Task #1200
closedBusiness role - design and implementation
Added by Radek Tomiška over 6 years ago. Updated over 6 years ago.
100%
Related issues
Updated by Radek Tomiška over 6 years ago
- Add name (~display name) to IdmRole - current name will be renamed to code + Codeable interface
- IdmRole - remove lazy lists - subRoles, superiorRoles, guarantees, roleCatalogues - all sub entities will have their own service + rest. New tabs with separate tables will be created on FE.
- Create role composition structure - or reuse IdmRoleComposition entity - add validation to prevent cycles. Create new tab on FE to define role composition.
- when direct role is assigned to identity, then NOTIFY event is published - create new asynchronous processor to compute, which sub roles should be assign by business role definition => all roles will be physically assigned to identity with the same validity as direct role (benefit: assigned roles evaluation remains the same, ).
- change identity roles content on FE:
- show direct roles and roles assigned by business role (options: show direct roles with info about business roles vs. separate tables)
- roles assigned by business role will have reference to direct role (~owner role)
Requirements extracted from: https://wiki.czechidm.com/priv/navrh/byznys_role
Updated by Radek Tomiška over 6 years ago
- Related to Task #1139: Life cycle of role - analysis added
Updated by Radek Tomiška over 6 years ago
- Status changed from New to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
Business roles are implemented.
Documentation:
https://wiki.czechidm.com/devel/documentation/roles
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_an_identity_profile
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_a_role_detail
https://wiki.czechidm.com/devel/documentation/application_configuration/dev/scheduled_tasks/task-scheduler#addnewrolecompositiontaskexecutor
https://wiki.czechidm.com/devel/documentation/architecture/dev/events#identityroleassignsubrolesprocessor
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/fce531a3e12209d2420e56eadd6707844fccb5bd
Implementation notes:
- entity IdmRoleComposition reused (resurected) for business role definition
- sub roles defined by business roles are automatically assigned to identity with the same validity as business (~direct) role. Sub roles are assigned asynchronously (NOTIFY event on IdmIdentityRoleDto)
- when business role definition is cretaed / removed, then assigned roles are recounted by LRT (see documentation)
- added new attribute 'code' for IdmRole (Codeable interface is now fully supported), created new frontend component for autofill name attribute by code, if name is the same (name is not unique now - just decorator)
- removed all lazy lists from IdmRole - elementary services, rests, tabs created for IdmRoleComposition, IdmRoleCatalogueRole, IdmRoleGuarantee, IdmRoleGuaranteeRole, added authorization policies support (see documentation).
- event processing support added for IdmRoleGuarantee, IdmRoleGuaranteeRole, IdmRoleComposition
- boolean flag 'automaticRole' removed from IdmIdentityRole and dto
- repository usage for finding role by catalogue was rewritten
- RoleCatalogueRoleRepository usign criteria api for finding now
- IdmRoleGuarantee, IdmRoleGuaranteeRole, IdmRoleComposition - external id added
- Created new rest endpoint for read assigned identity roles (IdmIdentityRoleController), Added filter by direct role and by business role. New rest endpoint is used on identity detail on tab with assigned roles - pagination and sort is supported now (sorted by role name by default). Tab with assigned roles redesigned - horizontal tabs are used now, business roles are shown, showloading was fixed, duplicate requests for loading identity and roles removed.
- loading and rendering bulk actions for tables was optimized (loaded only once) - bulk operation for event queue was added. Removing parent / direct events removes all cild events automatically.
- event processing improved - added parent event processing. When all child events is processed, then NOTIFY event on root event is published (used on role requests, when role request is processed after all roles are processed). parent event can be published, when child event is created and published (see EventableDtoService).
- new Badge frontend component created - can be used for count of records (see tab with identity roles)
Could you do a feedback, pls?
Updated by Radek Tomiška over 6 years ago
- Related to Task #1221: Improve roles list on user added
Updated by Vít Švanda over 6 years ago
I did review and test. Code looks awesome and bussiness role works perfectly.
I found some minor issues:- Bulk operation (remove role on identity) allow remove roles assigned as subrole (not direct).
- Role info component try to load count of sub roles. Issue occures when user does not have a permissions on role-composition.
- Messages on add or remove compositions should be 'blue'. Name of role missing in the messages.
- Event table - will be nice to have filter by root ID.
Updated by Radek Tomiška over 6 years ago
I fixed all point from feedback:
https://github.com/bcvsolutions/CzechIdMng/commit/10bd4745a6cd9a1c1e5b078b97f3da3faaf0f0e7
Could you retest it, pls?
Updated by Vít Švanda over 6 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I retested it and works prefectly now.
Updated by Radek Tomiška over 6 years ago
- Status changed from Resolved to Closed
Updated by Ondřej Kopr about 6 years ago
- Related to Defect #1333: Wrong filtering by code in role service added
Updated by Radek Tomiška about 4 years ago
- Related to Defect #2600: Removing authorization policy form role assigned to many users fails added