Task #1917
closed
Copying roles from users - add "Can Be Requested" permission
Added by Alena Peterová about 5 years ago.
Updated about 5 years ago.
Description
Version 9.7.10
When copying assigned roles from users, it ignores the CANBEREQUESTED permission. So I can copy and assign all roles, not only the roles which I can add by standard role selection.
E.g. manager can see all his subordinates and should be able to assign only "requestable" roles to them. But if one of his subordinates has superAdminRole, the manager can effectively assign this role as well.
- Tracker changed from Defect to Task
I supose this feature was designed this way, see:
https://wiki.czechidm.com/tutorial/adm/copying
where all assigned roles and even automatic and sub roles can be copied.
Feature 'Copy of roles' only creates role request, but this request should be approved by workflow, where roles can be removed (e.g. superAdminRole) - it's approver responsibility (if i remeber it right, this was conclusion about this feature).
I'm not sure, if this change is ok for all implementations, we need to analyze this new requirement at first. It goes against original requirements => we will not be able copy automatic and sub roles.
We consulted this in the team - we agreed that we expect, that the permission "Can be requested" determines, if the role can be added by the role request. It doesn't matter if I choose roles by adding them directly, or by copying them from somebody else.
Our expectation was that if the role can't be requested, then nobody except Admin can assign it. So we usually don't set approval process for non-requestable roles; we thought it's not needed. I see it as a workaround for this situation.
"we will not be able copy automatic and sub roles" - This is not exactly true. We have some roles, that can be requested manually and at the same time, some group of users has these roles automatically assigned. I expect that users can copy only the roles, which Can be requested. It doesn't matter if the "example" user has them automatically, or manually.
- Status changed from New to In Progress
- Target version set to Rhyolite (9.7.12)
- % Done changed from 0 to 80
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 80 to 90
- Subject changed from Copying roles from users ignores "Can Be Requested" permission to Copying roles from users - add "Can Be Requested" permission
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did test and review. Code looks great (interesting idea with disable a nodes and double call). Thanks for that.
- Status changed from Resolved to Closed
Also available in: Atom
PDF
