You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@syncope.apache.org by Dhairya <dh...@gmail.com> on 2016/01/21 14:49:43 UTC
Multiple Role Approval Requests
I've been evaluating Syncope (v1.2.6) for about 3 weeks. I was able to
figure out most of the stuff we need to do (like syncing, provisioning,
basic role approval) but we also have a requirement that user be able to
submit multiple independent approval requests. I did setup basic approval
as indicated on http://blog.tirasa.net/approval-process-syncope.html but it
seems the user can only submit one approval request and once the user is
waiting approval, he is unable to login into his own profile.
The scenario we have is like this...
We have several approval roles based on the application you're requesting
access to.
app-a-approver-role
app-a1-role
app-a1-role
app-b-approver-role
app-b1-role
app-b2-role
app-c-approver-role
app-c1-role
app-c2-role
So if the user selects app-a1-role, app-b1-role, and app-c2-role then we
need to generate three independent approval request to
app-a-approver-role, app-b-approver-role and app-c-approver-role.
if app-a-approver and app-b-approver approve then the user will be assigned
app-a1-role and app-b1-role and if app-c-approver-role rejects then the
user won't be assigned app-c2-role.
How do I setup something like this?
Thanks,
Dhairya Shah
Re: Multiple Role Approval Requests
Posted by Dhairya <dh...@gmail.com>.
Thank you.
On Thu, Jan 21, 2016 at 11:17 AM, Francesco Chicchiriccò <
ilgrosso@apache.org> wrote:
> On 21/01/2016 15:59, Dhairya wrote:
>
> Thank you for a quick response. I was able to resolve the user login issue
> as per your fix but I'm still having hard time figuring out what needs to
> be done for multiple independent approval requests. Could you please
> provide some suggestions/clues on what needs to be added/modified in the
> workflow to get multiple approval requests working?
>
>
> You essentially need to figure out first how to draw your wokflow with
> Activiti - possibly using the modeler which you can enable in the admin
> console [1] - then understand which tasks need custom implementation in
> Java, and write them down.
>
> As said, it is not easy and require consistent Activiti skills, but it's
> doable.
>
> Regards.
>
> [1]
> https://cwiki.apache.org/confluence/display/SYNCOPE/Enable+Activiti+Modeler
>
> On Thu, Jan 21, 2016 at 8:59 AM, Francesco Chicchiriccò <
> <il...@apache.org> wrote:
>
>> On 21/01/2016 14:49, Dhairya wrote:
>>
>>> I've been evaluating Syncope (v1.2.6) for about 3 weeks. I was able to
>>> figure out most of the stuff we need to do (like syncing, provisioning,
>>> basic role approval)
>>>
>>
>> Hi Dhairya,
>> this looks good.
>>
>> but we also have a requirement that user be able to submit multiple
>>> independent approval requests. I did setup basic approval as indicated on
>>> <http://blog.tirasa.net/approval-process-syncope.html>
>>> http://blog.tirasa.net/approval-process-syncope.html but it seems the
>>> user can only submit one approval request and once the user is waiting
>>> approval, he is unable to login into his own profile.
>>>
>>
>> You need to add the status in which the user is brought after the first
>> approval request to the "authentication.statuses" parameter - from admin
>> console go under Configuration then click on itemized list icon on top
>> right corner.
>>
>> The scenario we have is like this...
>>>
>>> We have several approval roles based on the application you're
>>> requesting access to.
>>>
>>> app-a-approver-role
>>> app-a1-role
>>> app-a1-role
>>>
>>> app-b-approver-role
>>> app-b1-role
>>> app-b2-role
>>>
>>> app-c-approver-role
>>> app-c1-role
>>> app-c2-role
>>>
>>> So if the user selects app-a1-role, app-b1-role, and app-c2-role then
>>> we need to generate three independent approval request to
>>> app-a-approver-role, app-b-approver-role and app-c-approver-role.
