Task #1797

closed

Add new permission to roles, which can be requested.

Added by Alena Peterová over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Roles
Target version:
Start date: 08/14/2019
Due date:
% Done: 100%
Estimated time: 8.00 h
Owner:

Description

Add new permission to roles, which can be requested (flag "Can be requested" will be reused). Autocomplete for roles is used for select boxes, used on all places in application (e.g. in business roles). New permission will be used on role request detail, when new role is added.

UC: Expanding the business role doesn't show sub roles sometimes, situation:
  • a business role contains two sub roles
  • sub roles have "Can be requested" = false
  • the business role is assigned to a user
  • login as a manager (not superadmin), who has no special permission (namely - userRole has Roles (IdmRole) - View in select box (autocomplete) - RoleCanBeRequestedEvaluator)
  • Open the Dashboard
  • Try to expand the business role by "+"
  • It's empty after expanding and looks like ordinary role
  • Also when you get to the assigned roles full detail, it's still displayed wrongly

The request got empty response, which is probably the reason:

The same behavior is also in Directly assigned roles / Request to change roles.

Version 9.7.2


Files

business_role_before.png (22.2 KB) Alena Peterová, 08/14/2019 01:58 PM
business_role_after.png (21.6 KB) Alena Peterová, 08/14/2019 01:58 PM
business_role_GET.png (46.3 KB) Alena Peterová, 08/14/2019 01:59 PM
full_detail.png (72.7 KB) Alena Peterová, 08/14/2019 02:00 PM

Related issues

Related to IdStory Identity Manager - Defect #1807: If role has more than 100 owners, the approval process works only with 100 of them (Closed, Vít Švanda, 08/20/2019)

Actions #1

Updated by Alena Peterová over 4 years ago

  • Tracker changed from Task to Defect
Actions #2

Updated by Radek Tomiška over 4 years ago

  • Assignee changed from Radek Tomiška to Alena Peterová

I think it's about permissions. You don't have permission to autocomplete all roles, just roles which can be requested?
So the role has two sub roles (the count doesn't support permissions), but you cannot see them.

Actions #3

Updated by Alena Peterová over 4 years ago

  • Assignee changed from Alena Peterová to Radek Tomiška

Radek Tomiška wrote:

I think it's about permissions. You don't have permission to autocomplete all roles, just roles which can be requested?

Yes. This is because common users can request only for roles that are "can be requested". We can't add autocomplete for all roles, otherwise they could request for all roles.
(Please correct me if I'm wrong. But we consulted how to set userRole in the past and the conclusion was this. https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_an_identity_profile)

Actions #4

Updated by Radek Tomiška over 4 years ago

I didn't say you have a wrong permission setting; I'm saying the icon on the business role works as the permissions are configured :)

It's about the feature that we spoke about before: add a new permission for "Can be requested" instead of the flag. We don't have any mechanism to split these two requirements now (autocomplete vs. "Can be requested").

Actions #5

Updated by Radek Tomiška over 4 years ago

  • Assignee changed from Radek Tomiška to Alena Peterová
Actions #6

Updated by Radek Tomiška over 4 years ago

I'm not sure which behavior you expect (hide the icon somehow or add a new permission instead)?

Actions #7

Updated by Alena Peterová over 4 years ago

  • Assignee changed from Alena Peterová to Radek Tomiška

I expect that when I expand the icon, the sub roles will appear. I don't know how to do it :-)
The most confusing thing is that I can see the sub roles in the table at the bottom. And I can see that they are assigned by business role. So the permissions enable to get this information, somehow. Maybe the expanding icon should call some different endpoint, which will get "the same" information as the bottom table?

Actions #8

Updated by Radek Tomiška over 4 years ago

  • Assignee changed from Radek Tomiška to Alena Peterová

You are mixing two permissions:
- permissions to read Roles - (sub roles)
- permissions to read IdentityRoles (assigned roles - bottom table)

So you want the "expand" icon to ignore the configured security and call it another way?

Actions #9

Updated by Radek Tomiška over 4 years ago

  • Tracker changed from Defect to Task
  • Subject changed from Expanding the business role doesn't show sub roles sometimes to Add new permission to roles, which can be requested.
  • Description updated (diff)
  • Assignee changed from Alena Peterová to Radek Tomiška
  • Estimated time set to 8.00 h
Actions #10

Updated by Alena Peterová over 4 years ago

Other use-case of the new permission:
Some roles can be assigned only by authorized users and without approval. Common users can't assign these roles to themselves.
Now we use workaround by setting criticality 2 and all authorized users as owner. Common users can request these roles, but it must be approved at least.
This workaround is not nice and can lead to #1807.

Actions #11

Updated by Radek Tomiška over 4 years ago

  • Status changed from New to In Progress
  • Target version set to Rhyolite (9.7.5)
Actions #12

Updated by Radek Tomiška over 4 years ago

  • Related to Defect #1807: If role has more than 100 owners, the approval process works only with 100 of them added
Actions #13

Updated by Radek Tomiška over 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

I added a new permission "CANBEREQUESTED" to role. Now we are able to configure permissions separately on role request detail and in bulk actions, which assign roles (add / remove identity roles).

If you have "RoleCanBeRequestedEvaluator" configured in your project already, just switch the permission from "AUTOCOMPLETE" to "CANBEREQUESTED".

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/4f0df596b24276104c343e875851e005e4c94a51

Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization?s[]=userrole#default_settings_of_permissions_for_an_identity_profile

Could you give feedback, please?
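
Added example, not part of the ticket and not CzechIdM code: a small Python model of the permission split discussed in this thread. The roles, the grant lists and the function names are constructed for illustration; only the permission names AUTOCOMPLETE and CANBEREQUESTED and the "Can be requested" flag come from the ticket, and granting AUTOCOMPLETE on all roles in the last policy is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    code: str
    can_be_requested: bool
    sub_roles: tuple = ()

# Constructed sample data: a requestable business role with two sub roles
# that are not requestable, plus one privileged role.
SUB_A = Role("subA", False)
SUB_B = Role("subB", False)
BUSINESS = Role("business", True, (SUB_A, SUB_B))
ADMIN = Role("admin", False)
ROLES = (SUB_A, SUB_B, BUSINESS, ADMIN)

def flagged(role):
    return role.can_be_requested

def any_role(role):
    return True

# A policy is a list of (permission, predicate) grants, a simplified
# stand-in for configured evaluators (hypothetical structure).
BEFORE = [("AUTOCOMPLETE", flagged)]   # one permission serves both purposes
WIDENED = [("AUTOCOMPLETE", any_role)]  # naive fix: autocomplete everything
AFTER = [("AUTOCOMPLETE", any_role), ("CANBEREQUESTED", flagged)]

def allowed(policy, permission, role):
    return any(p == permission and pred(role) for p, pred in policy)

def visible_sub_roles(policy, role):
    """Select-box style read used when expanding a business role."""
    return [r.code for r in role.sub_roles
            if allowed(policy, "AUTOCOMPLETE", r)]

def requestable(policy, request_permission):
    """Roles offered when a new role is added on the role request detail."""
    return [r.code for r in ROLES
            if allowed(policy, request_permission, r)]

if __name__ == "__main__":
    # Before: expansion is empty. Widened: "admin" becomes requestable.
    print(visible_sub_roles(BEFORE, BUSINESS), requestable(BEFORE, "AUTOCOMPLETE"))
    print(visible_sub_roles(WIDENED, BUSINESS), requestable(WIDENED, "AUTOCOMPLETE"))
    # After: sub roles are visible and only flagged roles can be requested.
    print(visible_sub_roles(AFTER, BUSINESS), requestable(AFTER, "CANBEREQUESTED"))
```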

Actions #14

Updated by Vít Švanda over 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I made a test and review. Works correctly. I think this feature solves many problems with showing roles. Thanks for that.

I fixed an issue with focus in the selectbox component. The modal dialog for adding a new concept could not be closed if the user doesn't have rights for "selectbox".
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/84d09d657baae625b2bd0c5dd00170fe3212455c

Actions #15

Updated by Radek Tomiška over 4 years ago

  • Status changed from Resolved to Closed