Task #2002

Managers of contracts ended in the past shouldn't be able to change roles for current contract

Added by Tomáš Doischer 9 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Category: -
Target version:
Start date: 01/06/2020
Due date:
% Done: 100%
Estimated time:

Description

The situation is as follows:
  • a user has a contract C and a manager A
  • contract C ends and a new contract D is created for the user
  • problem: manager A still can change roles for the contract D and approve role requests on contract D even though he is not the manager of the contract D

This is an issue closely related to the one in #1146 but probably easier to fix (maybe ended contracts will not have a manager).

Just to add, we do want a manager of contract valid in future to be able to change roles of the contract.


Related issues

Related to CzechIdM - Feature #1146: Managers should change roles only for the contracts, for which they are managers (Closed, 01/06/2020)

Related to CzechIdM - Task #2204: Authorization policies: Add permission to identity by contract (transitively) (Closed, 04/14/2020)

History

#1 Updated by Radek Tomiška 9 months ago

  • Assignee changed from Radek Tomiška to Tomáš Doischer

UC: When new contract D is not created, then no manager can edit this identity. This is the reason why evaluators for subordinates are designed this way (contract state is ignored for subordinates).
Are you sure about this requirement?

#2 Updated by Marcel Poul 9 months ago

  • Parent task deleted (#1146)

#3 Updated by Marcel Poul 9 months ago

  • Related to Feature #1146: Managers should change roles only for the contracts, for which they are managers added

#7 Updated by Tomáš Doischer 7 months ago

  • Assignee changed from Tomáš Doischer to Radek Tomiška

After the discussion on Slack, we arrived at the conclusion that we do need the manager of an ended contract to manually edit the user. So we would like it to work like this:

A manager of a contract ended in the past
  • CAN edit the identity
  • CANNOT approve its role requests (no tasks should be created for the manager)

Can you please implement this?

#9 Updated by Radek Tomiška 5 months ago

  • Assignee changed from Radek Tomiška to Vladimír Kotýnek

We didn't finish a discussion for this requirement, the last question remains open:
Do we need the manager of an ended contract to be able to edit the user?

Could you please confirm this requirement coming from your project only?

#10 Updated by Radek Tomiška 5 months ago

  • Related to Task #2204: Authorization policies: Add permission to identity by contract (transitively) added

#11 Updated by Radek Tomiška 5 months ago

  • Status changed from New to In Progress
  • Assignee changed from Vladimír Kotýnek to Radek Tomiška
  • Target version set to 10.3.0

We have consensus to implement this feature as original requirement says, so ended contract will not have a manager.

Summary: A manager of a contract ended in the past
  • CANNOT edit the identity
  • CANNOT approve its role requests (no tasks should be created for the manager)

#12 Updated by Radek Tomiška 5 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

It's implemented. Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/3246ea1ca2aed88a83eb08ef40d3279256de791c

Doc:
https://wiki.czechidm.com/devel/documentation/architecture/dev/filters

Could you provide me a feedback, please?

#13 Updated by Radek Tomiška 5 months ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 50

As we consulted on Friday - we need all variants, because managers of invalid contract have to be provisioned.
So all changes above have to be refactored and new filter has to be created and used in requests and security.

#14 Updated by Radek Tomiška 5 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 50 to 90

New method ``IdmIdentityService#findAllManagers(UUID, UUID, Boolean)`` was added. Use this method to get managers of valid contracts (as approvers) in your custom scripts and workflows. This new method is used in product workflows. All product filters for find managers were updated and new optional parameter ``validContractManagers`` was added - change behavior in your custom (overridden) filters if needed.
Contract state (DISABLED) is ignored by this new filter - filter works just with contract dates.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/6ff3b859e7897514f9eb6433e1a28bb17a6efc7e

Doc:
https://wiki.czechidm.com/devel/documentation/architecture/dev/filters

Could you provide me a feedback, please?
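
Added example (not part of the original ticket and not CzechIdM code): a standalone Java sketch of the date-only rule described in update #14, where managers of contracts ended in the past are dropped from the approver set while the DISABLED state is ignored. The `Contract` record, `findManagers` and the sample data are hypothetical; treating `validTill` as inclusive is an assumption.

```java
import java.time.LocalDate;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class ValidContractManagersExample {

    // Hypothetical, simplified contract record; not a CzechIdM class.
    record Contract(String name, String manager, LocalDate validFrom,
                    LocalDate validTill, boolean disabled) {

        // Ended in the past = validTill is set and lies before today.
        // validFrom is not checked, so future-valid contracts still count.
        // The disabled flag is not checked either: only dates matter.
        boolean endedBefore(LocalDate today) {
            return validTill != null && validTill.isBefore(today);
        }
    }

    // validContractManagers == TRUE       -> managers usable as approvers
    // validContractManagers == null/FALSE -> all managers (e.g. for provisioning)
    static Set<String> findManagers(List<Contract> contracts,
                                    Boolean validContractManagers,
                                    LocalDate today) {
        Set<String> managers = new TreeSet<>();
        for (Contract c : contracts) {
            if (Boolean.TRUE.equals(validContractManagers) && c.endedBefore(today)) {
                continue; // manager of an ended contract must not approve
            }
            managers.add(c.manager());
        }
        return managers;
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2020, 6, 1); // constructed sample date
        List<Contract> contracts = List.of(         // constructed sample data
            new Contract("C", "managerA", LocalDate.of(2019, 1, 1), LocalDate.of(2020, 3, 31), false),
            new Contract("D", "managerB", LocalDate.of(2020, 4, 1), null, false),
            new Contract("E", "managerC", LocalDate.of(2020, 9, 1), null, false),
            new Contract("F", "managerD", LocalDate.of(2020, 1, 1), LocalDate.of(2020, 12, 31), true));

        System.out.println("approvers: " + findManagers(contracts, true, today));
        System.out.println("all:       " + findManagers(contracts, null, today));
    }
}
```

With the filter on, the manager of ended contract C is excluded while the managers of the current, future-valid and disabled contracts remain; with it off, all four are returned.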

#15 Updated by Vít Švanda 5 months ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did review and test. Manager cannot change roles for expired subordinate's contract now. If a contract is future valid, then assigned roles can be modified by manager.

Thanks for this feature.

#16 Updated by Radek Tomiška 4 months ago

  • Status changed from Resolved to Closed
