Defect #2034
closed
Subordinate roles are not processed correctly after editing business role
100%
Description
We have automatic business role on cca 250 users. Then we added dozens of new subordinate roles to business role.
1) Some subordinate roles are duplicated on users and it's not possible to recalculate and fix from GUI.
2) For some subordinate roles link for connected system wasn't created and role wasn't provisioned to user's account -> this was fixed by bulk action for accounts recalculation.
Tested on 9.7.14
Updated by Radek Tomiška about 4 years ago
I was finally able to reproduce the issue about duplicated assigned subroles by business role definition.
The issue is related to AddNewRoleCompositionTaskExecutor respectivelly to method, where all currently defined subroles, not just for newly added subrole, are processed and assigned => the idea was create all missing subroles (check the state), when some composition is added. But it not works, when two subroles are added simultaneously to the same superior role, before the first LRT ends (~ when assigned subroles are commited).
This design is wrong, i will add filter to process only currently added subrole definition in one AddNewRoleCompositionTaskExecutor and then try to remove duplicates.
Note: i hoped this assigned roles duplication will be related with issue #2040. But it's not, duplicate assigned roles (i had 7x700 duplicates ~ 5000 assigned roles) are processed / provisioned correctly as standard assigned role (even with merge attribute is set) :/.
Updated by Radek Tomiška about 4 years ago
- Status changed from New to In Progress
Updated by Radek Tomiška about 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
I fixed assigning duplicated subroles, when superior business role is edited simulatanously.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/685c8a954cc2b1abf4d2deaeb8ba130140e10663
Remove already created duplicities can be solved by UC:
1. Execute bulk action for accounts recalculation for all identities, which have duplicities. This step adds missing identity accounts.
2. Execute bulk action for role deduplication - duplicities will be removed (i improved action for cover duplicities in subroles).
Note: I improved LRT for skip stateful query usage (can be run repetitively without LRT removal). LRT for remove business rol definition now return better result code, when role is assigned simultaneosly. LRT agenda contains transactionId now for better debugging. Integration test for role deduplication bulk action rewritten to unit tests.
Could you provide me a feedback, please?
Updated by Vít Švanda about 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did review and test. I'm not able create duplicity now, thanks for fix.
Updated by Radek Tomiška about 4 years ago
- Status changed from Resolved to Closed