Task #413
closed
Apply for role and role catalogue
100%
Description
Add new property (boolean) to role and role catalogue - apply for them. (flyway...)
New created role/folders (role catalogue) has set this property to true.
On role request will be hidden role and folders that has this attribute set to false.
Dont forget check this flag also on BE, i'm able create request for role through rest.
With questions you can contact me (OK)
Updated by Marcel Poul almost 7 years ago
- role becomes deprecated or is being replaced by another one. Role should still be active, but users should not be able to apply for it.
- role is new, but is not intended for user's applications yet - e.g. the administrator is now preparing role in IdM, but do not want to show them for users yet.
- role will never be able to apply for - some admin roles, strategic end system roles etc.
So the question is. Should we really implement the "apply for" attribut check on FE as well as BE? I think yes, but we have to find a solutions that can meet the point 3 usecase, but we should still be able to add the role to the user manually.
The other question is where to impelement the attribute - role or roleCalalogue. I think both solutions are possible and in fact are complementary. Catalog attribute turns on and off the visibility of the object in GUI. Role is more complex - it is more about applying for a role then just the visibility
Updated by Peter Štrunc almost 7 years ago
I would not distinguish between the role and role catalogue attributes. It should both have the same behavior:
On role: If true -> users can apply for role
On catalogue: If true -> users can apply for any role under this folder
The only thing left is to decide, whether attribute on role would have greater priority (you can apply for role in forbidden catalogue if it has set this attribute to true). I think that this is subject for bigger discussion.
As for the ability to be able to assign forbidden roles, it looks to me, that it should be bound with some kind of permission so we can somehow say that these people can assign forbidden roles.
Updated by Peter Štrunc almost 7 years ago
So after consulting this with Marcel and Ondra we came up with this plan:
For now, implementation of this attribute will be only on roles. This will suffice for all usecases we currently need. However when time comes and we will be implementing richer behavior around this, then I propose to change this boolean value to enum, which will support direct setting of value on role (APPLYABLE, NOT_APPLYABLE) and some kind of inheritance (INHERIT_SUPER_ROLE, INHERIT_CONTAINER). I think that this approach is more straightforward and readable for users since they will exactly know what is happening when they set this property as opposed to having to remember priorities of some boolean field in object hierarchy.
Updated by Peter Štrunc almost 7 years ago
- Status changed from New to Needs feedback
- Assignee changed from Peter Štrunc to Ondřej Kopr
- % Done changed from 0 to 70
I implemented new flag on role and evaluator that uses this flag to filter roles. I also implemented tests for the new evaluator.
Implementation is in psourek/requestableFlagRole.
I did not test UPDATE and DELETE operations with evaluator since IdmRoleService is not yet refactored to use DTOs. I implemented tests, but save and delete parts are commented now with some TODOs.
I have one question regarding default value of canBeRequested attribute. What should it be? Now it is false (when creating from backend and not setting it explicitly).
Someone please provide feedback, thanks.
Updated by Radek Tomiška almost 7 years ago
- Assignee changed from Ondřej Kopr to Radek Tomiška
Updated by Radek Tomiška almost 7 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Radek Tomiška to Peter Štrunc
- % Done changed from 70 to 90
- InitDemoData - add autocomplete permission to self eveluator (it was broken aftet global autocomplete policy removal)
- InitDemoData - add autocomplete permission to newly added evaluator (enable requestable roles at default)
- IdmRoleDto.requestable vs IdmRole.canBeRequested ... renamed to canBeRequested on both sides (i like requestable more, but dto is unused for now ... :))
- FE - fixed role detail formating
I merged it into develop (change script was renamed to) and deleted branch, thx for new feature .)
Add please doc about newly added evaluator (maybe default example usage too):
https://proj.bcvsolutions.eu/ngidm/doku.php?id=roztridit:autorizacni_model#zakladni_autorizacni_evaluatory
Updated by Peter Štrunc almost 7 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
Documentation added.