Defect #1201
closed
Reconciliation with default role creates duplicate links to account
Added by Petr Hanák over 6 years ago.
Updated over 6 years ago.
Description
IdM version 8.1.2
I removed all roles before sync.
Reconciliation config:
We need to import DN from AD => not linked is set to create role and update entity
Automatic role is not configured, AD user role is assigned only by default role in sync.
Every user with the AD user role has got a duplicate link to the account after reconciliation.
Attachment: screen of user audit.
- Target version set to Malachite (9.0.0)
We also have this behavior on project after migration to production.
- Status changed from New to In Progress
I simulated that problem:
- I suppose your default role maps the same system, is that true?
- In this case, the first relation is created by assigning the role, via standard ACM.
- The second relation is created in the synchronization on assigning the default role.
- In the synchronization I accounted for this and I check for duplicates. When the same identity-account relation exists (for the same identity-role), then it is used and no new one is created. That duplicate check doesn't work now. The cause of this problem is the asynchronicity, because ACM (on the default role) is not started synchronously now (the duplicate check is executed too early).
I have two temporary workarounds:
1. Turn off asynchronicity during sync.
2. Remove the mapping on the system from the default role. Then execute the sync and, after it ends, create the mapping in the default role.
Fix for that will be in the version 9.1.0.
- Target version changed from Malachite (9.0.0) to Moonstone (9.1.0)
- Assignee changed from Vít Švanda to Radek Tomiška
Here we need to have a way to start a role-request synchronously in an async environment.
- IdentitySynchronizationExecutor(301)
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Ondřej Kopr
- % Done changed from 0 to 90
- Status changed from Needs feedback to Resolved
- Assignee changed from Ondřej Kopr to Radek Tomiška
- % Done changed from 90 to 100
I did the review and tests. It's a little bit complicated for me, because I haven't configured a system with working synchronization and provisioning (I have a clean develop environment - new db mssql). But I tested it and it works; I had one account for the system with synchronization and provisioning (role with provisioning was added).
Thank you for the fix. Works as I expect.
- Status changed from Resolved to Closed
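The check-then-create race analysed in this ticket, reduced to a small deterministic model, with a helper that lists duplicated identity-account relations. This is an added example, not code from the product or from the ticket's participants; the class and function names, the queue standing in for the async executor, and the sample users are assumptions.

```python
from collections import Counter, deque

class ReconciliationModel:
    """Toy model of the flow in this ticket; every name here is hypothetical."""

    def __init__(self, async_acm):
        self.async_acm = async_acm
        self.links = []         # identity-account relations: (identity, account, identity_role)
        self.pending = deque()  # stands in for the async executor's task queue

    def _acm(self, link):
        # Account management for a role that maps the system creates the relation.
        self.links.append(link)

    def assign_default_role(self, link):
        if self.async_acm:
            self.pending.append(link)  # ACM runs later, after the caller has moved on
        else:
            self._acm(link)            # ACM finishes before the caller continues

    def reconcile(self, identity, account, role):
        link = (identity, account, role)
        self.assign_default_role(link)
        # Duplicate check: reuse an existing relation for the same identity-role.
        if link not in self.links:
            self.links.append(link)

    def drain(self):
        # Run the deferred ACM tasks, as the async executor eventually would.
        while self.pending:
            self._acm(self.pending.popleft())

def links_after_sync(async_acm, users):
    model = ReconciliationModel(async_acm)
    for identity, account in users:
        model.reconcile(identity, account, "AD user")
    model.drain()
    return model.links

def duplicate_links(links):
    """Return relations that occur more than once, with their counts."""
    return {link: n for link, n in Counter(links).items() if n > 1}

# Constructed sample data.
USERS = [("jnovak", "CN=jnovak,OU=Users,DC=example,DC=test"),
         ("psvoboda", "CN=psvoboda,OU=Users,DC=example,DC=test")]

if __name__ == "__main__":
    print("async ACM:", duplicate_links(links_after_sync(True, USERS)))
    print("sync ACM: ", duplicate_links(links_after_sync(False, USERS)))
```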