Feature #936
Updated by Marcel Poul almost 7 years ago
The task is a bit complex. Many projects do some "business" with users, their roles and accounts before they actually start the job or a new contract.

USECASES:

* *Approve roles in advance* - A new employee is fetched from the HR system with his contract starting in 7 days. His boss wants to make a request for some roles for the contract. The request is approved. Roles are assigned to the user, but the assignment is inactive (grey coloured role on the user's profile roles list). Roles are assigned the day the contract starts (grey turns into black).
* *Create account on end system in advance* - This can be applied in situations when the account should be present on the end system (usually LDAP, AD), since some actions, especially manual ones, should follow it, such as creating a mailbox, preparing shared folders, requesting certificates etc... This behaviour has some consequences like
** the user should not get the password for the end system until it is enabled on the system. In fact this depends (sometimes the password is sent in advance to the user or helpdesk).
** The same applies for CzechIdM - the user should get the IdM password as soon as he is enabled in CzechIdM.
* *Add role and apply to system in advance* - In fact sometimes the user should be created on the end system by a manual action in CzechIdM. This is a little bit of a combination of the previous 2 points. An admin creates a user (e.g. an external contractor) that starts his job in 7 days. He assigns him a basic LDAP role in advance, approves it and wants the user to be provisioned into LDAP now.
** *One future contract, one active contract* - If the user has approved roles for a future contract (manual or automatic), *only some* (typically LDAP_User or AD_User) are provisioned. Otherwise the user would get permissions (group membership) that he should not have.

*Solutions:*

* It makes sense for me now that the automatic roles have a new option whether to assign it in advance (hence do account management and provisioning). It would also be nice that in the request form the default value of the assignment start time in a manually assigned role would be the same as the contract start date if the contract starts in the future.
* There is also a possibility of filtering the requests on system level (account management)
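The use cases above, modelled as an added example (not CzechIdM code and not part of the original comment). The `provision_in_advance` flag, the class and function names, and the sample roles `Accounting_Group` and `Finance_Share` are assumptions made for illustration; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Contract:
    name: str
    valid_from: date


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    contract: Contract
    valid_from: date
    provision_in_advance: bool = False  # hypothetical per-role option


def default_valid_from(contract: Contract, today: date) -> Optional[date]:
    """Request-form default: the contract start date, only if it lies in the future."""
    return contract.valid_from if contract.valid_from > today else None


def plan(assignments, today):
    """Map each role to (display state, whether it is provisioned today)."""
    result = {}
    for a in assignments:
        active = a.valid_from <= today
        state = "active" if active else "inactive"  # black vs grey in the profile
        # An inactive assignment reaches the end system only when flagged, so
        # group memberships of a future contract are not granted early.
        result[a.role] = (state, active or a.provision_in_advance)
    return result


# Constructed sample: one active contract, one contract starting in 7 days.
TODAY = date(2024, 3, 1)
current = Contract("current", TODAY - timedelta(days=400))
future = Contract("future", TODAY + timedelta(days=7))
ASSIGNMENTS = [
    RoleAssignment("Accounting_Group", current, current.valid_from),
    RoleAssignment("LDAP_User", future, future.valid_from, provision_in_advance=True),
    RoleAssignment("Finance_Share", future, future.valid_from),
]

if __name__ == "__main__":
    for day in (TODAY, future.valid_from):
        print(day, plan(ASSIGNMENTS, day))
```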