====== Roles assignment deduplication ======
{{tag>deduplication duplicity duplici role identityrole identity remove assigment admin}}

Yes, CzechIdM allows assigning two identical roles to the same contract. Why?

  * Assigned manually directly and from a business role - typically while the process of defining business roles is still in progress.
  * Assigned manually directly and from an automatic role - for example, an administrator previously added a role to a contract and later defined a new automatic role whose definition the identity meets.
  * Assigned manually directly and manually directly - users usually get these during data migration or through user mistakes during the role request process.

===== Deduplication (bulk action) =====

Deduplication is a bulk action that is available **on User agenda**. Deduplication removes only manually added roles. Roles that were assigned by automatic roles or by business roles will never be removed.

The deduplication bulk action has several options that change how it checks whether two roles are duplicates. The available options are:

  * Approve - the role removal goes through the workflow process,
  * Check role attributes - the equality check also compares role attributes and their values.

{{ :devel:documentation:roles:adm:role_deduplication.png |}}

==== Evaluate algorithm ====

Two role assignments are duplicates if they meet all of these rules:

  * the same role (role code attribute),
  * on the same identity contract,
  * assigned automatically and manually directly, or manually directly and manually directly, or manually directly and by business role (automatically or manually),
  * must have the same role parameters (the same values are expected),
  * are valid "at the same time" - **this is a bit tricky, see the Examples below**.

The evaluation algorithm or the whole deduplication process can be implemented for [[..dev:identity-role-deduplication| custom needs]] in your project.

=== Examples ===

We resolve the duplicity of two assigned roles by their validity or by the validity of the contract. For a better overview, here are some examples with commentary:

In this case, both roles are assigned manually and ''role A'' has infinite validity. The process will remove ''B role''.

<code>
B A
|---------| <----|---------------->
______|_________|____________
| now
</code>

----

In this case, both roles are assigned manually and both roles have infinite validity. In this case the algorithm **removes the role that has been assigned earlier**.

<code>
B A
<---------> <-------------------->
___________________________
| now
</code>

----

In this case, both roles are assigned manually and the ''role B'' is in the validity range of ''role A''. ''Role B'' will be removed.

<code>
B A
|-------------| |-------------------------|
______|____|_____________|______|_____
| now
</code>

----

In this case, both roles are assigned manually and both have the same validity. In this case the algorithm **removes the role that has been assigned earlier**.

<code>
B |-------------|
A |-------------|
_________|_____________|_______
| now
</code>

----

In this case both roles were assigned manually and the **contract has infinite validity**. In this case, no role will be removed.

<code>
B A
|------| |----------|
| |
______|__________|_______|______|_____
| now
</code>

----

In this case both roles were assigned manually and the contract has the same valid till as ''role A''. The process will remove ''B role''.

<code>
B A
|------| |----------|
| |
______|__________|___|______|_____
| |
now contract valid till
</code>

----

In this case the ''role MAN'' was manually added and the ''role AUTO'' was automatically added. The process will remove the ''MAN role''.

<code>
MAN AUTO
|--------------| <----------------------------->
__________|______________|____
| now
</code>

----

In this case the ''role MAN'' was manually added and the ''role AUTO'' was automatically added.
The process will remove the ''MAN role'', because the automatic role has the same validity as the contract and the manually added role is now invalid.

<code>
MAN AUTO
|-----| |--------|
| |
______|________|____|_____|__
| now
</code>

----

In this case the ''role MAN'' was manually added and the ''role AUTO'' was automatically added. Both roles have a filled validity, but the valid till of ''role MAN'' is a little bit shorter than that of ''role AUTO''. The process will remove the ''MAN role''.

<code>
MAN |--------------|
AUTO |-------------------|
_________|______________|____|___
| now
</code>

----

In this case the ''role MAN'' was manually added and the ''role AUTO'' was automatically added. Both roles have a filled validity, but the valid from of ''role MAN'' is a little bit longer than that of ''role AUTO''. The process will remove the ''MAN role''.

<code>
MAN |-----------------------|
| |--------------| AUTO
______|________|______________|_______
| now
</code>

----

In this case the ''role MAN'' was manually added and the ''role AUTO'' was automatically added. Both roles will be valid in the future. No role will be removed.

<code>
MAN <--------------------------->
|-----| AUTO
___________|_____|_____________
| now
</code>

----

In this case the ''role MAN'' was manually added and the ''role AUTO'' was automatically added. ''Role MAN'' has infinite validity and the process will remove the ''MAN role'', because the ''AUTO role'' has the same validity as the contract.

<code>
MAN <--------------------------->
|-----| AUTO
___________|_____|_____________
| now
</code>

----
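
The rules under "Evaluate algorithm" and the validity examples above can be modelled for the assignments of a single contract as follows. This is an added example, not CzechIdM code: the ''Assignment'' class, its field names and the reading of "valid at the same time" as "validity clipped to the contract is covered by the other assignment" are assumptions chosen to agree with the examples on this page.

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

@dataclass
class Assignment:                 # hypothetical model, not a CzechIdM class
    name: str
    role_code: str
    manual: bool                  # False = automatic role or business role
    created: datetime
    valid_from: Optional[date] = None   # None = unbounded
    valid_till: Optional[date] = None
    params: dict = field(default_factory=dict)

def effective(a, c_from, c_till):
    """Role validity clipped to the contract validity (assumed reading)."""
    lo = max(a.valid_from or date.min, c_from or date.min)
    hi = min(a.valid_till or date.max, c_till or date.max)
    return lo, hi

def covers(outer, inner):
    """True if inner is empty or lies entirely inside outer."""
    return inner[0] > inner[1] or (outer[0] <= inner[0] and inner[1] <= outer[1])

def removable(assignments, c_from=None, c_till=None, check_params=True):
    """Names of manual assignments on one contract that another one makes redundant."""
    out = []
    for cand in assignments:
        if not cand.manual:
            continue              # automatic and business roles are never removed
        ce = effective(cand, c_from, c_till)
        for other in assignments:
            if other is cand or other.role_code != cand.role_code:
                continue
            if check_params and other.params != cand.params:
                continue
            oe = effective(other, c_from, c_till)
            if not covers(oe, ce):
                continue
            # Two manual assignments with equal validity: only the earlier one goes.
            if other.manual and covers(ce, oe) and cand.created >= other.created:
                continue
            out.append(cand.name)
            break
    return out
```

Running the candidate list through an approval step before deleting anything corresponds to the "Approve" option of the bulk action.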