Differences

devel:documentation:modules_rec [2019/08/01 11:32]
tomiskar [Identity and role table]
devel:documentation:modules_rec [2020/03/22 21:05] (current)
poulm remove link to deprecated ca module
Line 1: Line 1:
 ====== Modules - Recertification [rec] ====== ====== Modules - Recertification [rec] ======
  
-<- .:modules_crt |  ^ .:start | Documentation ^ .:modules_ca ->+<- .:modules_crt |  ^ .:start | Documentation ^ .:modules_sms ->
  
 {{tag> recertification role}} {{tag> recertification role}}
Line 9: Line 9:
 When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed). When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed).
  
 +{{ :devel:documentation:rect.jpg?nolink |}}
 +<note tip>CzechIdM version >= 9.7.0 is required.</note>
 ===== Terminology ===== ===== Terminology =====
  
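Review bot: the unchanged context paragraph at the top of this hunk still carries the misspellings "periodicaly", "assigend" and "exluded" (for "periodically", "assigned" and "excluded"); since this region is being edited anyway to add the screenshot and the `<note tip>CzechIdM version >= 9.7.0 is required.</note>` line, correcting them in the same revision would be cheap. The added version note itself is a useful addition, as the module's filters and evaluators only exist from that release onward.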
Line 19: Line 21:
 Recertification type defines, who can approve role recertification request and define request content: Recertification type defines, who can approve role recertification request and define request content:
  
-  - **Approve by user contract manager** - recertification request is created for each user contract included in recerrrtification action. Managers defined by user contract can approve this request. +  - **Approve by user contract manager** (''CONTRACT''- recertification request is created for each user contract included in recerrrtification action. Managers defined by user contract can approve this request. 
-  - **Approve by role guarantee** - recertification request is created for each role included in recerrrtification action. Role guarantees defined by user or by role can approve this request.+  - **Approve by role guarantee** (''ROLE''- recertification request is created for each role included in recerrrtification action. Role guarantees defined by user or by role can approve this request.
  
 <note important>When **no approver** is found for given request, then **recertification is blocked** after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note> <note important>When **no approver** is found for given request, then **recertification is blocked** after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note>
  
-===== Configuration ===== 
  
-Module configuration properties 
  
-In the application profile (application.properties) and overloadable via ConfigurationService.+===== Future improvements =====
  
-<code properties> +- [[https://redmine.czechidm.com/issues/1760|#1760]]: Move tab from identity detail to roles tab. 
-# Recertification due date default will be now() + 30 days.  +[[https://redmine.czechidm.com/issues/1759|#1759]]: Run recertification action again.
-# default: 30 [days] +
-idm.sec.rec.configuration.dueDateDays=30 +
-# Recertification interval - default will be 0 days. Set to zero, when recertification will be created for already certified items. +
-# default: 0 [days] +
-idm.sec.rec.configuration.recertificationInterval=0 +
-# If more than given recipients by given role is found, then limit is applied (prevent to spam all identities).  +
-# default50  +
-idm.sec.rec.configuration.notification.recipientLimit=50 +
-</code> +
- +
-===== Notification ===== +
- +
-Module provides notifications and topics: +
- +
-  - ''rec:newRecertificationRequest'' - New recertification request was created. The notification shall be sent to the available approvers. +
-  - ''rec:recertificationDueDateWarning'' - Sends warning notification before recertification request is expired (due date). See ''RecertificationDueDateWarningTaskExecutor'' task. +
- +
-Templates were created for topic above with the same name (uppercase without ':'). Topic have ''email'' sender configured by default. +
- +
-===== Long running task ===== +
- +
-Module provides tasks: +
- +
-==== RecertificationDueDateWarningTaskExecutor ==== +
- +
-Sends warning notification before recertification request is expired (due date). Task is not configured by default. +
- +
-=== Parameters  === +
- +
-  * ''days-before'' - Number of days before due date expires. +
- +
- +
-===== Security ===== +
- +
-Implemented autorization evaluators: +
- +
-=== RecertificationRequestByRecertificationActionEvaluator === +
- +
-Permissions to recertification request by action. +
- +
-=== RecertificationItemByRecertificationRequestEvaluator === +
- +
-Permissions to items by recertification request. +
- +
-=== RecertificationRequestByApproverEvaluator === +
- +
-Permissions to recertification request by approver. +
- +
-==== Example of security setting ==== +
- +
-=== Person - security === +
- +
-Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests.  +
- +
-Set the role authorization policies as follows: +
- +
-  * Users (IdmIdentity)| Read | BasePermissionEvaluator +
-  * Roles (IdmRole)| Read, Update, Delete | BasePermissionEvaluator +
-  * Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator +
-  * Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator +
-  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator +
-  * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator +
-  * Scheduler (IdmProcessedTaskItem) | Read | BasePermissionEvaluator +
- +
-//* Scheduler permissions are optional - user will see recertification acion progress, when is started // +
- +
-//* All role permissions (''READ'', ''UPDATE'', ''DELETE'') is needed for execute recertification action on selected role// +
- +
-//* ''DELETE'' permission can be added to action to enable removing created action and requests (e.g. security can remove blocked or old records). // +
- +
-=== Person - approver === +
- +
-Person can see and approve recertification requests, where is in available approvers. Cannot see and create recertification actions. +
- +
-Set the role authorization policies as follows: +
- +
-  * Users (IdmIdentity)Read | BasePermissionEvaluator +
-  * Roles (IdmRole)| Read | BasePermissionEvaluator +
-  * Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator +
-  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator +
- +
-<note tip>When you want to disable possibility to remove assigned roles by approver (just approve), then don't add ''UPDATE'' persmission to recertification request (item is secured transitivelly by request).</note> +
- +
-<note tip>All roles and identities have ''READ'' permission. Replace this permissions with your project specific setting (e.g. just subordinates can be shown, only some roles)</note> +
- +
-<note tip>[[.:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|Default user role]] setting is expected.</note> +
- +
- +
-===== Filters ===== +
- +
-New filter were registred to core: +
- +
-==== IdentityByRecertificationRequestApproverFilter ==== +
- +
-Filter identities, which can approve given recertification request by recertification type: +
-  * ''CONTRACT'': user contract managers +
-  * ''ROLE'': role guarantees +
- +
-=== Parameters=== +
- +
-  * ''approveRecertificationRequestId'' - a key parameter; uuid of the request for which approvers will be searched. +
- +
-==== IdentityRoleByRecertificationIntervalFilter ==== +
- +
-Filter identity roles by recertification interval => assigned roles, which was not recertified in given interval. +
- +
-=== Parameters=== +
- +
-  * ''recertificationInterval'' - a key parameter; recertification interval in days. +
- +
-==== RoleRequestByRecertificationRequestFilter==== +
- +
-Filter role requests, which were created by given recertification request. +
- +
-=== Parameters=== +
- +
-  * ''recertificationRequestId'' - a key parameter; uuid of the request for which requests will be searched. +
- +
-===== Frontend ===== +
- +
-Two new agendas were created under **Roles** main menu: +
-  * **Recertification requests** - contains created recertification requests. +
-  * **Recertification** - contains created recertification action. Contains requests grouped by recertification action executed by bulk actions. +
- +
-==== Recertification requests ==== +
- +
-Request table: +
- +
-{{ :devel:documentation:recertification-requests.png |}} +
- +
-On recertification request detail is tabs: +
-  * with items - contains basic information about request and items to approve. +
-  * with approvers - shows current available approvers by recertification type (contract managers or role guarantee defined by user or role). +
-  * with role requests - when assigned role representing by recertification item is removed, when assigned role is removed by role request. You can se state of this request. +
- +
-{{ :undefined:recertification-request-detail.png |}} +
- +
-==== Recertification actions ==== +
- +
-Contains requests grouped by recertification action executed by bulk actions. +
- +
-{{ :devel:documentation:recertification-actions.png |}} +
- +
-==== Identity and role detail ==== +
- +
-Tab with recertified assigned roles was added to role and identity detail. +
- +
-{{ :devel:documentation:recertification-identity-tab.png |}} +
- +
-<note tip>''READ'' recertification items persmission is needed. Transitive authorization evaluators (by recertification request and action) were prepared, see security chapter.</note> +
- +
-==== Identity and role table ==== +
- +
-Bulk action for start recertification action is available on identity and role table. +
- +
-{{ :devel:documentation:recertification-bulk-action.png |}} +
- +
-Bulk action modal window +
- +
-{{ :devel:documentation:recertification-bulk-action-detail.png |}} +
- +
-<note tip>Recertification action name will be filled automatically by selected roles or identities (if more than 15 records is selected, thne name will be truncated to prevent long names).</note> +
- +
- +
-<note tip>Recertification due date is required and prefilled by [[#configuration|configuration]].</note> +
- +
- +
-==== Dashboard ==== +
- +
-Dashboard with recertification requests was created - shows unresolved requests, which can be approved by logged user. Table of recertification request is the same as above - filter is only preseted by logged user and only unresolved requests are shown. Dashboard is hidden, when no requests are found. +
- +
-{{ :devel:documentation:recertification-dashboard.png |}} +
- +
- +
-===== Future improvements =====+
  
-- #1760: Move tab from identity detail to roles tab. +===== Read More =====
-- #1759: Run recertification action again.+
  
 +==== Admin guide ====
 +  * [[devel:documentation:modules_rec:adm:security| Security]]
 +  * [[devel:documentation:modules_rec:adm:configuration| Configuration]]
  
 +==== Admin tutorial ====
 +  * [[tutorial:adm:module_recertification| Module - Recertification]]
  
 +==== Devel guide ====
 +  * [[devel:documentation:modules_rec:dev:filters| Filters]]
  
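Review bot: the "Read More" block added at the end of this hunk only links the new adm:security, adm:configuration and dev:filters subpages, so the removed Notification section (topics `rec:newRecertificationRequest` and `rec:recertificationDueDateWarning`), the Long running task section (`RecertificationDueDateWarningTaskExecutor` with its `days-before` parameter) and the whole Frontend section (agendas, request detail tabs, identity/role tab, bulk action, dashboard) have no destination in the visible lines; either add a Read More entry pointing to wherever that content was moved, or keep those sections on this page, otherwise the task and notification documentation is lost. Two smaller points while these lines are being touched: the rewritten recertification type bullets still read "recerrrtification action" and the unchanged important note reads "apporovers", and the removed Frontend tip referenced `[[#configuration|configuration]]` as an in-page anchor, which no longer exists here, so any reinstated copy of that tip should link the adm:configuration subpage instead. The redmine links now wrapping `#1760` and `#1759` in the Future improvements list are a good improvement over the bare issue numbers.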
  • by tomiskar