====== Bulk actions on approval tasks ====== Bulk actions on approval tasks are used for making easy and asynchronous changes on multiple identities. ===== Supported bulk actions on identities ===== * Delegate * Add approvers * Remove approvers ==== Add approvers (core-approval-task-add-approvers-bulk-action) ==== Adds the selected users as approvers of the selected approval tasks. === Form fields === ^Field^Type^Description| |**New approvers** |identity multiselect (required)|Users to add as approvers. Only enabled (active) identities are offered and accepted — missing or disabled identities are filtered \\ out on the backend.| |**Remove old approvers** |checkbox (default off)|When checked, the current approvers are removed and replaced by the selection. When unchecked, they are left untouched and the new \\ ones are added alongside them.| === Behavior === * A selected user who is **already an approver** of a task is silently skipped — the existing approver record is kept untouched (no duplicate is created). The action is idempotent: \\ running it twice with the same selection has the same effect as running it once. \\ * In **replace mode** (checkbox on), new approvers are created //first// and only then are the unselected current approvers removed, so a task is never left without an approver at any \\ point. Current approvers who are part of the selection keep their original approver record. \\ * The whole selection is processed **all-or-nothing per task**: all required permissions are checked before any change is made. If any single create/delete would not be permitted, the \\ task fails as a whole and no partial change happens. \\ * No notification is sent to the added approvers and no delegation is created — the users are added directly. Configured delegations of the added users are **not** resolved (unlike the \\ reassignment and delegation flows). === Failure states === ^Result code^When| |''APPROVAL_TASK_ADD_APPROVERS_TASK_NOT_RUNNING'' |The task is not in the Running state.| |''APPROVAL_TASK_ADD_APPROVERS_APPROVERS_MISSING'' |The selection contains no valid (existing, enabled) identity.| |''FORBIDDEN_ENTITY'' |The logged user lacks a required permission for some approver record of the task (see Security below).| === Security === This action is governed by the permission group **''APPROVALTASKAPPROVER'' ** (//Approval task \\ approvers//, entity ''IdmApprovalTaskApprover'') and its permission CREATE. If the user wants to also use the "Remove old approvers" option, they will need the DELETE permission as well. ==== Remove approvers (core-approval-task-remove-approvers-bulk-action) ==== Removes the selected users from the approvers of the selected approval tasks. === Form fields === ^Field^Type^Description| |**Approvers to remove** |identity multiselect (required)|Users to remove from the task approvers. Disabled identities can be selected too — removing a disabled approver is a common \\ use case.| === Behavior === * Selected users who are **not approvers** of a particular task are simply ignored for that task — the action still finishes successfully (even when none of the selected users is an approver; the task is then left unchanged). * When the removal takes away the **last active approver** of a task, the task is automatically reassigned by the same mechanism used when an approver is deleted or disabled: new approvers are resolved by the configured reassign script (''idm.pub.core.wf.approval.task.reassign.script''), with fallback to default approvers. A running task is therefore never left \\ without an approver. * Permissions are checked for **all matching approver records before any change** — if the user may not delete any one of them, the task fails as a whole and nothing is removed (all-or-nothing per task). * No history record (''FORMER_APPROVER'' identity link) is created — direct removal is distinct from delegation. === Failure states === ^Result code^When| |''APPROVAL_TASK_REMOVE_APPROVERS_TASK_NOT_RUNNING'' |The task is not in the Running state| |''APPROVAL_TASK_REMOVE_APPROVERS_APPROVERS_MISSING'' |No user was selected.| |''FORBIDDEN_ENTITY'' |The logged user may not delete some approver record of the task| === Security === This action is governed by the permission group **''APPROVALTASKAPPROVER'' ** (//Approval task\\ approvers//, entity ''IdmApprovalTaskApprover'') and its permission CREATE