>>>
>>> if app-a-approver and app-b-approver approve then the user will be
>>> assigned app-a1-role and app-b1-role and if app-c-approver-role rejects
>>> then the user won't be assigned app-c2-role.
>>>
>>> How do I setup something like this?
>>>
>>
>> Essentially, you'll need to expand the logic introduced in the post
>> mentioned above: it is indeed feasible, but not elementary.
>>
>> Regards.
>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellencehttp://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committerhttp://home.apache.org/~ilgrosso/
>
>
Re: Multiple Role Approval Requests
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 21/01/2016 15:59, Dhairya wrote:
> Thank you for a quick response. I was able to resolve the user login
> issue as per your fix but I'm still having hard time figuring out what
> needs to be done for multiple independent approval requests. Could
> you please provide some suggestions/clues on what needs to be
> added/modified in the workflow to get multiple approval requests working?
You essentially need to figure out first how to draw your wokflow with
Activiti - possibly using the modeler which you can enable in the admin
console [1] - then understand which tasks need custom implementation in
Java, and write them down.
As said, it is not easy and require consistent Activiti skills, but it's
doable.
Regards.
[1]
https://cwiki.apache.org/confluence/display/SYNCOPE/Enable+Activiti+Modeler
> On Thu, Jan 21, 2016 at 8:59 AM, Francesco Chicchiriccò
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
> On 21/01/2016 14:49, Dhairya wrote:
>
> I've been evaluating Syncope (v1.2.6) for about 3 weeks. I was
> able to figure out most of the stuff we need to do (like
> syncing, provisioning, basic role approval)
>
>
> Hi Dhairya,
> this looks good.
>
> but we also have a requirement that user be able to submit
> multiple independent approval requests. I did setup basic
> approval as indicated on
> http://blog.tirasa.net/approval-process-syncope.html but it
> seems the user can only submit one approval request and once
> the user is waiting approval, he is unable to login into his
> own profile.
>
>
> You need to add the status in which the user is brought after the
> first approval request to the "authentication.statuses" parameter
> - from admin console go under Configuration then click on itemized
> list icon on top right corner.
>
> The scenario we have is like this...
>
> We have several approval roles based on the application you're
> requesting access to.
>
> app-a-approver-role
> app-a1-role
> app-a1-role
>
> app-b-approver-role
> app-b1-role
> app-b2-role
>
> app-c-approver-role
> app-c1-role
> app-c2-role
>
> So if the user selects app-a1-role, app-b1-role, and
> app-c2-role then we need to generate three independent
> approval request to app-a-approver-role, app-b-approver-role
> and app-c-approver-role.
>
> if app-a-approver and app-b-approver approve then the user
> will be assigned app-a1-role and app-b1-role and if
> app-c-approver-role rejects then the user won't be assigned
> app-c2-role.
>
> How do I setup something like this?
>
>
> Essentially, you'll need to expand the logic introduced in the
> post mentioned above: it is indeed feasible, but not elementary.
>
> Regards.
>
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/
Re: Multiple Role Approval Requests
Posted by Dhairya <dh...@gmail.com>.
Thank you for a quick response. I was able to resolve the user login issue
as per your fix but I'm still having hard time figuring out what needs to
be done for multiple independent approval requests. Could you please
provide some suggestions/clues on what needs to be added/modified in the
workflow to get multiple approval requests working?
Thanks,
Dhairya
On Thu, Jan 21, 2016 at 8:59 AM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:
> On 21/01/2016 14:49, Dhairya wrote:
>
>> I've been evaluating Syncope (v1.2.6) for about 3 weeks. I was able to
>> figure out most of the stuff we need to do (like syncing, provisioning,
>> basic role approval)
>>
>
> Hi Dhairya,
> this looks good.
>
> but we also have a requirement that user be able to submit multiple
>> independent approval requests. I did setup basic approval as indicated on
>> http://blog.tirasa.net/approval-process-syncope.html but it seems the
>> user can only submit one approval request and once the user is waiting
>> approval, he is unable to login into his own profile.
