IdStory Identity Manager

Hi,
basic info about default roles like helpdesk are there:

https://wiki.czechidm.com/instalacni_balicek#definice_opravneni_v_identity_manageru

Please check.

Other default data I will consult with Zdenek and Lukáš and let you know till tomorrow.

Other default data (in addition to what is written in previous comments)

Roles:
Helpdesk - see all tasks of all users (in future can see history of task and filter history) + is configures to approve Role change in the process (but the approval round is still disabled)
No role has "can be requested" flag checked.
Security - Helpdesk + is configured to approve Role change in the process (but the approval round is still disabled)
ManagerOfUsers - Helpdesk + edit all users + is configured to approve Role change in the process (but the approval round is still disabled)

Roles change approval:
every approval round has its role assigned (but the approval rounds are still disabled unless "split tu subprocess")
I personally do not like step 2 - user's manager - there every user's manager (regardless user's contracts) can approve the role change. This step MUST be turned off by default.

Role criticality:
There are at least 4 criticalities defined (0 - no one , 1 - by user's manager (by the contract), 2 - by role guarantee (role's attribute), 3 - manager and then guarantee - this is to discuss.

LRTs:
All LRTs are defined and planned to run - HR processes 1 time a day after midnight. LRTs have dependencies defined. LRT that are not needed are turned off - like

TreeNodes:
There is default tree node type defined

Role Catalogue
There is a node "CzechIdM Roles", all default roles (superAdmin, Helpdesk, Security, userRole etc. are placed there)

EAV Forms
All entities have 1 default EAV form (I think Tree Nodes does not have it now)

Modules:
Example module is disabled (if it is available at all)
ACC and IC modules are enabled
VS? - I vote for disabled.

Connectors:
In future add AD and Exchange connectors to the bundle

Manager of the user:

Think of to restrict the role change request only for user's contracts by which the applicant is the manager. e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X

Can we make such a filter and make it default?

Notifications
Almost all of them turn off - to be revised.

Marcel Poul wrote:

Manager of the user:

Think of to restrict the role change request only for user's contracts by which the applicant is the manager. e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X

Can we make such a filter and make it default?

This is not possible, this feature was never implemented.

scheduler.task.queue.process should be lower (e.g. 1000) in the default IdM package. When admins manually start some task, they expect that it starts "immediately", not "sometime during the following minute".
(I write it here, but maybe it should be put directly to the code of the release? profile)

Just a comment based on our discussion with Ondra - in CzechIdM 7.7 there is a set of new role permissions TASK, READ;EXECUTE. Both have to be configured on userRole with basepermissionevaluator for init data too. Also Identity, autocomplete on userRole.

The default userRole must have the evaluator RoleCanBeRequestedEvaluator for IdmRole. Otherwise the users could request for "non-requestable" roles.
I changed this in the online demo.

• changeIdentityRole - informing the user about change in his roles may not be desired (at least during pilot period when we manually repair data)
• passwordChanged (identity-set-password-processor, identity-password-change-notification) - reseting the user's password during activation (there could be other specific ways to set initial password), notifying user about password change

AccountProtectionExpirationTaskExecutor - this should be planned by default

Alena:

Revision of default settings of notifications

improve default settings of notifications on fresh installation of CzechIdM (code, tutorials, documentation of backward compatibility)
Some of current default settings is a bit surprising for admin and must be checked after installation (https://wiki.czechidm.com/tutorial/adm/notifications_standard).
E.g. what is surprising for me:
the notification about creating a new approval task is not sent by default
the notification about changing roles is sent by default to the user whose role were changed
I will discuss it with the team.

I downloade nigthly and I miss for testing data and others. These are tiny details that make CzechIdM onboarding easier for clients to make first impressions. Please this request is not urgent, but have high impact.

1. add 3-4 users with different roles - Heldesk
2. add tiny org tree - 3-4 suborgs
3. add 3-4 roles
4. default all modules - acc, vs, report, cert ...
5. add 1 virtual system
6. Roles / Select role: dialog is still loading... possibly bug?

I've enabled demo data again - 3 identities (+anonymized), roles, organizations, default user role configured, all product modules are enabled - will be included in 9.4.0-rc.1.

https://github.com/bcvsolutions/CzechIdMng/commit/013dacbe4e552b2c400c9025726b854499fc234d

Default password policy - set temporary blocking after unsuccessful login attempts (https://wiki.czechidm.com/tutorial/adm/block_user_unsuccessful_login_attemps)

• add role for VS implementers (#794)
• don't schedule ProvisioningQueueTaskExecutor at all - the asynchronous provisioning is obsolete
• RetryProvisioningTaskExecutor is scheduled every 5 minutes, so All tasks is usually full of it, even if it usually doesn't do anything. Maybe it could be less often, e.g. once an hour.
• the 3 HR processes (a little connected to #1790) - either start them all, or none of them. I vote for all of them. I think that this is nothing dangerous, because the IdentityContractExpirationTaskExecutor is already scheduled by default. (Though this will be then useless, if HrEndContractProcess was scheduled.)
• don't schedule SelectCurrentContractSliceTaskExecutor by default - the contract slices aren't used by most of the projects. And even if they are used, we will not use the default schedule, but we will schedule it after synchronization of HR system.

Review notes:

• In some cases I do not see a role type select box (even if roleType=system is returns from the REST).
• Role type should be not mandatory on FE.

Thx for review notes above about role type, fixed:
https://github.com/bcvsolutions/CzechIdMng/commit/ecfc94fd2aac017dc7d2837e064b6accb4c4a5ee