Task #468

Account management is synchronous with Role add operation

Added by Marcel Poul almost 7 years ago. Updated about 6 years ago.

Status: Closed
Priority: High
Assignee: Radek Tomiška
Category: Account management
Target version:
Start date: 05/31/2017
Due date:
% Done: 100%
Estimated time: 80.00 h
Owner:
Description

When we add a role that has an account mapping for a managed system (e.g. LDAP) to some user, the account management is started synchronously. It also computes the attributes for the account, including the transformation scripts. It would not be so bad if you assigned the role manually, but there are other features like automatic roles and identity automated processes. Altogether, when there is an error in a script on a system mapping (and with the current system of script sandboxes, there will be errors all the time), you are not able to run e.g. the LRT for automatic roles.
Separation of account management from role assignment would be really good here, but I know that a new queue would be necessary (or moving it to the provisioning queue).

https://wiki.czechidm.com/priv/program800/dirty_flag


Related issues

  • Related to IdStory Identity Manager - Task #495: Account mappings for all provisioned systems must have separate transactions (Closed, Radek Tomiška, 06/07/2017)
  • Related to IdStory Identity Manager - Task #561: resave user performance (Closed, Radek Tomiška, 06/29/2017)
  • Related to IdStory Identity Manager - Feature #915: Add entity state agenda (Closed, Artem Kolychev, 01/17/2018)
  • Related to IdStory Identity Manager - Defect #2350: Cannot view active operations in provisioning queue (error in communication with server) (Closed, Radek Tomiška, 06/29/2020)
  • Related to IdStory Identity Manager - Defect #2903: Event: Prevent to use original source from parent event (wrong original source is propaged in event and cannot be used) (Closed, Radek Tomiška, 08/09/2021)
  • Copied to IdStory Identity Manager - Task #897: Generated UID is null (New, Radek Tomiška, 01/09/2018)

#1

Updated by Filip Měšťánek almost 7 years ago

  • Priority changed from Low to Normal

We experienced another case which is influenced by this issue. Now, there is no account management for tree nodes, so tree nodes are provisioned (accounts created, etc.) to every system with a tree node schema. We have 3 systems for tree nodes, but a provisioning processor blocks provisioning to certain systems based on organization type (EAV attribute). But the account management is still performed for the tree nodes. And the problem is that creation of the AccAccount account fails (due to unique constraints) for organizations which shouldn't even be provisioned to that system. This failure rolls back the whole update of the tree node, which is unpleasant.

#2

Updated by Marcel Poul almost 7 years ago

Filip Měšťánek wrote:

This failure rolls back the whole update of the tree node, which is unpleasant.

In other words, synchronization from the source system to IdM fails due to some error which is really close to the provisioning process.

#3

Updated by Radek Tomiška almost 7 years ago

  • Target version set to Diamond (7.4.0)

#4

Updated by Marcel Poul almost 7 years ago

  • Priority changed from Normal to High

This seems to be more and more urgent. Now I wanted to just edit the user's contracted position and it fails with some error in a Groovy script. So if there is an error in a provisioning script, I am not able to edit an identity in IdM. %%@#$^^^$#

#5

Updated by Jan Helbich almost 7 years ago

  • Related to Task #495: Account mappings for all provisioned systems must have separate transactions added

#6

Updated by Jan Helbich almost 7 years ago

Another use case where synchronous account management is a burden is manager recalculation.
Situation:
  • user A is manager of organization O
  • users B, C and D are A's subordinates
  • when A changes work position to another organization, the manager of B, C and D is recomputed -> this triggers provisioning
  • the FE waits until B, C and D are provisioned; only afterwards is the loading screen removed

Having 3 users as subordinates is fine, I guess, but with 100 this feature immediately becomes unusable.
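The failure mode described in the issue description and in comments #1 and #6 comes down to transaction scope: when account management runs inside the role-assignment transaction, one throwing transformation script rolls back the identity change itself. The following is an added illustration, not CzechIdM code: a constructed in-memory model with two system mappings (names, attributes and the "hr-export" mapping that always fails are all assumptions) comparing the synchronous path with a queued, per-system path where a script failure is recorded as a result instead of propagating.

```python
class TransformError(Exception):
    """Raised by a constructed stand-in for a faulty attribute transformation script."""

# Constructed system mappings: each turns identity attributes into account attributes.
def ldap_mapping(identity):
    return {"uid": identity["username"], "mail": identity["username"] + "@example.org"}

def broken_mapping(identity):
    # Stands in for a system mapping whose Groovy transformation script throws.
    raise TransformError("transformation script failed")

SYSTEM_MAPPINGS = {"ldap": ldap_mapping, "hr-export": broken_mapping}

def assign_role_sync(identities, username, role):
    """Synchronous model: role assignment and account management for all systems
    run in one transaction, so one failing script rolls back the role assignment."""
    identity = dict(identities[username])
    identity["roles"] = identity["roles"] + [role]
    accounts = {system: mapping(identity) for system, mapping in SYSTEM_MAPPINGS.items()}
    identities[username] = identity  # reached only if every mapping succeeded
    return accounts

def assign_role_async(identities, username, role, queue):
    """Asynchronous model: commit the role assignment first, then enqueue one
    account-management event per system. Returns the number of queued events."""
    identity = dict(identities[username])
    identity["roles"] = identity["roles"] + [role]
    identities[username] = identity  # identity change is committed regardless of scripts
    for system in SYSTEM_MAPPINGS:
        queue.append((username, system))
    return len(queue)

def process_queue(identities, queue):
    """Drain the queue; each event is its own unit of work, so a failure is
    recorded as an EXCEPTION result instead of propagating to the caller."""
    results = {}
    while queue:
        username, system = queue.pop(0)
        try:
            results[(username, system)] = ("EXECUTED", SYSTEM_MAPPINGS[system](identities[username]))
        except TransformError as exc:
            results[(username, system)] = ("EXCEPTION", str(exc))
    return results
```

With the same identity store, the synchronous call leaves the role unassigned, while the queued variant commits the role and reports the failing system separately, which is what lets a task like the automatic-role LRT keep running.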

#7

Updated by Marcel Poul almost 7 years ago

  • Related to Task #561: resave user performance added

#8

Updated by Marcel Poul almost 7 years ago

Another use case where the account management transformation scripts make trouble is Task #561. When scripts are slow, common operations in CzechIdM are slow too (maybe unusable too).

Use cases:
  • self-registration (it adds the user to an organization, so it gives him automatic roles too and of course starts account management, especially the scripts for transformation)
  • user edit

#9

Updated by Marcel Poul almost 7 years ago

Another use case:
The LRT IdentityRoleExpirationTaskExecutor removes roles, so it starts account management and runs transformation scripts.

#15

Updated by Vít Švanda over 6 years ago

  • Target version deleted (Diamond (7.4.0))

#16

Updated by Radek Tomiška over 6 years ago

  • Copied to Task #897: Generated UID is null added

#17

Updated by Radek Tomiška about 6 years ago

  • Status changed from New to In Progress
  • Target version set to Hematite (8.0.0)
  • Estimated time set to 80.00 h

#18

Updated by Radek Tomiška about 6 years ago

#19

Updated by Radek Tomiška about 6 years ago

  • Description updated (diff)
#20

Updated by Radek Tomiška about 6 years ago

  • % Done changed from 0 to 50

The basic mechanism is implemented and works for identity provisioning and account management; what remains:
- multi-thread event processing
- parametrize event processing - execute date, priority
- websockets notification - task run in background
- security (events are now available for app_admin only)
- better result codes
- tests, doc

#21

Updated by Radek Tomiška about 6 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 50 to 90

The asynchronous event mechanism is implemented and orchestrated with identity account management and subordinates provisioning.

Doc:
https://wiki.czechidm.com/devel/documentation/application_configuration/dev/events#asynchronous_event_processing
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/6ae82b33ffe1d9f337d4726aa9b1a7f7a5b8cfa1

Could you give feedback, please?

#22

Updated by Radek Tomiška about 6 years ago

I've added a skip notify event property. It can be used when notify is not needed.

#23

Updated by Radek Tomiška about 6 years ago

I've implemented asynchronous account management even for tree, role and role catalogue.

https://github.com/bcvsolutions/CzechIdMng/commit/a111bfd83f30f6f21ba138207140c3f35d144e16

#24

Updated by Radek Tomiška about 6 years ago

I've implemented asynchronous automatic roles by tree and by attribute:

https://github.com/bcvsolutions/CzechIdMng/commit/4f6fda0a3b82f6c0689fb9b7f02fecaa968af8f0

#25

Updated by Vít Švanda about 6 years ago

  • Status changed from Needs feedback to Closed
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I read all the code and did a review.

I tried to break it, but without success (go to hell ;)).
- It works very well.
- The basic request for async account management fully works.
- I tested async automatic role recalculation and it works fine too.

Thanks for that. You are awesome.

#26

Updated by Radek Tomiška over 3 years ago

  • Related to Defect #2350: Cannot view active operations in provisioning queue (error in communication with server) added

#27

Updated by Radek Tomiška over 2 years ago

  • Related to Defect #2903: Event: Prevent to use original source from parent event (wrong original source is propaged in event and cannot be used) added