Defect #3230
Direct managers can partially see inactive subordinates, configuration to allow/disable option to see inactive subordinates
80%
Description
When we use the default settings of managers and subordinates by tree structures (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#defaultmanagersfilter), the managers are not able to see their inactive subordinates.
If we use finding managers/subordinates by directly configured managers (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#guaranteesubordinatesfilter), then managers can see the identities in the list of users, but aren't able to open them.
- make the default behavior of different algorithms consistent
- allow us to configure (without implementation) per project, if the managers may see/edit their left subordinate, or not (we need both options for different customers)
Current behavior on version 12.2, steps to reproduce:
- create manager and their subordinate, deactivate the subordinate by their contract's valid till
- login as manager -> Users -> clear the filter. You cannot see the inactive subordinate at all:
- use the direct managers configuration:
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter
- login as manager -> Users -> clear the filter. You can see the inactive subordinate:
- try to open the inactive subordinate => insufficient access rights
Note: userRole contains userManagerRole, no other changes in default permissions were made
Updated by Tomáš Doischer about 2 years ago
- Tracker changed from Task to Defect
- Target version set to 13.1.0
- Affected versions 12.1.3, 12.4.0 added
Updated by Tomáš Doischer almost 2 years ago
- Assignee changed from Tomáš Doischer to Jan Potočiar
Updated by Tomáš Doischer almost 2 years ago
- Sprint set to Sprint 13.1-2 (Mar 08 - Mar 22)
- Estimated time set to 32.00 h
Updated by Tomáš Doischer almost 2 years ago
- Sprint changed from Sprint 13.1-2 (Mar 08 - Mar 22) to Sprint 13.1-3 (Mar 22 - Apr 05)
Updated by Jan Potočiar over 1 year ago
- What should the configuration look like? How shall it be set? By whom?
- If the manager can see his inactive subordinate in the list of users, should he also be able to see his details? (not possible now -> insufficient permissions)
Updated by Tomáš Doischer over 1 year ago
- Related to Task #3129: The EavCodeContractByManagerFilter returns subordinates from expired contracts added
Updated by Tomáš Doischer over 1 year ago
- Sprint changed from Sprint 13.1-3 (Mar 22 - Apr 05) to Sprint 13.1-4 (Apr 05 - Apr 19)
Updated by Jan Potočiar over 1 year ago
- introduce new field to properties config file
  - name: idm.sec.core.filter.IdmIdentity.managerInvalidSubordinateAccess
  - type: boolean
  - purpose: to configure if managers can see (and edit?) their inactive subordinates
  - default value?
- adjust DefaultSubordinatesFilter to accept the new config field
  - true scenario
  - false scenario
- adjust GuaranteeSubordinatesFilter to accept the new config field
  - true scenario
  - false scenario
- fix - inactive subordinates displayed in the user list view should also have their details accessible
  - should work for both DefaultSubordinatesFilter and GuaranteeSubordinatesFilter
- tests
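A minimal model of the consistency this plan asks for, as an added example that is not CzechIdM code or part of the ticket: one predicate decides both the list result and the detail read, switched by the proposed property. The class, record and method names are hypothetical, the default of false is an assumption (the ticket leaves it open), and the contracts are constructed sample data.

```java
import java.time.LocalDate;
import java.util.List;
import java.util.Properties;

// Simplified model, not CzechIdM code; class, record and method names are hypothetical.
public class SubordinateAccessModel {
    static final String PROP = "idm.sec.core.filter.IdmIdentity.managerInvalidSubordinateAccess";
    record Contract(String identity, String manager, LocalDate validTill) {
        boolean validOn(LocalDate day) { return validTill == null || !validTill.isBefore(day); }
    }

    final List<Contract> contracts;
    final LocalDate today;
    final boolean invalidSubordinateAccess; // default "false" is an assumption
    SubordinateAccessModel(List<Contract> contracts, Properties config, LocalDate today) {
        this.contracts = contracts;
        this.today = today;
        this.invalidSubordinateAccess = Boolean.parseBoolean(config.getProperty(PROP, "false"));
    }

    // The single rule used by BOTH the list query and the detail permission check.
    boolean visibleTo(String manager, Contract c) {
        return c.manager().equals(manager) && (invalidSubordinateAccess || c.validOn(today));
    }

    List<String> listSubordinates(String manager) {
        return contracts.stream().filter(c -> visibleTo(manager, c))
                .map(Contract::identity).distinct().toList();
    }
    boolean canReadDetail(String manager, String identity) {
        return contracts.stream().anyMatch(c -> c.identity().equals(identity) && visibleTo(manager, c));
    }
    public static void main(String[] args) {
        List<Contract> contracts = List.of( // constructed sample data
                new Contract("alice", "mgr", null),
                new Contract("bob", "mgr", LocalDate.of(2023, 1, 31))); // contract expired
        for (String flag : List.of("false", "true")) {
            Properties config = new Properties();
            config.setProperty(PROP, flag);
            var model = new SubordinateAccessModel(contracts, config, LocalDate.of(2023, 5, 1));
            List<String> listed = model.listSubordinates("mgr");
            // Parity invariant: an identity is listed if and only if its detail can be read.
            for (Contract c : contracts)
                if (listed.contains(c.identity()) != model.canReadDetail("mgr", c.identity()))
                    throw new IllegalStateException("list/detail mismatch: " + c.identity());
            System.out.println(flag + " -> " + listed);
        }
    }
}
```

The same parity loop works as a regression test for each filter implementation: run it once per property value and fail on any identity that is listed but cannot be opened.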
Updated by Jan Potočiar over 1 year ago
- Status changed from New to In Progress
- % Done changed from 20 to 0
Updated by Jan Potočiar over 1 year ago
Question: how should the new config option work with the existing filter for "Inactive" users? Should the filter be disabled for managers who don't have the rights to access users who left the company?
Updated by Jan Potočiar over 1 year ago
- File inactive-users.png inactive-users.png added
Updated by Tomáš Doischer over 1 year ago
- Sprint changed from Sprint 13.1-4 (Apr 05 - Apr 19) to Sprint 13.1-5 (Apr 19 - May 03)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.1-5 (Apr 19 - May 03) to Sprint 13.0.5 - 1 (May 03 - May 17)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.0.5 - 1 (May 03 - May 17) to Sprint 13.0.5 - 2 (May 17 - May 29)
Updated by Jan Potočiar over 1 year ago
- Sprint changed from Sprint 13.0.5 - 2 (May 17 - May 29) to Sprint 13.0.5 - 1 (May 03 - May 17)
- Status changed from In Progress to Needs feedback
- Assignee changed from Jan Potočiar to Peter Štrunc
- % Done changed from 70 to 80
Updated by Jan Potočiar over 1 year ago
- Sprint changed from Sprint 13.0.5 - 1 (May 03 - May 17) to Sprint 13.0.5 - 2 (May 17 - May 29)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.0.5 - 2 (May 17 - May 29) to Sprint 13.0.5 - 3 (May 29 - Jun 12)
Updated by Peter Štrunc over 1 year ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Peter Štrunc to Jan Potočiar
I reviewed the code. It looks good, thanks for the fix. I had one issue with the configuration property, which is described in the PR on GitHub. Once this is resolved, you can close this ticket.
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.0.5 - 3 (May 29 - Jun 12) to Sprint 13.0.5 - 4 (Jun 12 - Jun 26)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.0.5 - 4 (Jun 12 - Jun 26) to Sprint 13.0.6 - 5 (Jun 27 - Jun 28)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.0.6 - 5 (Jun 27 - Jun 28) to Sprint 13.0.7 - 6 (Jul 12 - Jul 26)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint 13.0.7 - 6 (Jul 12 - Jul 26) to Sprint JIP-KAAS / IdStory Hub - 7 (Jul 24 - Aug 07)
Updated by Peter Štrunc over 1 year ago
- Sprint changed from Sprint JIP-KAAS / IdStory Hub - 7 (Jul 24 - Aug 07) to Sprint PoC / IdStory Hub - 8 (Aug 07 - Sep 04)
Updated by Martin Kolombo about 1 year ago
- Sprint changed from Sprint PoC / IdStory Hub - 8 (Aug 07 - Sep 04) to Next Backlog (Oct 30 - Nov 13)
Updated by Martin Kolombo about 1 year ago
- Sprint deleted (Next sprint candidates (Oct 30 - Nov 13))