Defect #3397
closed
Groups assigned to accounts aren't removed from end systems after removal of the role
Added by Alena Peterová over 1 year ago.
Updated about 1 year ago.
Category:
Account management
- Target version set to 13.0.6
Is the behavior the same for all types of accounts? You mentioned the main personal account, but how about other personal accounts and technical accounts?
Tested also for other personal accounts; the behavior is the same as for main personal accounts.
I found out that if you explicitly invoke provisioning afterwards, the group value is removed from the end system. So the problems are:
- removal of the role, which was originally assigned to an account, doesn't cause provisioning
- empty links to accounts (without "assigned by role") are never deleted => the accounts would never be deleted or moved to account protection, even if all contracts of the user ended.
This was most likely already solved in #3348, but we did not backport it to patch version 13.0.x. It was only done on the develop branch. I did port it and will test it tomorrow.
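The two problems listed above amount to a reconciliation gap: the target system keeps group memberships (and the IdM keeps account links) that no current role justifies. The following is an added example, not code from CzechIdM or from the issue; it models that situation with hypothetical in-memory structures (a role-to-group mapping, role assignments per identity, the target system's actual memberships, and account links flagged with the role that created them, or None for the "empty link" case) and computes what a provisioning run should remove. All names and sample data are constructed for illustration.

```python
"""Reconciliation check for stale group memberships and orphaned account links.

Hypothetical model of the defect described in the issue (not CzechIdM code):
after a role is removed, groups granted by that role must disappear from the
end system, links created by that role must be dropped, and an account left
without any link becomes a candidate for deletion or account protection.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical mapping: role name -> groups that role grants on the target system.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "ldap-admins": {"cn=admins"},
    "ldap-users": {"cn=users"},
}


@dataclass
class AccountLink:
    """Link between an identity and a target-system account (hypothetical)."""
    identity: str
    account_uid: str
    assigned_by_role: Optional[str]  # None models the "empty link" from the issue


@dataclass
class State:
    role_assignments: Dict[str, Set[str]]    # identity -> currently assigned roles
    target_memberships: Dict[str, Set[str]]  # account uid -> groups on the end system
    links: List[AccountLink] = field(default_factory=list)


def expected_groups(state: State, identity: str) -> Set[str]:
    """Groups the identity should hold, derived only from its current roles."""
    groups: Set[str] = set()
    for role in state.role_assignments.get(identity, set()):
        groups |= ROLE_GROUPS.get(role, set())
    return groups


def stale_memberships(state: State) -> Dict[str, Set[str]]:
    """Groups present on the target system that no current role justifies."""
    stale: Dict[str, Set[str]] = {}
    for link in state.links:
        actual = state.target_memberships.get(link.account_uid, set())
        extra = actual - expected_groups(state, link.identity)
        if extra:
            stale[link.account_uid] = extra
    return stale


def orphaned_links(state: State) -> List[AccountLink]:
    """Links not backed by a currently assigned role (including empty links)."""
    return [
        link for link in state.links
        if link.assigned_by_role is None
        or link.assigned_by_role not in state.role_assignments.get(link.identity, set())
    ]


def accounts_without_links(state: State) -> Set[str]:
    """Accounts on the target system with no remaining link: delete or protect them."""
    linked = {link.account_uid for link in state.links}
    return set(state.target_memberships) - linked


def provision(state: State) -> None:
    """Apply the corrections a provisioning run should make."""
    for uid, extra in stale_memberships(state).items():
        state.target_memberships[uid] -= extra
    orphans = orphaned_links(state)
    state.links = [link for link in state.links if link not in orphans]


def build_sample_state() -> State:
    """Constructed sample: alice lost ldap-admins, bob has no roles left at all."""
    return State(
        role_assignments={"alice": {"ldap-users"}, "bob": set()},
        target_memberships={"alice": {"cn=admins", "cn=users"}, "bob": {"cn=users"}},
        links=[
            AccountLink("alice", "alice", "ldap-users"),
            AccountLink("alice", "alice", "ldap-admins"),  # role already removed
            AccountLink("alice", "alice", None),           # "empty" link
            AccountLink("bob", "bob", None),               # only an empty link
        ],
    )


if __name__ == "__main__":
    s = build_sample_state()
    print("stale before:", stale_memberships(s))
    provision(s)
    print("memberships after:", s.target_memberships)
    print("accounts with no link:", accounts_without_links(s))
```

Running the sample shows the security-relevant point of the defect: until `provision` runs, alice still holds `cn=admins` on the target system although the granting role is gone, and bob's account is never flagged for removal because its empty link keeps it looking linked.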
- Status changed from New to In Progress
- % Done changed from 0 to 80
I tested it on the current 13.0.6-LTS branch, which contains the full implementation of account management for accounts (#3348) and it works as it should. When the role is assigned to the account, the group is provisioned on the target system and when the role is unassigned, the account is removed from the group. No weird links to accounts are being created either.
Setting the status to "In progress" since I still need to create a "testable" image.
I tested it again on the 13.0.6-LTS branch, commit b82fb6f083efe7aaab83fb9d433c7628cb2fda66, together with a newer version of idm-tech. Provisioning (add/remove of group membership) works well for me now. However, empty AccIdentityAccounts are still created when a role is assigned for a personal other account, and are never removed.
Technical accounts work well.
- Status changed from In Progress to Needs feedback
- Assignee changed from Peter Štrunc to Alena Peterová
I have solved the mentioned issue by explicitly allowing entity account (IdmIdentityAccount or TechnicalAccountAccount) creation only by IdmIdentityRoleDto. This means, that no links to accounts are being created when assigning roles to accounts (personal, other, or technical). Provisioning for other role assignment types works as if the role system had account creation turned off.
PR is here: https://github.com/bcvsolutions/CzechIdMng/pull/407
@apeterova could you check it out, please? I added the commit to the LTS version as well.
- Assignee changed from Alena Peterová to Peter Štrunc
It works well, good job!
I approved the pull request, please merge it.
- Status changed from Needs feedback to Resolved
- % Done changed from 80 to 100
- Status changed from Resolved to Closed