Defect #3230
open
Direct managers can partially see inactive subordinates, configuration to allow/disable option to see inactive subordinates
80%
Description
When we use the default settings of managers and subordinates by tree structures (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#defaultmanagersfilter), the managers are not able to see their inactive subordinates.
If we use finding managers/subordinates by directly configured managers (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#guaranteesubordinatesfilter), then managers can see the identities in the list of users, but aren't able to open them.
- make the default behavior of different algorithms consistent
- allow us to configure (without implementation) per project, if the managers may see/edit their left subordinate, or not (we need both options for different customers)
Current behavior on version 12.2, steps to reproduce:
- create manager and their subordinate, deactivate the subordinate by their contract's valid till
- login as manager -> Users -> clear the filter. You cannot see the inactive subordinate at all:
- use the direct managers configuration:
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter - login as manager -> Users -> clear the filter. You can see the inactive subordinate:
- try to open the inactive subordinate => insufficient access rights
Note: userRole contains userManagerRole, no other changes in default permissions were made
Files
Related issues
Updated by Tomáš Doischer over 1 year ago
- Tracker changed from Task to Defect
- Target version set to 13.1.0
- Affected versions 12.1.3, 12.4.0 added
Updated by Tomáš Doischer about 1 year ago
- Assignee changed from Tomáš Doischer to Jan Potočiar
Updated by Tomáš Doischer about 1 year ago
- Sprint set to Sprint 13.1-2 (bře 08 - bře 22)
- Estimated time set to 32.00 h
Updated by Tomáš Doischer about 1 year ago
- Sprint changed from Sprint 13.1-2 (bře 08 - bře 22) to Sprint 13.1-3 (bře 22 - dub 05)
Updated by Jan Potočiar about 1 year ago
- What should the configuration look like? How shall it be set? By whom?
- If the manager can see his inactive subordinate in the list o users, should he also be able to see his details? (not possible now -> insufficient permissions)
Updated by Tomáš Doischer about 1 year ago
- Related to Task #3129: The EavCodeContractByManagerFilter returns subordinates from expired contracts added
Updated by Tomáš Doischer about 1 year ago
- Sprint changed from Sprint 13.1-3 (bře 22 - dub 05) to Sprint 13.1-4 (dub 05 - dub 19)
Updated by Jan Potočiar about 1 year ago
- introduce new field to properties config file
- name:
idm.sec.core.filter.IdmIdentity.managerInvalidSubordinateAccess - type: boolean
- purpose: to configure if managers can see (and edit?) their inactive subordinates
- default value?
- name:
- adjust DefaultSubordinatesFilter to accept the new config field
- true scenario
- false scenario
- adjust GuaranteeSubordinatesFilter to accept the new config field
- true scenario
- false scenario
- fix - inactive suboordinates displayed in the user list view should also have their details accessable
- should work for both DefaultSubordinatesFilter and GuaranteeSubordinatesFilter
- tests
Updated by Jan Potočiar about 1 year ago
- Status changed from New to In Progress
- % Done changed from 20 to 0
Updated by Jan Potočiar about 1 year ago
Question: how should the new config option work with the existing filter for "Inactive" users? Should the filter be disabled for managers who don't have the rights to access users who left the company?
Updated by Jan Potočiar about 1 year ago
- File inactive-users.png inactive-users.png added
Updated by Tomáš Doischer about 1 year ago
- Sprint changed from Sprint 13.1-4 (dub 05 - dub 19) to Sprint 13.1-5 (dub 19 - kvě 03)
Updated by Jan Potočiar 11 months ago
- Sprint changed from Sprint 13.0.5 - 2 (May 17 - May 29) to Sprint 13.0.5 - 1 (May 03 - May 17)
- Status changed from In Progress to Needs feedback
- Assignee changed from Jan Potočiar to Peter Štrunc
- % Done changed from 70 to 80
Updated by Peter Štrunc 11 months ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Peter Štrunc to Jan Potočiar
I reviewed the code. It looks good, thanks for the fix. I had one issue with the configuration property, which is described in the PR on GitHub. Once this is resolved, you can close this ticket.