Differences
This shows you the differences between two versions of the page.
devel:documentation:modules_rec [2019/08/08 10:26] poulm testing
devel:documentation:modules_rec [2020/03/22 21:05] (current) poulm remove link to deprecated ca module
Line 1: | Line 1: | ||
====== Modules - Recertification [rec] ====== | ====== Modules - Recertification [rec] ====== | ||
- | <- .: | + | <- .: |
{{tag> recertification role}} | {{tag> recertification role}} | ||
Line 9: | Line 9: | ||
When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed). | When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed). | ||
+ | {{ : | ||
<note tip> | <note tip> | ||
===== Terminology ===== | ===== Terminology ===== | ||
Line 25: | Line 26: | ||
<note important> | <note important> | ||
- | ===== Configuration ===== | ||
- | |||
- | Module configuration properties | ||
- | |||
- | In the application profile (application.properties) and overloadable via ConfigurationService. | ||
- | |||
- | <code properties> | ||
- | # Recertification due date - default will be now() + 30 days. | ||
- | # default: 30 [days] | ||
- | idm.sec.rec.configuration.dueDateDays=30 | ||
- | # Recertification interval - default will be 0 days. Set to zero, when recertification will be created for already certified items. | ||
- | # default: 0 [days] | ||
- | idm.sec.rec.configuration.recertificationInterval=0 | ||
- | # If more than given recipients by given role is found, then limit is applied (prevent to spam all identities). | ||
- | # default: 50 | ||
- | idm.sec.rec.configuration.notification.recipientLimit=50 | ||
- | </ | ||
- | |||
- | ===== Notification ===== | ||
- | |||
- | Module provides notifications and topics: | ||
- | |||
- | - '' | ||
- | - '' | ||
- | |||
- | Templates were created for topic above with the same name (uppercase without ':' | ||
- | |||
- | ===== Long running task ===== | ||
- | |||
- | Module provides tasks: | ||
- | |||
- | ==== RecertificationDueDateWarningTaskExecutor ==== | ||
- | |||
- | Sends warning notification before recertification request is expired (due date). Task is not configured by default. | ||
- | |||
- | === Parameters | ||
- | |||
- | * '' | ||
- | |||
- | |||
- | ===== Security ===== | ||
- | |||
- | Implemented autorization evaluators: | ||
- | |||
- | === RecertificationRequestByRecertificationActionEvaluator === | ||
- | |||
- | Permissions to recertification request by action. | ||
- | |||
- | === RecertificationItemByRecertificationRequestEvaluator === | ||
- | |||
- | Permissions to items by recertification request. | ||
- | |||
- | === RecertificationRequestByApproverEvaluator === | ||
- | |||
- | Permissions to recertification request by approver. | ||
- | |||
- | ==== Example of security setting ==== | ||
- | |||
- | === Person - security === | ||
- | |||
- | Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests. | ||
- | |||
- | Set the role authorization policies as follows: | ||
- | |||
- | * Users (IdmIdentity)| Read | BasePermissionEvaluator | ||
- | * Roles (IdmRole)| Read, Update, Delete | BasePermissionEvaluator | ||
- | * Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator | ||
- | * Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator | ||
- | * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator | ||
- | * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator | ||
- | * Scheduler (IdmProcessedTaskItem) | Read | BasePermissionEvaluator | ||
- | |||
- | // * Scheduler permissions are optional - user will see recertification action progress, when is started. // | ||
- | |||
- | //* All role permissions ('' | ||
- | |||
- | //* '' | ||
- | |||
- | === Person - approver === | ||
- | |||
- | Person can see and approve recertification requests, where is in available approvers. Cannot see and create recertification actions. | ||
- | |||
- | Set the role authorization policies as follows: | ||
- | |||
- | * Users (IdmIdentity)| Read | BasePermissionEvaluator | ||
- | * Roles (IdmRole)| Read | BasePermissionEvaluator | ||
- | * Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator | ||
- | * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator | ||
- | |||
- | <note tip>When you want to disable possibility to remove assigned roles by approver (just approve), then don't add '' | ||
- | |||
- | <note tip>All roles and identities have '' | ||
- | |||
- | <note tip> | ||
- | |||
- | |||
- | ===== Filters ===== | ||
- | |||
- | New filter were registred to core: | ||
- | |||
- | ==== IdentityByRecertificationRequestApproverFilter ==== | ||
- | |||
- | Filter identities, which can approve given recertification request by recertification type: | ||
- | * '' | ||
- | * '' | ||
- | |||
- | === Parameters=== | ||
- | |||
- | * '' | ||
- | |||
- | ==== IdentityRoleByRecertificationIntervalFilter ==== | ||
- | |||
- | Filter identity roles by recertification interval => assigned roles, which was not recertified in given interval. | ||
- | |||
- | === Parameters=== | ||
- | |||
- | * '' | ||
- | |||
- | ==== RoleRequestByRecertificationRequestFilter==== | ||
- | |||
- | Filter role requests, which were created by given recertification request. | ||
- | |||
- | === Parameters=== | ||
- | |||
- | * '' | ||
- | |||
- | ===== Frontend ===== | ||
- | |||
- | Two new agendas were created under **Roles** main menu: | ||
- | * **Recertification requests** - contains created recertification requests. | ||
- | * **Recertification** - contains created recertification action. Contains requests grouped by recertification action executed by bulk actions. | ||
- | |||
- | ==== Recertification requests ==== | ||
- | |||
- | Request table: | ||
- | |||
- | {{ : | ||
- | |||
- | On recertification request detail is tabs: | ||
- | * with items - contains basic information about request and items to approve. | ||
- | * with approvers - shows current available approvers by recertification type (contract managers or role guarantee defined by user or role). | ||
- | * with role requests - when assigned role representing by recertification item is removed, when assigned role is removed by role request. You can se state of this request. | ||
- | |||
- | {{ : | ||
- | |||
- | ==== Recertification actions ==== | ||
- | |||
- | Contains requests grouped by recertification action executed by bulk actions. | ||
- | |||
- | {{ : | ||
- | |||
- | ==== Identity and role detail ==== | ||
- | |||
- | Tab with recertified assigned roles was added to role and identity detail. | ||
- | |||
- | {{ : | ||
- | |||
- | <note tip>'' | ||
- | |||
- | ==== Identity and role table ==== | ||
- | |||
- | Bulk action for start recertification action is available on identity and role table. | ||
- | |||
- | {{ : | ||
- | |||
- | Bulk action modal window | ||
- | |||
- | {{ : | ||
- | |||
- | <note tip> | ||
- | |||
- | |||
- | <note tip> | ||
- | |||
- | |||
- | ==== Dashboard ==== | ||
- | |||
- | Dashboard with recertification requests was created - shows unresolved requests, which can be approved by logged user. Table of recertification request is the same as above - filter is only preseted by logged user and only unresolved requests are shown. Dashboard is hidden, when no requests are found. | ||
- | |||
- | {{ : | ||
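Review bot: this hunk deletes the whole Configuration, Notification, Long running task, Security, Filters and Frontend sections and nothing in it replaces them; in particular the three `idm.sec.rec.configuration.*` properties with their defaults (dueDateDays=30, recertificationInterval=0, notification.recipientLimit=50) and the two worked authorization-policy setups (Person - security, Person - approver), which are what an administrator needs to grant RecRecertificationRequest and RecRecertificationItem access through the named evaluators rather than BasePermissionEvaluator, would vanish from this page. If they are being moved behind the new Admin guide / Devel guide links, confirm those target pages exist and carry the same property defaults and evaluator names before this revision goes live; otherwise keep at least the Configuration and Security sections here. The revision summary "remove link to deprecated ca module" does not describe a removal of this size, so please mention the move in the summary as well.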
Line 215: | Line 36: | ||
==== Admin guide ==== | ==== Admin guide ==== | ||
- | * [[devel: | + | * [[devel: |
+ | * [[devel: | ||
+ | ==== Admin tutorial ==== | ||
+ | * [[tutorial: | ||
+ | ==== Devel guide ==== | ||
+ | * [[devel: | ||
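Review bot: the link targets in this hunk are cut off in this view (`[[devel:`, `[[tutorial:`), so a reviewer cannot check that the devel link replacing the removed one no longer points at the deprecated ca module named in the summary, nor which of the new Admin tutorial and Devel guide entries is meant to host the sections removed at Line 25; please confirm the full target page names before publishing.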