Defect #1233
closed
Unassigning one of the roles granting system account deletes and recreates account on end system.
0%
Description
To replicate this situation, use the following steps:
1. Create role "R" granting account on some system
2. Create organisation "O" with automatic role "R" assigned to it
2. Create user "U" with contract outside of this organisation
3. Assign role "R" directly to user "U"
4. Change contract position, so it now is on organisation "O"
5. Unassign role "R" which was assigned directly
6. You have arrived at your destination :) At this point there are DELETE and CREATE operations in provisioning queue
This needs to be fixed ASAP as it may completely break user account (change password, delete email messages, ...). Also take into consideration that some environments are slow, so grouping DELETE and CREATE into UPDATE may not be sufficient solution.
Affected version: 8.2.x
Updated by Vít Švanda over 5 years ago
I tested this on the version 9.0.0 (for now).
I cannot simulate the problem.
- Do you have enable async processing?
- Have you waited for end of LRT assigned the automatic role (before removing direct assigned role)?
Updated by Vít Švanda over 5 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Vít Švanda to Peter Štrunc
I tried that on version 8.2.0 and I think the problem does not exists.
I predicate this scenario:
4. After change position to O is starting process for recalculation automatic role. That process is async.
5. Removing direct assigned role is delete operation and that is every run as SYNC. So if you will not wait on end previous process, then account will be delete immediate (becouse sync). This is cause of your situation - first DELETE and then CREATE (after finished recalculation of automatic role) account.
Updated by Peter Štrunc over 5 years ago
I waited until roles were assigned. On a page with user roles there were two roles "R" assigned - one by automatic rule and one directly. Then i unassigned the directly assigned role and the above mentioned happened. So process of assigning automatic roles was already finished. I guess we can study the situation on a project on which the situation occured. It may be an issue of a configuration, but i am not able to tell at this point. I will consult it with someone from the dev team when they come to visit us :)
Updated by Vít Švanda over 5 years ago
I waited until roles were assigned.
And here will be the problem, roles (IdentityRole) are assigned quickly, but "problem" occures on assigned IdentityAccount relations and that is different queue and async process. So you can remove directly assigned role after in the table on tab "Accounts/Links to accounts" are two relations (more concretlly ... after finished account management invoked by assigned automatic role).
So you need waiting until accounts were assigned.
Updated by Marcel Poul over 5 years ago
- Priority changed from Immediate to High
Seems as a consequence of asynchronicity (which still the customer cannot understand as a standard behaviour). I lower the priority
@Peter please check it
We still have to think of how to improve the behaviour or improve GUI.
Updated by Radek Tomiška over 5 years ago
- Target version changed from Moonstone (9.1.0) to Morganite (9.2.0)
Updated by Radek Tomiška over 5 years ago
- Target version changed from Morganite (9.2.0) to Onyx (9.3.0)
Updated by Radek Tomiška over 5 years ago
- Status changed from Needs feedback to Rejected
I'm closing this obsolete ticket. Can be opened, if required additional information will be provided.