Defect #2543
closed
The validity of automatic roles is not changed when validity of the contract changes during synchronization
100%
Description
- The user had contract valid till 30.9.2020
- The work position of the contract has 4 automatic roles by tree structure => the automatic roles were assigned to the user till 30.9.2020
- The validity of the contract changed to 10.12.2020 during synchronization of contracts
- The validity of the automatic roles wasn't changed and stayed 30.9.2020
- We upgraded 10.4.4 -> 10.4.7 (probably not important)
- When the IdentityRoleExpirationTaskExecutor started after 30.9. (in our case at 23.10., because previously there were some other errors not connected to this), it removed the automatic roles from the user
Related issues
Updated by Alena Peterová about 4 years ago
- Subject changed from Automatic role validity is not changed when validity of the contract changes to The validity of automatic roles by tree structures is not changed when validity of the contract changes
- Description updated (diff)
Updated by Alena Peterová about 4 years ago
The problematic thing is also how to fix the data once this has happened. We ran the task to recalculate automatic roles by tree structures on 19.10. (this was due to other inconsistencies), but nothing happened to these roles, probably because they were already assigned and the task doesn't check validity. Or some other reason, I don't know.
Updated by Radek Tomiška about 4 years ago
- Related to Task #1043: Support skip recalculation for automatic roles by tree structure. added
Updated by Radek Tomiška about 4 years ago
- Assignee changed from Ondřej Kopr to Radek Tomiška
Updated by Radek Tomiška about 4 years ago
- Target version set to 10.4.9
The issue occurs when the recount of automatic roles is skipped (e.g. from synchronization).
How to find data to fix:
select ir.*
from idm_identity_role ir, idm_identity_contract ic
where ir.identity_contract_id = ic.id
  and (ic.valid_till <> ir.valid_till or ic.valid_from <> ir.valid_from)
  and automatic_role_id is not null;
EDIT 27.9.2023: we have to include even null validity and subroles, + we want to see the info about identity
EDIT 2 WARNING: these queries don't solve the situation when there are multiple levels of business roles (subroles assigned by subroles)
select i.username, ir.*
from idm_identity_role ir, idm_identity_contract ic
  join idm_identity i on ic.identity_id = i.id
where ir.identity_contract_id = ic.id
  and (ic.valid_till is null and ir.valid_till is not null
    or ic.valid_till is not null and ir.valid_till is null
    or ic.valid_till <> ir.valid_till
    or ic.valid_from <> ir.valid_from)
  and (automatic_role_id is not null
    or (ir.direct_role_id is not null
      and exists (select dr.id from idm_identity_role dr
                  where dr.id = ir.direct_role_id and dr.automatic_role_id is not null)));
How to fix data on PostgreSQL:
update idm_identity_role as ir
set valid_from = (select ic.valid_from from idm_identity_contract ic where ir.identity_contract_id = ic.id),
    valid_till = (select ic.valid_till from idm_identity_contract ic where ir.identity_contract_id = ic.id)
where ir.automatic_role_id is not null
   or (ir.direct_role_id is not null
     and exists (select dr.id from idm_identity_role dr
                 where dr.id = ir.direct_role_id and dr.automatic_role_id is not null));
How to fix data on MSSQL:
update ir
set valid_from = (select ic.valid_from from idm_identity_contract ic where ir.identity_contract_id = ic.id),
    valid_till = (select ic.valid_till from idm_identity_contract ic where ir.identity_contract_id = ic.id)
from idm_identity_role ir
where ir.automatic_role_id is not null
   or (ir.direct_role_id is not null
     and exists (select dr.id from idm_identity_role dr
                 where dr.id = ir.direct_role_id and dr.automatic_role_id is not null));
Workaround: Unschedule IdentityRoleExpirationTaskExecutor until the fix is released.
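The EDIT 2 warning above notes that the one-level `exists` check misses sub-roles assigned by sub-roles. The following is an added example, not part of the original comment or of the CzechIdM code base: a recursive query that walks `direct_role_id` through every level, run here against a constructed in-memory SQLite schema that keeps only the columns named in the queries above. It assumes `direct_role_id` points at the identity role that directly assigned the sub-role; all ids, usernames and dates are constructed sample data.

```python
import sqlite3

# Start from identity roles assigned by an automatic role, then follow
# direct_role_id down through every sub-role level (assumption: it points
# at the identity role that directly assigned the sub-role).
MISMATCH_SQL = """
with recursive auto_tree(id, depth) as (
    select ir.id, 0 from idm_identity_role ir
     where ir.automatic_role_id is not null
    union all
    select sr.id, t.depth + 1 from idm_identity_role sr
      join auto_tree t on sr.direct_role_id = t.id
)
select i.username, ir.id, t.depth
  from auto_tree t
  join idm_identity_role ir on ir.id = t.id
  join idm_identity_contract ic on ic.id = ir.identity_contract_id
  join idm_identity i on i.id = ic.identity_id
 where ic.valid_till <> ir.valid_till or ic.valid_from <> ir.valid_from
    or (ic.valid_till is null) <> (ir.valid_till is null)
    or (ic.valid_from is null) <> (ir.valid_from is null)
 order by t.depth, ir.id
"""

def build_sample_db():
    """Constructed data: contract c1 prolonged to 2020-12-10, roles left behind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    create table idm_identity (id text primary key, username text);
    create table idm_identity_contract (id text primary key, identity_id text,
        valid_from text, valid_till text);
    create table idm_identity_role (id text primary key, identity_contract_id text,
        automatic_role_id text, direct_role_id text, valid_from text, valid_till text);
    insert into idm_identity values ('i1', 'jdoe'), ('i2', 'asmith');
    insert into idm_identity_contract values
        ('c1', 'i1', '2020-01-01', '2020-12-10'), ('c2', 'i2', '2020-01-01', null);
    insert into idm_identity_role values
        ('r-auto',   'c1', 'ar1', null,     '2020-01-01', '2020-09-30'),
        ('r-sub1',   'c1', null,  'r-auto', '2020-01-01', '2020-09-30'),
        ('r-sub2',   'c1', null,  'r-sub1', '2020-01-01', '2020-09-30'),
        ('r-ok',     'c1', 'ar2', null,     '2020-01-01', '2020-12-10'),
        ('r-manual', 'c1', null,  null,     '2020-01-01', '2020-06-30'),
        ('r-null',   'c2', 'ar1', null,     '2020-01-01', '2020-09-30');
    """)
    return conn

def find_mismatches(conn):
    """Return (username, identity_role_id, depth) for out-of-sync roles."""
    return conn.execute(MISMATCH_SQL).fetchall()
```

The `depth` column shows how many sub-role levels separate a row from the automatically assigned role; `r-sub2` (depth 2) is the row the one-level query does not reach. On MSSQL the CTE is written without the `recursive` keyword and the null comparisons have to be spelled out as in the query above.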
Updated by Radek Tomiška about 4 years ago
- Status changed from New to In Progress
Updated by Radek Tomiška about 4 years ago
- Affected versions 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.4.5, 10.4.6, 10.4.7, 10.5.2, 10.5.3, 10.4.8, 10.6.0 added
Updated by Radek Tomiška about 4 years ago
- Related to deleted (Task #1043: Support skip recalculation for automatic roles by tree structure.)
Updated by Radek Tomiška about 4 years ago
- Related to Defect #2418: Automatic roles by organizations are sometimes not assigned/removed after synchronization of contracts added
Updated by Radek Tomiška about 4 years ago
- Subject changed from The validity of automatic roles by tree structures is not changed when validity of the contract changes to The validity of automatic roles is not changed when validity of the contract changes during synchronization
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
- Affected versions deleted (10.4.0, 10.4.1, 10.4.2, 10.4.3)
I've fixed updating validity for automatically assigned roles when the contract is changed + automatic role recount is skipped (broken by additional state for process skipped contracts #2418).
Change script is provided to fix data. It's placed in tool => will be effective for all fixed versions 10.4.9 (10.5.4, 10.6.1).
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/418c51ede38b63665f0ca998e201c925286c0692
Could you provide me with feedback, please?
Updated by Radek Tomiška about 4 years ago
I improved the fix above - I've added the previous contract into skipped state processing => automatic roles will be processed in one request in ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor.
The fix above creates two requests (and provisioning) from both places - when skipped + when skipped is processed.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/36c71931a497b8b61ada47cc43f1ab95ce5a038e
Updated by Radek Tomiška about 4 years ago
I fixed the change script to work with sub roles too, commit:
https://github.com/bcvsolutions/CzechIdMng/commit/936711f82d325cdd7c25922b61f087ff07b9ba3d
Updated by Vít Švanda about 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did a review and tested it on versions 10.4.9 and 10.6.1. It works correctly now.
Putting a change script to the tool module is genius.
Updated by Radek Tomiška about 4 years ago
- Status changed from Resolved to Closed
Updated by Alena Peterová almost 4 years ago
Fixed in 10.4.9, 10.5.4, 10.6.1+, and all above 10.7.