Defect #3397
closed
Groups assigned to accounts aren't removed from end systems after removal of the role
100%
Description
My use-case - I have an AD group which has the flag "automatically create accounts". When I assign the role directly to the account, account gets the groups. However, when I remove the role, account isn't removed from the group.
Steps to reproduce - detail:- have a user who has an account on end system (here AD, the role creating this account is AD-test1)
- create a role which assigns the system, has the flag "Automatically create accounts" and fills some value to the multi-valued attribute. Here "AD new test role" filling the value "test new role".
- assign this role to the main personal account
- it creates an empty link to account (i.e. a link without "assigned by role") - this is probably the cause of the problem later
- the value is provisioned correctly
- remove the role
- the value from the role is not removed from the values on the system. Also, the link to the account stays there.
Files
Updated by Alena Peterová 11 months ago
I found out, that if you explicitly invoke provisioning afterwards, the group value is removed from the end system. So the problems are:
- removal of the role, which was originally assigned to an account, doesn't cause provisioning
- empty links to accounts (without "assigned by role") are never deleted => the accounts would never be deleted or moved to account protection, even if all contracts of the user ended.
Updated by Peter Štrunc 11 months ago
- Status changed from New to In Progress
- % Done changed from 0 to 80
I tested it on the current 13.0.6-LTS branch, which contains the full implementation of account management for accounts (#3348) and it works as it should. When the role is assigned to the account, the group is provisioned on the target system and when the role is unassigned, the account is removed from the group. No weird links to accounts are being created either.
Setting the status to "In progress" since i still need to create "testable" image.
Updated by Alena Peterová 11 months ago
I tested it again on 13.0.6-LTS branch, commit b82fb6f083efe7aaab83fb9d433c7628cb2fda66, together with newer version of idm-tech. Provisioning (add/remove of group membership) works well for me now. However, empty AccIdentityAccounts are still created, when a role is assigned for a personal other account, and are never removed.
Technical accounts work well.
Updated by Peter Štrunc 10 months ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Peter Štrunc to Alena Peterová
I have solved the mentioned issue by explicitly allowing entity account (IdmIdentityAccount or TechnicalAccountAccount) creation only by IdmIdentityRoleDto. This means, that no links to accounts are being created when assigning roles to accounts (personal, other, or technical). Provisioning for other role assignment types works as if the role system had account creation turned off.
PR is here: https://github.com/bcvsolutions/CzechIdMng/pull/407
@apeterova could you check it out, please? I added the commit to the LTS version as well.