Access Request Approval

Last modified 13 Mar 2024 13:32 +01:00

Description

This use case is only partially supported in the current state of the REST API. A "piece of the puzzle" is still missing. Please endorse the development of the missing functionality with your midPoint subscription.

The example represents a use case where an authorized user has requested access (e.g. a role assignment request). As an approver, we can now list all open work items assigned to us and choose an approval action. The workflow is based on the default "approval" mechanism of midPoint, where a specific user is assigned with the 'approver' relation to a role whose assignment should be approved by him.

Authentication methods used to work with the REST API

Authentication methods

Example

In our examples we authenticate with the user name "administrator" and the password "y0uR_P455woR*d" against a localhost instance running on port 8080.

For some help regarding the REST examples please see this link:

This example follows up on the one described in this documentation article.

  1. To read the created work items, the user needs a set of authorizations permitting these actions (see the example).

  2. Execute the search request as the user who wants to take the approval action on their cases.

  3. Select a specific case and execute the action you would like to take on it. (Not yet implemented; please endorse the MID-6067 improvement.)

In addition to the REST Search Objects role shown below, our example also uses the out-of-the-box "Approver" role, which is part of every midPoint distribution package. The first one supplies us with the UI authorizations, the second with the Model authorizations.

Example authorization for "Search for Open Cases For Specific Approval":
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
        xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        oid="04f5680a-b400-45c1-8522-946f39b6389d"
        version="1">

    <name>REST Search Objects</name>
    <description></description>
    <activation/>
    <authorization>
        <name>rest-search</name>
        <description></description>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#searchObjects</action>
    </authorization>
    <authorization>
        <name>rest-search</name>
        <description></description>
        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-rest-3#getObject</action>
    </authorization>
</role>
Search For Open Cases For Specific Approver
curl --user 'administrator:y0uR_P455woR*d' \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-X POST 'http://localhost:8080/midpoint/ws/rest/cases/search?options=resolveNames' \
-v \
--data-binary @./samples/rest/query-asignee-approve-access.json
Data source example for "Search For Open Cases For Specific Approver":
{
  "query": {
    "filter": {
      "text": "state = \"open\" AND workItem/assigneeRef/@/name =\"JohnM\""
    }
  }
}

On success the response is HTTP 200, with a response body containing the queried items.

The example output is a list of objects.
{
  "@ns" : "http://prism.evolveum.com/xml/ns/public/types-3",
  "object" : {
    "@type" : "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3#ObjectListType",
    "object" : [ {
      "@type" : "c:CaseType",
      "oid" : "b0de0420-7848-4981-88f8-c21b415fcabb",
      "version" : "1",
      "name" : {
        "orig" : "Assigning role \"Basic Employee\" to user \"Jack\"",
        "norm" : "assigning role basic employee to user jack",
        "translation" : {
          "key" : "DefaultPolicyConstraint.Short.assignmentModification.toBeAdded",
          "argument" : [ {
            "translation" : {
              "key" : "ObjectSpecification",
              "argument" : [ {
                "translation" : {
                  "key" : "ObjectTypeLowercase.RoleType",
                  "fallback" : "RoleType"
                }
              }, {
                "value" : "Basic Employee"
              } ]
            }
          }, {
            "translation" : {
              "key" : "ObjectSpecification",
              "argument" : [ {
                "translation" : {
                  "key" : "ObjectTypeLowercase.UserType",
                  "fallback" : "UserType"
                }
              }, {
                "value" : "Jack"
              } ]
            }
          } ]
        }
      },
      "metadata" : {},
      "assignment" : {},
      "archetypeRef" : {},
      "parentRef" : {
        "oid" : "e2f64612-c616-4e08-bace-e9308232553f",
        "relation" : "org:default",
        "type" : "c:CaseType",
        "targetName" : "Approving and executing change of user \"Jack\" (started Mar 7, 2024, 10:10:59 AM)"
      },
      "objectRef" : {
        "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
        "relation" : "org:default",
        "type" : "c:UserType",
        "targetName" : "Jack"
      },
      "targetRef" : {
        "oid" : "96262f4f-053a-4b0b-8901-b3ec01e3509c",
        "relation" : "org:default",
        "type" : "c:RoleType",
        "targetName" : "employee"
      },
      "requestorRef" : {
        "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
        "relation" : "org:default",
        "type" : "c:UserType",
        "targetName" : "Jack"
      },
      "state" : "open",
      "event" : {
        "@type" : "c:CaseCreationEventType",
        "@id" : 3,
        "timestamp" : "2024-03-07T10:10:59.720+01:00",
        "initiatorRef" : {
          "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
          "relation" : "org:default",
          "type" : "c:UserType",
          "targetName" : "Jack"
        }
      },
      "workItem" : {
        "@id" : 4,
        "name" : {
          "orig" : "Assigning role \"Basic Employee\" to user \"Jack\"",
          "norm" : "assigning role basic employee to user jack",
          "translation" : {
            "key" : "DefaultPolicyConstraint.Short.assignmentModification.toBeAdded",
            "argument" : [ {
              "translation" : {
                "key" : "ObjectSpecification",
                "argument" : [ {
                  "translation" : {
                    "key" : "ObjectTypeLowercase.RoleType",
                    "fallback" : "RoleType"
                  }
                }, {
                  "value" : "Basic Employee"
                } ]
              }
            }, {
              "translation" : {
                "key" : "ObjectSpecification",
                "argument" : [ {
                  "translation" : {
                    "key" : "ObjectTypeLowercase.UserType",
                    "fallback" : "UserType"
                  }
                }, {
                  "value" : "Jack"
                } ]
              }
            } ]
          }
        },
        "stageNumber" : 1,
        "createTimestamp" : "2024-03-07T10:10:59.847+01:00",
        "originalAssigneeRef" : {
          "oid" : "472001d8-839f-4a28-acdf-d8d1c81583b0",
          "relation" : "org:default",
          "type" : "c:UserType",
          "targetName" : "JohnM"
        },
        "assigneeRef" : {
          "oid" : "472001d8-839f-4a28-acdf-d8d1c81583b0",
          "relation" : "org:default",
          "type" : "c:UserType",
          "targetName" : "JohnM"
        }
      },
      "approvalContext" : {
        "changeAspect" : "com.evolveum.midpoint.wf.impl.processors.primary.policy.PolicyRuleBasedAspect",
        "deltasToApprove" : {
          "focusPrimaryDelta" : {
            "changeType" : "modify",
            "objectType" : "c:UserType",
            "oid" : "a9885c61-c442-42d8-af34-8182a8653e3c",
            "itemDelta" : [ {
              "modificationType" : "add",
              "path" : "c:assignment",
              "value" : [ {
                "@type" : "c:AssignmentType",
                "targetRef" : {
                  "oid" : "96262f4f-053a-4b0b-8901-b3ec01e3509c",
                  "type" : "c:RoleType"
                }
              } ]
            } ]
          }
        },
        "immediateExecution" : false,
        "approvalSchema" : {
          "stage" : {
            "@id" : 2,
            "number" : 1,
            "approverRef" : {
              "oid" : "472001d8-839f-4a28-acdf-d8d1c81583b0",
              "relation" : "org:default",
              "type" : "c:UserType",
              "targetName" : "JohnM"
            },
            "outcomeIfNoApprovers" : "reject",
            "groupExpansion" : "byClaimingWorkItem"
          }
        },
        "policyRules" : { }
      },
      "stageNumber" : 1
    } ]
  }
}
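
An added example, not part of the midPoint documentation or samples: Python helpers that build the search body shown above and reduce the response to one row per work item of the approver. The function names, the name allowlist and the two checks (`delta_matches_target`, `self_approval`) are assumptions of this example; the sample is cut down from the output above.

```python
import re

# Assumption: approver names fit this allowlist, so none can close the quoted literal.
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def build_query(approver):
    """Request body for cases/search, same filter as the page's JSON file."""
    if not SAFE_NAME.fullmatch(approver):
        raise ValueError("approver name outside the allowlist")
    text = f'state = "open" AND workItem/assigneeRef/@/name ="{approver}"'
    return {"query": {"filter": {"text": text}}}

def as_list(value):
    """The sample output has workItem as an object and itemDelta as an array."""
    return [] if value is None else value if isinstance(value, list) else [value]

def pending_items(response, approver):
    """Rows for `approver`'s work items; deltasToApprove is checked against targetRef."""
    rows = []
    for case in as_list(response.get("object", {}).get("object")):
        if case.get("state") != "open":
            continue
        target = case.get("targetRef", {}).get("oid")
        delta = case.get("approvalContext", {}).get("deltasToApprove", {})
        delta_oids = {v.get("targetRef", {}).get("oid")
                      for d in as_list(delta.get("focusPrimaryDelta", {}).get("itemDelta"))
                      for v in as_list(d.get("value"))}
        for wi in as_list(case.get("workItem")):
            assignee = wi.get("assigneeRef", {})
            if assignee.get("targetName") != approver:
                continue  # the case may hold work items of other approvers
            rows.append({
                "case_oid": case.get("oid"),
                "work_item_id": wi.get("@id"),
                "requestor": case.get("requestorRef", {}).get("targetName"),
                "delta_matches_target": delta_oids == {target},
                "self_approval": case.get("requestorRef", {}).get("oid") == assignee.get("oid"),
            })
    return rows

# Constructed sample: the page's example output cut down to the fields read above.
SAMPLE = {"object": {"object": [{
    "oid": "b0de0420-7848-4981-88f8-c21b415fcabb", "state": "open",
    "targetRef": {"oid": "96262f4f-053a-4b0b-8901-b3ec01e3509c"},
    "requestorRef": {"oid": "a9885c61-c442-42d8-af34-8182a8653e3c", "targetName": "Jack"},
    "workItem": {"@id": 4, "assigneeRef": {"oid": "472001d8-839f-4a28-acdf-d8d1c81583b0", "targetName": "JohnM"}},
    "approvalContext": {"deltasToApprove": {"focusPrimaryDelta": {"itemDelta": [{"value": [
        {"targetRef": {"oid": "96262f4f-053a-4b0b-8901-b3ec01e3509c"}}]}]}}},
}]}}
```

The dictionary returned by `build_query` serializes to the same JSON as the data source file passed to `--data-binary`, and `pending_items` takes the parsed response body.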