Hi David, you will find my replies embedded below. Regards.
On 28/03/2013 21:23, Walker, David R. (JMD) wrote:
When using the default workflow (corrected for roles)
I guess you are running 1.1.0-SNAPSHOT: correct? What does "corrected for roles" mean? Can you provide your userWorkflow.bpmn20.xml (or relevant fragments) via http://apaste.info/?
the approval task will accept a response of "No" but the user is provisioned to the denied resource anyway. What is the correct approach to denying access to one resource but granting access to others?
Since the approval is currently implemented - in the default workflow definition, at least - as a whole acceptance / reject, you would need to implement this requirement by providing your own service tasks (e.g. Java classes similar to [1] - in the hypothesis you are on 1.1.0-SNAPSHOT).
Scenario:
1. Admin creates a new user with a resource of "Active Directory-IP" and a role of "Active Directory User".
2. The role routes the action to a user task.
3. Another participant, the approver, picks up the user task on her ToDo list and claims it.
4. The approver selects "No" on the Boolean.
5. The task completes.
6. The user is provisioned to Active Directory anyway.

Attempts to modify the workflow to delete the syncopeUser on a denial fail in that the task ignores the "No" selection and remains on the ToDo list for the assignee.
In the default workflow definition [2], a "No" moves the user into a 'Rejected' state and no propagation occurs at all: I think then that the problems you are observing are highly dependent on the customization introduced. I need more details about these to be able to provide some hints.
[1] https://svn.apache.org/repos/asf/syncope/trunk/core/src/main/java/org/apache/syncope/core/workflow/user/activiti/task/Create.java
[2] https://cwiki.apache.org/confluence/display/SYNCOPE/Default+Workflow

--
Francesco Chicchiriccò
ASF Member, Apache Syncope PMC chair, Apache Cocoon PMC Member
http://people.apache.org/~ilgrosso/