Modules - Extras: Workflows for approval of role assignment
The extras module contains additional workflows, which can be used for the approval of role assignment. If you are not familiar with the approval process, please read Approval of role assignment and Role assignment - approval process configuration.
Provided approval workflows:
- extras-approve-role-by-contract-manager - Approvers are managers of the applicant's contract. For other accounts are managers of applicant's contract with login role for account. For technical account managers are account guarantees.
- extras-approve-role-by-manager-and-guarantee - Approvers are managers of the applicant's contract, for other accounts are managers of applicant's contract with login role for account. For technical account managers are account guarantees.. And two types of authorizers for the given role (every type of authorizers has its own approval round).
- extras-approve-role-by-manager-script-guarantee - Approvers are managers of the applicant's contract, for other accounts are managers of applicant's contract with login role for account. For technical account managers are account guarantees. Then managers computed by a custom script, and then two types of authorizers for the given role.
- extras-approve-role-by-multiple-authorizers (since 3.5.0) - Approvers are two types of authorizers for the given role.
Some of the approval workflows make use of the Role authorizer type. You will use this typically in the cases, if you want to have 2 distinct approvers (or group of approvers) and you want for both of them to approve the assignment of the role. The approval process creates the approval task first for the authorizers in the first group (type A). After approving, then an approval task is created for the authorizers in the second group (type B).
Configuration needed for the approval workflows:
Create the code list (Settings → Code lists) with the code guarantee-type (if it doesn't exist).
Create two items in this code list - you can use e.g. "guaranteeTypeA" and "guaranteeTypeB".
Set the desired approval workflow for the role priority level (criticality) which you want to use (1-4) in the application configuration. Example:
- idm.sec.core.wf.role.approval.X = extras-approve-role-by-manager-and-guarantee - X is role priority level (1-4)
Set the configuration properties for worflows:
- idm.sec.extras.wf.approval.customScript - Code of the custom script used by the workflow extras-approve-role-by-manager-script-guarantee (not needed for other workflows)
- idm.sec.extras.wf.approval.guaranteeTypeA - Code of codelist item for guarantee of A type in the code list guarantee-type (e.g. "guaranteeTypeA")
- idm.sec.extras.wf.approval.guaranteeTypeB - Code of codelist item for guarantee of B type in the code list guarantee-type (e.g. "guaranteeTypeB")
- idm.sec.extras.wf.approval.approver.states (optional) - List of valid identity states for approvers. By default tasks are assigned only to identities in states CREATED, VALID, FUTURE_CONTRACT
Finally, set the desired priority level for the selected roles and specify the role authorizers. When adding a new authorizer, you will always select its type from the above mentioned code list.
Example of custom script:
- Script category: System
- Script authorities: Service - identityService, Class - eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto
- Scrip code:
import eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto; List<IdmIdentityDto> candidates = new ArrayList<IdmIdentityDto>(); candidates.add(identityService.getByUsername("user_for_approval")); return candidates;
The script must return List of IdmIdentityDto.