Hi folks!!!
We are trying to harness Camunda as approval engine.
Best option for us is to have one flow that covers all the cases, but we are not sure that this is possible.
Application is tenant based.
Access control is ABAC/GBAC.
We need approval engine for different operations.
Simple case (userId based):
For operation we can select approvers (userIds), operation is not succeed until all approvals collected.
Advanced case (group based):
On tenant level we can define approval rule (mandate) for operations.
Group names and number of approvals depend on the tenant and dynamic.
Example-1:
amount <= 100000
required approvals: 2 from Group_A and 1 from Group_B
100000 < amount
required approvals: (2 from Group_A and 2 from Group_B) or 1 from Group_C
Operation is not succeed until required number of approvals from each group collected.
Approvals are not staged (all groups at the same time can approve).
Example-2:
amount any
required approvals: 1 from APPROVER and 1 from OWNER
Operation is not succeed until required number of approvals from each group collected.
Approvals are not staged (all groups at the same time can approve).
Is it possible to automate advanced case (group based) with Camunda?
The main problem: group names and required number of approvals are dynamic, also we have amount condition.
At the same time flow should work for Example-1, Example-2 and any others defined on tenant level.
Thanks in advance, totally unskilled (in Camunda yet).
Hello @unskilled ,
this requirement sounds like you would need a combination of decision task and user tasks.
Can I help you with a blueprint of the process model?
Jonathan
Thanks Jonathan for quick answer.
Sure you can.
I would really appreciate it.
Hello @unskilled ,
I have an approach for you:
Currently, it does not contain scenario with amount any, I could imagine to make it the default path or make the DMN point to variables instead of static values.
approval-form.form (840 Bytes)
approval.bpmn (14.8 KB)
approval-decision.dmn (1.8 KB)
I hope this helps
Jonathan
2 Likes
Hello Jonathan.
Good job, really like it.
I’m not sure if it applicable for us in general case.
You use outer subprocess for OR condition and inner for IN.
What if we have something like this:
inner or
(1 from GROUP_A OR 1 from GROUP_B) AND (1 from GROUP_D OR 1 from GROUP_C)
same group in different parts of expression (we will have 2 tasks for GROUP_A, but in fact only one is required):
(1 from GROUP_A AND 1 from GROUP_B) OR (1 from GROUP_A AND 1 from GROUP_C)
Disjunctive normal form maybe that’s the answer, but we need somehow transform user entered mandate into DNF.
But in any case as Giordano Bruno’s said - even if it is not true, it is a very good fabrication.
Thanks a lot.
Currently based on available approvals we check mandate condition.
Condition can be any combination of boolean OR/AND and parentheses.
For example for this mandate:
(1 from GROUP_A OR 1 from GROUP_B) AND (1 from GROUP_D OR 1 from GROUP_C)
We will create boolean expression “(A OR B) AND (D OR C)”.
Spring Spell can check if condition satisfied for example if we have approvals for GROUP_A and GROUP_D we will execute expression with Map of parameters {“A”:true, “D”: true} and form will return true.
With this approach no need to use DNF just evaluate mandate condition as is.
We can use same approach with Camunda after each user task check condition on BE side (maybe service task) and update process variable in Camunda.
Regarding DMN.
I don’t have enough experience to judge, but seems to me such parameterization is not something that DMN rule is intended for.
We can have different number of ranges for different users and so on.
What is your opinion Jonathan?
From Java code perspective this is just: ranges TreeMap<Double, List> amountToGroups and amountToGroups.ceilingEntry(78.00) for particular payment amount, so we can cover this case as service task or business rule task, or even start process instance with populated variable approvalGroups.
We also read Real-Life BPMN book meanwhile and created flow too.
Similar to your solution, but in mandate flow we have conditional boundary event based on operationApproved variable (to avoid limitation with above OR).
If operationApproved is true we stop all user approve tasks because operation is treated as approved.
Condition operationApproved is checked each time after user approves task.
See:
multiuser.bpmn (15.4 KB)
We already occupied a lot of your time but could you please answer below questions just yes/no:
- Is this integration correct?
– Camunda is internal tool (not visible outside), user approval from our FE is directed by our BE to Camunda (find user group – for group find assigned tasks in Camunda – get first task for group (can be multiple) – complete user task approved/rejected – also check if mandate condition is satisfied if yes change operationApproved = true – conditional boundary event stops the polling – operation approved)
- If two users in above flow get the same task one will be succeeded and one failed (task already completed). What is a strategy for failed - just try to get another available task for this group and complete ?
- We have logic to show all available for approval operations per user. Is it good idea to use Camunda for such cases? Find user group - find in Camunda all tasks assigned to this group, or better keep dedicated structures in our BE db?
- Is there any safe way to manage process level variable, that can be updated from multiuser tasks? For example keep list of all groups that already approved operation as process variable (we have concurrent update problem as far as we understand)?
- Is there any way to get completed tasks for process where variable approved = true, or something like this (the goal to get all approved groups to execute mandate condition)?
- We have daily budgets - you can’t execute operations with total amount exceeded daily budget. All pending operations should wait next day. Is it possible to keep such budgets in Camunda, or better store them outside and just add service task to check after approval multitask if budget is not exceeded?
- Can Camunda be used as global lock for same business process instances? For example daily budgets all tasks with money should check daily budget limit - sequential step for all process instances with the same business id to prevent check-then-act problem?
Thanks in advance Jonathan!!!