Defect #2543: The validity of automatic roles is not changed when validity of the contract changes during synchronization - IdStory Identity Manager

Custom queries

Product defect list
Product feature list
UX_2020

Actions

Copy link

Defect #2543

closed

The validity of automatic roles is not changed when validity of the contract changes during synchronization

Added by Alena Peterová about 4 years ago. Updated almost 4 years ago.

Status:

Closed

Priority:

Urgent

Assignee:

Radek Tomiška

Category:

Automatic roles

Target version:

10.4.9

Start date:

10/30/2020

Due date:

% Done:

100%

Estimated time:

Affected versions:

10.4.4, 10.5.0, 10.5.1, 10.4.5, 10.4.6, 10.4.7, 10.5.2, 10.5.3, 10.4.8, 10.6.0

Owner:

Description

The user had contract valid till 30.9.2020
The work position of the contract has 4 automatic roles by tree structure => the automatic roles were assigned to the user till 30.9.2020
The validity of the contract changed to 10.12.2020 during synchronization of contracts
The validity of the automatic roles wasn't changed and stayed 30.9.2020
We upgraded 10.4.4 -> 10.4.7 (probably not important)
When the IdentityRoleExpirationTaskExecutor started after 30.9. (in our case at 23.10., because previously there were some other errors not connected to this), it removed the automatic roles from the user

Related issues

Related to IdStory Identity Manager - Defect #2418: Automatic roles by organizations are sometimes not assigned/removed after synchronization of contracts

Closed

Radek Tomiška

07/31/2020

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Alena Peterová about 4 years ago

Subject changed from Automatic role validity is not changed when validity of the contract changes to The validity of automatic roles by tree structures is not changed when validity of the contract changes
Description updated (diff)

Actions

Copy link

Updated by Alena Peterová about 4 years ago

Problematic thing is also how to fix the data once this happened. Even though we run the task to recalculate automatic roles by tree structures 19.10. (this was due to another inconsistencies), but nothing happened to these roles, probably because they were already assigned and the task doesn't check validity. Or some other reason, I don't know.

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Related to Task #1043: Support skip recalculation for automatic roles by tree structure. added

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Assignee changed from Ondřej Kopr to Radek Tomiška

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Target version set to 10.4.9

Issue occurs, when recount automatic roles is skipped (e.g. from synchronization).

How to find data to fix:

select ir.* from idm_identity_role ir, idm_identity_contract ic 
where ir.identity_contract_id = ic.id and (ic.valid_till <> ir.valid_till or ic.valid_from <> ir.valid_from) and automatic_role_id is not null;

EDIT 27.9.2023: we have to include even null validity and subroles, + we want to see the info about identity
EDIT 2 WARNING: these queries don't solve the situation when there are multiple levels of business roles (subroles assigned by subroles)

select i.username, ir.* from idm_identity_role ir, idm_identity_contract ic 
join idm_identity i on ic.identity_id=i.id
where ir.identity_contract_id = ic.id and (ic.valid_till is null and ir.valid_till is not null OR ic.valid_till is not null and ir.valid_till is null OR ic.valid_till <> ir.valid_till or ic.valid_from <> ir.valid_from) and (automatic_role_id is not null or (ir.direct_role_id is not null and exists (select dr.id from idm_identity_role dr where dr.id = ir.direct_role_id and dr.automatic_role_id is not null)));

How to fix data on PostgreSql:

update idm_identity_role as ir set 
valid_from = (select ic.valid_from from idm_identity_contract ic where ir.identity_contract_id = ic.id),
valid_till = (select ic.valid_till from idm_identity_contract ic where ir.identity_contract_id = ic.id)
where ir.automatic_role_id is not null
or (ir.direct_role_id is not null and exists (select dr.id from idm_identity_role dr where dr.id = ir.direct_role_id and dr.automatic_role_id is not null));

How to fix data on MSSql:

update ir set 
valid_from = (select ic.valid_from from idm_identity_contract ic where ir.identity_contract_id = ic.id),
valid_till = (select ic.valid_till from idm_identity_contract ic where ir.identity_contract_id = ic.id)
from idm_identity_role ir
where ir.automatic_role_id is not null
or (ir.direct_role_id is not null and exists (select dr.id from idm_identity_role dr where dr.id = ir.direct_role_id and dr.automatic_role_id is not null));

Workaround: Unschedule IdentityRoleExpirationTaskExecutor until fix will be released.

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Status changed from New to In Progress

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Affected versions 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.4.5, 10.4.6, 10.4.7, 10.5.2, 10.5.3, 10.4.8, 10.6.0 added

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Related to deleted (Task #1043: Support skip recalculation for automatic roles by tree structure.)

Actions

Copy link

Updated by Radek Tomiška about 4 years ago

Related to Defect #2418: Automatic roles by organizations are sometimes not assigned/removed after synchronization of contracts added

Actions

Copy link

#10

Updated by Radek Tomiška about 4 years ago

Subject changed from The validity of automatic roles by tree structures is not changed when validity of the contract changes to The validity of automatic roles is not changed when validity of the contract changes during synchronization
Status changed from In Progress to Needs feedback
Assignee changed from Radek Tomiška to Vít Švanda
% Done changed from 0 to 90
Affected versions deleted (~~10.4.0, 10.4.1, 10.4.2, 10.4.3~~)

I've fixed updating validity for automatically assigned roles, when contract is changed + automatic role recount is skipped (broken by additional state for process skipped contracts #2418).
Change script is provided to fix data. It's placed in tool => will be efective for all fixed versinons 10.4.9 (10.5.4, 10.6.1).

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/418c51ede38b63665f0ca998e201c925286c0692

Could you provide me a feedback, please?

Actions

Copy link

#11

Updated by Radek Tomiška about 4 years ago

I improved fix above - I've added previous contract into skipped state processing => automatic roles will be processed in one request in ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor.
The fix above creates two request (and provisioning) from both places - when skipped + when skipped is processed.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/36c71931a497b8b61ada47cc43f1ab95ce5a038e

Actions

Copy link

#12

Updated by Radek Tomiška about 4 years ago

I fix change script to work with sub roles too, commit:
https://github.com/bcvsolutions/CzechIdMng/commit/936711f82d325cdd7c25922b61f087ff07b9ba3d

Actions

Copy link

#13

Updated by Vít Švanda about 4 years ago

Status changed from Needs feedback to Resolved
Assignee changed from Vít Švanda to Radek Tomiška
% Done changed from 90 to 100

I did reivew and tested it on the version 10.4.9 and 10.6.1. Works correctly now.

Putting a change script to the tool module is genius.

Actions

Copy link

#14

Updated by Radek Tomiška about 4 years ago

Status changed from Resolved to Closed

Actions

Copy link

#15

Updated by Alena Peterová almost 4 years ago

Fixed in 10.4.9, 10.5.4, 10.6.1+, and all above 10.7.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

IdStory Identity Manager

Custom queries

Defect #2543

The validity of automatic roles is not changed when validity of the contract changes during synchronization

Updated by Alena Peterová about 4 years ago

Updated by Alena Peterová about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Vít Švanda about 4 years ago

Updated by Radek Tomiška about 4 years ago

Updated by Alena Peterová almost 4 years ago