syncope-dev mailing list archives

From Francesco Chicchiriccò <>
Subject Re: [DISCUSS] User requests
Date Tue, 11 Sep 2018 14:55:40 GMT
Hi all,
no objections, hence I created


On 07/09/2018 14:52, Francesco Chicchiriccò wrote:
> On 06/09/2018 12:31, Francesco Chicchiriccò wrote:
>> Hi all,
>> I have been lately involved in some considerations around user 
>> workflow, approvals and user requests.
>> As stated in [1], "Workflow manages the internal identity lifecycle 
>> by defining statuses and transitions that every user, group or any 
>> object in Apache Syncope will traverse.".
>> For users, the Flowable adapter is available [2] (Activiti up to 
>> Syncope 2.0), which allows defining approvals [3] as additional 
>> steps to traverse, to which approval forms are bound.
>> So far, so good.
>> The current approval forms can be seen as a particular case of a more 
>> general concept, e.g. user requests - a core concept of Identity 
>> Governance (IGA).
>> With user requests, users can initiate whichever request among the 
>> ones defined, for example "assign me a mobile phone" or "give me 
>> those groups on AD", for them or on behalf of others; once initiated, 
>> such requests can then follow their own path, which might include one 
>> or more approval steps.
>> There is also no limitation on the number of concurrent requests that 
>> a user can initiate.
>> Unfortunately, I came to the conclusion that our current 
>> implementation is not able to properly implement the user requests as 
>> briefly outlined above; among other things, the impossibility to 
>> handle more than one approval process at a time, per user.
>> Hence, a major refactoring is needed; I propose to:
>> 1. remove the current Flowable user workflow adapter
> After some further considerations, I think that this statement could 
> be reformulated as
> 1. remove approvals features from the current Flowable user workflow 
> adapter
> leaving it still open for usage in Syncope 2.1 and future releases, 
> but only to manage the internal user lifecycle and *not* for approvals 
> - which will be anyway replaced by user requests.
>> 2. power up the DefaultUserWorkflowAdapter to allow easier injection 
>> of custom logic, with the usual way we already take for PullActions, 
>> PushActions, RealmActions etc, e.g. WorkflowActions
>> 3. define a new UserRequest entity, which includes at least
>>   3.1 some triggering conditions
>>   3.2 a Flowable workflow definition, possibly containing approval 
>> form(s)
>> 4. adjust REST services, Admin Console and Enduser UI to cope with 
>> the new UserRequest concept
>> In my idea, the changes above should take place in the 2_1_X branch 
>> (and thus be likely available with Syncope 2.1.2), along with proper 
>> upgrade instructions from Syncope 2.1.1.
>> WDYT?
>> Regards.
>> [1] 
>> [2] 
>> [3] 

Francesco Chicchiriccò

Tirasa - Open Source Excellence

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
