Table of Contents
Module - Recertification
What do you need before you start
- You need to have CzechIdM 9.7.0 (or higher) installed.
- You need to be logged in as admin (or an identity with superAdminRole).
- You need to enable the Recertification module.
- For hard recertification you will need plan new LRT - RecertificationRemoveRolesTaskExecutor (since module version 3.2.0)
Two new agendas were created under main menu Roles→Recertification:
- Recertification requests - contains created recertification requests.
- Recertification - contains created recertification actions. It contains requests grouped by recertification action executed by bulk actions.
Dashboard
Dashboard with recertification requests was created - it shows unresolved requests, which can be approved by a logged user with appropriate rights. The table of recertification request is the same as below - the default filter shows the currently logged user and only unresolved requests. The dashboard is hidden when no requests are found.
Recertification requests
Request table:
On the recertification request detail there are following tabs:
- with items - contains basic information about the request and items to approve.
- with approvers - shows current available approvers by recertification type (contract managers or role guarantee defined by user or role).
- with role requests - when assigned role represented by a recertification item is removed, the assigned role is removed by role request. You can see the state of this request.
Recertification actions
Contains requests grouped by recertification action executed by bulk actions.
Identity and role detail
Tab with recertified assigned roles was added to role and identity detail.
READ permission for recertification items is needed. Transitive authorization evaluators (by recertification request and action) were prepared, see the security chapter.
Identity and role table
Bulk action for starting a recertification action is available on identity and role table.
Bulk action modal window
Notification before recertification ends
Configurable task is standard long running task, configuration is set in task planner. Task search for recertifications with due date near end and send notification.
Configuration
- Number of days before recertification ends - ie. 5
- Script - script for overload recipient search. Without script (default behavior) LRT finds recertification approver. With custom search script different recipients can be found, input is RecRecertificationDto, output is List<IdmIdentityDto>.
- Notification topic - Topic for notification, default value is: rec:recertificationDueDateWarning (notification with url), second one is rec:recertificationDueDateWarningSubordinates (information about recertification approvers etc.).
- Merge notification for one identity - information about all recertifications are sorted by identity (recipient), each identity get one notification with list of all recertifications where it is recipient.
With module, 2 standard script for search recipients are provided:
- recFindIdentitiesWithHelpdeskRole - find all active identities with role.
- recFindRecertificationApproversManagers - find recertification approvers and for every identity finds its manager.
Hard (force) recertification
For every recertification (since 3.2.0 module version) can be setup boolean flag "Hard recertification". Every recertification will be after the due date checked and all not processed recertification will be processed with new task (RecertificationRemoveRolesTaskExecutor) and role will be removed.
Long running task RecertificationRemoveRolesTaskExecutor isn't planned by default. For hard recertification is required to plan the task at least one per day.
For project that updates from older versions will be for all recertification setup the new hard recertification flag to false = hard recertification disabled.
Long running task RecertificationRemoveRolesTaskExecutor has only one configuration - days after. The paramter days after is for configuration how long after due date by recertification will be roles removed. By default is the parameter zero. This is equivalent to remove roles directly after due date.
LRT for regular identity recertification
Since version 14.0.0 of the module, a long running task Recertification of users’ assigned roles has been available, allowing scheduled regular identity recertification. The parameters are similar to those of the bulk recertification action on the users’ agenda, with two differences:
- instead of selecting users, it is possible to recertify only role assignments on contracts within selected tree nodes
- instead of an absolute deadline (a specific date), the number of days after the start of the recertification until the deadline is specified
LRT Configuration
| Attribute | Description |
| Tree node | If any tree nodes are selected, only the roles assigned to contracts within the selected tree nodes or their subordinate nodes (at any level, with complete subtrees taken into account) will be recertified. If no unit is selected, all roles assigned to contracts will be recertified. |
| Recertification type | If Approve by identity contracted position is selected, the assigned role is approved by the manager of the user to whom the role is assigned. If Approve by role authorizer is selected, the assigned role is approved by the guarantor of that role. |
| Authorizer type | This attribute is available if the guarantee-type code list exists and contains at least one item. If a value is selected, then during role recertification only guarantors of the selected type act as approvers. If no value is selected, all guarantors of the role act as approvers. |
| Recertificate selected roles only | If any roles are selected, only the assignments of these roles to user contracts are recertified. If no role is selected, all assigned roles are recertified. |
| Number of days | The number of days from the start of the recertification after which the recertification window expires, and in the case of a hard recertification, assigned roles that were not approved are removed. Example: If this parameter is set to 30 and the task is started on September 1, the deadline will expire on October 1. |
| Hard recertification | If checked, assigned roles that were not approved will be removed after the recertification deadline expires. |
Scheduling
The task can be scheduled using the standard scheduler, for example, to run once a month on the first day at 1:00 AM as follows:
If more advanced scheduling is needed, for example, twice a year on January 1 and July 1 at 3:00 AM, a CRON expression can be used - in this case: 0 0 3 1 1,7 ?.
