Task #1797
closed
Add new persmission to roles, which can be requested.
Added by Alena Peterová over 4 years ago.
Updated over 4 years ago.
Description
Add new persmission to roles, which can be requested (flag "Can be requested" will be reused). Autocomplete for roles is used for select boxes, used on all places in application (e.g. in business roles). New permission will be used on role request detail, when new role is added.
UC: Expanding the business role doesn't show sub roles sometimes, situation:
- a business role contains two sub roles
- sub roles have "Can be requested" = false
- the business role is assigned to a user
- login as a manager (not superadmin), who has no special permission (namely - userRole has Roles (IdmRole) - View in select box (autocomplete) - RoleCanBeRequestedEvaluator)
- Open the Dashboard
- Try to expand the business role by "+"
- It's empty after expanding and looks like ordinary role
- Also when you get to the assigned roles full detail, it's still displayed wrongly
The request got empty response, which is probably the reason:
The same behavior is also in Directly assigned roles / Request to change roles.
Version 9.7.2
Files
- Tracker changed from Task to Defect
- Assignee changed from Radek Tomiška to Alena Peterová
I think it's about permissions. You don't have permission to autocomplete all roles, just roles which can be requested?
So role have two subroles (count doesn't support permission), but you cannot see them.
- Assignee changed from Alena Peterová to Radek Tomiška
I didn't say, you have wrong permission setting, I'm saying, icon on business role works, as permissions are configured :)
It's about the feature, that we speak before - add new permission to "Can be requested" instead flag. We don't have any mechanism to split this two requirements now (autocomplete vs. "Can be requested").
- Assignee changed from Radek Tomiška to Alena Peterová
I'm not sure which behavior do you expect (hide icon some how or add new permission instead)?
- Assignee changed from Alena Peterová to Radek Tomiška
I expect that when I expand the icon, the sub roles will appear. I don't know how to do it :-)
The most confusing thing is that I can see the sub roles in the table at the bottom. And I can see that they are assigned by business role. So the permissions enable to get this information, somehow. Maybe the expanding icon should call some different endpoint, which will get "the same" information as the bottom table?
- Assignee changed from Radek Tomiška to Alena Peterová
You are mixing two permissions:
- permissions to read Roles - (sub roles)
- permissions to read IdentityRoles (assigned roles - bottom table)
So you want to "expand" icon ignore configured security and call it other way?
- Tracker changed from Defect to Task
- Subject changed from Expanding the business role doesn't show sub roles sometimes to Add new persmission to roles, which can be requested.
- Description updated (diff)
- Assignee changed from Alena Peterová to Radek Tomiška
- Estimated time set to 8.00 h
Other use-case of the new permission:
Some roles can be assigned only by authorized users and without approval. Common users can't assign these roles to themselves.
Now we use workaround by setting criticality 2 and all authorized users as owner. Common users can request these roles, but it must be approved at least.
This workaround is not nice and can lead to #1807.
- Status changed from New to In Progress
- Target version set to Rhyolite (9.7.5)
- Related to Defect #1807: If role has more than 100 owners, the approval process works only with 100 of them added
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
- Status changed from Resolved to Closed
Also available in: Atom
PDF