Task #812
Create init application data (closed)
Added by Radek Tomiška about 7 years ago. Updated over 4 years ago.
100%
Description
When the application is installed, default init data should be created:
- default admin identity
- default user role - see https://wiki.czechidm.com/devel/dev/security/authorization#default_settings_of_permissions_for_an_identity_profile
- default LRT
- default organization structure
- ...
- Init application data contains admin user now.
- Demo data contains user role now. So user role will be moved into init application stage and configuration to not recreate init data will be added (the same as demo data).
- default LRTs are initialized now - IdentityContractExpirationTaskExecutor, IdentityRoleExpirationTaskExecutor, IdentityRoleValidRequestTaskExecutor, HrEnableContractProcess, ProvisioningQueueTaskExecutor, RetryProvisioningTaskExecutor are scheduled over night - so only documentation will be added here https://wiki.czechidm.com/devel/dev/configuration/scheduled_tasks
- default organization structure with code ORGANIZATION is created now in demo data - will be moved into init application stage.
Related issues
Updated by Radek Tomiška about 7 years ago
- Description updated (diff)
- Assignee changed from Radek Tomiška to Marcel Poul
Some init data are in description.
Marcel, could you pls check and add roles with their authorization policies (helpDesk?) or other init data here?
Updated by Marcel Poul about 7 years ago
Hi,
basic info about default roles like helpdesk is there:
https://wiki.czechidm.com/instalacni_balicek#definice_opravneni_v_identity_manageru
Please check.
Other default data I will consult with Zdenek and Lukáš and let you know by tomorrow.
Updated by Marcel Poul about 7 years ago
Other default data (in addition to what is written in previous comments)
Roles:
Helpdesk - see all tasks of all users (in future can see history of task and filter history) + is configured to approve Role change in the process (but the approval round is still disabled)
No role has "can be requested" flag checked.
Security - Helpdesk + is configured to approve Role change in the process (but the approval round is still disabled)
ManagerOfUsers - Helpdesk + edit all users + is configured to approve Role change in the process (but the approval round is still disabled)
Roles change approval:
every approval round has its role assigned (but the approval rounds are still disabled unless "split to subprocess")
I personally do not like step 2 - user's manager - there every user's manager (regardless of the user's contracts) can approve the role change. This step MUST be turned off by default.
Role criticality:
There are at least 4 criticalities defined (0 - no one, 1 - by user's manager (by the contract), 2 - by role guarantee (role's attribute), 3 - manager and then guarantee) - this is to discuss.
LRTs:
All LRTs are defined and planned to run - HR processes 1 time a day after midnight. LRTs have dependencies defined. LRT that are not needed are turned off - like
TreeNodes:
There is default tree node type defined
Role Catalogue
There is a node "CzechIdM Roles"; all default roles (superAdmin, Helpdesk, Security, userRole etc.) are placed there
EAV Forms
All entities have 1 default EAV form (I think Tree Nodes do not have it now)
Modules:
Example module is disabled (if it is available at all)
ACC and IC modules are enabled
VS? - I vote for disabled.
Connectors:
In future add AD and Exchange connectors to the bundle
Manager of the user:
Think of restricting the role change request only to the user's contracts of which the applicant is the manager. e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X
Can we make such a filter and make it default?
Notifications
Almost all of them turn off - to be revised.
Updated by Radek Tomiška about 7 years ago
Marcel Poul wrote:
Manager of the user:
Think of restricting the role change request only to the user's contracts of which the applicant is the manager. e.g.
User A has 2 contracts:
contract_X (managers: user_M), contract_Y (managers: user_N).
User_N cannot remove roles from User_A's contract_X
Can we make such a filter and make it default?
This is not possible, this feature was never implemented.
Updated by Radek Tomiška about 7 years ago
- Assignee changed from Marcel Poul to Radek Tomiška
- Estimated time changed from 8.00 h to 12.00 h
Updated by Alena Peterová about 7 years ago
scheduler.task.queue.process should be lower (e.g. 1000) in the default IdM package. When admins manually start some task, they expect that it starts "immediately", not "sometime during the following minute".
(I write it here, but maybe it should be put directly to the code of the release? profile)
Updated by Vít Švanda about 7 years ago
- Target version changed from Forsterite (7.6.0) to Garnet (7.7.0)
Updated by Marcel Poul almost 7 years ago
Just a comment based on our discussion with Ondra - in CzechIdM 7.7 there is a set of new role permissions TASK, READ;EXECUTE. Both have to be configured on userRole with basepermissionevaluator for init data too. Also Identity, autocomplete on userRole.
Updated by Radek Tomiška almost 7 years ago
- Target version deleted (Garnet (7.7.0))
Updated by Alena Peterová almost 7 years ago
The default userRole must have the evaluator RoleCanBeRequestedEvaluator for IdmRole. Otherwise the users could request "non-requestable" roles.
I changed this in the online demo.
Updated by Marcel Poul over 6 years ago
- Priority changed from Normal to High
I urge this ticket, since this can easily save our time on projects. We do the same manual work all the time.
thx guys
Updated by Alena Peterová over 6 years ago
- changeIdentityRole - informing the user about change in his roles may not be desired (at least during pilot period when we manually repair data)
- passwordChanged (identity-set-password-processor, identity-password-change-notification) - resetting the user's password during activation (there could be other specific ways to set initial password), notifying user about password change
Updated by Alena Peterová about 6 years ago
AccountProtectionExpirationTaskExecutor - this should be planned by default
Updated by Marcel Poul about 6 years ago
- Related to Defect #1314: "Required confirmation by the implementer" should be checked by default added
Updated by Marcel Poul about 6 years ago
- Copied from Task #1264: Revision of default settings of notifications added
Updated by Marcel Poul about 6 years ago
Alena:
Revision of default settings of notifications
improve default settings of notifications on fresh installation of CzechIdM (code, tutorials, documentation of backward compatibility)
Some of the current default settings are a bit surprising for admins and must be checked after installation (https://wiki.czechidm.com/tutorial/adm/notifications_standard).
