Defect #2640
closed
Wrong validity of automatic roles after changing work position and contract validity, removed automatic roles when contract was extended on the last day
Start date: 01/12/2021
Due date:
% Done: 100%
Estimated time:
Affected versions: Quartz (9.6.0), Quartz (9.6.1), Quartz (9.6.2), Quartz (9.6.3), Quartz (9.6.4), Quartz (9.6.5), Pyrite (9.5.1.2), Quartz (9.6.6), Rhyolite (9.7.0), Rhyolite (9.7.2), Rhyolite (9.7.3), Rhyolite (9.7.4), Rhyolite (9.7.5), Rhyolite (9.7.6), Rhyolite (9.7.7), Rhyolite (9.7.8), Rhyolite (9.7.9), Rhyolite (9.7.10), Rhyolite (9.7.11), Rhyolite (9.7.12), Rhyolite (9.7.13), 10.0.0, Rhyolite (9.7.14), 10.0.1, 10.1.0, Rhyolite (9.7.15), Rhyolite (9.7.16), 10.2.0, 10.0.2, 10.3.0, 10.3.1, 10.3.2, Rhyolite (9.7.17), 10.3.3, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.5.0, 10.5.1, 10.4.5, 10.4.6, 10.4.7, 10.5.2, 10.5.3, 10.4.8, 10.6.0, 10.4.9, 10.5.4, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.6.5
Owner:
Description
Tested on 9.7.11 and 10.6.4.
Organization structure:
Parent - this has automatic role "autoByStructure" with recursion Down
├── Node1
└── Node2
- The user has a contract valid till 31.1.2021 with the work position Node1. The automatic role is assigned with validity 31.1.2021.
- Change the work position to Node2 and, at the same time, change its validity.
- The validity of the automatic role wasn't changed!
- On 1.2.2021, the automatic role would be removed by IdentityRoleExpirationTaskExecutor, even if the contract would still be valid!

- The contract is valid till 31.1.2021.
- The contract is extended in HR on the last day.
- Synchronization of contracts/slices processes the contract on 1.2.2021.
- The validity of the contract is extended, but the validity of automatic roles by organizations is not changed => when IdentityRoleExpirationTaskExecutor runs that day, it removes the roles.
How to find identities that have automatic roles with wrong validity:
SELECT i.username,
       i.external_code,
       itn.name organization,
       ic.valid_till AS contractValidity,
       r.name rolename,
       ir.valid_till AS roleValidity
FROM idm_identity i
JOIN idm_identity_contract ic ON ic.identity_id = i.id
LEFT JOIN idm_tree_node itn ON ic.work_position_id = itn.id
JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
JOIN idm_role r ON ir.role_id = r.id
WHERE ir.role_id IS NOT NULL
  AND ir.automatic_role_id IS NOT NULL
  AND ((ir.valid_till IS NOT NULL AND ic.valid_till IS NULL)
    OR (ir.valid_till IS NULL AND ic.valid_till IS NOT NULL)
    OR (ir.valid_till <> ic.valid_till));
How to find identities that don't have some automatic role. This is more problematic because of the recursion, but the following SQL can be used e.g. if you know that all identities with external code should have the role "autoByStructure":
SELECT i.username,
       i.external_code,
       itn.name organization,
       ic.valid_till AS contractValidity,
       ir.role_id,
       ir.valid_till AS roleValidity
FROM idm_identity i
JOIN idm_identity_contract ic ON ic.identity_id = i.id
LEFT JOIN idm_tree_node itn ON ic.work_position_id = itn.id
LEFT JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
  AND ir.role_id IN (SELECT id FROM idm_role WHERE name = 'autoByStructure')
WHERE (ic.valid_till IS NULL OR ic.valid_till > '2021-11-01')
  AND ir.role_id IS NULL
  AND i.external_code IS NOT NULL;
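An added example, not part of the original ticket or the project's own code: the validity comparison from the first query above, run against an in-memory SQLite database to show why the two NULL branches are needed and a bare <> is not enough. The schema is a constructed subset (integer ids, only the columns the predicate uses, tree node and role joins dropped) and every row is constructed.

```python
import sqlite3

# Constructed schema: only the columns the validity predicate needs.
SCHEMA = """
CREATE TABLE idm_identity (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE idm_identity_contract (id INTEGER PRIMARY KEY, identity_id INT, valid_till TEXT);
CREATE TABLE idm_identity_role (id INTEGER PRIMARY KEY, identity_contract_id INT, role_id INT, automatic_role_id INT, valid_till TEXT);
"""

# Constructed rows: (username, contract valid_till, automatic role valid_till)
SAMPLE = [
    ("ok_same_date", "2021-12-31", "2021-12-31"),
    ("ok_both_open", None, None),
    ("stale_date", "2021-12-31", "2021-01-31"),   # contract extended, role not
    ("stale_vs_open", None, "2021-01-31"),        # contract now open-ended
    ("role_open", "2021-12-31", None),            # role outlives the contract
]

# Same filter as the ticket's first query, with the predicate pluggable.
BASE = """
SELECT i.username
FROM idm_identity i
JOIN idm_identity_contract ic ON ic.identity_id = i.id
JOIN idm_identity_role ir ON ir.identity_contract_id = ic.id
WHERE ir.role_id IS NOT NULL AND ir.automatic_role_id IS NOT NULL AND ({pred})
ORDER BY i.username
"""
NAIVE = "ir.valid_till <> ic.valid_till"  # NULL <> x is NULL, so the row is dropped
FULL = ("(ir.valid_till IS NOT NULL AND ic.valid_till IS NULL) OR "
        "(ir.valid_till IS NULL AND ic.valid_till IS NOT NULL) OR "
        "(ir.valid_till <> ic.valid_till)")

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for n, (user, contract_till, role_till) in enumerate(SAMPLE, start=1):
        db.execute("INSERT INTO idm_identity VALUES (?, ?)", (n, user))
        db.execute("INSERT INTO idm_identity_contract VALUES (?, ?, ?)", (n, n, contract_till))
        db.execute("INSERT INTO idm_identity_role VALUES (?, ?, 1, 1, ?)", (n, n, role_till))
    return db

def mismatched(db, pred):
    return [row[0] for row in db.execute(BASE.format(pred=pred))]

if __name__ == "__main__":
    db = build_db()
    print("bare <> only:  ", mismatched(db, NAIVE))
    print("full predicate:", mismatched(db, FULL))
```

The bare comparison reports only the contract whose end date moved; the open-ended contract with a dated role, which is the case where the expiration task removes a role from a still-valid contract, is found only by the full predicate.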