Differences

devel:documentation:architecture:dev:events:init-data [2020/08/31 07:41]
tomiskar
devel:documentation:architecture:dev:events:init-data [2021/10/06 12:20] (current)
tomiskar
Line 8: Line 8:
  
 Application initialization and init data is created by registered processors. Init data is created, when application starts. Application initialization and init data is created by registered processors. Init data is created, when application starts.
 +
 +{{ :devel:documentation:architecture:dev:events:produc-provided-roles.png |}}
  
 Product provided processors: Product provided processors:
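Review bot: the new image embed has an empty caption after the `|`, and the media id `produc-provided-roles.png` looks like a truncation of `product-provided-roles.png`; confirm the uploaded media name matches (otherwise the embed renders as a broken link) and add a short caption saying what the diagram shows, since the surrounding text only says init data is created by registered processors.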
Line 19: Line 21:
 | core | core-init-codelist-processor | Init base codelists (environment). | -300 | no | | core | core-init-codelist-processor | Init base codelists (environment). | -300 | no |
 | core | core-init-form-definition-processor | Init default extended form definitions for formable types (identity, role, contract, tree node). | -200 | no | | core | core-init-form-definition-processor | Init default extended form definitions for formable types (identity, role, contract, tree node). | -200 | no |
-| core | core-init-password-policy-processor | Init base password policies for password validate and generate, when no other policy is defined. Validation policy set 30s fogin blocking time with 5 unsuccessful login attempts. Generate policy is configured to generate 8-12 char length passwords with 2 lower, 2 upper, 2 number and 2 special chars. | -150 | yes | 
 | core | core-init-generator-processor | Init value generators for set default values of extended form attributes (for identity, role request concepts and assigned role attributes). | -100 | no | | core | core-init-generator-processor | Init value generators for set default values of extended form attributes (for identity, role request concepts and assigned role attributes). | -100 | no |
 | core | core-init-role-catalogue-processor | Init product provided role catalogue item 'CzechIdM Roles'. This item will contain all product provided roles (by person). Catalogue item is created, when no other catalogue item exists.If this processor is disabled, then catalogue item will not be created and product provided roles will be created without catalogue relation. | -50 | yes | | core | core-init-role-catalogue-processor | Init product provided role catalogue item 'CzechIdM Roles'. This item will contain all product provided roles (by person). Catalogue item is created, when no other catalogue item exists.If this processor is disabled, then catalogue item will not be created and product provided roles will be created without catalogue relation. | -50 | yes |
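Review bot: removing the `core-init-password-policy-processor` row here only makes sense together with its re-insertion further down at order 5000, and that move changes when the password policies exist relative to the other processors: at -150 they were created before the admin identity (order 100) and demo data (order 3000), at 5000 they are created after both. State the reason for the new order next to the row (for example whether identities created earlier in the sequence are meant to bypass the validation policy), and fix "fogin blocking time" to "login blocking time" while the row is being moved.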
Line 31: Line 32:
 | acc | acc-init-role-manager-role-processor | Init role manager role for acc module (by configuration 'idm.sec.core.role.roleManager') - adds authorization policies for acc module. | 45 | yes  | | acc | acc-init-role-manager-role-processor | Init role manager role for acc module (by configuration 'idm.sec.core.role.roleManager') - adds authorization policies for acc module. | 45 | yes  |
 | core | core-init-user-manager-role-processor | Init user manager role for core module (by configuration 'idm.sec.core.role.userManager'). Role is created, when not exist. Role will not be created, when configuration property is empty (defined, but empty string is given). Role is created with 'SYSTEM' role type - type is checked, when role authorities are created (or updated).Role is placed into role catalogue 'CzechIdM Roles' item, if item is defined. | 50 | yes | | core | core-init-user-manager-role-processor | Init user manager role for core module (by configuration 'idm.sec.core.role.userManager'). Role is created, when not exist. Role will not be created, when configuration property is empty (defined, but empty string is given). Role is created with 'SYSTEM' role type - type is checked, when role authorities are created (or updated).Role is placed into role catalogue 'CzechIdM Roles' item, if item is defined. | 50 | yes |
 +| core | core-init-delegation-role-processor | Init role with permissions for a delegations. Role is created, when not exist. Role will not be created, when configuration property is empty (defined, but empty string is given). Role is created with 'SYSTEM' role type - type is checked, when role authorities are created (or updated). Role is placed into role catalogue 'CzechIdM Roles' item, if item is defined. | 60 | yes |
 | core | core-init-admin-identity-processor | Init administrator identity with 'admin' username. Admin identity is not created, when admin role is not created (not configured by property 'idm.sec.core.role.admin' or deleted). Admin identity is not created, when other identity with admin role (configured by property 'idm.sec.core.role.admin') exists. Admin identity is created with password with never ending expiration. Admin identity is created with profile with show system informaiton is enabled. Change admin password is recomended after identity is created. | 100 | no  | | core | core-init-admin-identity-processor | Init administrator identity with 'admin' username. Admin identity is not created, when admin role is not created (not configured by property 'idm.sec.core.role.admin' or deleted). Admin identity is not created, when other identity with admin role (configured by property 'idm.sec.core.role.admin') exists. Admin identity is created with password with never ending expiration. Admin identity is created with profile with show system informaiton is enabled. Change admin password is recomended after identity is created. | 100 | no  |
 | core | core-init-organization-processor | Init default organization type 'Organization structure' with one root tree node 'Root organization'. Tree type and node is created, if no other tree type exists. | 200 | yes | | core | core-init-organization-processor | Init default organization type 'Organization structure' with one root tree node 'Root organization'. Tree type and node is created, if no other tree type exists. | 200 | yes |
 | core | core-init-demo-data-processor | Initialize demo data for application. | 3000 | has own additional property, see below | | core | core-init-demo-data-processor | Initialize demo data for application. | 3000 | has own additional property, see below |
 +| core | core-init-password-policy-processor | Init base password policies for password validate and generate, when no other policy is defined. Validation policy set 30s fogin blocking time with 5 unsuccessful login attempts, minimum 8 char length passwords. Generate policy is configured to generate 8-12 char length passwords with 2 lower, 2 upper, 2 number and 2 special chars. | 5000 | yes |
 | core | core-init-scheduled-task-processor | Schedule core long running tasks. | 10000 | no | | core | core-init-scheduled-task-processor | Schedule core long running tasks. | 10000 | no |
 | acc | acc-init-scheduled-task-processor | Schedule acc long running tasks. | 10100 | no | | acc | acc-init-scheduled-task-processor | Schedule acc long running tasks. | 10100 | no |
 +| core | core-init-monitoring-processor | Init monitoring manager and product provided monitoring evaluators. | 11000 | yes |
 +| acc | acc-init-monitoring-processor | Init product provided monitoring evaluators. | 11010 | yes |
 +| vs | vs-init-monitoring-processor | Init product provided monitoring evaluators. | 11020 | yes |
  
 **Column disableable** - processor can be disabled by additional property ''idm.sec.core.init.data.enabled=false''. Each processor can be disabled by standard [[..:..:..:application_configuration:dev:backend#entity_event_processors|processor configuration]] with processor identifier usage. **Column disableable** - processor can be disabled by additional property ''idm.sec.core.init.data.enabled=false''. Each processor can be disabled by standard [[..:..:..:application_configuration:dev:backend#entity_event_processors|processor configuration]] with processor identifier usage.
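Review bot: the re-added `core-init-password-policy-processor` row (order 5000) still carries the "fogin" typo ("login") and should spell out that the new "minimum 8 char length passwords" clause belongs to the validation policy, not the generate policy. In the new `core-init-delegation-role-processor` row, "permissions for a delegations" should read "permissions for delegations", and the row refers to "configuration property is empty" without naming the property; the user-manager row above names `idm.sec.core.role.userManager`, so name `idm.sec.core.role.delegation` here (it is the property given for this role in the roles table later in this diff). The three monitoring rows would also benefit from a one-line note on whether disabling them (column disableable is "yes") also stops the monitoring manager itself or only skips registering the evaluators.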
Line 47: Line 53:
 Roles to cover basic IdM usecases were designed and provided from product (~person). Product roles are checked, when application is started - they are created for new instalations and updated, when new IdM  version is installed, or role definition is changed (e.g. when some required authorization policy has been deleted). Roles to cover basic IdM usecases were designed and provided from product (~person). Product roles are checked, when application is started - they are created for new instalations and updated, when new IdM  version is installed, or role definition is changed (e.g. when some required authorization policy has been deleted).
  
-Configured role authorization policies are created or updated after application has started. Additional authorization policies can be configured.+Configured role authorization policies are created or updated after application has started. Additional authorization policies can be configured. Authorization policy can be disabled, if is not needed - policy will be not enabled after application has started.
  
 **Role type enumeration is used now for product provided roles**. Role type ''SYSTEM'' is used for all product provided roles and is checked before update role authorization policies, when new CzechIdM version is installed. **Authorization policies updates can be disabled by changing the role type to any other => role policies will not be updated** and vice versa, authorization policies updates for roles created before IdM version 10.5.0 can be enabled (e.g. for user role) by changing the role type to ''SYSTEM'' **Role type enumeration is used now for product provided roles**. Role type ''SYSTEM'' is used for all product provided roles and is checked before update role authorization policies, when new CzechIdM version is installed. **Authorization policies updates can be disabled by changing the role type to any other => role policies will not be updated** and vice versa, authorization policies updates for roles created before IdM version 10.5.0 can be enabled (e.g. for user role) by changing the role type to ''SYSTEM''
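Review bot: the added sentence "Authorization policy can be disabled, if is not needed - policy will be not enabled after application has started" has a grammar problem and leaves the behaviour ambiguous; suggest "An authorization policy can be disabled if it is not needed; a disabled policy is not re-enabled when the application starts." It should also say whether the disabled policy is still updated to the product provided configuration on restart (the bullet added later in this diff says it is, but stays disabled), so readers do not assume disabling also freezes its permissions.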
Line 58: Line 64:
   * When authorization policy is changed (permissions or additional configuration properties) - then is updated to product provided configuration again after application starts.   * When authorization policy is changed (permissions or additional configuration properties) - then is updated to product provided configuration again after application starts.
   * When authorization policy is added to product provided role - it's preserved without change. **Be careful - different combination of authorizable type and evaluator type can be added only**.   * When authorization policy is added to product provided role - it's preserved without change. **Be careful - different combination of authorizable type and evaluator type can be added only**.
 +  * When authorization policy is disabled, then is updated to product provided configuration again after application starts, but it's still disabled.
  
-**[[..:..:..:security:dev:authorization#default_policies|Default user role]] can be changed** two ways (best practice):+**[[..:..:..:security:dev:authorization#default_policies|Default user role]] can be changed** three ways (best practice):
   * [[..:..:..:security:dev:authorization#default_policies|Default user role]] supports sub roles @since 10.5.0 version - **new authorization policies can be configured to new role and role can be defined as sub role**,   * [[..:..:..:security:dev:authorization#default_policies|Default user role]] supports sub roles @since 10.5.0 version - **new authorization policies can be configured to new role and role can be defined as sub role**,
   * ''SYSTEM'' role type of default user role can be removed - when authorization policy has to be removed (~ prevent to update role policies after restart).   * ''SYSTEM'' role type of default user role can be removed - when authorization policy has to be removed (~ prevent to update role policies after restart).
 +  * If product provided role contains authorization policy, which is not needed => policy can be disabled and is not effective anymore.
 </note> </note>
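Review bot: the new first bullet ("When authorization policy is disabled, then is updated to product provided configuration again after application starts, but it's still disabled.") needs a subject and reads better as "When an authorization policy is disabled, it is still updated to the product provided configuration after the application starts, but it stays disabled." The new third way ("If product provided role contains authorization policy, which is not needed => policy can be disabled and is not effective anymore.") should be phrased like the other two bullets and could state the practical point the page already implies: disabling is preferable to deleting, because a deleted policy on a `SYSTEM` role is recreated on the next start (see "role definition is changed (e.g. when some required authorization policy has been deleted)" above).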
  
Line 77: Line 85:
 | Role manager | roleManagerRole | Role manager - [[..:..:..:security:dev:authorization#default_settings_of_permissions_for_a_role_detail|authorization policies configuration]] | ''idm.sec.core.role.roleManager'' | core-init-role-manager-role-processor| | Role manager | roleManagerRole | Role manager - [[..:..:..:security:dev:authorization#default_settings_of_permissions_for_a_role_detail|authorization policies configuration]] | ''idm.sec.core.role.roleManager'' | core-init-role-manager-role-processor|
 | Virtual system implementer | virtualSystemImplementerRole | Approve requests for virtual system - [[..:..:..:security:dev:authorization#settings_of_permissions_for_virtual_system_implementer|authorization policies configuration]] | ''idm.sec.vs.role.implementer'' | vs-init-implementer-role-processor | | Virtual system implementer | virtualSystemImplementerRole | Approve requests for virtual system - [[..:..:..:security:dev:authorization#settings_of_permissions_for_virtual_system_implementer|authorization policies configuration]] | ''idm.sec.vs.role.implementer'' | vs-init-implementer-role-processor |
 +| Delegation | delegationRole| Default permissions for delegations - [[..:..:..:security:dev:authorization#default_settings_of_permissions_for_delegations|authorization policies configuration]] | ''idm.sec.core.role.delegation'' | core-init-delegation-role-processor |
  
 Roles are created by registered processors. Role is not created, when processor is disabled by [[..:..:..:application_configuration:dev:backend#entity_event_processors|configuration]]. Roles are created by registered processors. Role is not created, when processor is disabled by [[..:..:..:application_configuration:dev:backend#entity_event_processors|configuration]].
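Review bot: in the new Delegation row the second cell is `delegationRole|` without the space before the pipe that every other row uses; harmless for DokuWiki rendering but worth aligning. Also confirm that the linked anchor `default_settings_of_permissions_for_delegations` exists on the security authorization page, since the other rows link to sections that are already documented there, and that `core-init-delegation-role-processor` (order 60, added earlier in this diff) is the processor that honours `idm.sec.core.role.delegation` when the property is empty.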
Line 89: Line 98:
 | core | HrEnableContractProcess | - | Start of contract validity - before end and expire. | 0.35 | | core | HrEnableContractProcess | - | Start of contract validity - before end and expire. | 0.35 |
 | core | IdentityRoleValidRequestTaskExecutor | - | Start of assigned role validity. | 0.45 | | core | IdentityRoleValidRequestTaskExecutor | - | Start of assigned role validity. | 0.45 |
-| core | HrEndContractProcess | - | End of contract validity - scheduled before default contract expiration (this task works with disabled state too). | 0.50 |+| core | HrEndContractProcess | - | End of contract validity - scheduled before default contract expiration (this task works with disabled state too and set identity state by contract state). | 0.50 |
 | core | HrContractExclusionProcess | - | Exclude contract. | 0.55 | | core | HrContractExclusionProcess | - | Exclude contract. | 0.55 |
 | core | IdentityContractExpirationTaskExecutor | - | Remove roles by expired identity contracts (=> removes assigned roles). | 1.00 | | core | IdentityContractExpirationTaskExecutor | - | Remove roles by expired identity contracts (=> removes assigned roles). | 1.00 |
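Review bot: the extended `HrEndContractProcess` description ("this task works with disabled state too and set identity state by contract state") should read "sets identity state by contract state", and the two clauses joined by "and" are different statements: one is about the task still running for disabled contracts, the other about what the task changes. Split them and say which identity state results when a contract ends, since a task that changes identity state affects access and is the kind of behaviour an operator scheduling it at 0.50 needs to know.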