Task #468
closed
Account management is synchronous with Role add operation
Added by Marcel Poul over 7 years ago.
Updated over 6 years ago.
Category: Account management
Description
When we add a role that has some account mapping for a managed system (e.g. LDAP) to some user, the account management is started synchronously. It also computes the attributes for the account, including the transform scripts. It would not be so bad if you assigned the role manually, but there are other features like Automatic roles and Identity automated processes. Altogether, when there is an error in a script on the system mapping (and with the current system of script sandboxes, there will be errors all the time), you are not able to run e.g. the LRT for automatic roles.
Separating account management from role assignment would be really good there, but I know that a new queue would be necessary (or move it to the provisioning queue).
https://wiki.czechidm.com/priv/program800/dirty_flag
- Priority changed from Low to Normal
We experienced another case which is influenced by this issue. Now, there is no account management for tree nodes, so tree nodes are provisioned (accounts created, etc.) to every system with a tree node schema. We have 3 systems for tree nodes, but a provisioning processor blocks provisioning to certain systems based on organization type (an EAV attribute). But the account management is still performed for the tree nodes. And the problem is that creation of the AccAccount account fails (due to unique constraints) for organizations which shouldn't even be provisioned to that system. This failure rolls back the whole update of the tree node, which is unpleasant.
Filip Měšťánek wrote:
This failure rolls back the whole update of the tree node, which is unpleasant.
In other words, synchronization from the source system to IdM fails due to some error which is really close to the provisioning process.
- Target version set to Diamond (7.4.0)
- Priority changed from Normal to High
This seems to be more and more urgent. Now I wanted to just edit the user's contracted position and it fails with some error in a groovy script. So if there is an error in a provisioning script, I am not able to edit an identity in IdM. %%@#$^^^$#
- Related to Task #495: Account mappings for all provisioned systems must have separate transactions added
Another use case where synchronous account management is a burden is manager recalculation.
Situation:
- user A is manager of organization O
- users B, C and D are A's subordinates
- when A changes work position to another organization, the manager for B, C and D is recomputed -> triggers provisioning
- the FE waits until B, C and D are provisioned; only afterwards is the loading screen removed
Having 3 users as subordinates is fine, I guess, but with 100 this feature immediately becomes unusable.
- Related to Task #561: resave user performance added
Another use case where the account management transformation scripts make trouble is Task #561. When the scripts are slow, common operations in CzechIdM are slow too (maybe unusable too).
Use cases:
- self-registration (it adds the user to an organization, so it gives him automatic roles too and of course starts account management, especially the scripts for transformation)
- user edit
Another use case:
The LRT IdentityRoleExpirationTaskExecutor removes roles, so it starts account management and runs the transformation scripts.
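As an added example (not CzechIdM's code; the identity store, the two system mappings, the "transform scripts" and the event queue are constructed stand-ins with assumed names, not the real AccAccount or provisioning-queue API), this contrasts the two models the thread argues about. In the synchronous model from the description and the tree-node comment, role assignment and account management for every system share one transaction, so a failing script on one system rolls back the role and the accounts on the other systems too. In the queued model, the role assignment commits at once and one event per system is published; a worker runs the scripts later and records the failure on the event instead of propagating it, which also gives the per-system isolation asked for in Task #495 and makes the manager-recalculation case above a series of cheap publishes rather than N blocking provisionings:

```python
"""Constructed demonstration of synchronous vs. queued account management.
All names (Identity, SYSTEM_MAPPINGS, EventQueue, ...) are assumptions for
this example, not CzechIdM identifiers."""
import heapq
import itertools
from dataclasses import dataclass, field


class ScriptError(Exception):
    """Stand-in for a failing groovy transform script on a system mapping."""


@dataclass
class Identity:
    username: str
    roles: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)  # system name -> account uid


def ldap_uid(identity):
    return f"uid={identity.username},ou=people"


def broken_uid(identity):
    raise ScriptError("transform script failed: property 'x' is undefined")


# Constructed mappings: two managed systems, one with a deliberately broken script.
SYSTEM_MAPPINGS = {"ldap": ldap_uid, "hr-export": broken_uid}


def run_account_management(identity, system):
    """Compute the account on one system; a script error propagates to the caller."""
    identity.accounts[system] = SYSTEM_MAPPINGS[system](identity)


def assign_role_sync(identity, role):
    """The behaviour the issue complains about: role assignment and account
    management for every system are one unit of work, so any script error
    rolls back the role and the already-computed accounts as well."""
    snapshot = (set(identity.roles), dict(identity.accounts))
    identity.roles.add(role)
    try:
        for system in SYSTEM_MAPPINGS:
            run_account_management(identity, system)
    except ScriptError:
        identity.roles, identity.accounts = snapshot  # whole update rolled back
        raise


@dataclass(order=True)
class Event:
    priority: int  # lower number is processed first
    seq: int       # FIFO within the same priority
    identity: Identity = field(compare=False)
    system: str = field(compare=False)
    result: str = field(default="pending", compare=False)
    error: str = field(default="", compare=False)


class EventQueue:
    """Persistent-queue stand-in: callers only publish; a worker runs the scripts."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()
        self.processed = []

    def publish(self, identity, system, priority=5):
        event = Event(priority, next(self._seq), identity, system)
        heapq.heappush(self._heap, event)
        return event

    def process_all(self):
        while self._heap:
            event = heapq.heappop(self._heap)
            try:
                run_account_management(event.identity, event.system)
                event.result = "executed"
            except ScriptError as exc:
                event.result = "exception"  # recorded on the event, never raised
                event.error = str(exc)
            self.processed.append(event)
        return self.processed


def assign_role_async(identity, role, queue, priority=5):
    """Role assignment commits immediately; one event per system is queued."""
    identity.roles.add(role)
    return [queue.publish(identity, system, priority) for system in SYSTEM_MAPPINGS]


def demo():
    alice = Identity("alice")
    try:
        assign_role_sync(alice, "employee")
    except ScriptError:
        pass  # alice ends up with neither the role nor an LDAP account

    queue = EventQueue()
    bob = Identity("bob")
    assign_role_async(bob, "employee", queue)  # user-driven edit, priority 5
    for i in range(100):  # manager recalculation: 100 subordinates, bulk priority 9
        queue.publish(Identity(f"sub{i}"), "ldap", priority=9)
    processed = queue.process_all()
    return {
        "alice_roles": alice.roles,
        "alice_accounts": alice.accounts,
        "bob_roles": bob.roles,
        "bob_accounts": bob.accounts,
        "bob_results": {e.system: e.result for e in processed if e.identity is bob},
        "first_processed": processed[0].identity.username,
        "processed_count": len(processed),
    }
```

The point of `demo()` is the asymmetry it produces: the synchronous path leaves alice with no role at all because the hr-export script failed, while bob keeps the role and the LDAP account and the hr-export failure is visible only as an `exception` result on that one event, where an operator can retry it. Priority ordering is what lets the user's own edit be processed before the hundred bulk recalculation events.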
- Target version deleted (Diamond (7.4.0))
- Copied to Task #897: Generated UID is null added
- Status changed from New to In Progress
- Target version set to Hematite (8.0.0)
- Estimated time set to 80.00 h
- Description updated (diff)
- % Done changed from 0 to 50
The basic mechanism is implemented and works for identity provisioning and account management; remaining:
- multi-thread event processing
- parametrize event processing - execute date, priority
- websocket notification - task run in the background
- security (now events are available to app_admin only)
- better result codes
- tests, doc
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 50 to 90
I've added a skip notify event property. It can be used when notification is not needed.
- Status changed from Needs feedback to Closed
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I read all the code and did a review.
I tried to break it, but without success (go to hell ;)).
- It works very well.
- The basic request for async account management fully works.
- I tested async automatic role recalculation and it works fine too.
Thanks for that. You are awesome.
- Related to Defect #2350: Cannot view active operations in provisioning queue (error in communication with server) added
- Related to Defect #2903: Event: Prevent to use original source from parent event (wrong original source is propaged in event and cannot be used) added