Differences

This shows you the differences between two versions of the page.

9.5:documentation:role_attributes [2019/02/01 12:10] (current)
Line 1: Line 1:
 +<- .:​universal_requests| ^ .:start | Documentation ^ .:​role_catalogue | Role Catalogue ->
  
 +====== Attributes of role ======
 +{{tag>​role attributes}}
 +
 +===== What are role attributes =====
 +**Role attributes determine** what additional information **can (must)** be filled in a user's **assigned role**. A typical example can be the **IP address** of a user's end station, which must be filled in a role assignment request.
 +
 +The **definitions of what attributes** are to be filled for the role are managed on the **role detail** (role attributes tab). Here, you define not only what attributes to show in the request, but also their **default values** and **validation settings**. This definition is part of the **role approval** process (off by default).
 +
 +
 +===== How it works =====
 +
 +==== Definition ====
 +First, you need to **create the main definition** of all attributes which could be used in role **sub-definition**. The **main form definition** can be created in the **Form definitions** agenda.
 +<​note>​Attributes from the **main definition** can be used multiple times in multiple roles.</​note>​
 +<note tip>​**Main definition** must be created for type **IdmIdentityRole**.</​note>​
 +
 +Then, you need to **create sub-definition** of attributes witch should be filled in requesting a role. 
 +Sub-definition can be created on the role detail on the **Role attributes** tab. In sub-definition you can select an attributes only from main definition. So first what you need to do, is select main definition and save it. Then you can create **attribute definition for the role**.
 +
 +{{ :​devel:​documentation:​role-attributes-detail.png |}}
 +
 +**Attribute definition for the role** define:
 +
 +* **Definition of attribute** from the main definition.
 +* **Overrides the default value**. Default value from attribute in main definition will be prefilled (only on frontend).
 +* **Overrides the validation settings**. Validation settings from attribute in main definition will be prefilled (only on frontend).
 +
 +<note important>​**Only** attributes defined in the **sub-definition** will be show on role requesting!</​note>​
 +
 +{{ :​devel:​documentation:​role-attributes-list.png |}}
 +
 +==== Using on the role request ====
 +
 +If some requested role **has attributes**,​ then is rendered form on **role concept detail**:
 +
 +{{ :​devel:​documentation:​request-add-detail.png |}}
 +
 +<note important>​Form with role's attributes is rendered only if **one role is selected**! If are selected more roles on the detail, then user **cannot fill the attribute'​s values** directly. In this case user can create role-concepts for more roles and then editing the values of attributes for each concept **one by one**. </​note>​
 +
 +**If you add multiple roles** in one request and some from this roles will have **required attribute** (without default value), then will be created concept **not valid**. In this case you will see **warning icon** on the unvalid concept.
 +
 +{{ :​devel:​documentation:​concepts-validation-warn.png |}}
 +
 +You can **modified existing attribute value** in assigned role. For this case was created new mode for **highlight** changes on detail of role concept:
 +
 +{{ :​devel:​documentation:​request-modified-detail.png |}}
 +
 +If a **request** that contains **attribute roles** is submitted, a standard **approving process is executes**. If the role with the attributes is approval, then the detail of the concept role, including the attributes, **is displayed in the detail of the approval user task**.
 +
 +{{ :​devel:​documentation:​request-task-detail.png |}}
 +
 +Upon successful **completion of the request**, the resulting concept role attributes are **copied** to the **assigned role** (**IdmIdentityRole**). Attributes assigned to roles can be displayed on the **identity detail** (**Roles** -> **detail** -> Tab "​**Role'​s attributes**"​).
 +
 +{{ :​devel:​documentation:​identity-role-attributes-detail.png |}} 
 +
 +===== Provisioning of assigned roles =====
 +For the purpose of provisioning assigned roles, new attributes (**User assigned roles** and **User assigned roles (for this system)**) were created, which can be used in system mapping for provisioning identities.
 +Input of the transformation into the system is a list of valid assigned identity roles. This assignment is represented by the ** AssignedRoleDto ** object, which mirrors the object ** IdmIdentityRoleDto ** and tries to simplify the work with assigned roles in the transform. This simplification is primarily based on the fact that the object contains the entire DTO (role, identityContract,​ ...) instead of the UUID and mainly contains a **map of all the attributes of the assigned role** (where the key is the attribute code and the value is a list of all attribute values).
 +
 +<note tip>​Input for transforming into the system (**attributeValue**) is a list of all valid user roles (list of **AssignedRoleDto**). This attribute is only for **provisioning** and for default strategy (SET).</​note>​
 +
 +<​note>​Structure of **AssignedRoleDto** is [[https://​github.com/​bcvsolutions/​CzechIdMng/​blob/​develop/​Realization/​backend/​acc/​src/​main/​java/​eu/​bcvsolutions/​idm/​acc/​domain/​AssignedRoleDto.java|here]].</​note>​
 +<​note>​Input of transformation for attribute ** User assigned roles (for this system) ** will contain only valid assigned user roles assigned this system!</​note>​
 +
 +=== Example script for print assgined roles to the string: ===
 +<code java>
 +import eu.bcvsolutions.idm.acc.domain.AssignedRoleDto;​
 +import eu.bcvsolutions.idm.core.api.dto.IdmRoleDto;​
 +
 +if (attributeValue) {
 +    String result = "";​
 +    for(AssignedRoleDto dto : attributeValue){
 +        result = result + "Role: [" + dto.getRole().getCode() + "] Attributes: [" + dto.getAttributes().toString() + "​]";​
 +        ​
 +    }
 +    return result;
 +}
 +return "";​
 +</​code>​
 +
 +== Output of this script: ==
 +<code java>
 +Role: [Helpdesk] Attributes: [[:]]
 +Role: [RoleWithOneAttribute] Attributes: [[IP:​[192.168.0.122]]]
 +Role: [RoleWithTwoAttributes] Attributes: [[Number of fingers:​[20],​ IP:​[168.192.0.10]]]
 +</​code>​
 +
 +
 +===== Admin guide (to be completed)=====
 +  * [[.attributes:​adm:​attributes|Role attributes]]
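
Review bot: In the "Attribute definition for the role" list, the "(only on frontend)" qualifier on the two override bullets does not say whether only the prefilling happens on the frontend or whether the overridden validation settings are themselves applied only there. These values are supplied by the requester (the IP address example) and later reach provisioning through the attribute map in AssignedRoleDto, so please state explicitly whether submitted attribute values are validated again on the backend against the sub-definition. Separately, the example script appends each entry to result with no separator, so it returns one unbroken string, while the "Output of this script" block shows one role per line; either append a newline per entry in the script or show the output as a single line. Smaller points in the same section: the IdmRoleDto import is unused, the output block is tagged "code java" although it is plain text, and the heading reads "assgined".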