Defect #2418
closedAutomatic roles by organizations are sometimes not assigned/removed after synchronization of contracts
100%
Description
Version 10.4.1
Automatic roles by organizations are sometimes not recomputed after synchronization of contracts. It doesn't happen always, but in my scenario it was cca 50 %.- We have 3800 organizations, 6300 users, MS SQL repository
- Tree node A has 3 automatic roles by structure (without recursion), the roles assign several systems (some directly, some are business roles).
- Tree node B doesn't have any.
- User "referent" has a contract on the tree node B.
- Change the work position of the user from B to A in the HR system.
- Run synchronization of contracts, which has the settings "After end, start the automatic role recalculation" checked.
- After the synchronization finishes, the user's contract is already on the tree node A, but the user doesn't have any automatic role.
The screenshots show what probably happened:
The task ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor didn't process any of the state flags AUTOMATIC_ROLE_SKIPPED. Because they were generated from the event IdmIdentityContract NOTIFY (created by sync) a second later than the task run.
There are 2 IdmIdentityContract events - probably the first one comes from updating the contract, the second from updating the contract's EAV (#2248).
In some cases, processing of events was quick enough, so the first flag was generated before ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor, processed by it and so the user had the roles after the synchronization.
But it could make things worse - when the ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor removed the automatic roles (in this case the change was from tree node A to B) and the role removal just met the provisioning from the Notify event, than the provisionings collided. Some variation of #2404 and #2350 occurred - for some systems, the Delete was not successful, for other system the provisioning queue is broken.
I guess that if more contracts were processed by the synchronization, than something like this will happen with bigger probability for at least some of them.
To sum up (sorry for the long ticket), the problems are two:- automatic roles by organizations aren't sometimes recomputed after synchronization. (It requires another run of ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor)
- if they are recomputed, it could collide with other provisionings coming from the same synchronization
Files
Related issues
Updated by Radek Tomiška about 4 years ago
- Related to Defect #2404: Provisioning operations from event and sync. created at the same time can be executed in wrong order added
Updated by Radek Tomiška about 4 years ago
- Related to Defect #2350: Cannot view active operations in provisioning queue (error in communication with server) added
Updated by Radek Tomiška about 4 years ago
- Status changed from New to In Progress
- Target version set to 10.5.0
Updated by Radek Tomiška about 4 years ago
Thx Alča for detailed issue analysis! I hope this issue is the source of the other related issues with provisioning queue.
I'll try to reproduce this issue and switch role requests created from automatic roles by tree structure to be asynchronous.
Updated by Radek Tomiška about 4 years ago
- Target version changed from 10.5.0 to 10.4.3
- % Done changed from 0 to 10
All issues are related to asynchronous vs synchrounous processing =>
- synchronous operation ignores queue order (e.g. async from synchronization, sync from automatic roles) - #2400
- when synchronous operation is delete (role removal), then batch is deleted (and system entity too - referential integrity can be broken both ways) => provisioning queue is broken (provisioning operation for update has deleted batch reference) - #2350
- async NOTIFY from synchronization => flag 'AUTOMATIC_ROLE_SKIPPED' is created asynchrously and too late (as is described above).
This issue is mainly related to role requests - from UI, automatic roles, synchronization => all places, where roles (with targed system and provisioning) can be changed. The obstacle is delete operation (e.g. whole contract or automatic role is deleted by user), then role request cannot be asynchronous now.
The flag 'AUTOMATIC_ROLE_SKIPPED' can be created directly in synchronization => this issue will be solved in this ticket. Other issues with sync / async will be solved in #2404, #2350.
Updated by Radek Tomiška about 4 years ago
- Related to Task #1043: Support skip recalculation for automatic roles by tree structure. added
Updated by Radek Tomiška about 4 years ago
- Tracker changed from Task to Defect
- Affected versions 10.4.0, 10.4.1, 10.4.2 added
Updated by Radek Tomiška about 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Alena Peterová
- % Done changed from 10 to 90
Flag for recount automatic roles after contract (and other positions and contract slices) synchronization is created directly in synchrtonization to ensure it will be saved, before ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor is executed.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/2eda8239005bc8489fe5a21ad6bf475eb592ecc8
Could you provide me a feedback, please?
Note: Tree node synchronization and automatic roles recount: flag for recount automatic roles after tree node is moved in structure is saved on UPDATE event (sync), so it's ok.
Updated by Radek Tomiška about 4 years ago
- Target version changed from 10.4.3 to 10.4.4
Updated by Radek Tomiška about 4 years ago
- Subject changed from Automatic roles by organizations are sometimes not assigned/removed after synchronization of contracts, collision of provisionings to Automatic roles by organizations are sometimes not assigned/removed after synchronization of contracts
Updated by Vít Švanda about 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Alena Peterová to Radek Tomiška
- % Done changed from 90 to 100
I made review and tested it. It works well, but for ideal solution we need to implement waiting for the completion of the LRT after all asynchronous events. But this is feature request (#2444).
Thnaks for this fix.
Updated by Radek Tomiška about 4 years ago
- Status changed from Resolved to Closed
Updated by Radek Tomiška almost 4 years ago
- Related to Defect #2543: The validity of automatic roles is not changed when validity of the contract changes during synchronization added