Task #580
openTreeNode sync. safety checks
0%
Description
In our project we came across the following situation.
One of the TreeNodes (ORG A) in the Tree structure was not linked with the entity in the HR system. There is a reconciliation taking place every day. When it finished, the structure in IdM was damaged so that all TreeNodes below ORG A were now roots.
This has fatal consequences:
- usually basic Roles for systems (like LDAP - User, AD - User) are automatic roles in the structure with spreading down. So the "new" roots lost their automatic role -> Users lost their roles -> DELETE is sent to the end system
- very often the org structure is provisioned to managed systems and user accounts are placed in the structure there (e.g. the user's DN is built based on the org tree). When the tree is damaged, users are effectively moved from their places and the end system can stop functioning.
Altogether, if this happened to some org that is relatively high in the structure, it would STOP the whole company.
Regardless of what caused the unlinked TreeNode, this is a very dangerous safety problem and we MUST think of some improvement to the org. structure synchronization.
I can think of some other cases that may cause the same - missing account in HR - e.g. the HR system returns an incomplete tree structure, or an HR employee deletes the attribute value that we use for building the tree, or some communication error etc.
One way to solve this may be skipping the TreeNodes (and the nodes below them) that are in some strange state (missing account, unlinked).
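The failure described above, and the proposed skip-the-subtree guard, as an added illustration that is not code from the issue or from the IdM project. The tree data is constructed for the example; node ids and the naive/guarded functions are assumptions, not the project's API.

```python
# Constructed sample data, not taken from the issue: org tree as {node_id: parent_id}.
IDM_TREE = {"ROOT": None, "ORG_A": "ROOT", "ORG_B": "ORG_A",
            "ORG_C": "ORG_A", "ORG_D": "ORG_C", "ORG_E": "ROOT"}
# HR export where ORG_A is unlinked (missing) while its children still point at it.
HR_EXPORT = {"ROOT": None, "ORG_B": "ORG_A", "ORG_C": "ORG_A",
             "ORG_D": "ORG_C", "ORG_E": "ROOT"}


def naive_sync(hr):
    """Behaviour the issue describes: a node whose parent is absent from the
    HR data is re-parented to None, i.e. it silently becomes a new root."""
    return {node: (parent if parent in hr else None)
            for node, parent in hr.items()}


def strange_nodes(hr):
    """Nodes in a 'strange state' (parent referenced but missing from HR)
    plus every node below them, so the whole subtree is skipped."""
    broken = {n for n, p in hr.items() if p is not None and p not in hr}
    skipped = set()
    for node in hr:
        seen, cur = set(), node
        # walk up the ancestor chain; the seen-set guards against cycles
        while cur is not None and cur in hr and cur not in seen:
            if cur in broken:
                skipped.add(node)
                break
            seen.add(cur)
            cur = hr[cur]
    return skipped


def guarded_sync(idm, hr):
    """Apply HR placements only outside strange subtrees; keep the current
    IdM placement for skipped nodes and report them to the operators."""
    skipped = strange_nodes(hr)
    result = dict(idm)
    for node, parent in hr.items():
        if node not in skipped:
            result[node] = parent
    return result, sorted(skipped)


def new_roots(before, after):
    """Safety check: nodes that had a parent before the sync and are roots after it."""
    return sorted(n for n, p in after.items()
                  if p is None and before.get(n) is not None)
```

Running `new_roots(IDM_TREE, naive_sync(HR_EXPORT))` reports ORG_B and ORG_C re-rooted, while the guarded plan re-roots nothing and lists ORG_B, ORG_C and ORG_D as skipped for manual review.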
Updated by Vít Švanda about 7 years ago
- Target version deleted (Diamond (7.4.0))