Defect #3406

open

Values from roles which don't create accounts are provisioned even for future contracts and future role assignments

Added by Alena Peterová 10 months ago. Updated 6 months ago.

Status: New
Priority: High
Assignee: Tomáš Chalupa
Category: Account managment
Target version: -
Start date: 06/26/2023
Due date:
% Done: 0%
Estimated time:
Affected versions:
Owner:

Description

Tested on 12.2.5 and 13.0.6 RC.

Steps to reproduce:
  • create a role filling some multivalued attribute on a system, deactivate the option "Automatically create accounts" and leave deactivated "Forward account management"
  • in contrast, create a similar role and only leave the option "Automatically create accounts" active
  • assign this role to a user and fill "valid from" to some future date.
    (On 12.2.5, this is prefilled from the future contract or by current date. On 13.0.5, you have to set the date manually - see #3405)
  • resave the user (or invoke provisioning in some other way)
  • the value from the role which "doesn't create accounts" is provisioned. The value from the other role is not.

Note: the behavior doesn't depend on the state of the contract, only on the validity of the assigned role. The contract in the example is valid in the future, because that is in my opinion the most important use case, which is broken by this behavior:
  • I want to have a "login" role for AD and create accounts only based on this role.
  • I need future employees in AD before they start working, so the login role uses "Forward account management".
  • Roles for other groups don't create accounts and many of them are assigned automatically based on organization structure (e.g. distribution groups).
  • I don't want to put users into groups before they start working, so the roles don't use forward ACM.

Files

role_mapping.png (107 KB) Alena Peterová, 06/26/2023 04:26 PM
provisioning_after_resave.png (27.8 KB) Alena Peterová, 06/26/2023 04:26 PM
add_group_roles.png (77.7 KB) Alena Peterová, 06/26/2023 04:26 PM
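
An added example, not part of the original report and not the product's own code: an audit that flags values already present on a target system although the only role assignments backing them are not yet valid and do not use forward account management. The `Assignment` model, the user, role and group names, and the input shape (an export of assignments plus current attribute values per user) are assumptions; "valid till" dates are ignored.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Assignment:
    """One role assignment with the value its mapping adds (hypothetical model)."""
    user: str
    role: str
    value: str          # e.g. a group the role puts into a multivalued attribute
    valid_from: date
    forward_acm: bool   # "Forward account management" enabled on the mapping

def justified(assignments, today):
    """(user, value) pairs backed by a valid or forward-ACM assignment."""
    return {(a.user, a.value) for a in assignments
            if a.valid_from <= today or a.forward_acm}

def premature_values(assignments, actual, today):
    """Values present on the system but backed only by not-yet-valid
    assignments without forward ACM."""
    ok = justified(assignments, today)
    return sorted({(a.user, a.value, a.role, a.valid_from)
                   for a in assignments
                   if a.value in actual.get(a.user, set())
                   and (a.user, a.value) not in ok})

# Constructed sample data (not taken from the ticket or its screenshots).
TODAY = date(2023, 6, 26)
START = date(2023, 8, 1)
ASSIGNMENTS = [
    Assignment("jnovak", "AD login", "grp-login", START, True),
    Assignment("jnovak", "Sales DL", "dl-sales", START, False),
    Assignment("jnovak", "Marketing DL", "dl-marketing", START, False),
    Assignment("kmala", "Sales DL", "dl-sales", date(2022, 1, 1), False),
    Assignment("kmala", "Sales DL (new contract)", "dl-sales", START, False),
]
# Values currently on the target system, per user (constructed).
ACTUAL = {"jnovak": {"grp-login", "dl-sales"}, "kmala": {"dl-sales"}}

if __name__ == "__main__":
    for finding in premature_values(ASSIGNMENTS, ACTUAL, TODAY):
        print(finding)
```

A value that is also backed by an assignment valid today, as for `kmala` in the sample, is not reported.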
Actions #2

Updated by Vladimír Kotýnek 10 months ago

This happens not only for multivalued attributes but for any override of an attribute from a role. E.g. I have a role that overrides the "mailHost" attribute from a role, and this happened to me too.

Actions #4

Updated by Martin Kolombo 6 months ago

  • Sprint set to Next sprint candidates (Oct 30 - Nov 13)
Actions #5

Updated by Martin Kolombo 6 months ago

  • Sprint changed from Next sprint candidates (Oct 30 - Nov 13) to IdStory + Procorp - 3 (Nov 01 - Nov 15)
Actions #6

Updated by Martin Kolombo 6 months ago

  • Assignee changed from Peter Štrunc to Tomáš Chalupa