>>
>
> You need to add the status in which the user is brought after the first
> approval request to the "authentication.statuses" parameter - from admin
> console go under Configuration then click on itemized list icon on top
> right corner.
>
> The scenario we have is like this...
>>
>> We have several approval roles based on the application you're requesting
>> access to.
>>
>> app-a-approver-role
>> app-a1-role
>> app-a1-role
>>
>> app-b-approver-role
>> app-b1-role
>> app-b2-role
>>
>> app-c-approver-role
>> app-c1-role
>> app-c2-role
>>
>> So if the user selects app-a1-role, app-b1-role, and app-c2-role then we
>> need to generate three independent approval request to
>> app-a-approver-role, app-b-approver-role and app-c-approver-role.
>>
>> if app-a-approver and app-b-approver approve then the user will be
>> assigned app-a1-role and app-b1-role and if app-c-approver-role rejects
>> then the user won't be assigned app-c2-role.
>>
>> How do I setup something like this?
>>
>
> Essentially, you'll need to expand the logic introduced in the post
> mentioned above: it is indeed feasible, but not elementary.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Involved at The Apache Software Foundation:
> member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
> http://home.apache.org/~ilgrosso/
>
>
Re: Multiple Role Approval Requests
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 21/01/2016 14:49, Dhairya wrote:
> I've been evaluating Syncope (v1.2.6) for about 3 weeks. I was able to
> figure out most of the stuff we need to do (like syncing,
> provisioning, basic role approval)
Hi Dhairya,
this looks good.
> but we also have a requirement that user be able to submit multiple
> independent approval requests. I did setup basic approval as indicated
> on http://blog.tirasa.net/approval-process-syncope.html but it seems
> the user can only submit one approval request and once the user is
> waiting approval, he is unable to login into his own profile.
You need to add the status in which the user is brought after the first
approval request to the "authentication.statuses" parameter - from admin
console go under Configuration then click on itemized list icon on top
right corner.
> The scenario we have is like this...
>
> We have several approval roles based on the application you're
> requesting access to.
>
> app-a-approver-role
> app-a1-role
> app-a1-role
>
> app-b-approver-role
> app-b1-role
> app-b2-role
>
> app-c-approver-role
> app-c1-role
> app-c2-role
>
> So if the user selects app-a1-role, app-b1-role, and app-c2-role then
> we need to generate three independent approval request to
> app-a-approver-role, app-b-approver-role and app-c-approver-role.
>
> if app-a-approver and app-b-approver approve then the user will be
> assigned app-a1-role and app-b1-role and if app-c-approver-role
> rejects then the user won't be assigned app-c2-role.
>
> How do I setup something like this?
Essentially, you'll need to expand the logic introduced in the post
mentioned above: it is indeed feasible, but not elementary.
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/
Re: Multiple Role Approval Requests
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 26/01/2016 10:25, Martin van Es wrote:
> Hi,
>
> On Tue, Jan 26, 2016 at 8:51 AM, Francesco Chicchiriccò
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
> On 22/01/2016 14:11, Martin van Es wrote:
>
> Hoping nobody minds stealing this thread I'd like to ask how
> (simple) approvals are enabled in the first place? I've
> updated to 1.2.7 and both created a user in self-service and
> assigned a role to an existing one, but neither triggered an
> approval task for admin (and both tasks completely finished)?
> Does the default workflow support approvals, or do I need to
> change that in the first place to trigger approvals anyway?
>
>
> Hi,
> you can take a look at
>
> http://blog.tirasa.net/approval-process-syncope.html
>
>
> Thx. I found that, but I hoped "simple" approvals were available out
> of the box in syncope.
The whole approval mechanism is there (if you use Activiti, naturally):
only, you need to change the workflow definition to trigger it.
