Differences

devel:documentation:modules_rec [2019/08/08 13:56]
regulat [Modules - Recertification [rec]]
devel:documentation:modules_rec [2019/08/08 14:09]
regulat update
Line 9: Line 9:
 When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed). When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed).
  
-{{ :devel:documentation:rct.jpg?nolink |}}+{{ :devel:documentation:rct1.jpg?nolink |}}
  
 <note tip>CzechIdM version >= 9.7.0 is required.</note> <note tip>CzechIdM version >= 9.7.0 is required.</note>
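Review bot: the only change in this hunk is the screenshot reference, `{{ :devel:documentation:rct.jpg?nolink |}}` becoming `{{ :devel:documentation:rct1.jpg?nolink |}}`, while the unchanged paragraph just above it still carries the typos "periodicaly", "assigend" and "exluded"; since this revision already touches the section, fix those in the same pass, and if rct.jpg is no longer referenced from any page, remove the old media file so the wiki does not keep a stale copy of the screenshot alongside the new one.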
Line 27: Line 27:
 <note important>When **no approver** is found for given request, then **recertification is blocked** after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note> <note important>When **no approver** is found for given request, then **recertification is blocked** after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note>
  
-===== Configuration ===== 
- 
-Module configuration properties 
- 
-In the application profile (application.properties) and overloadable via ConfigurationService. 
- 
-<code properties> 
-# Recertification due date - default will be now() + 30 days.  
-# default: 30 [days] 
-idm.sec.rec.configuration.dueDateDays=30 
-# Recertification interval - default will be 0 days. Set to zero, when recertification will be created for already certified items. 
-# default: 0 [days] 
-idm.sec.rec.configuration.recertificationInterval=0 
-# If more than given recipients by given role is found, then limit is applied (prevent to spam all identities).  
-# default: 50  
-idm.sec.rec.configuration.notification.recipientLimit=50 
-</code> 
- 
-===== Notification ===== 
- 
-Module provides notifications and topics: 
- 
-  - ''rec:newRecertificationRequest'' - New recertification request was created. The notification shall be sent to the available approvers. 
-  - ''rec:recertificationDueDateWarning'' - Sends warning notification before recertification request is expired (due date). See ''RecertificationDueDateWarningTaskExecutor'' task. 
- 
-Templates were created for topic above with the same name (uppercase without ':'). Topic have ''email'' sender configured by default. 
- 
-===== Long running task ===== 
- 
-Module provides tasks: 
- 
-==== RecertificationDueDateWarningTaskExecutor ==== 
- 
-Sends warning notification before recertification request is expired (due date). Task is not configured by default. 
- 
-=== Parameters  === 
- 
-  * ''days-before'' - Number of days before due date expires. 
- 
- 
-===== Security ===== 
- 
-Implemented autorization evaluators: 
- 
-=== RecertificationRequestByRecertificationActionEvaluator === 
- 
-Permissions to recertification request by action. 
- 
-=== RecertificationItemByRecertificationRequestEvaluator === 
- 
-Permissions to items by recertification request. 
- 
-=== RecertificationRequestByApproverEvaluator === 
- 
-Permissions to recertification request by approver. 
- 
-==== Example of security setting ==== 
- 
-=== Person - security === 
- 
-Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests.  
- 
-Set the role authorization policies as follows: 
- 
-  * Users (IdmIdentity)| Read | BasePermissionEvaluator 
-  * Roles (IdmRole)| Read, Update, Delete | BasePermissionEvaluator 
-  * Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator 
-  * Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator 
-  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator 
-  * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator 
-  * Scheduler (IdmProcessedTaskItem) | Read | BasePermissionEvaluator 
- 
-// * Scheduler permissions are optional - user will see recertification action progress, when is started. // 
- 
-//* All role permissions (''READ'', ''UPDATE'', ''DELETE'') is needed for execute recertification action on selected role. // 
- 
-//* ''DELETE'' permission can be added to action to enable removing created action and requests (e.g. security can remove blocked or old records). // 
- 
-=== Person - approver === 
- 
-Person can see and approve recertification requests, where is in available approvers. Cannot see and create recertification actions. 
- 
-Set the role authorization policies as follows: 
- 
-  * Users (IdmIdentity)| Read | BasePermissionEvaluator 
-  * Roles (IdmRole)| Read | BasePermissionEvaluator 
-  * Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator 
-  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator 
- 
-<note tip>When you want to disable possibility to remove assigned roles by approver (just approve), then don't add ''UPDATE'' persmission to recertification request (item is secured transitivelly by request).</note> 
- 
-<note tip>All roles and identities have ''READ'' permission. Replace this permissions with your project specific setting (e.g. just subordinates can be shown, only some roles)</note> 
- 
-<note tip>[[.:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|Default user role]] setting is expected.</note> 
- 
- 
-===== Filters ===== 
- 
-New filter were registred to core: 
- 
-==== IdentityByRecertificationRequestApproverFilter ==== 
- 
-Filter identities, which can approve given recertification request by recertification type: 
-  * ''CONTRACT'': user contract managers 
-  * ''ROLE'': role guarantees 
- 
-=== Parameters=== 
- 
-  * ''approveRecertificationRequestId'' - a key parameter; uuid of the request for which approvers will be searched. 
- 
-==== IdentityRoleByRecertificationIntervalFilter ==== 
- 
-Filter identity roles by recertification interval => assigned roles, which was not recertified in given interval. 
- 
-=== Parameters=== 
- 
-  * ''recertificationInterval'' - a key parameter; recertification interval in days. 
- 
-==== RoleRequestByRecertificationRequestFilter==== 
- 
-Filter role requests, which were created by given recertification request. 
- 
-=== Parameters=== 
- 
-  * ''recertificationRequestId'' - a key parameter; uuid of the request for which requests will be searched. 
- 
-===== Frontend ===== 
- 
-Two new agendas were created under **Roles** main menu: 
-  * **Recertification requests** - contains created recertification requests. 
-  * **Recertification** - contains created recertification action. Contains requests grouped by recertification action executed by bulk actions. 
- 
-==== Recertification requests ==== 
- 
-Request table: 
- 
-{{ :devel:documentation:recertification-requests.png |}} 
- 
-On recertification request detail is tabs: 
-  * with items - contains basic information about request and items to approve. 
-  * with approvers - shows current available approvers by recertification type (contract managers or role guarantee defined by user or role). 
-  * with role requests - when assigned role representing by recertification item is removed, when assigned role is removed by role request. You can se state of this request. 
- 
-{{ :undefined:recertification-request-detail.png |}} 
- 
-==== Recertification actions ==== 
- 
-Contains requests grouped by recertification action executed by bulk actions. 
- 
-{{ :devel:documentation:recertification-actions.png |}} 
- 
-==== Identity and role detail ==== 
- 
-Tab with recertified assigned roles was added to role and identity detail. 
- 
-{{ :devel:documentation:recertification-identity-tab.png |}} 
- 
-<note tip>''READ'' recertification items persmission is needed. Transitive authorization evaluators (by recertification request and action) were prepared, see security chapter.</note> 
- 
-==== Identity and role table ==== 
- 
-Bulk action for start recertification action is available on identity and role table. 
- 
-{{ :devel:documentation:recertification-bulk-action.png |}} 
- 
-Bulk action modal window 
- 
-{{ :devel:documentation:recertification-bulk-action-detail.png |}} 
- 
-<note tip>Recertification action name will be filled automatically by selected roles or identities (if more than 15 records is selected, thne name will be truncated to prevent long names).</note> 
- 
- 
-<note tip>Recertification due date is required and prefilled by [[#configuration|configuration]].</note> 
- 
- 
-==== Dashboard ==== 
- 
-Dashboard with recertification requests was created - shows unresolved requests, which can be approved by logged user. Table of recertification request is the same as above - filter is only preseted by logged user and only unresolved requests are shown. Dashboard is hidden, when no requests are found. 
- 
-{{ :devel:documentation:recertification-dashboard.png |}} 
  
  
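Review bot: this hunk deletes the whole Configuration, Notification, Long running task, Security, Filters and Frontend sections with nothing put in their place, and the edit summary says only "update"; if the content was moved to separate pages, leave links to them here, because the removed text is what tells an administrator how to scope the module's permissions (the per-role authorization policies for RecRecertificationAction, RecRecertificationRequest and RecRecertificationItem, and the tip that leaving `UPDATE` off RecRecertificationRequest limits approvers to approving without removing assigned roles), and without it the `<note important>` above about a blocked recertification no longer points anywhere that explains how approvers are configured. If the sections are relocated rather than dropped, two details in them should be fixed on the way: the image reference `{{ :undefined:recertification-request-detail.png |}}`, whose `:undefined:` namespace looks like a broken upload path, and the properties comment "Set to zero, when recertification will be created for already certified items", which is hard to parse and would be clearer as "with 0, already certified items are included in new recertifications again".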
  • by poulm