Project

General

Profile

Actions

Task #1574

closed

Task #1560: Testing of the product (9.5.0)

Role deduplication process: result not quite expected

Added by milus kotisova over 5 years ago. Updated over 5 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Ondřej Kopr
Category:
Roles
Target version:
-
Start date:
03/25/2019
Due date:
% Done:

0%

Estimated time:
Owner:

Description

@affected version 9.5.0

Wiki documentation states:
"Deduplication removes only manually added roles.
Roles that were assigned by automatic roles or by business roles will never be removed."

TC 182: Roles- deduplicating roles (with approval WF process)
https://kiwi.czechidm.com/case/182/

Initial state of identity's roles - see screenshots
Final state of identity's roles - see screenshots
2 gifs also included

Assessment:
1. As admin I clicked on the bin icon - on the request - to remove the Testovaci_role with the validity dates set (15.3.2019-30.4.2020). It would be helpful to add a pop-up window, informing the user that by clicking on the bin equals to withdrawing this particular role from the selection to be removed, perhaps the opposite of what they are thinking. ("Are you sure you want to keep this role that is a duplicate of another role?") To reinforce the fact that the pinkish highlighted area indicates the roles that are to be removed.

2. The request is a deduplication operation, and so it should clearly state the purpose of the request (DEDUPLICATION). Especially once it is split into subprocesses (because 2 roles are incompatible). There is no way for the manager to differentiate it from any other regular role-removal request (see subprocess for role 2 - I declined this part of the request, as I wanted to keep this role, but I didn't know it was initiated by deduplication, in fact). Perhaps there should be more contextual information for the manager to make the right decision. Or perhaps a pop-up window - when the manager declines the request - "Are you sure you want to keep this role that is a duplicate of another role?"

3. I am not sure any more how to interpret the 2 statements above (from the documentation) given the results. Some business subroles did disappear, after all.

4. As it is, at the end I am still left with
3x Testovaci_role (1 manual, 2 business subroles) - OK, I overrode the deduplication in one case (Testovaci role with validity dates by unclicking the removal) - which is great that I can do that.
2x Testovaci_role2 - here, I also overrode the deduplication in one case.

But even if I hadn't taken any action and hadn't overridden the deduplication process, I would still be left with 2 duplicate roles - Testovaci role
Is this the correct result?

5. Perhaps there should be a follow-up evaluation loop at the backend after the end of approval process to make sure all role duplicities have really been gotten rid of. And a message to admin as well as the manager about the result of deduplication (?).

6. Does the evaluation algorithm actually consider just 2 roles at a time, couldn't it evaluate more than 2 (when there is an odd count of roles)?

Thank you.

BTW: I appreciate your changing the header from "Napřímo přidělené role" to "Přiděleno díky roli" :-)


Files

Initial_state.png (136 KB) Initial_state.png milus kotisova, 03/25/2019 01:34 PM
Initial_State_2.png (107 KB) Initial_State_2.png milus kotisova, 03/25/2019 01:34 PM
Vysledek_deduplikace1.png (105 KB) Vysledek_deduplikace1.png milus kotisova, 03/25/2019 01:34 PM
Vysledek_deduplikace2.png (97.1 KB) Vysledek_deduplikace2.png milus kotisova, 03/25/2019 01:35 PM
zadost_deduplikace_bez_kontextu.png (67.3 KB) zadost_deduplikace_bez_kontextu.png milus kotisova, 03/25/2019 01:35 PM
header.png (17.1 KB) header.png milus kotisova, 03/25/2019 02:11 PM
Actions

Also available in: Atom PDF