Obviously you can still use the workflow definition used by integration
tests, which used to be included in releases as well:
https://github.com/apache/syncope/blob/1_2_X/core/src/test/resources/userWorkflow.bpmn20.xml
> Please consider that in recent releases the default workflow
> definition is not configured for any approval.
>
>
> Which explains my findings.
> I'll take a look at the tirasa blog.
HTH
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/
Re: Multiple Role Approval Requests
Posted by Martin van Es <mr...@gmail.com>.
Hi,
On Tue, Jan 26, 2016 at 8:51 AM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:
> On 22/01/2016 14:11, Martin van Es wrote:
>
>> Hoping nobody minds stealing this thread I'd like to ask how (simple)
>> approvals are enabled in the first place? I've updated to 1.2.7 and both
>> created a user in self-service and assigned a role to an existing one, but
>> neither triggered an approval task for admin (and both tasks completely
>> finished)? Does the default workflow support approvals, or do I need to
>> change that in the first place to trigger approvals anyway?
>>
>
> Hi,
> you can take a look at
>
> http://blog.tirasa.net/approval-process-syncope.html
>
>
Thx. I found that, but I hoped "simple" approvals were available out of the
box in syncope.
> Please consider that in recent releases the default workflow definition is
> not configured for any approval.
>
Which explains my findings.
I'll take a look at the tirasa blog.
Regards,
Martin
Re: Multiple Role Approval Requests
Posted by Francesco Chicchiriccò <il...@apache.org>.
On 22/01/2016 14:11, Martin van Es wrote:
> Hoping nobody minds stealing this thread I'd like to ask how (simple)
> approvals are enabled in the first place? I've updated to 1.2.7 and
> both created a user in self-service and assigned a role to an existing
> one, but neither triggered an approval task for admin (and both tasks
> completely finished)? Does the default workflow support approvals, or
> do I need to change that in the first place to trigger approvals anyway?
Hi,
you can take a look at
http://blog.tirasa.net/approval-process-syncope.html
Please consider that in recent releases the default workflow definition
is not configured for any approval.
HTH
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC, CXF committer
http://home.apache.org/~ilgrosso/
Re: Multiple Role Approval Requests
Posted by Martin van Es <mr...@gmail.com>.
Hoping nobody minds stealing this thread I'd like to ask how (simple)
approvals are enabled in the first place? I've updated to 1.2.7 and both
created a user in self-service and assigned a role to an existing one, but
neither triggered an approval task for admin (and both tasks completely
finished)? Does the default workflow support approvals, or do I need to
change that in the first place to trigger approvals anyway?
Best regards,
Martin
On Thu, Jan 21, 2016 at 2:49 PM, Dhairya <dh...@gmail.com> wrote:
> I've been evaluating Syncope (v1.2.6) for about 3 weeks. I was able to
> figure out most of the stuff we need to do (like syncing, provisioning,
> basic role approval) but we also have a requirement that user be able to
> submit multiple independent approval requests. I did setup basic approval
> as indicated on http://blog.tirasa.net/approval-process-syncope.html but
> it seems the user can only submit one approval request and once the user is
> waiting approval, he is unable to login into his own profile.
>
> The scenario we have is like this...
>
> We have several approval roles based on the application you're requesting
> access to.
>
> app-a-approver-role
> app-a1-role
> app-a1-role
>
> app-b-approver-role
> app-b1-role
> app-b2-role
>
> app-c-approver-role
> app-c1-role
> app-c2-role
>
> So if the user selects app-a1-role, app-b1-role, and app-c2-role then we
> need to generate three independent approval request to
> app-a-approver-role, app-b-approver-role and app-c-approver-role.
>
> if app-a-approver and app-b-approver approve then the user will be
> assigned app-a1-role and app-b1-role and if app-c-approver-role rejects
> then the user won't be assigned app-c2-role.
>
> How do I setup something like this?
>
> Thanks,
> Dhairya Shah
>
>
>
--
If 'but' was any useful, it would be a logic operator