Task #820

closed

Manually delete accounts in protected state

Added by Marcel Poul over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Account management
Target version:
Start date: 11/05/2017
Due date:
% Done: 100%
Estimated time:
Owner:

Description

CzechIdM should support manual deletion of objects on a connected system (e.g. a user account) even though they are in a protected state.


Related issues

Related to IdStory Identity Manager - Task #824: Security for AccAccount (Closed, Vít Švanda, 11/07/2017)

Actions #1

Updated by Radek Tomiška over 6 years ago

  • Related to Task #824: Security for AccAccount added
Actions #2

Updated by Radek Tomiška over 6 years ago

  • Status changed from New to Needs feedback
  • % Done changed from 0 to 20

I've added attributes 'inProtection' and 'endOfProtection' to the account detail and they are editable now. Deleting an account in protected state is possible now:
  1. change the 'inProtection' and 'endOfProtection' attributes
  2. then delete the account.

It's a little complicated, I know (two steps), but on the other hand, removing accounts by bulk operation directly from the table could be dangerous.
Is this behavior acceptable? Could be tested on develop.

Note: We added authorization policies support to account agenda (#824) and we are able to set base permissions for accounts => update accounts permission should have only 'account admin'.

Actions #3

Updated by Marcel Poul over 6 years ago

Nice work

removing accounts by bulk operation directly from table could be dangerous

I think it is always dangerous, no matter how you delete the account. At first look I would prefer the easiest way, by bulk action or a delete button. In that case, you can pop up a red warning for the admin. We can discuss tomorrow.

Actions #4

Updated by Vít Švanda over 6 years ago

  • Category changed from Feedback to Account management
  • Status changed from Needs feedback to In Progress
  • Assignee changed from Marcel Poul to Vít Švanda
  • Target version set to Forsterite (7.6.0)

Manual deletion of an unprotected account on the protected system was changed.

  • Now the account will be marked as protected. All connected relations (identity-accounts) will be deleted (until the last one).
  • I had to transform AccAccountService to use events.

I still have to create some tests and modify the documentation.

Actions #5

Updated by Vít Švanda over 6 years ago

  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 20 to 80

- Tests created
- Documentation completed.

Actions #6

Updated by Radek Tomiška over 6 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Ondřej Kopr
  • % Done changed from 80 to 90

I made the attribute 'inProtection' read only. To delete an account in protected state, it is possible to set the end of protection date to the past; documentation:
https://wiki.czechidm.com/devel/dev/account-management/protection-system

Could you give feedback, please?

Actions #7

Updated by Ondřej Kopr over 6 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Ondřej Kopr to Radek Tomiška
  • % Done changed from 90 to 100

I did feedback: setting "Protected until" works as you describe, it is necessary to set it in the past (setting null is not enough, null value = protection forever), the attribute inProtection is read-only, manually removing accounts works awesome, thank you for this feature.

Actions #8

Updated by Radek Tomiška over 6 years ago

  • Status changed from Resolved to Closed