Contractual relationship (CR)

A contractual relationship (CR) defines the link between an identity and the tree structure. The application follows the rule that every identity has at least one CR. This is why one CR is created automatically for every identity after its creation, according to the configuration of the default organizational structure. If a default element of the structure is configured, it is used when creating the default CR ⇒ the identity is "positioned" on the default position of the organizational structure in question. If no default element of the structure is selected, the identity is "positioned" on the position named "Default" without being included in the organizational structure.

The CR plays a significant, if not the main, role when assigning a role to an identity: the role is always assigned to the CR, not directly to the identity. This ensures that authorization evaluation always passes through a single path, the CR, where a tree (organizational) structure can figure ⇒ the authorizations can be linked through these structures / positions in the organization.

Another intended functional feature is that when a CR ceases to exist or is invalidated, all the roles ensuing from this CR cease to exist as well. For the periodic review of invalid CRs, a schedulable task has been created: IdentityContractExpirationTaskExecutor.

In the agenda of tree structure / organizational structure elements, users who are "positioned" on the selected element are searched through their CR. The agenda displays only the users related to a certain type of structure ⇒ they have a CR with the selected type.

Prime contract position

A CR can be flagged as "main". More than one CR can be flagged as main, or none. The prime contract is computed by CR priority:

  1. main
  2. valid (valid by from-till and not disabled)
  3. with working position with default tree type
  4. with working position with any tree type
  5. with undefined valid from
  6. other with lowest valid from
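
The priority list above can be read as a chained comparison in which each rule only breaks ties left by the rules before it. The following is an added example of that reading, not the project's own code; the Contract record, its fields, the tree type codes and the sample data are hypothetical and constructed for illustration.

```java
import java.time.LocalDate;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public class PrimeContractExample {

    // Hypothetical, simplified contract model (not the project's entity).
    // treeType == null means the contract has no working position.
    record Contract(String name, boolean main, boolean disabled,
                    LocalDate validFrom, LocalDate validTill, String treeType) {

        // Rule 2: valid by from-till and not disabled.
        boolean isValid(LocalDate today) {
            return !disabled
                    && (validFrom == null || !validFrom.isAfter(today))
                    && (validTill == null || !validTill.isBefore(today));
        }
    }

    // Boolean keys sort false before true, so each key is "rule NOT met".
    // A later key is consulted only when all earlier keys tie.
    static Comparator<Contract> priority(LocalDate today, String defaultTreeType) {
        return Comparator
                .comparing((Contract c) -> !c.main())                       // 1. main
                .thenComparing(c -> !c.isValid(today))                      // 2. valid
                .thenComparing(c -> !defaultTreeType.equals(c.treeType()))  // 3. default tree type
                .thenComparing(c -> c.treeType() == null)                   // 4. any tree type
                .thenComparing(Contract::validFrom,                         // 5. undefined valid from,
                        Comparator.nullsFirst(Comparator.naturalOrder())); // 6. then lowest valid from
    }

    static Optional<Contract> primeContract(List<Contract> contracts,
                                            LocalDate today, String defaultTreeType) {
        return contracts.stream().min(priority(today, defaultTreeType));
    }

    public static void main(String[] args) {
        // Constructed sample data: two main contracts, one of them expired.
        LocalDate today = LocalDate.of(2024, 6, 1);
        List<Contract> contracts = List.of(
                new Contract("main-expired", true, false, LocalDate.of(2020, 1, 1), LocalDate.of(2023, 12, 31), "ORG"),
                new Contract("main-valid", true, false, LocalDate.of(2022, 1, 1), null, "PROJECTS"),
                new Contract("valid-default-tree", false, false, LocalDate.of(2023, 1, 1), null, "ORG"));
        System.out.println(primeContract(contracts, today, "ORG").map(Contract::name).orElse("none"));
    }
}
```

In this sample the two main contracts tie on rule 1, so validity (rule 2) decides between them before tree type is considered at all.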

Search managers by CR

Managers could be found:

Searching for managers and subordinates can be overridden in a custom module by implementing the SubordinatesCriteriaBuilder interface.

CR state, validity

When CR validity ends, all roles assigned to the given CR are removed. It's not possible to assign roles to invalid contracts. An invalid contract is defined by:

HR processes

HR processes depend on CR state and validity:

These automatic processes can be configured in two ways, by:

The choice between the two ways is configurable: the processor can be disabled, and the long running tasks can be scheduled or not.

Other contract positions

Other positions can be configured for the contract. Other contract positions are used only for assigning automatic roles by the tree structure. Filtering and evaluating managers and subordinates is not supported for other contract positions.

Tree structures indexing

To make queries efficient, a separate library for the tree structure, ForestIndex, has been created. It builds an index next to the tree structure, with the following advantages:

The documentation and an example of getting involved in the project can be found here.

Searching through the index is linked to:

To rebuild the index, use the task RebuildTreeNodeIndexTaskExecutor, where you need to enter the code of the structure which should be re-indexed.

Automatically assigned roles

The intro is described in the admin section here.

Heredity of assigned roles

If the role is assigned to an organizational structure component, the following behaviour may occur:

  A
  |
  B
 / \
C   D
   / \
  E   F

Audit

All changes in assigning roles to the organizational structure will be audited. The minimum indicated in the audit log will be:

Change of user's roles

An update (adding and removing) of automatically assigned roles within an identity occurs at least in the following cases:

Implementation details