Task #812 (closed): Create init application data

Added by Radek Tomiška over 6 years ago. Updated over 3 years ago.

Status: Closed
Priority: High
Assignee: Radek Tomiška
Category: Configuration
Target version:
Start date: 11/02/2017
Due date:
% Done: 100%
Estimated time: 24.00 h
Owner:

Description

When the application is installed, default init data should be created:
- default admin identity
- default user role - see https://wiki.czechidm.com/devel/dev/security/authorization#default_settings_of_permissions_for_an_identity_profile
- default LRT
- default organization structure
- ...

Implementation notes:
  • Init application data contains the admin user now.
  • Demo data contains the user role now. So the user role will be moved into the init application stage and a configuration to not recreate init data will be added (the same as for demo data).
  • Default LRTs are initialized now - IdentityContractExpirationTaskExecutor, IdentityRoleExpirationTaskExecutor, IdentityRoleValidRequestTaskExecutor, HrEnableContractProcess, ProvisioningQueueTaskExecutor, RetryProvisioningTaskExecutor are scheduled over night - so only documentation will be added here https://wiki.czechidm.com/devel/dev/configuration/scheduled_tasks
  • Default organization structure with code ORGANIZATION is created now in demo data - will be moved into the init application stage.

Related issues

Related to IdStory Identity Manager - Defect #1314: "Required confirmation by the implementer" should be checked by default (Closed, Radek Tomiška, 10/11/2018)
Related to IdStory Identity Manager - Defect #858: Properties are created after initApplicationData (Rejected, Radek Tomiška, 11/29/2017)
Related to IdStory Identity Manager - Task #931: Task import add new trigger (New, Radek Tomiška, 01/26/2018)
Related to IdStory Identity Manager - Task #467: Enhance application data init stage (Rejected, Radek Tomiška, 05/31/2017)
Related to IdStory Identity Manager - Feature #2042: Schedule AccountProtectionExpirationTaskExecutor automatically with trigger for every day (Closed, Radek Tomiška, 02/06/2020)
Related to IdStory Identity Manager - Task #794: Automatically create a role for Virtual System implementers (Closed, Radek Tomiška, 10/27/2017)
Related to IdStory Identity Manager - Task #2434: Notification: improve default settings of notifications (New, Radek Tomiška, 08/13/2020)
Related to IdStory Identity Manager - Feature #2441: Roles: support business roles for default role (Closed, Radek Tomiška, 08/18/2020)
Related to IdStory Identity Manager - Task #2869: Monitoring: init database and synchronization monitoring evaluators (Closed, Radek Tomiška, 06/28/2021)
Copied from IdStory Identity Manager - Task #1264: Revision of default settings of notifications (Closed, Alena Peterová, 09/21/2018)
#1

Updated by Radek Tomiška over 6 years ago

  • Description updated (diff)
  • Assignee changed from Radek Tomiška to Marcel Poul

Some init data are in the description.
Marcel, could you please check and add roles with their authorization policies (helpDesk?) or other init data here?

#2

Updated by Marcel Poul over 6 years ago

Hi,
basic info about default roles like helpdesk is there:

https://wiki.czechidm.com/instalacni_balicek#definice_opravneni_v_identity_manageru

Please check.

Other default data I will consult with Zdenek and Lukáš and let you know till tomorrow.

#3

Updated by Marcel Poul over 6 years ago

Other default data (in addition to what is written in previous comments)

Roles:
Helpdesk - sees all tasks of all users (in future can see history of tasks and filter history) + is configured to approve Role change in the process (but the approval round is still disabled)
No role has "can be requested" flag checked.
Security - Helpdesk + is configured to approve Role change in the process (but the approval round is still disabled)
ManagerOfUsers - Helpdesk + edit all users + is configured to approve Role change in the process (but the approval round is still disabled)

Roles change approval:
every approval round has its role assigned (but the approval rounds are still disabled unless "split to subprocess")
I personally do not like step 2 - user's manager - there every user's manager (regardless of user's contracts) can approve the role change. This step MUST be turned off by default.

Role criticality:
There are at least 4 criticalities defined (0 - no one, 1 - by user's manager (by the contract), 2 - by role guarantee (role's attribute), 3 - manager and then guarantee) - this is to discuss.

LRTs:
All LRTs are defined and planned to run - HR processes 1 time a day after midnight. LRTs have dependencies defined. LRTs that are not needed are turned off - like

TreeNodes:
There is a default tree node type defined

Role Catalogue:
There is a node "CzechIdM Roles", all default roles (superAdmin, Helpdesk, Security, userRole etc.) are placed there

EAV Forms:
All entities have 1 default EAV form (I think Tree Nodes do not have it now)

Modules:
Example module is disabled (if it is available at all)
ACC and IC modules are enabled
VS? - I vote for disabled.

Connectors:
In future add AD and Exchange connectors to the bundle

Manager of the user:

Think of restricting the role change request only to user's contracts for which the applicant is the manager, e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X

Can we make such a filter and make it default?

Notifications:
Almost all of them turned off - to be revised.

#4

Updated by Radek Tomiška over 6 years ago

Marcel Poul wrote:

> Manager of the user:
>
> Think of restricting the role change request only to user's contracts for which the applicant is the manager, e.g.
> User A has 2 contracts:
> contract_X (managers: user_M), contract_Y (managers: user_N).
> User_N cannot remove roles from User_A's contract_X
>
> Can we make such a filter and make it default?

This is not possible, this feature was never implemented.

#5

Updated by Radek Tomiška over 6 years ago

  • Assignee changed from Marcel Poul to Radek Tomiška
  • Estimated time changed from 8.00 h to 12.00 h

#6

Updated by Alena Peterová over 6 years ago

scheduler.task.queue.process should be lower (e.g. 1000) in the default IdM package. When admins manually start some task, they expect that it starts "immediately", not "sometime during the following minute".
(I write it here, but maybe it should be put directly to the code of the release? profile)

#7

Updated by Vít Švanda over 6 years ago

  • Target version changed from Forsterite (7.6.0) to Garnet (7.7.0)

#8

Updated by Marcel Poul about 6 years ago

Just a comment based on our discussion with Ondra - in CzechIdM 7.7 there is a set of new role permissions TASK, READ;EXECUTE. Both have to be configured on userRole with basepermissionevaluator for init data too. Also Identity, autocomplete on userRole.

#9

Updated by Radek Tomiška about 6 years ago

  • Target version deleted (Garnet (7.7.0))

#10

Updated by Alena Peterová about 6 years ago

The default userRole must have the evaluator RoleCanBeRequestedEvaluator for IdmRole. Otherwise the users could request for "non-requestable" roles.
I changed this in the online demo.
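
The two default authorization rules discussed in this thread, modelled as an added example (not CzechIdM's own code): the filter behind RoleCanBeRequestedEvaluator from this comment, and the contract-scoped manager check Marcel proposes in #3 (which #4 says the product never implemented). The data model, function names and role codes are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    code: str
    can_be_requested: bool = False  # ticket default: no role has the flag checked

@dataclass
class Contract:
    code: str
    managers: frozenset          # usernames managing this contract
    roles: set = field(default_factory=set)  # role codes assigned via this contract

@dataclass
class Identity:
    username: str
    contracts: dict = field(default_factory=dict)  # contract code -> Contract

def requestable(catalogue):
    # Rule 1 (RoleCanBeRequestedEvaluator semantics): a plain user is offered only
    # roles whose canBeRequested flag is set; every other role is filtered out.
    return [r.code for r in catalogue if r.can_be_requested]

def manages_any_contract(applicant, subject):
    # The loose "user's manager" step Marcel objects to: any manager of any contract.
    return any(applicant in c.managers for c in subject.contracts.values())

def manages_contract(applicant, subject, contract_code):
    # Rule 2 (proposed contract-scoped check): deny unless the applicant manages the
    # specific contract the assignment belongs to; an unknown contract is denied too.
    contract = subject.contracts.get(contract_code)
    return contract is not None and applicant in contract.managers

def remove_role(applicant, subject, contract_code, role_code):
    # Remove a role from a contract only when rule 2 passes; True on success.
    if not manages_contract(applicant, subject, contract_code):
        return False
    contract = subject.contracts[contract_code]
    if role_code not in contract.roles:
        return False
    contract.roles.discard(role_code)
    return True

def build_scenario():
    # Constructed from comment #3 (role codes hypothetical): contract_X managed by user_M, contract_Y by user_N
    user_a = Identity("user_A")
    user_a.contracts["contract_X"] = Contract("contract_X", frozenset({"user_M"}), {"helpdeskRole"})
    user_a.contracts["contract_Y"] = Contract("contract_Y", frozenset({"user_N"}), {"userRole"})
    return user_a
```

With this scenario, user_N passes the loose manager check but is still refused when removing a role from contract_X, which is exactly the gap the ticket describes.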

#11

Updated by Marcel Poul almost 6 years ago

  • Priority changed from Normal to High

I urge this ticket, since this can easily save our time on projects. We do the same manual work all the time.
thx guys

#12

Updated by Alena Peterová over 5 years ago

It would be really helpful to have some list of notifications which are sent from IdM by default. This list should be at the end of the installation manual to check. Some notifications are not desired in some projects, e.g.:
  • changeIdentityRole - informing the user about a change in his roles may not be desired (at least during the pilot period when we manually repair data)
  • passwordChanged (identity-set-password-processor, identity-password-change-notification) - resetting the user's password during activation (there could be other specific ways to set the initial password), notifying the user about the password change

#13

Updated by Alena Peterová over 5 years ago

AccountProtectionExpirationTaskExecutor - this should be planned by default

#14

Updated by Marcel Poul over 5 years ago

  • Related to Defect #1314: "Required confirmation by the implementer" should be checked by default added

#15

Updated by Marcel Poul over 5 years ago

  • Copied from Task #1264: Revision of default settings of notifications added

#16

Updated by Marcel Poul over 5 years ago

Alena:

Revision of default settings of notifications

improve default settings of notifications on fresh installation of CzechIdM (code, tutorials, documentation of backward compatibility)
Some of current default settings is a bit surprising for admin and must be checked after installation (https://wiki.czechidm.com/tutorial/adm/notifications_standard).
E.g. what is surprising for me:
the notification about creating a new approval task is not sent by default
the notification about changing roles is sent by default to the user whose role were changed
I will discuss it with the team.

#17

Updated by Lukáš Cirkva over 5 years ago

I downloaded the nightly and I miss testing data and other things. These are tiny details that make CzechIdM onboarding easier for clients and make a good first impression. Please note this request is not urgent, but it has high impact.

Configs:
  1. add 3-4 users with different roles - Helpdesk
  2. add tiny org tree - 3-4 suborgs
  3. add 3-4 roles
  4. default all modules - acc, vs, report, cert ...
  5. add 1 virtual system
  6. Roles / Select role: dialog is still loading... possibly bug?

#18

Updated by Radek Tomiška over 5 years ago

I've enabled demo data again - 3 identities (+anonymized), roles, organizations, default user role configured, all product modules are enabled - will be included in 9.4.0-rc.1.

https://github.com/bcvsolutions/CzechIdMng/commit/013dacbe4e552b2c400c9025726b854499fc234d

#19

Updated by Vít Švanda almost 5 years ago

  • Estimated time changed from 12.00 h to 24.00 h

#20

Updated by Vít Švanda almost 5 years ago

  • Target version set to Quartz (9.6.0)

#21

Updated by Radek Tomiška almost 5 years ago

  • Status changed from New to In Progress

#22

Updated by Radek Tomiška almost 5 years ago

  • Related to Defect #858: Properties are created after initApplicationData added

#23

Updated by Radek Tomiška almost 5 years ago

  • Related to Task #931: Task import add new trigger added

#24

Updated by Vít Švanda almost 5 years ago

  • Status changed from In Progress to New

#25

Updated by Vít Švanda almost 5 years ago

  • Target version changed from Quartz (9.6.0) to Rhyolite (9.7.0)

#26

Updated by Vít Švanda over 4 years ago

  • Target version deleted (Rhyolite (9.7.0))

#27

Updated by Radek Tomiška over 4 years ago

  • Related to Task #467: Enhance application data init stage added

#28

Updated by Ondřej Kopr about 4 years ago

  • Related to Feature #2042: Schedule AccountProtectionExpirationTaskExecutor automatically with trigger for every day added

#29

Updated by Alena Peterová about 4 years ago

Default password policy - set temporary blocking after unsuccessful login attempts (https://wiki.czechidm.com/tutorial/adm/block_user_unsuccessful_login_attemps)

#30

Updated by Radek Tomiška almost 4 years ago

  • Target version set to 10.4.0

#31

Updated by Radek Tomiška over 3 years ago

  • Status changed from New to In Progress

#32

Updated by Alena Peterová over 3 years ago

Something more to consider:
  • add role for VS implementers (#794)
  • don't schedule ProvisioningQueueTaskExecutor at all - the asynchronous provisioning is obsolete
  • RetryProvisioningTaskExecutor is scheduled every 5 minutes, so All tasks is usually full of it, even if it usually doesn't do anything. Maybe it could be less often, e.g. once an hour.
  • the 3 HR processes (a little connected to #1790) - either start them all, or none of them. I vote for all of them. I think that this is nothing dangerous, because the IdentityContractExpirationTaskExecutor is already scheduled by default. (Though this will be then useless, if HrEndContractProcess was scheduled.)
  • don't schedule SelectCurrentContractSliceTaskExecutor by default - the contract slices aren't used by most of the projects. And even if they are used, we will not use the default schedule, but we will schedule it after synchronization of HR system.

#33

Updated by Radek Tomiška over 3 years ago

  • Target version changed from 10.4.0 to 10.5.0
#34

Updated by Radek Tomiška over 3 years ago

  • Related to Task #794: Automatically create a role for Virtual System implementers added

#35

Updated by Radek Tomiška over 3 years ago

  • % Done changed from 0 to 30

Basic mechanism is implemented and previously defined init + demo data was moved to product provided roles (~person = admin, user). Role authorization policies can be updated automatically after a new product version is installed (e.g. new permission was added => change log + e.g. user role is updated by product).

TODO:
- other roles (helpdeskRole, userManagerRole, roleManagerRole, virtualApproverRole etc.) from notes above
- other notes above :) and related tasks
- change log
- documentation

#36

Updated by Radek Tomiška over 3 years ago

  • Related to Task #2434: Notification: improve default settings of notifications added
#37

Updated by Radek Tomiška over 3 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 30 to 90

All notes implemented, except:
- notification moved to related #2434 (analysis should be done before).
- RetryProvisioningTaskExecutor - the first next attempt is computed 2 minutes after the operation fails => the 5 minute schedule remains the same (until the default retry sequence is changed too).
- vs module is enabled by default - a user without a role (with the default 'userRole' only) does not see it (the role from #794 is needed).

Documentation (+ change log):
https://wiki.czechidm.com/devel/documentation/architecture/dev/events/init-data
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#examples_of_configuration
https://github.com/bcvsolutions/CzechIdMng/blob/develop/CHANGELOG.md#1050

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/de8cc6d6dff07476a7c988f4f2989c6ac6a4409b

Could you provide me feedback, please?

Note: Demo data was improved too - users with product provided roles are created, a form projection for external users is created.

#38

Updated by Radek Tomiška over 3 years ago

  • Related to Feature #2441: Roles: support business roles for default role added
#39

Updated by Vít Švanda over 3 years ago

Review notes:

  • In some cases I do not see a role type select box (even if roleType=system is returned from the REST).
  • Role type should not be mandatory on FE.

#40

Updated by Radek Tomiška over 3 years ago

#41

Updated by Vít Švanda over 3 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did the review and tested this awesome feature. Thanks for that. LGTM

#42

Updated by Radek Tomiška over 3 years ago

  • Status changed from Resolved to Closed

#43

Updated by Radek Tomiška over 2 years ago

  • Related to Task #2869: Monitoring: init database and synchronization monitoring evaluators added