Defect #2043 (Closed): Account in protection can't be linked to new identity
% Done: 100%
Description
An existing account in protection without a connection to an identity can't be linked again to a new identity.
Use case:
- identity has an ended contract,
- account is moved into protection mode,
- administrator deletes the identity (releases the username),
- after some time an identity with the same username and UID is created (re-hire, "znovu nástup" :)),
- identity obtains a role with a mapped system (e.g. role request, automatic role, etc.),
- the role request fails with exception:
java.lang.IllegalArgumentException: [Assertion failed] - this argument is required; it must not be null
    at org.springframework.util.Assert.notNull(Assert.java:115)
    at org.springframework.util.Assert.notNull(Assert.java:126)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultAccIdentityAccountService.delete(DefaultAccIdentityAccountService.java:104)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultAccIdentityAccountService.delete(DefaultAccIdentityAccountService.java:94)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultAccIdentityAccountService.delete(DefaultAccIdentityAccountService.java:88)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultAccIdentityAccountService.delete(DefaultAccIdentityAccountService.java:47)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultAccIdentityAccountService$$FastClassBySpringCGLIB$$90657c7.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
Role, identity account and connection with the account are missing; the event state in IdM is executed.
Warning for project:
- When the role is added by an automatic role by organizational structure during contract/contract slice synchronization, the error appears in the log and in the synchronization log.
- When the role is added by an automatic role by attribute, the task ProcessAllAutomaticRoleByAttributeTaskExecutor fails and can't be finished without fixing this account.
In both cases the IDs of the role request and role concept exist in the logs, but all these entities are rolled back.
Workaround: unset protection in the DB:
update acc_account set in_protection = false, end_of_protection = null where uid = '<ACCOUNT UID>';
Affected version: 9.7.11 (tested version, probably also higher versions)
Updated by Vít Švanda about 4 years ago
- Assignee set to Vít Švanda
- Target version set to Rhyolite (9.7.15)
The main problem is the step: administrator deletes the identity (releases the username).
Deleting an identity also deletes the linked accounts. In this case, however, the removal is not performed because the account is in a protected state. This causes data inconsistency, as the account becomes orphaned.
As a solution, I suggest: create a check that will not allow deleting an identity if it has any protected accounts.
Updated by Vít Švanda about 4 years ago
- Status changed from New to Needs feedback
- Assignee changed from Vít Švanda to Radek Tomiška
I fixed this problem. So mapping an orphan AccAccount in protected mode works well now:
On identity delete, force delete is used. That removes the relationships between the identity and the account, even if the AccAccount is in protected mode. Only identity-account relations are removed. The account on the system (AccAccount) is not removed! From this moment the AccAccount is an orphan without any relation to an identity. If a new identity with the same system identifier is created, this protected account will be linked to it!
I created a test for this use case too.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/d4c23635abdac7289c65f02b6a871f9cee4a0d25
Doc: https://wiki.czechidm.com/devel/documentation/accounts/dev/protection-system?s[]=protected#basic_use_case_scenario
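The lifecycle described in the comment above (contract ends, account goes into protection, identity is force-deleted leaving an orphaned protected account, a re-hired identity with the same UID is linked to it), as an added in-memory model. This is example code written for this page, not CzechIdM code: the class and method names, the protection interval and the rule that re-linking an orphaned protected account ends its protection are assumptions. The model also includes a check for protected accounts with no identity relation, which is the inconsistent state the description reports, and a function with the same effect as the workaround UPDATE.

```python
# Added example: a small in-memory model of the account-protection lifecycle
# from this issue. NOT CzechIdM code; names, the protection interval and the
# "re-linking ends protection" rule are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AccAccount:
    """Account on a target system (mirrors acc_account: uid, in_protection, end_of_protection)."""
    system: str
    uid: str
    in_protection: bool = False
    end_of_protection: Optional[int] = None  # model day number; None when not protected


@dataclass
class IdentityAccount:
    """Relation between an identity and an account (identity-account)."""
    identity: str
    system: str
    uid: str


class IdmModel:
    PROTECTION_DAYS = 30  # assumed protection interval

    def __init__(self) -> None:
        self.identities: set = set()
        self.accounts: Dict[Tuple[str, str], AccAccount] = {}  # keyed by (system, uid)
        self.relations: List[IdentityAccount] = []
        self.today = 0

    def create_identity(self, username: str) -> None:
        self.identities.add(username)

    def assign_role_with_system(self, username: str, system: str) -> AccAccount:
        """Provisioning for a role mapped to `system`: reuse an existing account
        with the same uid (e.g. an orphaned protected account) or create a new one."""
        key = (system, username)
        acc = self.accounts.get(key)
        if acc is None:
            acc = AccAccount(system, username)
            self.accounts[key] = acc
        elif acc.in_protection:
            # Re-linking the account ends its protection (assumption, see lead-in).
            acc.in_protection = False
            acc.end_of_protection = None
        if not any(r.identity == username and (r.system, r.uid) == key for r in self.relations):
            self.relations.append(IdentityAccount(username, system, username))
        return acc

    def end_contract(self, username: str) -> None:
        """Contract ends: linked accounts are moved into protection mode instead of
        being deleted; the identity-account relation is kept."""
        for r in self.relations:
            if r.identity == username:
                acc = self.accounts[(r.system, r.uid)]
                acc.in_protection = True
                acc.end_of_protection = self.today + self.PROTECTION_DAYS

    def delete_identity(self, username: str) -> None:
        """Force delete: every identity-account relation of the identity is removed,
        even for protected accounts; the AccAccount itself stays (orphaned)."""
        self.relations = [r for r in self.relations if r.identity != username]
        self.identities.discard(username)

    def orphaned_protected_accounts(self) -> List[AccAccount]:
        """Protected accounts with no relation to an existing identity: the state
        the issue describes between identity deletion and re-hire."""
        linked = {(r.system, r.uid) for r in self.relations if r.identity in self.identities}
        return [a for a in self.accounts.values()
                if a.in_protection and (a.system, a.uid) not in linked]

    def unset_protection(self, uid: str) -> int:
        """Same effect as the workaround UPDATE on acc_account; returns rows changed."""
        changed = 0
        for acc in self.accounts.values():
            if acc.uid == uid and acc.in_protection:
                acc.in_protection = False
                acc.end_of_protection = None
                changed += 1
        return changed


def rehire_scenario() -> IdmModel:
    """The use case from the description, run against the fixed (force delete) behaviour."""
    idm = IdmModel()
    idm.create_identity("jdoe")           # constructed sample identity
    idm.assign_role_with_system("jdoe", "ad")
    idm.end_contract("jdoe")              # account goes into protection
    idm.delete_identity("jdoe")           # relation removed, account orphaned
    idm.today += 7
    idm.create_identity("jdoe")           # re-hire with the same username/UID
    idm.assign_role_with_system("jdoe", "ad")  # orphaned account is linked again
    return idm
```

Running `rehire_scenario()` ends with exactly one account on the system, linked to the new identity and no longer in protection; calling `orphaned_protected_accounts()` right after `delete_identity` instead reports the orphan, and `unset_protection(uid)` clears it the way the workaround does.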
Updated by Radek Tomiška about 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 90 to 100
I did the test and code review, it works and the code is nice, thx!
Updated by Radek Tomiška about 4 years ago
- Status changed from Resolved to Closed