Feature #1299

SoD: Mutual incompatibility of roles in CzechIdM

Added by Vladimír Kotýnek 7 months ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Category:
Roles
Target version:
Start date:
10/08/2018
Due date:
% Done:

100%


Description

The old generation of CzechIdM had a role incompatibility feature (https://blog.bcvsolutions.eu/neslucitelnost-roli/). The incompatibility means that you can define restrictions on roles A and B that will forbid any user or process to assign those two roles together to the same user.
In the new generation of CzechIdM we would like to have a similar feature. However, due to our experience from CzechIdM deployments on projects, we want the incompatibility to be "soft". It means that CzechIdM will allow the user to have incompatible roles assigned to the identity, but an administrator/security manager will be notified about this incident. Security will also have tools to generate reports with users and their incompatible roles.
It would be nice if CzechIdM was able to show a warning sign to the user in the role request form and in the role request task if the requested role is incompatible with other assigned/requested roles of the identity.
Before the implementation itself begins, a better feature specification should be made.

identity-incompatible-role-report-20190116102527.xlsx - Report with identities with assigned incompatible roles (19.5 KB) Radek Tomiška, 01/16/2019 11:44 AM
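
The "soft" incompatibility described in this ticket, as an added Python example that is not CzechIdM code: the request is always granted, new conflicts come back as warnings, and a report lists identities that hold incompatible roles. All role names, the business role composition and the function names are constructed assumptions for illustration.

```python
from itertools import combinations

# Constructed sample data (not from CzechIdM): incompatible pairs and business roles.
INCOMPATIBLE = {frozenset(p) for p in [("invoice-creator", "invoice-approver"),
                                       ("db-admin", "auditor")]}
BUSINESS_ROLES = {"finance-lead": {"invoice-approver", "report-viewer"}}


def expand(roles):
    """Resolve business roles to the full set of roles they grant (transitively)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(BUSINESS_ROLES.get(role, ()))
    return seen


def conflicts(roles):
    """Return the incompatible pairs present in the expanded role set, sorted."""
    effective = sorted(expand(roles))
    return [(a, b) for a, b in combinations(effective, 2)
            if frozenset((a, b)) in INCOMPATIBLE]


def request_roles(assigned, requested):
    """Soft SoD: the request is always granted; new conflicts are returned as warnings."""
    before = set(conflicts(assigned))
    result = set(assigned) | set(requested)
    warnings = [pair for pair in conflicts(result) if pair not in before]
    return result, warnings


def report(identities):
    """Map each identity that holds incompatible roles to its conflicting pairs."""
    return {user: found for user, roles in sorted(identities.items())
            if (found := conflicts(roles))}
```

The conflict in the first test case below is only visible after the business role is expanded, which is why the check runs on the effective role set rather than on the directly assigned roles.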


Related issues

Related to CzechIdM - Task #1469: SoD: improve report renderer - split columns Closed 01/23/2019

History

#2 Updated by Vít Švanda 5 months ago

  • Target version changed from Onyx (9.3.0) to Opal (9.4.0-rc.1)

#3 Updated by Vít Švanda 5 months ago

  • Target version changed from Opal (9.4.0-rc.1) to Opal (9.4.0)

#4 Updated by Radek Tomiška 4 months ago

  • Status changed from New to In Progress

#5 Updated by Radek Tomiška 3 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

Feature is implemented:
- incompatible roles can be defined. When role request is enabled, the definition of an incompatible role has to be approved (role lifecycle).
- incompatible roles warning is shown on role request, identity roles and business roles
- report of currently assigned incompatible roles to identities is created (in core)

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/bd561d159ca602f74dfc275a801d7c02f7712e13

Doc:
https://wiki.czechidm.com/devel/documentation/roles#incompatible_roles

Could you please do a review and update ERD diagram (I'll have to upgrade my PC already :))?

#7 Updated by Vít Švanda 3 months ago

  • Target version changed from Opal (9.4.0) to Opal (9.4.0-rc.2)

#8 Updated by Vít Švanda 3 months ago

ERD diagram completed.

#9 Updated by Vít Švanda 3 months ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška

I did a review and tested it. Works fine and the code looks nice too.

Thanks for that

Creation of the approval process will be realized in ticket #1460.

#10 Updated by Radek Tomiška 3 months ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

#11 Updated by Radek Tomiška 3 months ago

  • Related to Task #1469: SoD: improve report renderer - split columns added
