Defect #3230
Updated by Alena Peterová about 2 years ago
When we use the default settings of managers and subordinates by tree structures (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#defaultmanagersfilter), the managers are not able to see their inactive subordinates. If we use finding managers/subordinates by directly configured managers (https://wiki.czechidm.com/devel/documentation/architecture/dev/filters#guaranteesubordinatesfilter), then managers can see the identities in the list of users, but aren't able to open them.

Please:
* make the default behavior of different algorithms consistent
* allow us to *configure* (without implementation) per project, if the managers may see/edit their left subordinate, or not (we need both options for different customers)

---------------------------------------------------------

Current behavior on version 12.2, steps to reproduce:
* create manager and their subordinate, deactivate the subordinate by their contract's valid till
!suboridnate_inactive.png!
* login as manager -> Users -> clear the filter. You cannot see the inactive subordinate at all:
!default_subordinates.png!
* use the direct managers configuration:
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter
* login as manager -> Users -> clear the filter. You can see the inactive subordinate:
!guaranteefilter_users.png!
* try to open the inactive subordinate => insufficient access rights
!guaranteefilter_open_inactive_user.png!

Note: userRole contains userManagerRole, no other changes in default permissions were made