Task #3390
closed
Allow adding multiple system mappings to a single role
80%
Description
Use case
System S1 (e.g. Active Directory) containing
- User accounts
- Admin accounts
- Technical accounts
- Groups
All object types are being synchronized to the identity manager (User and admin accounts as identity accounts - Personal and other, Technical accounts as technical accounts and Groups as Roles).
We want to:
- Synchronize group memberships from the end system to the identity manager (role representing a given group is being assigned to the account owner in the IdM) - already possible
- Be able to add all of the mentioned objects to the group by assigning a role to either of them (Personal and technical accounts) - the aim of this ticket
The issue
Currently, it is forbidden to add multiple mappings to the same system to a single role. This in practice means that in order to achieve the use case above, the user must either:
- Create a specific role for each account type (system mapping), or
- Create multiple systems (one for each account type) and add mappings to those systems to the role representing the desired group.
Solution
To prevent the issue mentioned above, we will remove the constraint of adding multiple mappings from the same system to a single role. The goal of this ticket is to remove the constraint, analyze what the initial need for having the constraint in place was, and make sure nothing breaks by removing the constraint.
Updated by Peter Štrunc over 1 year ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Peter Štrunc to Ondřej Kopr
- % Done changed from 0 to 80
I removed the constraint here https://github.com/bcvsolutions/CzechIdMng/pull/400
I was not able to find any issue caused by this. The reason why it was introduced in the first place #631 is now obsolete since its main purpose was to forbid multiple uid attribute mapping and this was further narrowed in #663 by not allowing to override uid attributes from roles when uid attribute is already defined on the system.
I kept the constraint of only allowing unique attribute mappings, which should prevent any unwanted behavior while solving the issue described in this ticket.
@kopro could you check it out?
Updated by Alena Peterová over 1 year ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Ondřej Kopr to Peter Štrunc
We talked about the change with Ondra and decided that it's OK. I tested with a role which had different mappings for the same system and didn't find any issues.
I approved the request. Merging initially showed a conflict on line 55 in IdentityRoleDeleteProvisioningProcessor.java (two almost identical changes), which I resolved. The pull request was merged by Ondra.
Thanks!