Defect #1980
Recalculate accounts bulk action deletes and creates account, if the role was previously assigned without connected system

Added by Alena Peterová over 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Category: Account management
Target version:
Start date: 12/09/2019
Due date:
% Done: 100%
Estimated time:
Affected versions:
Owner:

Description

Version 9.7.11
Situation:
  • an identity has an assigned role LDAP, which (now) has the connected system LDAP.
  • the identity has an account on LDAP linked by this role, but without the "roleSystem" property (the link was originally made by the default role in the synchronization, when the role didn't have the system yet)
  • run "Recalculate accounts and provision" on this identity
  • the account is deleted
  • run "Recalculate accounts and provision" on this identity again
  • the account is created

Expected behavior: The account is not deleted by this action. Maybe the account link is updated (roleSystem added), or recreated.

You can see from the screenshots that no other action than ACM was run for this identity (the role was assigned the whole time).

Audit: (screenshot audit.png, attached below)

Provisioning archive: (screenshot provisioning.png, attached below)

Files

  • acm_bulk.png (19.3 KB), Alena Peterová, 12/09/2019 05:03 PM
  • provisioning.png (22.8 KB), Alena Peterová, 12/09/2019 05:03 PM
  • audit.png (37.7 KB), Alena Peterová, 12/09/2019 05:03 PM

Actions #1

Updated by Alena Peterová over 4 years ago

  • Description updated (diff)
Actions #2

Updated by Alena Peterová over 4 years ago

How to find accounts which could be affected by this:

-- identity-account links created by a role assignment (identity_role_id set)
-- that are not backed by any role-system mapping (role_system_id missing)
select ss.name, ii.username, aa.uid
from acc_identity_account aia
join idm_identity ii on aia.identity_id = ii.id
join acc_account aa on aa.id = aia.account_id
join sys_system ss on aa.system_id = ss.id
where aia.identity_role_id is not null
  and aia.role_system_id is null;

Actions #3

Updated by Alena Peterová over 4 years ago

  • Tracker changed from Task to Defect
Actions #4

Updated by Vít Švanda over 4 years ago

  • Target version set to 10.1.0
Actions #5

Updated by Vít Švanda over 4 years ago

  • Status changed from New to In Progress
Actions #6

Updated by Vít Švanda over 4 years ago

  • Target version changed from 10.1.0 to Rhyolite (9.7.15)
  • % Done changed from 0 to 90

I confirmed your scenario. The account is deleted and created.

I see the basis of this problem in the second step (the link was originally made by the default role in the synchronization, when the role didn't have the system yet). This caused the data to be "broken" (you have a role assigning accounts, but without a system mapping).

The bulk ACM operation only fixes the data and removes the account. Pairing of disconnected relations has never been implemented here.

I fully understand what behavior you need and expect, so I implemented this pairing now. It was a pain to find the correct place, but I think it works correctly now. It means that if ACM finds an existing identity-account without a role-system, then the ID of the role-system is set and saved to the identity-account (during ACM).

Commit with test:

https://github.com/bcvsolutions/CzechIdMng/commit/6e0c0906e322fd54f8424a4626ad9328533938ed
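The two behaviors discussed in this thread (9.7.11 deleting the account and recreating it on the next pass, versus the fix pairing the link with its role-system), as a constructed model added here; this is not CzechIdM code. Column names follow the SQL in comment #2; the identity-account shape, the role-system mapping dict and the assumption that a pass only creates accounts on systems where none was present when the pass started are all simplifications.

```python
# Constructed model of the ACM recalculation described in this defect. Not
# CzechIdM code: the column names follow the SQL in comment #2, and the flow
# is a simplified guess at the behaviour the thread describes.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class IdentityAccount:                # one acc_identity_account row (constructed)
    uid: str                          # acc_account.uid
    system: str                       # sys_system.name
    identity_role_id: Optional[str]   # role assignment that made the link
    role_system_id: Optional[str]     # role-system mapping covering the link

def recalculate(username: str, links: List[IdentityAccount],
                assigned_roles: Dict[str, str],
                role_systems: Dict[str, Tuple[str, str]],
                pair_disconnected: bool) -> Tuple[List[IdentityAccount], List[str]]:
    """One 'Recalculate accounts and provision' pass for one identity.
    assigned_roles: identity_role_id -> role name
    role_systems:   role_system_id  -> (role name, system name)
    Returns the surviving links and the provisioning operations performed.
    """
    ops: List[str] = []
    present = {link.system for link in links}   # accounts seen at pass start
    # role-systems the identity's current roles entitle it to
    wanted = {rs: system for rs, (role, system) in role_systems.items()
              if role in assigned_roles.values()}
    kept: List[IdentityAccount] = []
    for link in links:
        if link.role_system_id in wanted:
            kept.append(link)
            continue
        role = assigned_roles.get(link.identity_role_id)
        match = [rs for rs, (r, s) in role_systems.items()
                 if r == role and s == link.system]
        if pair_disconnected and match:
            # fixed behaviour: attach the missing role-system, keep the account
            link.role_system_id = match[0]
            ops.append(f"UPDATE {link.system}/{link.uid}")
            kept.append(link)
        else:
            # 9.7.11 behaviour: no role-system backs this link, so it is dropped
            ops.append(f"DELETE {link.system}/{link.uid}")
    covered = {link.role_system_id for link in kept}
    for rs, system in wanted.items():
        if rs not in covered and system not in present:
            kept.append(IdentityAccount(username, system, None, rs))
            ops.append(f"CREATE {system}/{username}")
    return kept, ops
```

Running two passes with pair_disconnected=False reproduces the delete-then-create sequence from the description; with pair_disconnected=True the first pass only updates the link and the second pass is a no-op.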

Actions #7

Updated by Vít Švanda over 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
Actions #8

Updated by Radek Tomiška about 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 90 to 100

I did a test and code review; it works, the account is only modified now (the roleSystem relation is filled properly by the newly configured mapping), thx!

Actions #9

Updated by Radek Tomiška about 4 years ago

  • Status changed from Resolved to Closed