Differences
This shows you the differences between two versions of the page.
devel:documentation:architecture:dev:events:init-data [2020/08/18 11:36] tomiskar [Scheduled tasks] |
devel:documentation:architecture:dev:events:init-data [2021/10/06 12:20] (current) tomiskar |
||
---|---|---|---|
Line 4: | Line 4: | ||
@since 10.5.0 | @since 10.5.0 | ||
+ | |||
+ | Application init data are checked and created (updated), when application is started. Init data contains product provided roles, form definitions, | ||
Application initialization and init data is created by registered processors. Init data is created, when application starts. | Application initialization and init data is created by registered processors. Init data is created, when application starts. | ||
+ | |||
+ | {{ : | ||
Product provided processors: | Product provided processors: | ||
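Review bot: the added opening sentence ("Application init data are checked and created (updated), when application is started.") repeats the unchanged sentence that follows it ("Init data is created, when application starts."), and the two disagree on "data are" versus "data is". Fold them into one sentence that keeps the new "checked and updated" detail and the existing mention of registered processors.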
Line 17: | Line 21: | ||
| core | core-init-codelist-processor | Init base codelists (environment). | -300 | no | | | core | core-init-codelist-processor | Init base codelists (environment). | -300 | no | | ||
| core | core-init-form-definition-processor | Init default extended form definitions for formable types (identity, role, contract, tree node). | -200 | no | | | core | core-init-form-definition-processor | Init default extended form definitions for formable types (identity, role, contract, tree node). | -200 | no | | ||
- | | core | core-init-password-policy-processor | Init base password policies for password validate and generate, when no other policy is defined. Validation policy set 30s fogin blocking time with 5 unsuccessful login attempts. Generate policy is configured to generate 8-12 char length passwords with 2 lower, 2 upper, 2 number and 2 special chars. | -150 | yes | | ||
| core | core-init-generator-processor | Init value generators for set default values of extended form attributes (for identity, role request concepts and assigned role attributes). | -100 | no | | | core | core-init-generator-processor | Init value generators for set default values of extended form attributes (for identity, role request concepts and assigned role attributes). | -100 | no | | ||
| core | core-init-role-catalogue-processor | Init product provided role catalogue item ' | | core | core-init-role-catalogue-processor | Init product provided role catalogue item ' | ||
Line 29: | Line 32: | ||
| acc | acc-init-role-manager-role-processor | Init role manager role for acc module (by configuration ' | | acc | acc-init-role-manager-role-processor | Init role manager role for acc module (by configuration ' | ||
| core | core-init-user-manager-role-processor | Init user manager role for core module (by configuration ' | | core | core-init-user-manager-role-processor | Init user manager role for core module (by configuration ' | ||
+ | | core | core-init-delegation-role-processor | Init role with permissions for a delegations. Role is created, when not exist. Role will not be created, when configuration property is empty (defined, but empty string is given). Role is created with ' | ||
| core | core-init-admin-identity-processor | Init administrator identity with ' | | core | core-init-admin-identity-processor | Init administrator identity with ' | ||
| core | core-init-organization-processor | Init default organization type ' | | core | core-init-organization-processor | Init default organization type ' | ||
| core | core-init-demo-data-processor | Initialize demo data for application. | 3000 | has own additional property, see below | | | core | core-init-demo-data-processor | Initialize demo data for application. | 3000 | has own additional property, see below | | ||
+ | | core | core-init-password-policy-processor | Init base password policies for password validate and generate, when no other policy is defined. Validation policy set 30s fogin blocking time with 5 unsuccessful login attempts, minimum 8 char length passwords. Generate policy is configured to generate 8-12 char length passwords with 2 lower, 2 upper, 2 number and 2 special chars. | 5000 | yes | | ||
| core | core-init-scheduled-task-processor | Schedule core long running tasks. | 10000 | no | | | core | core-init-scheduled-task-processor | Schedule core long running tasks. | 10000 | no | | ||
| acc | acc-init-scheduled-task-processor | Schedule acc long running tasks. | 10100 | no | | | acc | acc-init-scheduled-task-processor | Schedule acc long running tasks. | 10100 | no | | ||
+ | | core | core-init-monitoring-processor | Init monitoring manager and product provided monitoring evaluators. | 11000 | yes | | ||
+ | | acc | acc-init-monitoring-processor | Init product provided monitoring evaluators. | 11010 | yes | | ||
+ | | vs | vs-init-monitoring-processor | Init product provided monitoring evaluators. | 11020 | yes | | ||
**Column disableable** - processor can be disabled by additional property '' | **Column disableable** - processor can be disabled by additional property '' | ||
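Review bot: the core-init-password-policy-processor row moves from order -150 to 5000 without any explanation. If lower values run first, the default validation policy is now initialized after core-init-demo-data-processor (3000) instead of ahead of the role and identity processors. Say in the row or below the table why the policy is initialized this late and whether passwords set by earlier processors are checked against it. The re-added description also still reads "30s fogin blocking time"; that should be "login".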
Line 39: | Line 47: | ||
Processors are registered to event type '' | Processors are registered to event type '' | ||
- | <note tip>All registered processors are available in agenda (Settings - Modules - Processors).</ | + | <note tip>All registered processors are available in agenda (Settings - Modules - Processors |
===== Product provided roles ===== | ===== Product provided roles ===== | ||
Roles to cover basic IdM usecases were designed and provided from product (~person). Product roles are checked, when application is started - they are created for new instalations and updated, when new IdM version is installed, or role definition is changed (e.g. when some required authorization policy has been deleted). | Roles to cover basic IdM usecases were designed and provided from product (~person). Product roles are checked, when application is started - they are created for new instalations and updated, when new IdM version is installed, or role definition is changed (e.g. when some required authorization policy has been deleted). | ||
- | Configured role authorization policies are created or updated after application has started. Additional authorization policies can be configured. | ||
- | **Role type enumeration is used now for product provided roles**. Role type '' | + | Configured role authorization policies are created or updated after application has started. Additional authorization policies can be configured. Authorization policy can be disabled, if is not needed - policy will be not enabled after application has started. |
+ | |||
+ | **Role type enumeration is used now for product provided roles**. Role type '' | ||
+ | |||
+ | <note tip> | ||
+ | Configured **authorization policies are updated by** complex key - combination of **authorizable type and evaluator type**. | ||
+ | |||
+ | Examples: | ||
+ | * When authorization policy is removed - then is created again after application starts. | ||
+ | * When authorization policy is changed | ||
+ | * When authorization policy is added to product provided role - it's preserved without change. **Be careful - different combination of authorizable type and evaluator type can be added only**. | ||
+ | * When authorization policy is disabled, then is updated to product provided configuration again after application starts, but it's still disabled. | ||
+ | |||
+ | **[[..: | ||
+ | * [[..: | ||
+ | * '' | ||
+ | * If product provided role contains authorization policy, which is not needed => policy can be disabled and is not effective anymore. | ||
+ | </ | ||
<note tip> | <note tip> | ||
- | Product provided role codes (=names) | + | Product provided role codes can be changed by [[..: |
Product provided roles: | Product provided roles: | ||
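Review bot: the warning in the third example bullet ("different combination of authorizable type and evaluator type can be added only") does not say what happens when an administrator adds a policy with the same combination as a product provided one. The note says policies are updated by that key, so spell out the consequence (presumably the custom settings are overwritten at startup), because that is the case that silently changes permissions. It would also help to state next to the first bullet that a removed policy comes back at startup while a disabled one stays disabled, so disabling is the only lasting way to withdraw a product provided permission.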
Line 61: | Line 85: | ||
| Role manager | roleManagerRole | Role manager - [[..: | | Role manager | roleManagerRole | Role manager - [[..: | ||
| Virtual system implementer | virtualSystemImplementerRole | Approve requests for virtual system - [[..: | | Virtual system implementer | virtualSystemImplementerRole | Approve requests for virtual system - [[..: | ||
+ | | Delegation | delegationRole| Default permissions for delegations - [[..: | ||
Roles are created by registered processors. Role is not created, when processor is disabled by [[..: | Roles are created by registered processors. Role is not created, when processor is disabled by [[..: | ||
+ | |||
+ | <note important> | ||
===== Scheduled tasks ===== | ===== Scheduled tasks ===== | ||
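Review bot: in the added Delegation row, "delegationRole|" is missing the space before the cell separator that the neighbouring rows use ("roleManagerRole |"). Add it so the table source stays consistent.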
Line 71: | Line 98: | ||
| core | HrEnableContractProcess | - | Start of contract validity - before end and expire. | 0.35 | | | core | HrEnableContractProcess | - | Start of contract validity - before end and expire. | 0.35 | | ||
| core | IdentityRoleValidRequestTaskExecutor | - | Start of assigned role validity. | 0.45 | | | core | IdentityRoleValidRequestTaskExecutor | - | Start of assigned role validity. | 0.45 | | ||
- | | core | HrEndContractProcess | - | End of contract validity - scheduled before default contract expiration (this task works with disabled state too). | 0.50 | | + | | core | HrEndContractProcess | - | End of contract validity - scheduled before default contract expiration (this task works with disabled state too and set identity state by contract state). | 0.50 | |
| core | HrContractExclusionProcess | - | Exclude contract. | 0.55 | | | core | HrContractExclusionProcess | - | Exclude contract. | 0.55 | | ||
| core | IdentityContractExpirationTaskExecutor | - | Remove roles by expired identity contracts (=> removes assigned roles). | 1.00 | | | core | IdentityContractExpirationTaskExecutor | - | Remove roles by expired identity contracts (=> removes assigned roles). | 1.00 | |
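Review bot: the clause added to the HrEndContractProcess row, "and set identity state by contract state", should read "sets" and does not say which identity state results from which contract state. Name the resulting state or link to the page that defines the mapping, since this determines what happens to the identity when its contract ends.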