syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: [DISCUSS] User requests
Date Fri, 07 Sep 2018 12:52:27 GMT
On 06/09/2018 12:31, Francesco Chicchiriccò wrote:
> Hi all,
> I have been lately involved into some considerations around user 
> workflow, approvals and user requests.
>
> As stated in [1], "Workflow manages the internal identity lifecycle by 
> defining statuses and transitions that every user, group or any object 
> in Apache Syncope will traverse.".
> For users, the Flowable adapter is available [2] (Activiti up to 
> Syncope 2.0), which allows to define approvals [3] as additional steps 
> to traverse, to which approval forms are bound.
>
> So far, so good.
>
> The current approval forms can be seen as a particular case of a more 
> general concept, e.g user requests - a core concept of Identity 
> Governance (IGA).
>
> With user requests, users can initiate whichever request among the 
> ones defined, for example "assign me a mobile phone" or "give me those 
> groups on AD", for them or on behalf of others; once initiated, such 
> requests can then follow their own path, which might include one or 
> more approval steps.
> There is also no limitation on the number of concurrent requests that 
> an user can initiate.
>
> Unfortunately, I came to the conclusion that our current 
> implementation is not able to properly implement the user requests as 
> briefly outlined above; among other things, the impossibility to 
> handle more than an approval process at a time, per user.
>
> Hence, and a major refactoring is needed; I propose to:
>
> 1. remove the current Flowable user workflow adapter

After some further considerations, I think that this statement could be 
reformulated as

1. remove approvals features from the current Flowable user workflow adapter

leaving it still open for usage in Syncope 2.1 and future releases, but 
only to manage the internal user lifecycle and *not* for approvals - 
which will be anyway replaced by user requests.

> 2. power up the DefaultUserWorkflowAdapter to allow easier injection 
> of custom logic, with the usual way we already take for PullActions, 
> PushActions, RealmActions etc, e.g. WorkflowActions
> 3. define a new UserRequest entity, which includes at least
>   3.1 some triggering conditions
>   3.2 a Flowable workflow definition, possibly containing approval 
> form(s)
> 4. adjust REST services, Admin Console and Enduser UI to cope with the 
> new UserRequest concept
>
> In my idea, the changes above should take place in the 2_1_X branch 
> (and thus be likely available with Syncope 2.1.2), along with proper 
> upgrade instructions from Syncope 2.1.1.
>
> WDYT?
> Regards.
>
> [1] 
> https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#workflow
> [2] 
> https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#flowable-user-workflow-adapter
> [3] 
> https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#approval

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Mime
View raw message