Defect #2415
closed
Business role has subroles with a mapped system and merge attribute. When you delete, for example, 2 subroles, one of them still remains on the end system
Added by Roman Kučera over 4 years ago.
Updated over 4 years ago.
Affected versions:
Malachite (9.0.0),
Moonstone (9.1.0),
Moonstone (9.1.1),
Morganite (9.2.0),
Morganite (9.2.1),
Morganite (9.2.2),
Onyx (9.3.0),
Onyx (9.3.1),
Opal (9.4.0-rc.1),
Onyx (9.3.2),
Onyx (9.3.3),
Opal (9.4.0-rc.2),
Onyx (9.3.4),
Opal (9.4.0),
Pyrite (9.5.0),
Pyrite (9.5.1),
Pyrite (9.5.2),
Pyrite (9.5.3),
Pyrite (9.5.4),
Quartz (9.6.0),
Quartz (9.6.1),
Quartz (9.6.2),
Quartz (9.6.3),
Quartz (9.6.4),
Quartz (9.6.5),
Pyrite (9.5.1.2),
Quartz (9.6.6),
Rhyolite (9.7.0),
Rhyolite (9.7.2),
Rhyolite (9.7.3),
Rhyolite (9.7.4),
Rhyolite (9.7.5),
Rhyolite (9.7.6),
Rhyolite (9.7.7),
Rhyolite (9.7.8),
Rhyolite (9.7.9),
Rhyolite (9.7.10),
Rhyolite (9.7.11),
Rhyolite (9.7.12),
Rhyolite (9.7.13),
10.0.0,
Rhyolite (9.7.14),
10.0.1,
10.1.0,
Rhyolite (9.7.15),
Rhyolite (9.7.16),
10.2.0,
10.0.2,
10.3.0,
10.3.1,
10.3.2,
Rhyolite (9.7.17),
10.3.3,
10.4.0,
10.4.1,
10.4.2,
10.4.3
Description
Use case:
Business role "role" has 3 subroles:
"subrole 1" - has mapped system system and override multivalue merge attribute
"subrole 2" - has mapped system system and override multivalue merge attribute
"subrole 3" - has mapped system system and override multivalue merge attribute
You have some user who has an account on this end system and has the role "role".
If you delete, for example, 2 subroles from "role" together, one of them will still remain on the end system. E.g. remove "subrole 1" and "subrole 2" by checking the checkbox and deleting; one of them will still remain on the end system.
It looks like provisioning is executed before the role is removed from the user in IdM.
Result:
User still has some permission on the end system until the next re-save for this user.
Workaround:
Re-save all users after you delete some subroles?
Workaround: Run account management on users.
- Target version set to 10.4.3
I will add validation to prevent changing a business role simultaneously => wait before one change (by asynchronous task) is completed.
- Target version changed from 10.4.3 to 10.4.4
- Status changed from New to In Progress
- Affected versions Malachite (9.0.0), Moonstone (9.1.0), Moonstone (9.1.1), Morganite (9.2.0), Morganite (9.2.1), Morganite (9.2.2), Onyx (9.3.0), Onyx (9.3.1), Opal (9.4.0-rc.1), Onyx (9.3.2), Onyx (9.3.3), Opal (9.4.0-rc.2), Onyx (9.3.4), Opal (9.4.0), Pyrite (9.5.0), Pyrite (9.5.1), Pyrite (9.5.2), Pyrite (9.5.3), Pyrite (9.5.4), Quartz (9.6.0), Quartz (9.6.1), Quartz (9.6.2), Quartz (9.6.3), Quartz (9.6.4), Quartz (9.6.5), Pyrite (9.5.1.2), Quartz (9.6.6), Rhyolite (9.7.0), Rhyolite (9.7.2), Rhyolite (9.7.3), Rhyolite (9.7.4), Rhyolite (9.7.5), Rhyolite (9.7.6), Rhyolite (9.7.7), Rhyolite (9.7.8), Rhyolite (9.7.9), Rhyolite (9.7.10), Rhyolite (9.7.11), Rhyolite (9.7.12), Rhyolite (9.7.13), 10.0.0, 10.4.2, 10.4.3 added
- Target version changed from 10.4.4 to 10.5.0
- Related to Task #1636: Redesign business roles assignment added
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did the review and tested it. Only one sub role can be deleted at the same time. This prevents this problem from occurring. Maybe creating a bulk action for deleting subroles will give better UX (in future). LGTM
- Status changed from Resolved to Closed
- Related to Task #2498: Automatic roles: prevent to recount automatic roles simultaneously added
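A simplified model of the race reported in this ticket and of the one-change-at-a-time fix, as an added example that is not CzechIdM code. It assumes each removal task provisions from a snapshot of the user's assignments taken when the task starts; the attribute values (`group-a`, `group-b`, `group-c`) and all class and function names are constructed for illustration.

```python
# Assumed model, not the project's implementation: each subrole contributes
# values to one merged multivalue attribute on the end system.
ROLE_VALUES = {  # constructed sample data
    "subrole 1": {"group-a"},
    "subrole 2": {"group-b"},
    "subrole 3": {"group-c"},
}

def merged(roles):
    """Union of the values contributed by every assigned subrole."""
    values = set()
    for role in roles:
        values |= ROLE_VALUES[role]
    return values

class Idm:
    def __init__(self, roles):
        self.assigned = set(roles)       # assignments stored in IdM
        self.end_system = merged(roles)  # attribute as written to the end system

    def start_removal(self, role):
        # The task snapshots the assignments when it starts (assumption).
        return role, set(self.assigned) - {role}

    def finish_removal(self, task):
        role, snapshot = task
        self.end_system = merged(snapshot)  # provisioning from the snapshot
        self.assigned.discard(role)         # assignment removed in IdM

    def drift(self):
        """Values still on the end system that no assigned subrole justifies."""
        return self.end_system - merged(self.assigned)

def remove_together(roles):
    """Both tasks start before either finishes: the later one provisions stale data."""
    idm = Idm(ROLE_VALUES)
    tasks = [idm.start_removal(r) for r in roles]
    for task in tasks:
        idm.finish_removal(task)
    return idm

def remove_one_at_a_time(roles):
    """Each change completes before the next one starts."""
    idm = Idm(ROLE_VALUES)
    for r in roles:
        idm.finish_removal(idm.start_removal(r))
    return idm

if __name__ == "__main__":
    print(remove_together(["subrole 1", "subrole 2"]).drift())
    print(remove_one_at_a_time(["subrole 1", "subrole 2"]).drift())
```

A non-empty `drift()` is the leftover permission described under "Result"; comparing end-system values against what IdM assignments justify is the kind of check that re-running account management performs.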