Task #1225
closed
Synchronization of protection mode
100%
Description
In synchronization with the 'not linked' action, there are two features which could be very helpful.
- in 'not linked' synchronization, identities which do not have a valid contract, or will have one only in the future, could be just updated and no link would be created
- in 'not linked' synchronization, for identities which do not have a valid contract, move their account to 'account protection'
Both of them could be turned off.
This would be helpful, for example, in synchronization from AD, where some identities have already been blocked and, after normal synchronization, they'd never be erased in AD.
Updated by Patrik Stloukal over 6 years ago
So I consulted this issue with Vít, and the situation of not linking an identity without a valid contract should not be implemented.
If a user on the system is equivalent to an identity in IdM, it should be linked.
Updated by Marcel Poul over 6 years ago
Patrik Stloukal wrote:
So I consulted this issue with Vít, and the situation of not linking an identity without a valid contract should not be implemented.
If a user on the system is equivalent to an identity in IdM, it should be linked.
This can easily be implemented as a checkbox. But in real life, we sometimes really need to NOT link those accounts. They might be some kind of relict, which the customer is advised to manually remove from the connected system. It really causes us trouble having an account linked without a role, and we spend a lot of time clearing the data afterwards.
Updated by Marcel Poul over 6 years ago
Patrik Stloukal wrote:
- in 'not linked' synchronization, identities which do not have a valid contract, or will have one only in the future, could be just updated and no link would be created
@Patrik - not sure that update is wanted. On the contrary just ignore it (not link it) - https://wiki.czechidm.com/priv/program830
Updated by Alena Peterová over 6 years ago
- Status changed from New to In Progress
- Assignee changed from Vít Švanda to Alena Peterová
Updated by Alena Peterová about 6 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Alena Peterová to Vít Švanda
- % Done changed from 0 to 80
- LINK - for backward compatibility, accounts for inactive owners are linked with Warning
- LINK_PROTECTED - accounts for inactive owners are linked and put to protection
- DO_NOT_LINK - accounts for inactive owners are not linked and identities are not updated, result is Ignore.
Also, the flag "wish" for system entities is now handled during synchronization. If the system entity has "wish", but the synchronization knows that the entity on the system really exists, then the "wish" is removed. Only when the situation is LINKED and the action Ignore, or the property idm.acc.provisioning.allowedAutoMappingOnExistingAccount is false, then the synchronization doesn't remove this flag. Otherwise, removing the flag would effectively do auto mapping, which is not desired in those situations.
Implementation: https://github.com/bcvsolutions/CzechIdMng/tree/apeterova/1225-sync-protected-mode
Documentation: ASAP
There is a new flyway script for the acc module.
Could you give feedback, please?
Please note that GUI now doesn't hide "Inactive owner behavior" when default role is removed by the cross in select box. I think this is a bug in the new RoleSelect component and I will consult the potential fix (https://github.com/bcvsolutions/CzechIdMng/tree/apeterova/role-select-onchange-fix) with Radek.
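The rules described in the comment above, modelled as an added example (it is not part of the ticket and is not CzechIdM code). Only the three option names and the property allowedAutoMappingOnExistingAccount come from the ticket; the type and function names, the sample accounts and the reading of the "wish" condition are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class InactiveOwnerBehavior(Enum):  # option names as listed in the comment
    LINK = "LINK"
    LINK_PROTECTED = "LINK_PROTECTED"
    DO_NOT_LINK = "DO_NOT_LINK"


@dataclass(frozen=True)
class Outcome:  # hypothetical type, not a CzechIdM class
    linked: bool
    protected: bool
    result: Optional[str]  # "Warning"/"Ignore" as named in the comment, else None


def resolve_not_linked(owner_active: bool, behavior: InactiveOwnerBehavior) -> Outcome:
    """Outcome of the 'not linked' situation for one account."""
    if owner_active:
        # Assumption: owners with a valid contract are linked as before.
        return Outcome(True, False, None)
    if behavior is InactiveOwnerBehavior.LINK:
        return Outcome(True, False, "Warning")
    if behavior is InactiveOwnerBehavior.LINK_PROTECTED:
        return Outcome(True, True, None)
    return Outcome(False, False, "Ignore")  # DO_NOT_LINK: owner is not updated either


def remove_wish(has_wish: bool, exists_on_system: bool, situation: str,
                action: str, allow_auto_mapping: bool) -> bool:
    """True when synchronization clears the "wish" flag of a system entity.

    Assumed reading: the flag stays if (situation LINKED and action Ignore)
    or if allowedAutoMappingOnExistingAccount is false.
    """
    if not (has_wish and exists_on_system):
        return False
    linked_and_ignored = situation == "LINKED" and action == "IGNORE"
    return allow_auto_mapping and not linked_and_ignored


# Constructed sample: (account uid, owner has a valid contract)
ACCOUNTS = [("jnovak", True), ("old.admin", False), ("relic01", False)]


def run_sync(behavior: InactiveOwnerBehavior) -> dict:
    return {uid: resolve_not_linked(active, behavior) for uid, active in ACCOUNTS}


def left_unmanaged(behavior: InactiveOwnerBehavior) -> list:
    """Accounts that stay unlinked and need manual review on the source system."""
    return [uid for uid, out in run_sync(behavior).items() if not out.linked]
```

With DO_NOT_LINK, `left_unmanaged` returns the accounts of inactive owners, which is the set the earlier comment says the customer is advised to remove manually from the connected system.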
Updated by Alena Peterová about 6 years ago
- Has duplicate Task #844: Sync of protection mode added
Updated by Ondřej Kopr about 6 years ago
Fix the SQL Server flyway script: https://github.com/bcvsolutions/CzechIdMng/commit/09f9396c2e3bffc5647d20d51c9e26007c356d09 (branch: apeterova/1225-sync-protected-mode)
Now application started.
Updated by Vít Švanda about 6 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Alena Peterová
- % Done changed from 80 to 100
I did a review and test. Everything works correctly, the code is nice. Thanks for that.
- I had comments on the situation when an identity has a contract valid in the future. In this case the account is switched to protected mode. This is strange, but it behaves the same via the UI. So I agree with this same behavior in sync of protection.
- Please don't forget about the documentation in the wiki :-).
- I merged the branch to develop.
Updated by Alena Peterová about 6 years ago
Vít Švanda wrote:
I did a review and test. Everything works correctly, the code is nice. Thanks for that.
- I had comments on the situation when an identity has a contract valid in the future. In this case the account is switched to protected mode. This is strange, but it behaves the same via the UI. So I agree with this same behavior in sync of protection.
I consulted this with Marcel and we will make another feature request from this (not needed for 9.2.3), together with the option to assign the default role for all valid contracts.
- Please don't forget about the documentation in the wiki :-).
I keep it in mind :-)
- I merged the branch to develop.
Thank you.
Updated by Vít Švanda about 6 years ago
- Subject changed from Add to synchronization - put account to protection and not link entity action to Synchronization of protection mode
Updated by Alena Peterová about 6 years ago
Changelog and ER diagram were updated, pull request is on Vítek.
Updated by Vít Švanda about 6 years ago
- Status changed from Resolved to Closed
Thanks for the nice documentation. The update of the ER diagram is in develop now.
Updated by Radek Tomiška over 5 years ago
- Related to Defect #1709: Select box Behavior of the default roles shouldn't be active for newly set synchronization added