Defect #2705

closed

Synchronization - HR process (contract end) removes identity roles (and accounts) of invalid contract before new automatic roles are evaluated (account on target system is deleted and created again from synchronization)

Added by Radek Tomiška about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Synchronization
Target version:
Start date: 03/04/2021
Due date:
% Done: 100%
Estimated time:
Affected versions:
Owner:

Description

UC to reproduce the issue:
- automatic role is defined on root tree node in tree structure with down recursion
- automatic role gives account on some target system
- identity has valid contract in IdM with work position below root tree node (=> automatic role is assigned, account exists)
- this contract is invalidated or expired in source system
- new valid contract is added at the same time for the same identity in source system with work position below root tree node
- run synchronization of contracts with HR processes and automatic roles enabled
- check provisioning archive after end => there is drop and create for account above
=> preventing the account from being dropped and created again is needed


Related issues

Related to IdStory Identity Manager - Task #2695: Testing and release of version 10.8.0 (Closed, Ondrej Husník, 03/01/2021)

Actions #1

Updated by Radek Tomiška about 3 years ago

Possible workarounds:

1) Enable protection mode on provisioning mapping
or
2) Disable HR processes and automatic roles in synchronization and schedule tasks as dependent:
- Contract synchronization (SynchronizationSchedulableTaskExecutor)
-- Enable contracts (HrEnableContractProcess)
--- Exclude contracts (HrContractExclusionProcess)
---- Recalculate automatic roles for attribute (ProcessAllAutomaticRoleByAttributeTaskExecutor)
----- Recalculate automatic roles for trees (ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor)
------ End contracts (HrEndContractProcess)
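
Why the end-contract task has to run last in the chain above, shown as an added example that is not part of the original comment and is not CzechIdM code. It is a simplified Python model: the task names are taken from the list above, while the `Contract` class, the `run` function, the tree paths and the operation labels are assumptions made for illustration.

```python
from dataclasses import dataclass

# Task names come from the list above; their behaviour here is a simplified model.
RECALC = "ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor"
END = "HrEndContractProcess"

@dataclass
class Contract:
    position: str               # tree node path (constructed sample value)
    valid: bool
    has_auto_role: bool = False

def sample_contracts():
    # Constructed scenario from the description: old contract ended, new one valid,
    # both below the root node that carries the automatic role.
    return [Contract("root/sales", valid=False, has_auto_role=True),
            Contract("root/it", valid=True)]

def run(contracts, order, root="root"):
    """Apply the modelled tasks in `order`; return provisioning operations on the account."""
    ops = []
    exists = any(c.has_auto_role for c in contracts)
    for task in order:
        for c in contracts:
            below_root = c.position == root or c.position.startswith(root + "/")
            if task == RECALC and c.valid and below_root:
                c.has_auto_role = True       # automatic role assigned to valid contract
            elif task == END and not c.valid:
                c.has_auto_role = False      # roles of the ended contract are removed
        needed = any(c.has_auto_role for c in contracts)
        if needed and not exists:
            ops.append("CREATE")
        elif exists and not needed:
            ops.append("DELETE")
        elif needed:
            ops.append("UPDATE")
        exists = needed
    return ops

if __name__ == "__main__":
    print(run(sample_contracts(), [END, RECALC]))   # end contracts first
    print(run(sample_contracts(), [RECALC, END]))   # end contracts last
```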

Actions #2

Updated by Radek Tomiška about 3 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Ondrej Husník
  • % Done changed from 50 to 90

The drop and create of the account from synchronization with HR processes and automatic roles enabled is fixed.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/a41ae2ccf024ce61180ae0cdc40c757c244dba11

Could you provide me with feedback, please?

Note: If you schedule HR processes and automatic roles as dependent tasks (~ not enabled in synchronization), you have to use the schedule from workaround 2 => HrEndContractProcess has to be last.

Actions #3

Updated by Radek Tomiška about 3 years ago

  • Related to Task #2695: Testing and release of version 10.8.0 added
Actions #4

Updated by Ondrej Husník about 3 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Ondrej Husník to Radek Tomiška
  • % Done changed from 90 to 100

I went through the test scenario which discovered this trouble and now the test passes. There were only updates and no delete or creation actions in the provisioning queue as expected. I preserved the original setting which means that HR tasks and role recalculations are initiated by synchronization itself (checked setting in the synchronization specific setting).
https://testy.bcvsolutions.eu/squash/executions/49
Good job!
LGTM

Actions #5

Updated by Radek Tomiška about 3 years ago

  • Status changed from Resolved to Closed