Defect #3230
open
Direct managers can partially see inactive subordinates, configuration to allow/disable option to see inactive subordinates
Added by Alena Peterová over 1 year ago.
Updated 6 months ago.
Description
When we use the default settings of managers and subordinates by tree structures (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#defaultmanagersfilter), the managers are not able to see their inactive subordinates.
If we use finding managers/subordinates by directly configured managers (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#guaranteesubordinatesfilter), then managers can see the identities in the list of users, but aren't able to open them.
Please:
- make the default behavior of different algorithms consistent
- allow us to configure (without implementation) per project, if the managers may see/edit their left subordinate, or not (we need both options for different customers)
Current behavior on version 12.2, steps to reproduce:
- create manager and their subordinate, deactivate the subordinate by their contract's valid till
- login as manager -> Users -> clear the filter. You cannot see the inactive subordinate at all:
- use the direct managers configuration:
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter
- login as manager -> Users -> clear the filter. You can see the inactive subordinate:
- try to open the inactive subordinate => insufficient access rights
Note: userRole contains userManagerRole, no other changes in default permissions were made
Files
- Description updated (diff)
- Tracker changed from Task to Defect
- Target version set to 13.1.0
- Affected versions 12.1.3, 12.4.0 added
- Assignee changed from Tomáš Doischer to Jan Potočiar
- Sprint set to Sprint 13.1-2 (bře 08 - bře 22)
- Estimated time set to 32.00 h
- Sprint changed from Sprint 13.1-2 (bře 08 - bře 22) to Sprint 13.1-3 (bře 22 - dub 05)
I understand the issue, but am not sure about the solution:
- What should the configuration look like? How shall it be set? By whom?
- If the manager can see his inactive subordinate in the list o users, should he also be able to see his details? (not possible now -> insufficient permissions)
- Related to Task #3129: The EavCodeContractByManagerFilter returns subordinates from expired contracts added
- Sprint changed from Sprint 13.1-3 (bře 22 - dub 05) to Sprint 13.1-4 (dub 05 - dub 19)
Plan (todo list):
- introduce new field to properties config file
- name:
idm.sec.core.filter.IdmIdentity.managerInvalidSubordinateAccess
- type: boolean
- purpose: to configure if managers can see (and edit?) their inactive subordinates
- default value?
- adjust DefaultSubordinatesFilter to accept the new config field
- true scenario
- false scenario
- adjust GuaranteeSubordinatesFilter to accept the new config field
- true scenario
- false scenario
- fix - inactive suboordinates displayed in the user list view should also have their details accessable
- should work for both DefaultSubordinatesFilter and GuaranteeSubordinatesFilter
- tests
- % Done changed from 0 to 20
- Status changed from New to In Progress
- % Done changed from 20 to 0
- % Done changed from 0 to 20
Question: how should the new config option work with the existing filter for "Inactive" users? Should the filter be disabled for managers who don't have the rights to access users who left the company?
- % Done changed from 20 to 70
- Sprint changed from Sprint 13.1-4 (dub 05 - dub 19) to Sprint 13.1-5 (dub 19 - kvě 03)
- Sprint changed from Sprint 13.1-5 (Apr 19 - May 03) to Sprint 13.0.5 - 1 (May 03 - May 17)
- Sprint changed from Sprint 13.0.5 - 1 (May 03 - May 17) to Sprint 13.0.5 - 2 (May 17 - May 29)
- Sprint changed from Sprint 13.0.5 - 2 (May 17 - May 29) to Sprint 13.0.5 - 1 (May 03 - May 17)
- Status changed from In Progress to Needs feedback
- Assignee changed from Jan Potočiar to Peter Štrunc
- % Done changed from 70 to 80
- Sprint changed from Sprint 13.0.5 - 1 (May 03 - May 17) to Sprint 13.0.5 - 2 (May 17 - May 29)
- Sprint changed from Sprint 13.0.5 - 2 (May 17 - May 29) to Sprint 13.0.5 - 3 (May 29 - Jun 12)
- Owner set to Jan Potočiar
- Status changed from Needs feedback to In Progress
- Assignee changed from Peter Štrunc to Jan Potočiar
I reviewed the code. It looks good, thanks for the fix. I had one issue with the configuration property, which is described in the PR on GitHub. Once this is resolved, you can close this ticket.
- Sprint changed from Sprint 13.0.5 - 3 (May 29 - Jun 12) to Sprint 13.0.5 - 4 (Jun 12 - Jun 26)
- Sprint changed from Sprint 13.0.5 - 4 (Jun 12 - Jun 26) to Sprint 13.0.6 - 5 (Jun 27 - Jun 28)
- Sprint changed from Sprint 13.0.6 - 5 (Jun 27 - Jun 28) to Sprint 13.0.7 - 6 (Jul 12 - Jul 26)
- Sprint changed from Sprint 13.0.7 - 6 (Jul 12 - Jul 26) to Sprint JIP-KAAS / IdStory Hub - 7 (Jul 24 - Aug 07)
- Sprint changed from Sprint JIP-KAAS / IdStory Hub - 7 (Jul 24 - Aug 07) to Sprint PoC / IdStory Hub - 8 (Aug 07 - Sep 04)
- Sprint changed from Sprint PoC / IdStory Hub - 8 (Aug 07 - Sep 04) to Next Backlog (Oct 30 - Nov 13)
- Sprint deleted (
Next sprint candidates (Oct 30 - Nov 13))
Also available in: Atom
PDF
