Task #2985
closed
Synchronization of of group memberships does not work, when account uid is different in IdM and on system
100%
Description
When searching for an identity to which it should assign roles, role synchronization assumes that connector-object uid is the same as IdentityAccount uid. This is not always true, because account identifier can be different (for example when uid is generated by the system).
Related issues
Updated by Peter Štrunc over 2 years ago
- Status changed from New to Needs feedback
- % Done changed from 0 to 70
I developed a somehow naive solution, using SysSystemEntityDto uid, which is always the same as connector-object uid. The drawback is that for each member sync now does two more db queries (those queries are fairly quick though).
It would not be too big a hassle to implement specific criteria query for searching for IdentityAccount by corresponding SystemEntity uid, but I need this functionality quickly.
Everything is here: https://github.com/bcvsolutions/CzechIdMng/commit/9f1cd8d67218452efff58884c69da569ac3aa3de
I run all the tests and it looks good. I also tested it in a project environment and it also now works as expected. @svandav Would you please review my changes?
Updated by Vít Švanda over 2 years ago
- Status changed from Needs feedback to Resolved
- % Done changed from 70 to 100
I did review and tested it on Kyblicek AD. Idea is correct. I found problem with using filter by Ids (is not supported in systemEntityService yet). I fixed that. Works nice, thanks for that.
Review notes:- Please do not use asterix in imports.
- We have like if stream are formated.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/2cb424d4850f89ae17fe7c351126c228e82e9395
Updated by Radek Tomiška over 2 years ago
- Related to Task #2986: Refactor SysSystemEntityRepository find method to criteria. added
Updated by Radek Tomiška over 2 years ago
- Status changed from Resolved to Closed