Feature #984 (closed)

Delegations in IdM

Added by Vladimír Kotýnek about 6 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Category: Workflow
Target version:
Start date: 02/26/2018
Due date:
% Done: 100%
Estimated time:
Owner:

Description

I have a situation on a project where a role approver/manager or virtual system administrator is temporarily unavailable (e.g. is on vacation, is unable to work due to illness/injury, etc.). In this case, as an IdM administrator, I want to provide him/her a way to delegate his/her agenda to another person who has an identity in IdM, and I don't want to do it myself manually or by some data-based hacks or workflow changes. Currently the whole delegation agenda is managed by another IT system that covers work attendance management and can be synchronized to IdM - either pushed via IdM's API or pulled by IdM during resource synchronization. The user can configure different delegations for each of his/her contracts to different persons; IdM should allow it.

There should also be a way to configure delegations in IdM manually, e.g. as a feature of the identity's contract.

The requested feature should work like this (the main use case); the feature description also matches the request for automatically synchronized delegations:

  1. User logs in to IdM and goes to the delegation configuration.
  2. Selects an agenda (role approving, virtual system task resolving, subordinates management).
  3. Selects date from and date to (let's discuss a possibility of permanent delegation, e.g. a head of department might want to move her/his agenda to a subordinate permanently).
  4. Selects the identity (or its contract) to whom the agenda will be delegated. One or more identities can be selected.
  5. Finally confirms the delegation request.
  6. Then a delegation approving workflow starts (at least the identity to whom the delegation is created must approve it; in some cases I can imagine that also a security manager or IdM manager would want to approve a delegation).

The assignment is here: https://wiki.czechidm.com/priv/features/delegace


Related issues

  • Related to IdStory Identity Manager - Task #2298: Workflow tasks - Allow to see all tasks for the user involved in the process. (Closed, Vít Švanda, 06/05/2020)
  • Related to IdStory Identity Manager - Task #2342: Split role request approval by contract managers for single role approval (New, Vít Švanda, 06/23/2020)
  • Related to IdStory Identity Manager - Task #2220: Split role request approval by contract managers (New, Vít Švanda, 04/20/2020)
  • Related to IdStory Identity Manager - Defect #2383: After approving the task, a new notification is sent about the same task (Closed, Vít Švanda, 07/13/2020)

Actions #1

Updated by Vladimír Kotýnek about 6 years ago

  • Description updated (diff)
Actions #3

Updated by Radek Tomiška almost 4 years ago

  • Category set to Workflow
  • Assignee changed from Radek Tomiška to Vít Švanda
  • Target version set to 10.4.0
Actions #4

Updated by Vít Švanda almost 4 years ago

  • Status changed from New to In Progress
Actions #5

Updated by Vít Švanda almost 4 years ago

  • Description updated (diff)
Actions #6

Updated by Vít Švanda almost 4 years ago

  • % Done changed from 0 to 30
Actions #7

Updated by Vít Švanda almost 4 years ago

  • % Done changed from 30 to 40

Basic implementation for workflow tasks and approving a role by manager works now.

Actions #8

Updated by Vít Švanda almost 4 years ago

  • % Done changed from 40 to 50

Added task state, implemented listeners for Activiti (on task completed and activity cancelled).

Actions #9

Updated by Vít Švanda almost 4 years ago

  • Related to Task #2298: Workflow tasks - Allow to see all tasks for the user involved in the process. added
Actions #10

Updated by Vít Švanda almost 4 years ago

  • % Done changed from 50 to 70

Permissions (4 evaluators) implemented.

Actions #12

Updated by Radek Tomiška almost 4 years ago

  • Related to Task #2342: Split role request approval by contract managers for single role approval added
Actions #13

Updated by Radek Tomiška almost 4 years ago

  • Related to Task #2220: Split role request approval by contract managers added
Actions #14

Updated by Radek Tomiška almost 4 years ago

I did a test and code review, it works, thx! I like that a delegation type can be registered from a custom module and that delegation can be split by contracts, it's complex.

Review notes:
- IdmDelegationDefinitionController, IdmDelegationController - count method is missing (even COUNT permission is defined).
- DELEGATIONDEFINITION group permission is used for delegation instances too - a DELEGATION group permission should be created and used in all layers. Evaluators for delegation instances already exist and can be configured - it will be possible to configure read of all delegation instances (e.g. for an audit person) without read of the configured delegation configurations.
- IdmDelegationDefinitionFilter, IdmDelegationFilter - wrong dto (IdmExportImportDto) is defined.
- IdmDelegationDefinitionFilter, IdmDelegationFilter - lookupService for delegator and delegate can be used to support codeable identifier (on controller layer).
- DelegationDefinitionEvent, DelegationEvent - wrong content type (IdmExportImportDto) is defined.
- DefaultIdmDelegationDefinitionService#deleteInternal - @Transactional is missing.
- IdmDelegationDefinitionFilter#getSupportedRoutes - copied from projections.

Just notes:
- Logged user is set as delegate of 'other' user -> logged user creates a request while a delegation is defined from 'other' user to logged user -> logged user is evaluated as delegate for the created request (= is in approvers), then this request is not approved automatically (not skipped as in standard approval without delegations).
- When the currently logged user is in task approvers and a delegation is configured for a different approver, then the task is shown as delegated - but the currently logged user is not related to this delegation.
- LookupService can be used to get owner id (for dtos, filters ...). Benefit: type check is implemented there.
- LookupService can be used to get owner type (for dtos, filters ...). Benefit: type check is implemented there.
- DelegationDefinitionCreateNotificationProcessor#63 - assert for content is not null can be removed - content is required in event processing (same in DelegationDefinitionDeleteNotificationProcessor).
- DelegationManager, DelegationType - public, static and final modifiers can be removed in interfaces.
- IdmDelegationDefinitionDto - abbreviation is used in relation annotation (vs. full name used in controller methods).
- FE: component:delegation icon can be registered (alias to 'fa:dolly' :))
- FE: I'm not sure if the infinity symbol used in notifications will be understood by a normal user, but I like it :)

I fixed some minors (typo etc.):
https://github.com/bcvsolutions/CzechIdMng/commit/4ceb4e8d9fd823b2f86267660c12edfb3b9f6ace
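The description above asks for a delegation definition with an agenda, a validity window and an optional split by the delegator's contract, and the review note above records the approval edge case: a requester who is a candidate only because somebody delegated to them must not have their own request skipped as self-approved. The following Python block is an added example written for this page; it is not CzechIdM code and does not use the project's API. All names (DelegationDefinition, Candidate, the delegation_type strings, the contract ids, the sample identities and dates) are assumptions, as are two behavioural choices: the original approver stays a candidate next to the delegate, and delegation is not transitive.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence


# Added illustration, not CzechIdM code; model names and rules are assumptions.
@dataclass(frozen=True)
class DelegationDefinition:
    """One delegation of one agenda (delegation_type) from delegator to delegate.
    valid_from / valid_till of None = open end (permanent delegation).
    delegator_contract of None = all of the delegator's contracts, otherwise
    only the named one (delegation split by contract)."""
    delegator: str
    delegate: str
    delegation_type: str
    valid_from: Optional[date] = None
    valid_till: Optional[date] = None
    delegator_contract: Optional[str] = None

    def __post_init__(self) -> None:
        if self.delegator == self.delegate:
            raise ValueError("an identity cannot delegate to itself")
        if self.valid_from and self.valid_till and self.valid_from > self.valid_till:
            raise ValueError("valid_from is after valid_till")

    def is_active(self, on: date, contract: Optional[str]) -> bool:
        if self.valid_from is not None and on < self.valid_from:
            return False
        if self.valid_till is not None and on > self.valid_till:
            return False
        if self.delegator_contract is not None and contract != self.delegator_contract:
            return False
        return True


@dataclass(frozen=True)
class Candidate:
    """Task candidate; delegated_from names the original approver when this
    identity is a candidate only as that approver's delegate."""
    identity: str
    delegated_from: Optional[str] = None


def resolve_candidates(approvers: Sequence[str],
                       definitions: Sequence[DelegationDefinition],
                       delegation_type: str, on: date,
                       contract: Optional[str] = None) -> List[Candidate]:
    """Expand the original approvers by every delegate whose definition is
    active for this agenda, date and contract.  Assumed: the original approver
    stays a candidate; a delegate's own delegations are not followed."""
    result: List[Candidate] = []
    for approver in approvers:
        result.append(Candidate(approver))
        for d in definitions:
            if (d.delegator == approver and d.delegation_type == delegation_type
                    and d.is_active(on, contract)):
                result.append(Candidate(d.delegate, delegated_from=approver))
    return result


def is_auto_approved(requester: str, candidates: Sequence[Candidate]) -> bool:
    """Standard rule: a request whose requester is an original approver is
    approved automatically (task skipped).  Being a candidate only as somebody's
    delegate does not count, so holding a delegation from the approver never
    lets the requester approve their own request implicitly."""
    return any(c.identity == requester and c.delegated_from is None for c in candidates)


def delegates_for(identity: str, candidates: Sequence[Candidate]) -> List[str]:
    """Original approvers the identity acts for on this task (empty when the
    identity is an original approver or not involved); lets the UI mark a task
    as delegated only for the user the delegation concerns."""
    return [c.delegated_from for c in candidates
            if c.identity == identity and c.delegated_from is not None]


# Constructed sample data: alice delegates role approval to bob for two weeks on
# all contracts, permanently to carol for one contract, and VS tasks to dave.
SAMPLE_DEFINITIONS = [
    DelegationDefinition("alice", "bob", "approve-role-by-manager",
                         date(2020, 7, 1), date(2020, 7, 14)),
    DelegationDefinition("alice", "carol", "approve-role-by-manager",
                         delegator_contract="alice-contract-2"),
    DelegationDefinition("alice", "dave", "resolve-vs-task"),
]
ON_JULY_5 = date(2020, 7, 5)
ON_JULY_20 = date(2020, 7, 20)

if __name__ == "__main__":
    cands = resolve_candidates(["alice"], SAMPLE_DEFINITIONS,
                               "approve-role-by-manager", ON_JULY_5)
    print([c.identity for c in cands])        # ['alice', 'bob']
    print(is_auto_approved("alice", cands))   # True
    print(is_auto_approved("bob", cands))     # False
```

Run on the constructed sample, bob is a candidate on 5 July but not on 20 July, carol only when the task belongs to alice-contract-2, and a request created by bob while he holds alice's delegation still waits for a human approval, which is the behaviour the review note describes.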

Actions #15

Updated by Vít Švanda almost 4 years ago

Thanks for the review. You have a good eye.

Review notes:
- ✅ IdmDelegationDefinitionController, IdmDelegationController - count method is missing (even COUNT permission is defined).
- I consider the definition and instance of the delegation to be the same object. So if you don't have bad emotions, I'd leave it unchanged. DELEGATIONDEFINITION group permission is used for delegation instances too - DELEGATION group permission should be created and used in all layers. Evaluators for delegation instances already exist and can be configured - it will be possible to configure read all delegation instaces (e.g. for audit person) without read configured delegation configurations.
- ✅ IdmDelegationDefinitionFilter, IdmDelegationFilter - wrong dto (IdmExportImportDto) is defined.
- IdmDelegationDefinitionFilter, IdmDelegationFilter - lookupService for delegator and delegate can be used to support codeable identifier (on controller layer).
- ✅ DelegationDefinitionEvent, DelegationEvent - wrong content type (IdmExportImportDto) is defined.
- ✅ DefaultIdmDelegationDefinitionService#deleteInternal - @Transactional is missing.
- ✅ IdmDelegationDefinitionFilter#getSupportedRoutes - copied from projections.

Just notes:
- Good point, I will add this as a note to the documentation. Logged user is set as delegate of 'other' user -> logged user creates a request while a delegation is defined from 'other' user to logged user -> logged user is evaluated as delegate for the created request (= is in approvers), then this request is not approved automatically (not skipped as in standard approval without delegations).
- LookupService can be used to get owner id (for dtos, filters ...). Benefit: type check is implemented there.
- LookupService can be used to get owner type (for dtos, filters ...). Benefit: type check is implemented there.
- ✅ DelegationDefinitionCreateNotificationProcessor#63 - assert for content is not null can be removed - content is required in event processing (same in DelegationDefinitionDeleteNotificationProcessor).
- ✅ DelegationManager, DelegationType - public, static and final modifiers can be removed in interfaces.
- ✅ IdmDelegationDefinitionDto - abbreviation is used in relation annotation (vs. full name used in controller methods).
- FE: component:delegation icon can be registered (alias to 'fa:dolly' :))
- FE: I'm not sure if the infinity symbol used in notifications will be understood by a normal user, but I like it :)

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/815f65b685333be07a69b206ad5fb842179781a2

Actions #16

Updated by Vít Švanda almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 70 to 80

I made an improvement: the delegation is shown on the task detail only if the logged user is a candidate. This filter is used only if the logged user is not an admin or a workflow-task admin.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/16f643b4b000db4fa28e91ff10da421509338b4c

Actions #17

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Radek Tomiška to Vít Švanda
Actions #18

Updated by Vít Švanda almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 80 to 90
Actions #19

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 90 to 100

Doc is ok, thx

Actions #20

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Resolved to Closed
Actions #21

Updated by Radek Tomiška over 3 years ago

  • Related to Defect #2383: After approving the task, a new notification is sent about the same task added