Task #2002
closed
Managers of contracts ended in the past shouldn't be able to change roles for currect contract
100%
Description
- a user has a contract C and a manager A
- contract C ends and a new contract D is created for the user
- problem: manager A still can change roles for the contract D and approve role requests on contract D eventhough he is not the manager of the contract D
This is an issue closely related to the one in #1146 but probably easier to fix (maybe ended contracts will not have a manager).
Just to add, we do want a manager of contract valid in future to be able to change roles of the contract.
Related issues
Updated by Radek Tomiška over 4 years ago
- Assignee changed from Radek Tomiška to Tomáš Doischer
UC: When new contract D is not created, then no manager can edit this identity. This is the reason, why are evaluators for subordinates designed this way (contract state is ignored for subordinates).
Are you sure about this requirement?
Updated by Marcel Poul over 4 years ago
- Related to Feature #1146: Managers should change roles only for the contracts, for which they are managers added
Updated by Tomáš Doischer about 4 years ago
- Assignee changed from Tomáš Doischer to Radek Tomiška
After the discussion on Slack, we arrived at the conclusion that we do need the manager of an ended contract to manully edit the user. So we would like it to work like this:
A manager of a contract ended in the past- CAN edit the identity
- CANNOT approve its role requests (no tasks should be created for the manager)
Can you please implement this?
Updated by Radek Tomiška about 4 years ago
- Assignee changed from Radek Tomiška to Vladimír Kotýnek
We didn't finish a discussion for this requirement, the last question remains open:
Do we need to the manager of an ended contract can edit the user?
Could you please confirm this requirement coming from your project only?
Updated by Radek Tomiška about 4 years ago
- Related to Task #2204: Authorization policies: Add permission to identity by contract (transitively) added
Updated by Radek Tomiška about 4 years ago
- Status changed from New to In Progress
- Assignee changed from Vladimír Kotýnek to Radek Tomiška
- Target version set to 10.3.0
We have consensus to implement this feature as original requirement says, so ended contract will not have a manager.
Summary: A manager of a contract ended in the past- CANNOT edit the identity
- CANNOT approve its role requests (no tasks should be created for the manager)
Updated by Radek Tomiška about 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
It's implemented. Only valid or future valid contract can define managers and subordinates. Ended contract in the past cannot define managers or subordinates. On the other hand, contract state (e.g. manually disabled contract) still can define managers or subordinates - when contract is disabled by manager, then manager still can enable contract again.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/3246ea1ca2aed88a83eb08ef40d3279256de791c
Doc:
https://wiki.czechidm.com/devel/documentation/architecture/dev/filters
Could you provide me a feedback, please?
Updated by Radek Tomiška about 4 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 50
As we consulted on friday - we need all variants, because managers of invalid contract have to be provisioned.
So all changes above have to be refactored and new filter has to be created and used in requests and security.
Updated by Radek Tomiška about 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 50 to 90
New method ``IdmIdentityService#findAllManagers(UUID, UUID, Boolean)`` was added. Use this method to get managers of valid contracts (as approvers) in your custom scripts and workflows. This new method is used in product workflows. All product filters for find managers were updated and new optional parameter ``validContractManagers`` was added - change behavior in your custom (overriden) filters if needed.
Contract state (DISABLED) is ignored by this new filter - filter works just with contract dates.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/6ff3b859e7897514f9eb6433e1a28bb17a6efc7e
Doc:
https://wiki.czechidm.com/devel/documentation/architecture/dev/filters
Could you provide me a feedback, please?
Updated by Vít Švanda almost 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did review and test. Manager cannot change roles for expired subordinate's contract now. If a contract is future valid, then assigned roles can be modified by manager.
Thnaks for this feature.
Updated by Radek Tomiška almost 4 years ago
- Status changed from Resolved to Closed
Updated by Tomáš Doischer almost 2 years ago
- Related to Task #3129: The EavCodeContractByManagerFilter returns subordinates from expired contracts added