On 07/09/2018 14:52, Francesco Chicchiriccò wrote:
On 06/09/2018 12:31, Francesco Chicchiriccò wrote:
Hi all,
I have lately been involved in some considerations around user
workflow, approvals and user requests.
As stated in [1], "Workflow manages the internal identity lifecycle
by defining statuses and transitions that every user, group or any
object in Apache Syncope will traverse.".
For users, the Flowable adapter is available [2] (Activiti up to
Syncope 2.0), which allows defining approvals [3] as additional
steps to traverse, to which approval forms are bound.
So far, so good.
The current approval forms can be seen as a particular case of a more
general concept, e.g. user requests - a core concept of Identity
Governance (IGA).
With user requests, users can initiate whichever request among the
ones defined, for example "assign me a mobile phone" or "give me
those groups on AD", for them or on behalf of others; once initiated,
such requests can then follow their own path, which might include one
or more approval steps.
There is also no limitation on the number of concurrent requests that
a user can initiate.
Unfortunately, I came to the conclusion that our current
implementation is not able to properly implement the user requests as
briefly outlined above; among other things, the impossibility to
handle more than one approval process at a time, per user.
Hence, a major refactoring is needed; I propose to:
1. remove the current Flowable user workflow adapter
After some further considerations, I think that this statement could
be reformulated as
1. remove approvals features from the current Flowable user workflow
adapter
leaving it still open for usage in Syncope 2.1 and future releases,
but only to manage the internal user lifecycle and *not* for approvals
- which will be anyway replaced by user requests.
I think it's the best choice. Syncope remains very flexible and can
continue to handle the lifecycle via wf.
2. power up the DefaultUserWorkflowAdapter to allow easier injection
of custom logic, with the usual way we already take for PullActions,
PushActions, RealmActions etc, e.g. WorkflowActions
3. define a new UserRequest entity, which includes at least
3.1 some triggering conditions
3.2 a Flowable workflow definition, possibly containing approval
form(s)
4. adjust REST services, Admin Console and Enduser UI to cope with
the new UserRequest concept
In my idea, the changes above should take place in the 2_1_X branch
(and thus be likely available with Syncope 2.1.2), along with proper
upgrade instructions from Syncope 2.1.1.
WDYT?
Regards.
+1
M
[1]
https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#workflow
[2]
https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#flowable-user-workflow-adapter
[3]
https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#approval
--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570
Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/