On 06/09/2018 12:31, Francesco Chicchiriccò wrote:
Hi all,
I have lately been involved in some considerations around user
workflow, approvals and user requests.
As stated in [1], "Workflow manages the internal identity lifecycle by
defining statuses and transitions that every user, group or any object
in Apache Syncope will traverse.".
For users, the Flowable adapter is available [2] (Activiti up to
Syncope 2.0), which allows defining approvals [3] as additional steps
to traverse, to which approval forms are bound.
So far, so good.
The current approval forms can be seen as a particular case of a more
general concept, e.g. user requests - a core concept of Identity
Governance (IGA).
With user requests, users can initiate whichever request among the
ones defined, for example "assign me a mobile phone" or "give me those
groups on AD", for them or on behalf of others; once initiated, such
requests can then follow their own path, which might include one or
more approval steps.
There is also no limitation on the number of concurrent requests that
a user can initiate.
Unfortunately, I came to the conclusion that our current
implementation is not able to properly implement the user requests as
briefly outlined above; among other things, the impossibility to
handle more than an approval process at a time, per user.
Hence, a major refactoring is needed; I propose to:
1. remove the current Flowable user workflow adapter

After some further considerations, I think that this statement could be
reformulated as
1. remove approvals features from the current Flowable user workflow adapter
leaving it still open for usage in Syncope 2.1 and future releases, but
only to manage the internal user lifecycle and *not* for approvals -
which will be anyway replaced by user requests.

2. power up the DefaultUserWorkflowAdapter to allow easier injection
of custom logic, with the usual way we already take for PullActions,
PushActions, RealmActions etc, e.g. WorkflowActions
3. define a new UserRequest entity, which includes at least
3.1 some triggering conditions
3.2 a Flowable workflow definition, possibly containing approval
form(s)
4. adjust REST services, Admin Console and Enduser UI to cope with the
new UserRequest concept
In my idea, the changes above should take place in the 2_1_X branch
(and thus be likely available with Syncope 2.1.2), along with proper
upgrade instructions from Syncope 2.1.1.
WDYT?
Regards.
[1]
https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#workflow
[2]
https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#flowable-user-workflow-adapter
[3]
https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#approval
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/