Task #812

Create init application data

Added by Radek Tomiška about 1 year ago. Updated about 1 month ago.

Status: New
Priority: High
Category: Configuration
Target version: -
Start date: 11/02/2017
Due date:
% Done: 0%
Estimated time: 12.00 h

Description

When application is installed, then default init data should be created:
- default admin identity
- default user role - see https://wiki.czechidm.com/devel/dev/security/authorization#default_settings_of_permissions_for_an_identity_profile
- default LRT
- default organization structure
- ...

Implementation notes:
  • Init application data contains admin user now.
  • Demo data contains user role now. So user role will be moved into init application stage and configuration to not recreate init data will be added (the same as demo data).
  • default LRT are initialized now - IdentityContractExpirationTaskExecutor, IdentityRoleExpirationTaskExecutor, IdentityRoleValidRequestTaskExecutor, HrEnableContractProcess, ProvisioningQueueTaskExecutor, RetryProvisioningTaskExecutor are scheduled over night - so only documentation will be added here https://wiki.czechidm.com/devel/dev/configuration/scheduled_tasks
  • default organization structure with code ORGANIZATION is created now in demo data - will be moved into init application stage.

Related issues

Related to CzechIdM - Defect #1314: "Required confirmation by the implementer" should be checked by default Closed 10/11/2018
Copied from CzechIdM - Task #1264: Revision of default settings of notifications Closed 09/21/2018

History

#1 Updated by Radek Tomiška about 1 year ago

  • Description updated (diff)
  • Assignee changed from Radek Tomiška to Marcel Poul

Some init data are in description.
Marcel, could you pls check and add roles with their authorization policies (helpDesk?) or other init data here?

#2 Updated by Marcel Poul about 1 year ago

Hi,
basic info about default roles like helpdesk are there:

https://wiki.czechidm.com/instalacni_balicek#definice_opravneni_v_identity_manageru

Please check.

Other default data I will consult with Zdenek and Lukáš and let you know till tomorrow.

#3 Updated by Marcel Poul about 1 year ago

Other default data (in addition to what is written in previous comments)

Roles:
Helpdesk - see all tasks of all users (in future can see history of task and filter history) + is configured to approve Role change in the process (but the approval round is still disabled)
No role has "can be requested" flag checked.
Security - Helpdesk + is configured to approve Role change in the process (but the approval round is still disabled)
ManagerOfUsers - Helpdesk + edit all users + is configured to approve Role change in the process (but the approval round is still disabled)

Roles change approval:
every approval round has its role assigned (but the approval rounds are still disabled unless "split to subprocess")
I personally do not like step 2 - user's manager - there every user's manager (regardless user's contracts) can approve the role change. This step MUST be turned off by default.

Role criticality:
There are at least 4 criticalities defined (0 - no one, 1 - by user's manager (by the contract), 2 - by role guarantee (role's attribute), 3 - manager and then guarantee) - this is to discuss.

LRTs:
All LRTs are defined and planned to run - HR processes 1 time a day after midnight. LRTs have dependencies defined. LRT that are not needed are turned off - like

TreeNodes:
There is default tree node type defined

Role Catalogue
There is a node "CzechIdM Roles", all default roles (superAdmin, Helpdesk, Security, userRole etc.) are placed there

EAV Forms
All entities have 1 default EAV form (I think Tree Nodes does not have it now)

Modules:
Example module is disabled (if it is available at all)
ACC and IC modules are enabled
VS? - I vote for disabled.

Connectors:
In future add AD and Exchange connectors to the bundle

Manager of the user:

Think of to restrict the role change request only for user's contracts by which the applicant is the manager. e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X

Can we make such a filter and make it default?

Notifications
Almost all of them turn off - to be revised.

#4 Updated by Radek Tomiška about 1 year ago

Marcel Poul wrote:

Manager of the user:

Think of to restrict the role change request only for user's contracts by which the applicant is the manager. e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X

Can we make such a filter and make it default?

This is not possible, this feature was never implemented.
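
The contract-scoped rule proposed in the quoted comment, set beside the identity-wide rule it objects to, as an added example that is not CzechIdM code or part of the ticket. The classes, the function names and the fail-closed handling of a contract without managers are assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical model for illustration; these are not CzechIdM classes.
@dataclass(frozen=True)
class Contract:
    code: str
    owner: str              # identity that holds the contract
    managers: frozenset     # identities that manage this contract only

@dataclass(frozen=True)
class RoleChange:
    contract: Contract      # the assigned role hangs on one contract
    role: str
    action: str             # "add" or "remove"

def approves_identity_wide(approver, change, contracts):
    """Broad rule: a manager on any of the owner's contracts may approve."""
    owner = change.contract.owner
    return any(approver in c.managers for c in contracts if c.owner == owner)

def approves_contract_scoped(approver, change):
    """Proposed rule: only a manager of the affected contract may approve."""
    return approver in change.contract.managers

def route(changes):
    """Map each change to its eligible approvers under the scoped rule.
    A contract without managers yields no approver, so the change is
    reported as unroutable instead of falling back to the broad rule
    (fail-closed behaviour is an assumption of this example)."""
    routed, unroutable = {}, []
    for ch in changes:
        key = (ch.contract.code, ch.role, ch.action)
        if ch.contract.managers:
            routed[key] = sorted(ch.contract.managers)
        else:
            unroutable.append(key)
    return routed, unroutable

# Constructed sample data mirroring the comment's example.
CONTRACT_X = Contract("contract_X", "User_A", frozenset({"user_M"}))
CONTRACT_Y = Contract("contract_Y", "User_A", frozenset({"user_N"}))
CONTRACT_Z = Contract("contract_Z", "User_A", frozenset())  # no manager
ALL = [CONTRACT_X, CONTRACT_Y, CONTRACT_Z]
REMOVE_X = RoleChange(CONTRACT_X, "Helpdesk", "remove")
REMOVE_Z = RoleChange(CONTRACT_Z, "Helpdesk", "remove")
```

With this data user_N passes the identity-wide check for contract_X but fails the contract-scoped one, which is the difference the comment asks to make the default.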

#5 Updated by Radek Tomiška about 1 year ago

  • Assignee changed from Marcel Poul to Radek Tomiška
  • Estimated time changed from 8.00 h to 12.00 h

#6 Updated by Alena Peterová about 1 year ago

scheduler.task.queue.process should be lower (e.g. 1000) in the default IdM package. When admins manually start some task, they expect that it starts "immediately", not "sometime during the following minute".
(I write it here, but maybe it should be put directly to the code of the release? profile)

#7 Updated by Vít Švanda about 1 year ago

  • Target version changed from Forsterite (7.6.0) to Garnet (7.7.0)

#8 Updated by Marcel Poul about 1 year ago

Just a comment based on our discussion with Ondra - in CzechIdM 7.7 there is a set of new role permissions TASK, READ;EXECUTE. Both have to be configured on userRole with basepermissionevaluator for init data too. Also Identity, autocomplete on userRole.

#9 Updated by Radek Tomiška 12 months ago

  • Target version deleted (Garnet (7.7.0))

#10 Updated by Alena Peterová 11 months ago

The default userRole must have the evaluator RoleCanBeRequestedEvaluator for IdmRole. Otherwise the users could request for "non-requestable" roles.
I changed this in the online demo.

#11 Updated by Marcel Poul 10 months ago

  • Priority changed from Normal to High

I urge this ticket, since this can easily save up our time on project. We do the same manual work all the time.
thx guys

#12 Updated by Alena Peterová 5 months ago

It would be really helpful to have some list of notifications, which are by default sent from IdM. This list should be at the end of installation manual to check. Some notifications are not desired in some projects, e.g.:
  • changeIdentityRole - informing the user about change in his roles may not be desired (at least during pilot period when we manually repair data)
  • passwordChanged (identity-set-password-processor, identity-password-change-notification) - resetting the user's password during activation (there could be other specific ways to set initial password), notifying user about password change

#13 Updated by Alena Peterová 4 months ago

AccountProtectionExpirationTaskExecutor - this should be planned by default

#14 Updated by Marcel Poul 3 months ago

  • Related to Defect #1314: "Required confirmation by the implementer" should be checked by default added

#15 Updated by Marcel Poul about 2 months ago

  • Copied from Task #1264: Revision of default settings of notifications added

#16 Updated by Marcel Poul about 2 months ago

Alena:

Revision of default settings of notifications

improve default settings of notifications on fresh installation of CzechIdM (code, tutorials, documentation of backward compatibility)
Some of the current default settings are a bit surprising for admin and must be checked after installation (https://wiki.czechidm.com/tutorial/adm/notifications_standard).
E.g. what is surprising for me:
the notification about creating a new approval task is not sent by default
the notification about changing roles is sent by default to the user whose roles were changed
I will discuss it with the team.

#17 Updated by Lukas Cirkva about 2 months ago

I downloaded nightly and I miss testing data and others. These are tiny details that make CzechIdM onboarding easier for clients to make first impressions. Please this request is not urgent, but have high impact.

Configs:
  1. add 3-4 users with different roles - Helpdesk
  2. add tiny org tree - 3-4 suborgs
  3. add 3-4 roles
  4. default all modules - acc, vs, report, cert ...
  5. add 1 virtual system
  6. Roles / Select role: dialog is still loading... possibly bug?

#18 Updated by Radek Tomiška about 1 month ago

I've enabled demo data again - 3 identities (+anonymized), roles, organizations, default user role configured, all product modules are enabled - will be included in 9.4.0-rc.1.

https://github.com/bcvsolutions/CzechIdMng/commit/013dacbe4e552b2c400c9025726b854499fc234d
