Task #1225

closed

Synchronization of protection mode

Added by Patrik Stloukal over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee: Alena Peterová
Category: Synchronization
Target version:
Start date: 08/28/2018
Due date:
% Done: 100%
Estimated time:
Owner:

Description

In synchronization with the 'not linked' action, there are two features which could be very helpful:
- in 'not linked' synchronization, identities which do not have a valid contract, or will have one in the future, could be just updated and no link would be created
- in 'not linked' synchronization, identities which do not have a valid contract move their account to 'account protection'
Both of them could be turned off.

This would be helpful, for example, in synchronization from AD, where some identities have already been blocked and after normal synchronization, they'd never been erased in AD.


Related issues

Related to IdStory Identity Manager - Defect #1709: Select box Behavior of the default roles shouldn't be active for newly set synchronization (Closed, Radek Tomiška, 06/06/2019)

Has duplicate IdStory Identity Manager - Task #844: Sync of protection mode (Closed, Alena Peterová, 11/22/2017)

Actions #1

Updated by Patrik Stloukal over 5 years ago

So I consulted this issue with Vít and the situation to not link an identity without a valid contract should not be implemented.
If a user on the system is equivalent to an identity in IdM, it should be linked.

Actions #2

Updated by Vít Švanda over 5 years ago

  • Priority changed from High to Normal
Actions #3

Updated by Marcel Poul over 5 years ago

Patrik Stloukal wrote:

So I consulted this issue with Vít and the situation to not link an identity without a valid contract should not be implemented.
If a user on the system is equivalent to an identity in IdM, it should be linked.

This can easily be implemented as a checkbox. But in real life, we sometimes really need to NOT link those accounts. They might be some kind of relic, which the customer is advised to manually remove from the connected system. It really causes us trouble having an account linked without a role and we spend a lot of time clearing the data afterwards.

Actions #4

Updated by Marcel Poul over 5 years ago

Patrik Stloukal wrote:

- in 'not linked' synchronization, identities which do not have a valid contract, or will have one in the future, could be just updated and no link would be created

@Patrik - not sure that update is wanted. On the contrary just ignore it (not link it) - https://wiki.czechidm.com/priv/program830

Actions #5

Updated by Alena Peterová over 5 years ago

  • Status changed from New to In Progress
  • Assignee changed from Vít Švanda to Alena Peterová
Actions #6

Updated by Vít Švanda over 5 years ago

  • Target version set to Onyx (9.3.0)
Actions #7

Updated by Alena Peterová over 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Alena Peterová to Vít Švanda
  • % Done changed from 0 to 80
Synchronization of protected mode is implemented by a new option "Inactive owner behavior" in the specific settings of synchronization of identities. This option is available when a default role is selected. There are 3 values:
  • LINK - for backward compatibility, accounts for inactive owners are linked with Warning
  • LINK_PROTECTED - accounts for inactive owners are linked and put to protection
  • DO_NOT_LINK - accounts for inactive owners are not linked and identities are not updated, result is Ignore.

Also, the flag "wish" for system entities is now handled during synchronization. If the system entity has "wish", but the synchronization knows that the entity on the system really exists, then the "wish" is removed. Only when the situation is LINKED and the action Ignore, or the property idm.acc.provisioning.allowedAutoMappingOnExistingAccount is false, then the synchronization doesn't remove this flag. Otherwise, removing the flag would effectively do auto mapping, which is not desired in those situations.

Implementation: https://github.com/bcvsolutions/CzechIdMng/tree/apeterova/1225-sync-protected-mode
Documentation: ASAP

There is a new flyway script for acc module.

Could you give feedback, please?

Please note that GUI now doesn't hide "Inactive owner behavior" when default role is removed by the cross in select box. I think this is a bug in the new RoleSelect component and I will consult the potential fix (https://github.com/bcvsolutions/CzechIdMng/tree/apeterova/role-select-onchange-fix) with Radek.
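
The three values of "Inactive owner behavior" and the "wish" flag rule from comment #7, modelled as an added example that is not part of the thread and not CzechIdM's own code. `Contract`, `Outcome`, the function names and the "OK" result label are assumptions; treating a contract valid only in the future as inactive follows comment #10, and the sample data is constructed.

```python
from datetime import date
from enum import Enum
from typing import NamedTuple, Optional

class InactiveOwnerBehavior(Enum):
    LINK = "LINK"                      # backward compatible: link, report Warning
    LINK_PROTECTED = "LINK_PROTECTED"  # link and put the account into protection
    DO_NOT_LINK = "DO_NOT_LINK"        # leave unlinked, do not update the identity

class Contract(NamedTuple):            # hypothetical model of an identity contract
    valid_from: Optional[date]
    valid_till: Optional[date]

class Outcome(NamedTuple):
    linked: bool
    protected: bool
    result: str                        # "OK" is an assumed label; WARNING/IGNORE per the thread

def owner_is_active(contracts, today):
    # A contract that only becomes valid in the future does not make the owner
    # active (comment #10: such accounts end up in protection).
    return any((c.valid_from is None or c.valid_from <= today) and
               (c.valid_till is None or today <= c.valid_till) for c in contracts)

def resolve_unlinked(behavior, contracts, today):
    """Outcome for an account in the 'not linked' situation with a default role set."""
    if owner_is_active(contracts, today):
        return Outcome(True, False, "OK")
    if behavior is InactiveOwnerBehavior.LINK:
        return Outcome(True, False, "WARNING")
    if behavior is InactiveOwnerBehavior.LINK_PROTECTED:
        return Outcome(True, True, "OK")
    return Outcome(False, False, "IGNORE")

def keep_wish_flag(situation, action, allow_auto_mapping):
    """True when sync must NOT clear 'wish' on a system entity known to exist."""
    return (situation == "LINKED" and action == "IGNORE") or not allow_auto_mapping

if __name__ == "__main__":
    today = date(2018, 9, 1)           # constructed sample data below
    owners = {
        "active": [Contract(date(2017, 1, 1), None)],
        "expired": [Contract(date(2015, 1, 1), date(2018, 6, 30))],
        "future": [Contract(date(2019, 1, 1), None)],
        "no_contract": [],
    }
    for behavior in InactiveOwnerBehavior:
        for name, contracts in owners.items():
            print(behavior.name, name, resolve_unlinked(behavior, contracts, today))
```

`allow_auto_mapping` stands for the property idm.acc.provisioning.allowedAutoMappingOnExistingAccount named in the comment.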

Actions #8

Updated by Alena Peterová over 5 years ago

  • Has duplicate Task #844: Sync of protection mode added
Actions #9

Updated by Ondřej Kopr over 5 years ago

Fix the sql server flyway script: https://github.com/bcvsolutions/CzechIdMng/commit/09f9396c2e3bffc5647d20d51c9e26007c356d09 (branch: apeterova/1225-sync-protected-mode)

Now application started.

Actions #10

Updated by Vít Švanda over 5 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Alena Peterová
  • % Done changed from 80 to 100

I did review and test. Everything works correctly, code is nice. Thanks for that.

  • I had comments on the situation when an identity has a contract valid in the future. In this case the account is switched to protected mode. This is strange, but it behaves the same via the UI. So I agree with this same behavior in sync of protection.
  • Please don't forget the documentation in the wiki :-).
  • I merged branch to the develop.
Actions #11

Updated by Alena Peterová over 5 years ago

Vít Švanda wrote:

I did review and test. Everything works correctly, code is nice. Thanks for that.

  • I had comments on the situation when an identity has a contract valid in the future. In this case the account is switched to protected mode. This is strange, but it behaves the same via the UI. So I agree with this same behavior in sync of protection.

I consulted this with Marcel and we will make another feature request from this (not needed for 9.2.3) - together with the option to assign the default role for all valid contracts.

  • Please don't forget the documentation in the wiki :-).

I keep it in mind :-)

  • I merged branch to the develop.

Thank you.

Actions #12

Updated by Vít Švanda over 5 years ago

  • Subject changed from Add to synchronization - put account to protection and not link entity action to Synchronization of protection mode
Actions #14

Updated by Alena Peterová over 5 years ago

Changelog and ER diagram were updated, pull request is on Vítek.

Actions #15

Updated by Vít Švanda over 5 years ago

  • Status changed from Resolved to Closed

Thanks for nice documentation. Update of ER diagram is in develop now.

Actions #16

Updated by Radek Tomiška almost 5 years ago

  • Related to Defect #1709: Select box Behavior of the default roles shouldn't be active for newly set synchronization added