Defect #1201
Closed: Reconciliation with default role creates duplicate links to account
100%
Description
IdM version 8.1.2
I removed all roles before sync.
Reconciliation config:
We need to import DN from AD => not linked is set to create role and update entity
Automatic role is not configured, AD user role is assigned only by default role in sync.
Every user with the AD user role has got a duplicate link to the account after reconciliation.
Attachment: screen of user audit.
Updated by Petr Michal over 6 years ago
- Target version set to Malachite (9.0.0)
We also have this behavior on a project after migration to production.
Updated by Vít Švanda over 6 years ago
I simulated that problem:
- I suppose your default role maps the same system, is that true?
- In this case the first relation is created by assigning the role, via standard ACM.
- The second relation is created in the synchronization on assigning the default role.
- In the synchronization I counted on this and I check for duplicity. When the same identity-account relation exists (for the same identity-role), it is used and no new one is created. That check on duplicity doesn't work now. The cause of this problem is the asynchronicity, because ACM (on default role) is not started synchronously now (the duplicity check is executed too early).
I have two temporary workarounds:
1. Turn off asynchronicity during sync.
2. Remove the mapping on the system from the default role. Then execute the sync and after it ends create the mapping in the default role.
Fix for that will be in the version 9.1.0.
Updated by Vít Švanda over 6 years ago
- Target version changed from Malachite (9.0.0) to Moonstone (9.1.0)
Updated by Vít Švanda over 6 years ago
- Assignee changed from Vít Švanda to Radek Tomiška
- IdentitySynchronizationExecutor(301)
Updated by Radek Tomiška over 6 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Ondřej Kopr
- % Done changed from 0 to 90
I was able to find and fix the issue: I created a synchronous way of executing role requests. It's used in synchronization and could be used in other background tasks if needed.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/3bf5eaf098708d857bd2df372c632c50337b72ad
Note: duplicate identity accounts could be found and removed by a scripted LRT (see AccIdentityAccountService), if needed.
Could you give feedback, please?
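To make the race described in the two comments above concrete, here is a constructed Python model (added here, not CzechIdM code): the sync starts the default-role request, ACM creates its link asynchronously, and the sync's own duplicity check runs before that link exists, so a second link is created; with the request run synchronously the check finds the existing link. Names such as acm_role_request and the '<name>@ad' accounts are assumptions, and find_duplicate_links shows what the scripted cleanup LRT mentioned above would look for.

```python
import threading
import time
from collections import Counter

# A link is the tuple (identity, role it came from, account); the store is a
# plain list, standing in for the identity-account table. CPython list
# operations are atomic, which is all this model needs.


def acm_role_request(store, link, delay=0.05):
    """ACM processing the role request: it always creates its own link.
    The delay models the asynchronous execution described in the thread."""
    time.sleep(delay)
    store.append(link)


def sync_identity(store, identity, role, account, synchronous):
    """Synchronization step for one not-linked identity: assign the default
    role, then check for an existing link before creating one."""
    link = (identity, role, account)
    request = threading.Thread(target=acm_role_request, args=(store, link))
    request.start()
    if synchronous:
        request.join()  # the fix: wait for the role request to finish first
    if link not in store:  # duplicity check; runs too early when asynchronous
        store.append(link)
    request.join()


def run_reconciliation(identities, synchronous, role="AD user"):
    """Reconcile constructed identities; each gets the account '<name>@ad'."""
    store = []
    for name in identities:
        sync_identity(store, name, role, name + "@ad", synchronous)
    return store


def find_duplicate_links(store):
    """What a cleanup LRT would look for: links stored more than once."""
    return {link: n for link, n in Counter(store).items() if n > 1}


if __name__ == "__main__":
    for mode in (False, True):
        dups = find_duplicate_links(run_reconciliation(["alice", "bob"], mode))
        print("synchronous" if mode else "asynchronous", "->", dups)
```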
Updated by Ondřej Kopr over 6 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Ondřej Kopr to Radek Tomiška
- % Done changed from 90 to 100
I did a review and tests. It's a little bit complicated for me, because I haven't configured a system with working synchronization and provisioning (I have a clean develop environment, a new MSSQL db). But I tested it and it works; I had one account for a system with synchronization and provisioning (a role with provisioning was added).
Thank you for the fix. Works as I expect.
Updated by Radek Tomiška over 6 years ago
- Status changed from Resolved to Closed