Defect #2705
closed
Synchronization - HR process (contract end) removes identity roles (and accounts) of invalid contract before new automatic roles are evaluated (account on target system is deleted and created again from synchronization)
Added by Radek Tomiška almost 4 years ago.
Updated almost 4 years ago.
Description
UC to reproduce the issue:
- automatic role is defined on root tree node in tree structure with down recursion
- automatic role gives account on some target system
- identity has valid contract in IdM with work position below root tree node (=> automatic role is assigned, account exists)
- this contract is invalidated or expired in source system
- new valid contract is added at the same time for the same identity in source system with work position below root tree node
- run synchronization of contracts with HR processes and automatic roles enabled
- check provisioning archive after end => there is drop and create for account above
=> preventing the drop and create of the account is needed
Possible workarounds:
1) Enable protection mode on provisioning mapping
or
2) Disable HR processes and automatic roles in synchronization and schedule tasks as dependent:
- Contract synchronization (SynchronizationSchedulableTaskExecutor)
-- Enable contracts (HrEnableContractProcess)
--- Exclude contracts (HrContractExclusionProcess)
---- Recalculate automatic roles for attribute (ProcessAllAutomaticRoleByAttributeTaskExecutor)
----- Recalculate automatic roles for trees (ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor)
------ End contracts (HrEndContractProcess)
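
The effect of task order on the provisioning archive, as an added example that is not part of the original ticket and is not CzechIdM code. It is a simplified model that assumes the account exists while at least one contract carries the automatic role; the step names `end_contracts` and `recalculate_roles` are hypothetical labels for the HR process and the automatic role recalculation.

```python
# Simplified model (not CzechIdM code): the target-system account exists
# while the identity holds the automatic role through at least one contract.

def run(order):
    """Replay the steps in the given order and return the provisioning operations."""
    # Constructed state from the ticket's use case: the old contract was just
    # invalidated, the new one is valid, both sit below the root tree node.
    contracts = {"old": False, "new": True}   # contract id -> valid?
    roles = {"old"}                           # contracts carrying the automatic role
    ops = []                                  # modelled provisioning archive

    def apply(new_roles):
        nonlocal roles
        if new_roles == roles:
            return
        if roles and not new_roles:
            ops.append("DELETE")              # last role gone -> account dropped
        elif not roles and new_roles:
            ops.append("CREATE")              # first role assigned -> account created
        else:
            ops.append("UPDATE")              # account kept, only its content changes
        roles = new_roles

    for step in order:
        if step == "end_contracts":
            # remove identity roles that belong to invalid contracts
            apply({c for c in roles if contracts[c]})
        elif step == "recalculate_roles":
            # assign the automatic role for every valid contract
            apply(roles | {c for c, valid in contracts.items() if valid})
    return ops

def has_drop_and_create(ops):
    """True when a DELETE is later followed by a CREATE for the account."""
    return any(op == "DELETE" and "CREATE" in ops[i + 1:]
               for i, op in enumerate(ops))

if __name__ == "__main__":
    for order in (["end_contracts", "recalculate_roles"],
                  ["recalculate_roles", "end_contracts"]):
        ops = run(order)
        print(order, "->", ops, "drop+create:", has_drop_and_create(ops))
```
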
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Ondrej Husník
- % Done changed from 50 to 90
- Related to Task #2695: Testing and release of version 10.8.0 added
- Status changed from Needs feedback to Resolved
- Assignee changed from Ondrej Husník to Radek Tomiška
- % Done changed from 90 to 100
I went through the test scenario which discovered this trouble and now the test passes. There were only updates and no delete or creation actions in the provisioning queue as expected. I preserved the original setting which means that HR tasks and role recalculations are initiated by synchronization itself (checked setting in the synchronization specific setting).
https://testy.bcvsolutions.eu/squash/executions/49
Good job!
LGTM
- Status changed from Resolved to Closed