Deduplication for automatic roles by organization

The feature is useful for CzechIdM environments in which many identical automatic roles are defined across the organization structure. For example:

In this case there is an organization structure with three levels. Automatic roles are defined on the nodes of the last (third) level, and all of them are defined for the same role.

The long running task for deduplication processes each level, each organization node and its automatic roles. Every automatic role on an organization node is compared with the automatic roles of the other nodes on the same level, and a new virtual organization structure with new automatic role definitions is built from the result.

In our case the new organization structure with automatic role definitions looks like the second image:

The role role1 was moved to the root node. Every node on the third level has the same automatic role definition and every node has some contracts assigned. On the second level there is no automatic role definition and no assigned contract, so the role can be moved one more level up, i.e. to the root node.

Two automatic role definitions are the same when all of the rules below are met:

  • the role definition must be the same,
  • both roles must be assigned; when one of the roles is not assigned, the roles are not the same,
  • neither role may have recursion type UP,
  • a role cannot be processed while it has recursion NO and a child organization element exists,
  • both roles must have the same recursion type; there is one exception to this rule, see the section Recursion DOWN and NO.

When all these rules are met, the automatic role can be moved up.

These rules must be met for every automatic role on the same level.

Deduplication is implemented as a long running task. Go to Settings → Task scheduler → Scheduled tasks and schedule a new long running task with the name Deduplication of automatic roles by tree structure (AutomaticRoleByTreeNodeDeduplicationExecutor).

The long running task has these configuration options:

  • Tree node - deduplication is executed for the selected organization node. It proceeds recursively through all children of the selected node.
  • Ignore contracts with expired validity - the task ignores contracts with expired validity and disabled contracts. As a result, if a tree node contains only contracts with expired validity, it is considered empty.
  • Dry run - the task does not support the standard product dry run, because it processes a heterogeneous set of data. When dry run is checked, the new virtual organization structure is composed but not saved. Processed items and logs are available in the application log,
  • Log prefix - every important log message is prefixed with the defined string, for easier grepping or exporting of logs to a file.

Recursion DOWN and NO

We have this situation:

The same role is assigned on the same organization level, but on the right side a third level exists, while on the left side the organization node is a leaf.

In this case the recursion types are not the same, DOWN and NO (see the arrow and the dot). But the node with recursion NO has no child nodes.

The result is that the roles are marked as the same, and the role is moved up.

After the new virtual organization structure is composed, the task executes the standard events for creating and deleting automatic roles by organization structure (synchronously, in this order: create → delete).

The task is defensive: for every role removed from a user, a new one must be added.

New roles are added first by the task ProcessAutomaticRoleByTreeTaskExecutor; after each new role has been created, the duplicate role is removed by the task RemoveAutomaticRoleTaskExecutor.
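As an added, self-contained model of the comparison rules, the DOWN/NO exception for leaf nodes and the create → delete event order described above (example code, not CzechIdM's own implementation in AutomaticRoleByTreeNodeDeduplicationExecutor): the Python below builds a small three-level tree like the one in the first image, walks it bottom-up, lifts a role to the parent level only when every sibling passes all rules, and records the resulting events. The Node and AutoRole types, the assumption that a lifted role gets recursion DOWN, and the assumption that the parent may carry neither its own contracts nor an existing definition of the same role are mine, not the product's.

```python
from dataclasses import dataclass, field

UP, DOWN, NO = "UP", "DOWN", "NO"   # recursion types of an automatic role by tree node


@dataclass
class AutoRole:
    role: str        # role definition, e.g. "role1"
    recursion: str   # UP, DOWN or NO


@dataclass
class Node:
    """Organization (tree) node. Assumed model type, not a CzechIdM entity."""
    name: str
    contracts: int = 0                               # valid contracts placed directly on the node
    auto_roles: list = field(default_factory=list)   # AutoRole definitions on this node
    children: list = field(default_factory=list)

    def find(self, role):
        return next((ar for ar in self.auto_roles if ar.role == role), None)


def subtree_contracts(node):
    return node.contracts + sum(subtree_contracts(c) for c in node.children)


def is_assigned(node, auto_role):
    """A definition counts as assigned when at least one contract receives the role from it."""
    if auto_role.recursion == DOWN:
        return subtree_contracts(node) > 0
    return node.contracts > 0          # NO covers only the node itself


def reject_reason(siblings, role):
    """Return None when `role` can be moved from every sibling to their parent,
    otherwise a short reason. Mirrors the rules in the text."""
    recursions = set()
    for node in siblings:
        ar = node.find(role)
        if ar is None:
            return f"{node.name}: no automatic role {role}"
        if ar.recursion == UP:
            return f"{node.name}: recursion UP is not supported"
        if not is_assigned(node, ar):
            return f"{node.name}: {role} is not assigned to any contract"
        if ar.recursion == NO and node.children:
            return f"{node.name}: recursion NO with child nodes"
        recursions.add(ar.recursion)
    # Same recursion type everywhere, except the DOWN/NO mix: a NO definition survived
    # the check above only on a leaf, where it has the same effect as DOWN.
    if len(recursions) > 1 and recursions != {DOWN, NO}:
        return "mixed recursion types"
    return None


def deduplicate(node, events=None):
    """Post-order walk: deduplicate deeper levels first, then try to lift each role that
    all children of `node` share onto `node`. Returns the events in the order the task
    applies them per lifted role: create on the parent first, then delete on the children."""
    if events is None:
        events = []
    if not node.children:
        return events
    for child in node.children:
        deduplicate(child, events)
    for role in [ar.role for ar in node.children[0].auto_roles]:
        # Assumption: the parent must not have contracts of its own or already define the
        # role, otherwise lifting it would change who receives the role.
        if node.contracts or node.find(role):
            continue
        if reject_reason(node.children, role) is not None:
            continue
        node.auto_roles.append(AutoRole(role, DOWN))  # assumption: lifted role recurses DOWN
        events.append(("create", node.name, role))
        for child in node.children:
            child.auto_roles.remove(child.find(role))
            events.append(("delete", child.name, role))
    return events


def build_page_example():
    """Constructed three-level structure like the page's first image: role1 with recursion
    DOWN on every third-level node, each with one contract, nothing on the second level."""
    def leaves(prefix):
        return [Node(f"{prefix}{i}", contracts=1, auto_roles=[AutoRole("role1", DOWN)])
                for i in range(2)]
    return Node("root", children=[Node("A", children=leaves("a")),
                                  Node("B", children=leaves("b"))])


if __name__ == "__main__":
    root = build_page_example()
    for event in deduplicate(root):
        print(*event)
    print("root now defines:", [(ar.role, ar.recursion) for ar in root.auto_roles])
```

Running the block lifts role1 from the four leaves to A and B and then from A and B to the root, which is the outcome the second image shows; `reject_reason` can also be called on any sibling list directly to see which rule blocks a merge.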

The task has these limitations:

  • the task does not work for UP recursion,
  • the task does not compare role parameters of assigned roles,
  • the task processes every item synchronously,
  • for big organization structures with many automatic roles the processing is very slow.

by doischert