Defect #2640

closed

Wrong validity of automatic roles after changing work position and contract validity, removed automatic roles when contract was extended on the last day

Added by Alena Peterová over 3 years ago. Updated over 3 years ago.


Description

Tested on 9.7.11 and 10.6.4.

Organization structure:
Parent - this has automatic role "autoByStructure" with recursion Down
├── Node1
└── Node2

First situation - wrong validity of automatic roles after changing work position and contract validity:
  • The user has the contract valid till 31.1.2021 with the work position Node1. The automatic role is assigned with validity 31.1.2021
  • Change the work position to Node2 and at the same time, change its validity
  • The validity of the automatic role wasn't changed!
  • On 1.2.2021, the automatic role would be removed by IdentityRoleExpirationTaskExecutor, even though the contract would still be valid!
Second situation - removed automatic roles when contract was extended on the last day - this can happen during synchronization of contracts/slices:
  • Contract is valid till 31.1.2021
  • The contract is extended in HR on the last day
  • Synchronization of contracts/slices processes the contract on 1.2.2021.
  • The validity of the contract is extended, but the validity of automatic roles by organizations is not changed => when IdentityRoleExpirationTaskExecutor runs that day, it removes the roles

How to find identities that have automatic roles with wrong validity:

-- Automatic roles whose validity differs from the validity of their contract.
-- The three OR branches are needed because "<>" alone is NULL (false) when
-- either side is NULL, so unlimited-vs-limited mismatches would be missed.
SELECT i.username, i.external_code, itn.name AS organization,
       ic.valid_till AS contractValidity, r.name AS rolename, ir.valid_till AS roleValidity
FROM idm_identity i
JOIN idm_identity_contract ic ON ic.identity_id = i.id
LEFT JOIN idm_tree_node itn ON ic.work_position_id = itn.id
JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
JOIN idm_role r ON ir.role_id = r.id
WHERE ir.role_id IS NOT NULL
  AND ir.automatic_role_id IS NOT NULL
  AND ((ir.valid_till IS NOT NULL AND ic.valid_till IS NULL)
       OR (ir.valid_till IS NULL AND ic.valid_till IS NOT NULL)
       OR (ir.valid_till <> ic.valid_till));

How to find identities that don't have some automatic role. This is more problematic because of the recursion, but the following SQL can be used e.g. if you know that all identities with external code should have the role "autoByStructure":

-- Identities with an external code and a still-valid contract that have no
-- assignment of the role "autoByStructure" at all (anti-join: the role is
-- restricted in the LEFT JOIN condition, then required to be NULL).
SELECT i.username, i.external_code, itn.name AS organization,
       ic.valid_till AS contractValidity, ir.role_id, ir.valid_till AS roleValidity
FROM idm_identity i
JOIN idm_identity_contract ic ON ic.identity_id = i.id
LEFT JOIN idm_tree_node itn ON ic.work_position_id = itn.id
LEFT JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
     AND ir.role_id IN (SELECT id FROM idm_role WHERE name = 'autoByStructure')
WHERE (ic.valid_till IS NULL OR ic.valid_till > '2021-11-01')
  AND ir.role_id IS NULL
  AND i.external_code IS NOT NULL;


Files

1_contract_role_validity.png (32.1 KB) Alena Peterová, 01/12/2021 10:01 AM
2_contract_role_validity.png (32.7 KB) Alena Peterová, 01/12/2021 10:01 AM

Related issues

Related to IdStory Identity Manager - Task #1633: Add role request to automatic roles by tree structures (Closed, Radek Tomiška, 05/02/2019)

Actions #2

Updated by Radek Tomiška over 3 years ago

  • Status changed from New to In Progress
  • Target version set to 10.8.0
Actions #3

Updated by Radek Tomiška over 3 years ago

  • Related to Task #1633: Add role request to automatic roles by tree structures added
Actions #4

Updated by Radek Tomiška over 3 years ago

  • Affected versions Quartz (9.6.0), Quartz (9.6.1), Quartz (9.6.2), Quartz (9.6.3), Quartz (9.6.4), Quartz (9.6.5), Pyrite (9.5.1.2), Quartz (9.6.6), Rhyolite (9.7.0), Rhyolite (9.7.2), Rhyolite (9.7.3), Rhyolite (9.7.4), Rhyolite (9.7.5), Rhyolite (9.7.6), Rhyolite (9.7.7), Rhyolite (9.7.8), Rhyolite (9.7.9), Rhyolite (9.7.10), 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.0.2, 10.3.0, 10.3.1, 10.3.2, Rhyolite (9.7.17), 10.3.3, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.5.0, 10.5.1, 10.4.5, 10.4.6, 10.4.7, 10.5.2, 10.5.3, 10.4.8, 10.6.0, 10.4.9, 10.5.4, 10.6.1, 10.6.2, 10.6.3, 10.7.0, 10.7.1, 10.6.5 added
Actions #5

Updated by Radek Tomiška over 3 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

Both UC are related to #1633 (version 9.6.0):
ad1) the issue occurs only when different tree nodes assign the same automatic role by some recursion, e.g. the automatic role is defined for a parent node with down recursion.
ad2) the issue occurs when the current contract is evaluated as invalid and is "changed" to valid again, as the description above says (~ and "online" changes are skipped, e.g. from synchronization or by slices). I'm not sure if this can be solved by changing the schedule somehow as a workaround, maybe for synchronization, but I think not for slices.

Fixed in commit:
https://github.com/bcvsolutions/CzechIdMng/commit/060ff123e3db380ac0bd4e65bf815aefbf7a4c56

Could you provide me a feedback, please?

Actions #6

Updated by Alena Peterová over 3 years ago

How we can fix identities that have wrong automatic roles by organizations (see the description for how to find them):
  • automatic roles with wrong validity
    • move the "valid till" of the contract to some different date and back (don't move it to the past, that would remove all roles!)
  • completely missing automatic roles
    • LTS: change the work position of the contract to some different organization and back. Be very careful what you choose, this can have consequences for the systems, e.g. the value of the distinguishedName in AD, other automatic roles, etc.!!
    • 10.x - ProcessAllAutomaticRoleByTreeTaskExecutor should solve it, TODO check

Workaround to avoid removal of the automatic roles - unschedule the task IdentityRoleExpirationTaskExecutor. But of course, if the users on your project have manually assigned roles with a special expiration, the roles wouldn't be removed - so use wisely.
Check manually assigned roles with different validity than the contract:

-- Manually assigned roles (automatic_role_id IS NULL) whose own "valid till"
-- differs from the contract's. A manual role with no valid_till of its own is
-- deliberately not listed: the expiration task would never remove it anyway.
SELECT i.username, i.external_code, itn.name AS organization,
       ic.valid_till AS contractValidity, r.name AS rolename, ir.valid_till AS roleValidity
FROM idm_identity i
JOIN idm_identity_contract ic ON ic.identity_id = i.id
LEFT JOIN idm_tree_node itn ON ic.work_position_id = itn.id
JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
JOIN idm_role r ON ir.role_id = r.id
WHERE ir.automatic_role_id IS NULL
  AND ((ir.valid_till IS NOT NULL AND ic.valid_till IS NULL)
       OR (ir.valid_till <> ic.valid_till));
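The three checks on this page (the two detection queries in the description and the manually-assigned-roles query in this comment) can be rehearsed offline before running them against a real IdM database. The script below is an added example, not code from the issue or from the CzechIdMng project: it builds an in-memory SQLite database containing only the columns the queries touch (the table and column names come from the queries on this page; the five-column schema subset, the role id 900 used as a placeholder automatic_role_id, and every identity, contract and role row are constructed sample data) and runs the same three queries over it. The sample rows cover both situations from the description (a stale valid_till after a contract change, and a contract extended to unlimited while the role kept its old date), the reverse NULL case, a contract with no automatic role at all, and a manual role with its own expiration, so the NULL handling in the WHERE clauses is exercised end to end.

```python
"""Rehearse the contract/automatic-role validity checks from the issue on constructed data.

Added example; not code from the issue or the CzechIdMng project. Table and
column names follow the queries on the page; the schema subset and all rows
are constructed, and 900 is a placeholder automatic_role_id.
"""
import sqlite3

AUTO_ROLE_NAME = "autoByStructure"  # role name used in the issue
AUTO_ROLE_ID = 900                  # placeholder automatic role definition id

# Validity differs when exactly one side is NULL, or both are set and differ.
# "ir.valid_till <> ic.valid_till" alone evaluates to NULL (false) whenever
# either side is NULL, so the two explicit NULL branches are required.
VALIDITY_DIFFERS = """
    (ir.valid_till IS NOT NULL AND ic.valid_till IS NULL)
    OR (ir.valid_till IS NULL AND ic.valid_till IS NOT NULL)
    OR (ir.valid_till <> ic.valid_till)
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with a subset of the IdM tables and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE idm_identity (id INTEGER PRIMARY KEY, username TEXT, external_code TEXT);
        CREATE TABLE idm_tree_node (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE idm_role (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE idm_identity_contract (
            id INTEGER PRIMARY KEY, identity_id INTEGER, work_position_id INTEGER, valid_till TEXT);
        CREATE TABLE idm_identity_role (
            id INTEGER PRIMARY KEY, identity_contract_id INTEGER, role_id INTEGER,
            automatic_role_id INTEGER, valid_till TEXT);
    """)
    conn.executemany("INSERT INTO idm_tree_node VALUES (?, ?)", [(1, "Node1"), (2, "Node2")])
    conn.executemany("INSERT INTO idm_role VALUES (?, ?)", [(1, AUTO_ROLE_NAME), (2, "manualRole")])
    identities = [(1, "alice", "E1"), (2, "bob", "E2"), (3, "carol", "E3"),
                  (4, "dave", "E4"), (5, "erin", "E5"), (6, "frank", "E6")]
    contracts = [  # (id, identity_id, work_position_id, valid_till) -- constructed
        (10, 1, 2, "2021-03-31"),  # alice: moved to Node2 and extended (situation 1)
        (20, 2, 1, None),          # bob: extended to unlimited on the last day (situation 2)
        (30, 3, 1, "2021-06-30"),  # carol: consistent
        (40, 4, 2, None),          # dave: automatic role never assigned
        (50, 5, 1, "2021-12-31"),  # erin: consistent, plus a manual role
        (60, 6, 2, "2021-05-31"),  # frank: limited contract, unlimited role
    ]
    roles = [  # (id, contract_id, role_id, automatic_role_id, valid_till) -- constructed
        (100, 10, 1, AUTO_ROLE_ID, "2021-01-31"),  # alice: stale automatic role validity
        (101, 10, 2, None, None),                  # alice: manual role, no expiration
        (102, 20, 1, AUTO_ROLE_ID, "2021-01-31"),  # bob: stale automatic role validity
        (103, 30, 1, AUTO_ROLE_ID, "2021-06-30"),  # carol: in sync
        (104, 50, 1, AUTO_ROLE_ID, "2021-12-31"),  # erin: in sync
        (105, 50, 2, None, "2021-09-30"),          # erin: manual role with own expiration
        (106, 60, 1, AUTO_ROLE_ID, None),          # frank: unlimited role on limited contract
    ]
    conn.executemany("INSERT INTO idm_identity VALUES (?, ?, ?)", identities)
    conn.executemany("INSERT INTO idm_identity_contract VALUES (?, ?, ?, ?)", contracts)
    conn.executemany("INSERT INTO idm_identity_role VALUES (?, ?, ?, ?, ?)", roles)
    return conn


def automatic_roles_with_wrong_validity(conn):
    """First query of the description: automatic roles whose valid_till differs from the contract's."""
    sql = f"""
        SELECT i.username, r.name, ic.valid_till, ir.valid_till
        FROM idm_identity i
        JOIN idm_identity_contract ic ON ic.identity_id = i.id
        JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
        JOIN idm_role r ON ir.role_id = r.id
        WHERE ir.automatic_role_id IS NOT NULL AND ({VALIDITY_DIFFERS})
        ORDER BY i.username"""
    return conn.execute(sql).fetchall()


def identities_missing_automatic_role(conn, role_name, as_of):
    """Second query of the description: identities with an external code and a contract
    still valid after `as_of` whose contract carries no assignment of `role_name` (anti-join)."""
    sql = """
        SELECT i.username
        FROM idm_identity i
        JOIN idm_identity_contract ic ON ic.identity_id = i.id
        LEFT JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
             AND ir.role_id IN (SELECT id FROM idm_role WHERE name = ?)
        WHERE (ic.valid_till IS NULL OR ic.valid_till > ?)
          AND ir.role_id IS NULL AND i.external_code IS NOT NULL
        ORDER BY i.username"""
    return [row[0] for row in conn.execute(sql, (role_name, as_of))]


def manual_roles_with_own_expiration(conn):
    """Query from comment #6: manually assigned roles whose own valid_till differs from the
    contract's, i.e. the roles that still need the expiration task if it is unscheduled."""
    sql = """
        SELECT i.username, r.name, ic.valid_till, ir.valid_till
        FROM idm_identity i
        JOIN idm_identity_contract ic ON ic.identity_id = i.id
        JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
        JOIN idm_role r ON ir.role_id = r.id
        WHERE ir.automatic_role_id IS NULL
          AND ((ir.valid_till IS NOT NULL AND ic.valid_till IS NULL)
               OR (ir.valid_till <> ic.valid_till))
        ORDER BY i.username"""
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("wrong automatic validity:", automatic_roles_with_wrong_validity(db))
    print("missing automatic role:", identities_missing_automatic_role(db, AUTO_ROLE_NAME, "2021-01-01"))
    print("manual roles with own expiration:", manual_roles_with_own_expiration(db))
```

Against a real database the same query texts run unchanged on PostgreSQL, since the NULL semantics of `<>` are identical; only the connection object differs. Note that the missing-role query only finds identities with no assignment of the role at all, so it says nothing about roles inherited through tree recursion, which is the limitation the description points out.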

Actions #7

Updated by Radek Tomiška over 3 years ago

  • Target version changed from 10.8.0 to 10.7.2
Actions #8

Updated by Vít Švanda over 3 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did a review and tested it. Validity is changing correctly now. Thanks for this fix and for the test, which is 90x longer than the fix :-).

Actions #9

Updated by Radek Tomiška over 3 years ago

  • Status changed from Resolved to Closed
Actions #10

Updated by Radek Tomiška over 3 years ago

Merged into 10.6.6
