Project

General

Profile

Actions

Defect #3397

closed

Groups assigned to accounts aren't removed from end systems after removal of the role

Added by Alena Peterová over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
High
Assignee:
Peter Štrunc
Category:
Account managment
Target version:
Start date:
06/19/2023
Due date:
% Done:

100%

Estimated time:
Affected versions:
Owner:

Description

My use-case - I have an AD group which has the flag "automatically create accounts". When I assign the role directly to the account, account gets the groups. However, when I remove the role, account isn't removed from the group.

Steps to reproduce - detail:
  • have a user who has an account on end system (here AD, the role creating this account is AD-test1)
  • create a role which assigns the system, has the flag "Automatically create accounts" and fills some value to the multi-valued attribute. Here "AD new test role" filling the value "test new role".
  • assign this role to the main personal account
  • it creates an empty link to account (i.e. a link without "assigned by role") - this is probably the cause of the problem later
  • the value is provisioned correctly
  • remove the role
  • the value from the role is not removed from the values on the system. Also, the link to the account stays there.

Files

00_role_automatically_create_account.png (90.3 KB) 00_role_automatically_create_account.png Alena Peterová, 06/19/2023 05:57 PM
04_provisioning.png (14.2 KB) 04_provisioning.png Alena Peterová, 06/19/2023 05:57 PM
03_links_to_accounts.png (45.5 KB) 03_links_to_accounts.png Alena Peterová, 06/19/2023 05:57 PM
02_assign_role_to_account.png (74.1 KB) 02_assign_role_to_account.png Alena Peterová, 06/19/2023 05:57 PM
01_start_roles.png (30.7 KB) 01_start_roles.png Alena Peterová, 06/19/2023 05:57 PM
05_roles_are_still_there.png (4.17 KB) 05_roles_are_still_there.png Alena Peterová, 06/19/2023 06:05 PM
Actions #2

Updated by Peter Štrunc over 1 year ago

  • Target version set to 13.0.6
Actions #3

Updated by Vladimír Kotýnek over 1 year ago

Is the behavior same for all types of accounts. You mentioned main personal account but how about other personal accounts and technical accounts?

Actions #4

Updated by Alena Peterová over 1 year ago

Tested also for other personal account, the behavior is the same as for main personal accounts.
I found out, that if you explicitly invoke provisioning afterwards, the group value is removed from the end system. So the problems are:
  • removal of the role, which was originally assigned to an account, doesn't cause provisioning
  • empty links to accounts (without "assigned by role") are never deleted => the accounts would never be deleted or moved to account protection, even if all contracts of the user ended.
Actions #5

Updated by Peter Štrunc over 1 year ago

This was most likely already solved in #3348, but we did not backport it to patch version 13.0.x. It was only done on the develop branch. I did port it and will test it tomorrow.

Actions #6

Updated by Peter Štrunc over 1 year ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 80

I tested it on the current 13.0.6-LTS branch, which contains the full implementation of account management for accounts (#3348) and it works as it should. When the role is assigned to the account, the group is provisioned on the target system and when the role is unassigned, the account is removed from the group. No weird links to accounts are being created either.

Setting the status to "In progress" since i still need to create "testable" image.

Actions #7

Updated by Alena Peterová over 1 year ago

I tested it again on 13.0.6-LTS branch, commit b82fb6f083efe7aaab83fb9d433c7628cb2fda66, together with newer version of idm-tech. Provisioning (add/remove of group membership) works well for me now. However, empty AccIdentityAccounts are still created, when a role is assigned for a personal other account, and are never removed.
Technical accounts work well.

Actions #8

Updated by Peter Štrunc over 1 year ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Peter Štrunc to Alena Peterová

I have solved the mentioned issue by explicitly allowing entity account (IdmIdentityAccount or TechnicalAccountAccount) creation only by IdmIdentityRoleDto. This means, that no links to accounts are being created when assigning roles to accounts (personal, other, or technical). Provisioning for other role assignment types works as if the role system had account creation turned off.

PR is here: https://github.com/bcvsolutions/CzechIdMng/pull/407

@apeterova could you check it out, please? I added the commit to the LTS version as well.

Actions #9

Updated by Alena Peterová over 1 year ago

  • Assignee changed from Alena Peterová to Peter Štrunc

It works well, good job!
I approved the pull request, please merge it.

Actions #10

Updated by Peter Štrunc over 1 year ago

  • Status changed from Needs feedback to Resolved
  • % Done changed from 80 to 100

Merged

Actions #11

Updated by Peter Štrunc about 1 year ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF