Modules - Recertification [rec]
The role recertification module re-approves (recertifies) roles that are already assigned to users.
When a user has had many assigned roles for a long time, these assignments should be reviewed periodically (for security reasons, e.g. every half year) to find roles that should already have been removed. Only currently valid, manually and directly assigned roles are checked: manually assigned roles are the only ones that stay assigned after the user has changed in some way (e.g. the user's contract was excluded or the work position changed).
Terminology
- Recertification action - a bulk action that creates recertification requests. The action can be executed from the user table or the role table.
- Recertification request - created for a single user contract or a single role (depending on the recertification type, see below) and contains items.
- Recertification item - a single assigned role that should be approved within a recertification request. An item (= assigned user role) can be approved (~recertified) or removed.
Recertification types
The recertification type defines who can approve a recertification request and what the request contains:
- Approve by user contract manager - a recertification request is created for each user contract included in the recertification action. The managers defined by the user contract can approve this request.
- Approve by role guarantee - a recertification request is created for each role included in the recertification action. The role guarantees (defined by user or by role) can approve this request.
Configuration
Module configuration properties
Properties are set in the application profile (application.properties) and can be overridden via ConfigurationService.
# Recertification due date - default is now() + 30 days.
# default: 30 [days]
idm.sec.rec.configuration.dueDateDays=30
# Recertification interval - default is 0 days. Assigned roles recertified within this interval are skipped. Set to 0 if recertification requests should be created even for items that were already certified.
# default: 0 [days]
idm.sec.rec.configuration.recertificationInterval=0
# If more recipients than this limit are found for a given role, the limit is applied (prevents spamming all identities).
# default: 50
idm.sec.rec.configuration.notification.recipientLimit=50
Notification
Module provides notifications and topics:
rec:newRecertificationRequest
- A new recertification request was created. The notification is sent to the available approvers.
rec:recertificationDueDateWarning
- A warning sent before a recertification request expires (due date). See the RecertificationDueDateWarningTaskExecutor task.
Templates were created for the topics above with the same names (uppercase, without ':'). The topics have the email sender configured by default.
Long running task
Module provides tasks:
RecertificationDueDateWarningTaskExecutor
Sends a warning notification before a recertification request expires (due date). The task is not scheduled by default.
Parameters
days-before
- Number of days before the due date expires.
Security
Implemented authorization evaluators:
RecertificationRequestByRecertificationActionEvaluator
- Permissions to recertification requests, derived transitively from the recertification action that created them.
RecertificationItemByRecertificationRequestEvaluator
- Permissions to recertification items, derived transitively from the recertification request that contains them.
RecertificationRequestByApproverEvaluator
- Permissions to recertification requests in which the logged-in identity is one of the available approvers.
Example of security setting
Person - security
A person with this setting can create recertification actions and requests (see the bulk actions and both agendas), but cannot execute (approve) the created requests.
Set the role authorization policies as follows (agenda | base permissions | evaluator):
- Users (IdmIdentity) | Read | BasePermissionEvaluator
- Roles (IdmRole) | Read, Update, Delete | BasePermissionEvaluator
- Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator
- Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator
- Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
- Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator
- Scheduler (IdmProcessedTaskItem) | Read | BasePermissionEvaluator
* Scheduler permissions are optional - with them the user can see the progress of a started recertification action.
* All role permissions (READ, UPDATE, DELETE) are needed to execute a recertification action on the selected roles.
* DELETE permission can be added to actions to enable removing created actions and requests (e.g. so that security staff can remove blocked or old records).
Person - approver
A person with this setting can see and approve recertification requests in which they are one of the available approvers, but cannot see or create recertification actions.
Set the role authorization policies as follows (agenda | base permissions | evaluator):
- Users (IdmIdentity) | Read | BasePermissionEvaluator
- Roles (IdmRole) | Read | BasePermissionEvaluator
- Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator
- Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator
* Items are approved through the UPDATE permission to the recertification request (items are secured transitively by the request).
* Users and roles only need READ permission here. Replace these permissions with your project-specific setting (e.g. only subordinates can be shown, or only some roles).
Filters
New filters were registered in core:
IdentityByRecertificationRequestApproverFilter
Filters identities that can approve the given recertification request, by recertification type:
CONTRACT
: user contract managers
ROLE
: role guarantees
Parameters
approveRecertificationRequestId
- a key parameter; UUID of the request for which approvers are searched.
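As an added illustration that is not part of the module or its documentation, the following Python model shows how the two recertification types (contract managers vs. role guarantees) determine the available approvers returned by IdentityByRecertificationRequestApproverFilter, how the notification recipient limit caps them, and how RecertificationRequestByApproverEvaluator and RecertificationItemByRecertificationRequestEvaluator grant permissions transitively. All classes, function names and sample identities are assumptions; in particular, "guarantee by role" is modelled as every holder of that role, and the approver permission set follows the "Person - approver" policy from the security chapter.

```python
# Added illustrative example (not CzechIdM code): how the two recertification
# types resolve the available approvers, how the notification recipient limit
# caps them, and how approver-based and transitive permissions work.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

CONTRACT = "CONTRACT"   # approve by user contract manager
ROLE = "ROLE"           # approve by role guarantee
RECIPIENT_LIMIT = 50    # default of idm.sec.rec.configuration.notification.recipientLimit
# Permissions the "Person - approver" policy grants on requests (assumed set).
APPROVER_PERMISSIONS: FrozenSet[str] = frozenset({"READ", "UPDATE", "EXECUTE"})


@dataclass
class Contract:
    id: str
    owner: str
    managers: Set[str]


@dataclass
class Role:
    code: str
    guarantee_identities: Set[str] = field(default_factory=set)  # guarantee by user
    guarantee_roles: Set[str] = field(default_factory=set)       # guarantee by role


@dataclass
class RecertificationRequest:
    id: str
    type: str               # CONTRACT or ROLE
    subject: str            # contract id (CONTRACT) or role code (ROLE)
    items: List[str]        # ids of assigned roles to approve


@dataclass
class Directory:
    """Constructed lookup data standing in for the identity store (assumption)."""
    contracts: Dict[str, Contract]
    roles: Dict[str, Role]
    role_members: Dict[str, Set[str]]   # role code -> identities holding it


def approvers(request: RecertificationRequest, d: Directory) -> Set[str]:
    """Model of IdentityByRecertificationRequestApproverFilter: CONTRACT ->
    managers of the contract; ROLE -> guarantees by identity plus holders of
    any guarantee role (assumption: 'guarantee by role' means its holders)."""
    if request.type == CONTRACT:
        return set(d.contracts[request.subject].managers)
    if request.type == ROLE:
        role = d.roles[request.subject]
        result = set(role.guarantee_identities)
        for guarantee_role in role.guarantee_roles:
            result |= d.role_members.get(guarantee_role, set())
        return result
    raise ValueError(f"unknown recertification type: {request.type}")


def notification_recipients(approver_set: Set[str], limit: int = RECIPIENT_LIMIT) -> List[str]:
    """rec:newRecertificationRequest recipients, cut at the configured limit
    so a role guaranteed by a large role does not spam every holder."""
    return sorted(approver_set)[:limit]


def request_permissions(identity: str, request: RecertificationRequest, d: Directory) -> FrozenSet[str]:
    """Model of RecertificationRequestByApproverEvaluator: only available
    approvers get the configured permissions, everyone else gets none."""
    return APPROVER_PERMISSIONS if identity in approvers(request, d) else frozenset()


def item_permissions(identity: str, item_id: str,
                     requests: List[RecertificationRequest], d: Directory) -> FrozenSet[str]:
    """Model of RecertificationItemByRecertificationRequestEvaluator: an item
    inherits whatever the identity may do with the request containing it."""
    for request in requests:
        if item_id in request.items:
            return request_permissions(identity, request, d)
    return frozenset()


# Constructed sample data: one contract with one manager, one role guaranteed
# both by an identity and by a whole role.
SAMPLE = Directory(
    contracts={"c1": Contract("c1", "alice", {"mgr1"})},
    roles={"admin": Role("admin", {"guru"}, {"secteam"})},
    role_members={"secteam": {"sec1", "sec2"}, "admin": {"alice"}},
)
SAMPLE_REQUESTS = [
    RecertificationRequest("r1", CONTRACT, "c1", ["item-alice-admin"]),
    RecertificationRequest("r2", ROLE, "admin", ["item-alice-admin-by-role"]),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.id, r.type, sorted(approvers(r, SAMPLE)))
    print("UPDATE" in item_permissions("sec1", "item-alice-admin-by-role", SAMPLE_REQUESTS, SAMPLE))
```

Note that the role owner (alice) gets no permission on the request about her own role assignment: only the resolved approvers do, and items never carry permissions of their own.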
IdentityRoleByRecertificationIntervalFilter
Filters identity roles by recertification interval, i.e. assigned roles that were not recertified within the given interval.
Parameters
recertificationInterval
- a key parameter; recertification interval in days.
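The configuration properties above (dueDateDays, recertificationInterval), the days-before parameter of RecertificationDueDateWarningTaskExecutor and this filter interact in a way that is easy to get wrong (interval 0 re-selects items recertified yesterday; expired requests get no warning). The following Python model is an added example, not the module's code, and every class, function and sample assignment in it is an assumption made for illustration.

```python
# Added illustrative example (not CzechIdM code): how recertificationInterval
# selects assigned roles, how dueDateDays sets the request due date and how
# the days-before parameter picks requests for the due-date warning.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DUE_DATE_DAYS = 30             # idm.sec.rec.configuration.dueDateDays default
RECERTIFICATION_INTERVAL = 0   # idm.sec.rec.configuration.recertificationInterval default


@dataclass
class AssignedRole:
    identity: str
    role: str
    valid: bool = True                        # currently valid assignment
    manual: bool = True                       # manual direct assignment (not automatic)
    last_recertified: Optional[date] = None   # None = never recertified


@dataclass
class RecertificationRequest:
    items: List[AssignedRole]
    due_date: date


def select_items(assigned: List[AssignedRole], today: date,
                 interval_days: int = RECERTIFICATION_INTERVAL) -> List[AssignedRole]:
    """Model of IdentityRoleByRecertificationIntervalFilter on top of the
    'currently valid manual direct assignment' rule. With interval 0 every
    candidate is selected again, even if it was recertified yesterday."""
    selected = []
    for a in assigned:
        if not (a.valid and a.manual):
            continue
        if (interval_days > 0 and a.last_recertified is not None
                and (today - a.last_recertified).days < interval_days):
            continue  # recertified within the interval, skip
        selected.append(a)
    return selected


def create_request(items: List[AssignedRole], today: date,
                   due_date_days: int = DUE_DATE_DAYS) -> RecertificationRequest:
    """Due date defaults to now() + dueDateDays."""
    return RecertificationRequest(items=items, due_date=today + timedelta(days=due_date_days))


def requests_to_warn(requests: List[RecertificationRequest], today: date,
                     days_before: int) -> List[RecertificationRequest]:
    """Model of the RecertificationDueDateWarningTaskExecutor selection:
    requests whose due date is today or ahead and at most days_before days
    away. Already expired requests are not warned about."""
    return [r for r in requests if 0 <= (r.due_date - today).days <= days_before]


# Constructed sample: assignments with different recertification histories.
TODAY = date(2024, 3, 1)
SAMPLE_ASSIGNMENTS = [
    AssignedRole("alice", "admin", last_recertified=date(2024, 1, 15)),   # 46 days ago
    AssignedRole("alice", "reader", last_recertified=date(2023, 6, 1)),   # 274 days ago
    AssignedRole("bob", "admin"),                                         # never recertified
    AssignedRole("bob", "autorole", manual=False),                        # automatic, skipped
    AssignedRole("carol", "admin", valid=False),                          # not valid, skipped
]

if __name__ == "__main__":
    for interval in (0, 180):
        picked = select_items(SAMPLE_ASSIGNMENTS, TODAY, interval)
        print(interval, [(a.identity, a.role) for a in picked])
    req = create_request(select_items(SAMPLE_ASSIGNMENTS, TODAY, 180), TODAY)
    print(req.due_date, len(requests_to_warn([req], date(2024, 3, 25), days_before=7)))
```

With a half-year interval (180 days) the recently recertified alice/admin assignment is skipped while the never-recertified and long-ago-recertified ones are picked up; with the default interval of 0 all three valid manual assignments are selected again.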
RoleRequestByRecertificationRequestFilter
Filters role requests that were created by the given recertification request.
Parameters
recertificationRequestId
- a key parameter; UUID of the recertification request for which role requests are searched.
Frontend
Two new agendas were created under the Roles main menu:
- Recertification requests - contains the created recertification requests.
- Recertification - contains the created recertification actions, with their requests grouped by the action that created them (actions are executed via bulk actions).
Recertification requests
Request table:
The recertification request detail has these tabs:
- with items - contains basic information about the request and the items to approve.
- with approvers - shows the currently available approvers by recertification type (contract managers, or role guarantees defined by user or by role).
- with role requests - when the assigned role represented by a recertification item is removed, it is removed through a role request; the state of that role request can be seen here.
Recertification actions
Identity and role detail
A tab with recertified assigned roles was added to the role and identity detail.
READ permission to recertification items is needed. Transitive authorization evaluators (by recertification request and action) were prepared, see the Security chapter.
Identity and role table
A bulk action that starts a recertification action is available on the identity and role tables.
Bulk action modal window
Dashboard
A dashboard with recertification requests was created: it shows unresolved requests that can be approved by the logged-in user. The request table is the same as above; its filter is only preset to the logged-in user and only unresolved requests are shown. The dashboard is hidden when no requests are found.
Future improvements
- #1760: Move tab from identity detail to roles tab.
- #1759: Run recertification action again.