E.g. what is surprising for me:
the notification about creating a new approval task is not sent by default
the notification about changing roles is sent by default to the user whose roles were changed
I will discuss it with the team.
Updated by Lukáš Cirkva about 6 years ago
I downloaded nightly and I miss testing data and others. These are tiny details that make CzechIdM onboarding easier for clients to make first impressions. Please note this request is not urgent, but has high impact.
Configs:
- add 3-4 users with different roles - Helpdesk
- add tiny org tree - 3-4 suborgs
- add 3-4 roles
- default all modules - acc, vs, report, cert ...
- add 1 virtual system
- Roles / Select role: dialog is still loading... possibly bug?
Updated by Radek Tomiška about 6 years ago
I've enabled demo data again - 3 identities (+anonymized), roles, organizations, default user role configured, all product modules are enabled - will be included in 9.4.0-rc.1.
https://github.com/bcvsolutions/CzechIdMng/commit/013dacbe4e552b2c400c9025726b854499fc234d
Updated by Vít Švanda over 5 years ago
- Estimated time changed from 12.00 h to 24.00 h
Updated by Radek Tomiška over 5 years ago
- Status changed from New to In Progress
Updated by Radek Tomiška over 5 years ago
- Related to Defect #858: Properties are created after initApplicationData added
Updated by Radek Tomiška over 5 years ago
- Related to Task #931: Task import add new trigger added
Updated by Vít Švanda over 5 years ago
- Target version changed from Quartz (9.6.0) to Rhyolite (9.7.0)
Updated by Vít Švanda over 5 years ago
- Target version deleted (Rhyolite (9.7.0))
Updated by Radek Tomiška about 5 years ago
- Related to Task #467: Enhance application data init stage added
Updated by Ondřej Kopr almost 5 years ago
- Related to Feature #2042: Schedule AccountProtectionExpirationTaskExecutor automatically with trigger for every day added
Updated by Alena Peterová almost 5 years ago
Default password policy - set temporary blocking after unsuccessful login attempts (https://wiki.czechidm.com/tutorial/adm/block_user_unsuccessful_login_attemps)
Updated by Radek Tomiška over 4 years ago
- Status changed from New to In Progress
Updated by Alena Peterová over 4 years ago
- add role for VS implementers (#794)
- don't schedule ProvisioningQueueTaskExecutor at all - the asynchronous provisioning is obsolete
- RetryProvisioningTaskExecutor is scheduled every 5 minutes, so "All tasks" is usually full of it, even if it usually doesn't do anything. Maybe it could be less often, e.g. once an hour.
- the 3 HR processes (a little connected to #1790) - either start them all, or none of them. I vote for all of them. I think that this is nothing dangerous, because the IdentityContractExpirationTaskExecutor is already scheduled by default. (Though this will be then useless, if HrEndContractProcess was scheduled.)
- don't schedule SelectCurrentContractSliceTaskExecutor by default - the contract slices aren't used by most of the projects. And even if they are used, we will not use the default schedule, but we will schedule it after synchronization of HR system.
Updated by Radek Tomiška over 4 years ago
- Target version changed from 10.4.0 to 10.5.0
Updated by Radek Tomiška over 4 years ago
- Related to Task #794: Automatically create a role for Virtual System implementers added
Updated by Radek Tomiška over 4 years ago
- % Done changed from 0 to 30
Basic mechanism is implemented and previously defined init + demo data was moved to product provided roles (~person = admin, user). Role authorization policies can be updated automatically, after new product version is installed (e.g. new permission was added => change log + e.g. user role is updated by product).
TODO:
- other roles (helpdeskRole, userManagerRole, roleManagerRole, virtualApproverRole etc.) from notes above
- other notes above :) and related tasks
- change log
- documentation
Updated by Radek Tomiška over 4 years ago
- Related to Task #2434: Notification: improve default settings of notifications added
Updated by Radek Tomiška over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 30 to 90
All notes implemented, except:
- notification moved to related #2434 (analysis should be done before).
- RetryProvisioningTaskExecutor - the first next attempt is computed 2 minutes after operation fails => 5 minute schedule remains the same (until default retry sequence will be changed too).
- vs module is enabled by default - user without role (with default 'userRole' only) does not see it (needed role from #794).
Documentation (+ change log):
https://wiki.czechidm.com/devel/documentation/architecture/dev/events/init-data
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#examples_of_configuration
https://github.com/bcvsolutions/CzechIdMng/blob/develop/CHANGELOG.md#1050
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/de8cc6d6dff07476a7c988f4f2989c6ac6a4409b
Could you provide me a feedback, please?
Note: Demo data was improved too - users with product provided roles are created, form projection for external user is created.
Updated by Radek Tomiška over 4 years ago
- Related to Feature #2441: Roles: support business roles for default role added
Updated by Vít Švanda over 4 years ago
Review notes:
- In some cases I do not see a role type select box (even if roleType=system is returned from the REST).
- Role type should be not mandatory on FE.
Updated by Radek Tomiška over 4 years ago
Thx for review notes above about role type, fixed:
https://github.com/bcvsolutions/CzechIdMng/commit/ecfc94fd2aac017dc7d2837e064b6accb4c4a5ee
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did review and tested this awesome feature. Thanks for that. LGTM
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed
Updated by Radek Tomiška over 3 years ago
- Related to Task #2869: Monitoring: init database and synchronization monitoring evaluators added