        },
        "stageNumber" : 1,
        "createTimestamp" : "2024-03-07T10:10:59.847+01:00",
        "originalAssigneeRef" : {
          "oid" : "472001d8-839f-4a28-acdf-d8d1c81583b0",
          "relation" : "org:default",
          "type" : "c:UserType",
          "targetName" : "JohnM"
        },
        "assigneeRef" : {
          "oid" : "472001d8-839f-4a28-acdf-d8d1c81583b0",
          "relation" : "org:default",
          "type" : "c:UserType",
          "targetName" : "JohnM"
        }
      },
      "approvalContext" : {
        "changeAspect" : "com.evolveum.midpoint.wf.impl.processors.primary.policy.PolicyRuleBasedAspect",
        "deltasToApprove" : {
          "focusPrimaryDelta" : {
            "changeType" : "modify",
            "objectType" : "c:UserType",
            "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
            "itemDelta" : [ {
              "modificationType" : "add",
              "path" : "c:assignment",
              "value" : [ {
                "@type" : "c:AssignmentType",
                "targetRef" : {
                  "oid" : "96262f4f-053a-4b0b-8901-b3ec01e3509c",
                  "type" : "c:RoleType"
                }
              } ]
            } ]
          }
        },
        "immediateExecution" : false,
        "approvalSchema" : {
          "stage" : {
            "@id" : 2,
            "number" : 1,
            "approverRef" : {
              "oid" : "472001d8-839f-4a28-acdf-d8d1c81583b0",
              "relation" : "org:default",
              "type" : "c:UserType",
              "targetName" : "JohnM"
            },
            "outcomeIfNoApprovers" : "reject",
            "groupExpansion" : "byClaimingWorkItem"
          }
        },
        "policyRules" : { }
      },
      "stageNumber" : 1
    } ]
  }
}
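An added example (not code from the midPoint project) that reduces the response above to what an approver should check before acting: work items matched by assignee OID rather than display name, the role OIDs the delta actually adds, and whether the requestor is also the affected user. `pending_approvals`, `as_list` and `ref_oid` are hypothetical helpers; the sample is constructed from the response on this page and trimmed to the fields used.

```python
# Constructed sample: the response on this page, trimmed to the fields used below.
JACK = "a9885c61-c442-42d8-af34-8182a8653e3c"
JOHNM = "472001d8-839f-4a28-acdf-d8d1c81583b0"
ROLE = "96262f4f-053a-4b0b-8901-b3ec01e3509c"
SAMPLE = {"object": {"object": [{
    "oid": "b0de0420-7848-4981-88f8-c21b415fcabb", "state": "open",
    "objectRef": {"oid": JACK}, "targetRef": {"oid": ROLE}, "requestorRef": {"oid": JACK},
    "workItem": {"@id": 4, "stageNumber": 1, "assigneeRef": {"oid": JOHNM}},
    "approvalContext": {"deltasToApprove": {"focusPrimaryDelta": {
        "oid": JACK,
        "itemDelta": [{"modificationType": "add", "path": "c:assignment",
                       "value": [{"targetRef": {"oid": ROLE}}]}]}}},
}]}}


def as_list(value):
    """Accept a single object or a list; the sample shows workItem as one object."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ref_oid(obj, key):
    """OID of a reference such as objectRef, or None when it is absent."""
    return (obj.get(key) or {}).get("oid")


def pending_approvals(response, approver_oid):
    """Summarise open work items assigned to approver_oid (matched by OID, not name)."""
    rows = []
    for case in as_list(response.get("object", {}).get("object")):
        if case.get("state") != "open":
            continue
        ctx = case.get("approvalContext", {}).get("deltasToApprove", {})
        delta = ctx.get("focusPrimaryDelta", {})
        adds = [ref_oid(value, "targetRef")
                for item in as_list(delta.get("itemDelta"))
                if item.get("modificationType") == "add" and item.get("path") == "c:assignment"
                for value in as_list(item.get("value"))]
        for work_item in as_list(case.get("workItem")):
            assignees = [a.get("oid") for a in as_list(work_item.get("assigneeRef"))]
            if approver_oid not in assignees:
                continue
            rows.append({
                "case": case.get("oid"), "work_item": work_item.get("@id"), "adds": adds,
                # deltasToApprove is the change under approval; compare it with the case refs.
                "delta_matches_case": (delta.get("oid") == ref_oid(case, "objectRef")
                                       and adds == [ref_oid(case, "targetRef")]),
                "self_requested": ref_oid(case, "requestorRef") == ref_oid(case, "objectRef"),
            })
    return rows
```

For the sample on this page the single row reports `self_requested` as true, because `requestorRef` and `objectRef` both point to Jack.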