syncope-dev mailing list archives

From Marco Di Sabatino Di Diodoro <marco.disabat...@tirasa.net>
Subject Re: [DISCUSS] User requests
Date Mon, 10 Sep 2018 11:02:01 GMT


On 07/09/2018 14:52, Francesco Chicchiriccò wrote:
> On 06/09/2018 12:31, Francesco Chicchiriccò wrote:
>> Hi all,
>> I have lately been involved in some considerations around user 
>> workflow, approvals and user requests.
>>
>> As stated in [1], "Workflow manages the internal identity lifecycle 
>> by defining statuses and transitions that every user, group or any 
>> object in Apache Syncope will traverse.".
>> For users, the Flowable adapter is available [2] (Activiti up to 
>> Syncope 2.0), which allows defining approvals [3] as additional 
>> steps to traverse, to which approval forms are bound.
>>
>> So far, so good.
>>
>> The current approval forms can be seen as a particular case of a more 
>> general concept, e.g. user requests - a core concept of Identity 
>> Governance (IGA).
>>
>> With user requests, users can initiate whichever request among the 
>> ones defined, for example "assign me a mobile phone" or "give me 
>> those groups on AD", for them or on behalf of others; once initiated, 
>> such requests can then follow their own path, which might include one 
>> or more approval steps.
>> There is also no limitation on the number of concurrent requests that 
>> a user can initiate.
>>
>> Unfortunately, I came to the conclusion that our current 
>> implementation is not able to properly implement the user requests as 
>> briefly outlined above; among other things, the impossibility to 
>> handle more than one approval process at a time, per user.
>>
>> Hence, a major refactoring is needed; I propose to:
>>
>> 1. remove the current Flowable user workflow adapter
>
> After some further considerations, I think that this statement could 
> be reformulated as
>
> 1. remove approvals features from the current Flowable user workflow 
> adapter
>
> leaving it still open for usage in Syncope 2.1 and future releases, 
> but only to manage the internal user lifecycle and *not* for approvals 
> - which will be anyway replaced by user requests.
I think it's the best choice. Syncope remains very flexible and can 
continue to handle the lifecycle via wf.
>> 2. power up the DefaultUserWorkflowAdapter to allow easier injection 
>> of custom logic, with the usual way we already take for PullActions, 
>> PushActions, RealmActions etc, e.g. WorkflowActions
>> 3. define a new UserRequest entity, which includes at least
>>   3.1 some triggering conditions
>>   3.2 a Flowable workflow definition, possibly containing approval 
>> form(s)
>> 4. adjust REST services, Admin Console and Enduser UI to cope with 
>> the new UserRequest concept
>>
>> In my idea, the changes above should take place in the 2_1_X branch 
>> (and thus be likely available with Syncope 2.1.2), along with proper 
>> upgrade instructions from Syncope 2.1.1.
>>
>> WDYT?
>> Regards.
+1
M
>>
>> [1] 
>> https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#workflow
>> [2] 
>> https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#flowable-user-workflow-adapter
>> [3] 
>> https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#approval
>

-- 
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/

