Differences

devel:documentation:modules_rec [2019/08/08 11:02]
regulat [Admin guide]
devel:documentation:modules_rec [2020/03/22 21:05] (current)
poulm remove link to deprecated ca module
Line 1: Line 1:
 ====== Modules - Recertification [rec] ====== ====== Modules - Recertification [rec] ======
  
-<- .:modules_crt |  ^ .:start | Documentation ^ .:modules_ca ->+<- .:modules_crt |  ^ .:start | Documentation ^ .:modules_sms ->
  
 {{tag> recertification role}} {{tag> recertification role}}
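Review bot: the next-page link in the navigation bar is changed from .:modules_ca to .:modules_sms while the previous-page link .:modules_crt stays as it is; since the stated reason for the edit is that the ca module is deprecated, confirm that modules_sms is the page that actually follows this one in the documentation order, otherwise the prev/next chain skips a page. The change itself is consistent with the revision summary "remove link to deprecated ca module".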
Line 9: Line 9:
 When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed). When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed).
  
 +{{ :devel:documentation:rect.jpg?nolink |}}
 <note tip>CzechIdM version >= 9.7.0 is required.</note> <note tip>CzechIdM version >= 9.7.0 is required.</note>
 ===== Terminology ===== ===== Terminology =====
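Review bot: the added image `{{ :devel:documentation:rect.jpg?nolink |}}` has no caption or alt text, so a reader cannot tell what the diagram shows without opening it; consider a one-line caption under it. While this hunk touches the introduction, the unchanged paragraph above it still carries the typos "periodicaly", "assigend" and "exluded", which could be fixed in the same revision.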
Line 25: Line 26:
 <note important>When **no approver** is found for given request, then **recertification is blocked** after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note> <note important>When **no approver** is found for given request, then **recertification is blocked** after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note>
  
-===== Configuration ===== 
- 
-Module configuration properties 
- 
-In the application profile (application.properties) and overloadable via ConfigurationService. 
- 
-<code properties> 
-# Recertification due date - default will be now() + 30 days.  
-# default: 30 [days] 
-idm.sec.rec.configuration.dueDateDays=30 
-# Recertification interval - default will be 0 days. Set to zero, when recertification will be created for already certified items. 
-# default: 0 [days] 
-idm.sec.rec.configuration.recertificationInterval=0 
-# If more than given recipients by given role is found, then limit is applied (prevent to spam all identities).  
-# default: 50  
-idm.sec.rec.configuration.notification.recipientLimit=50 
-</code> 
- 
-===== Notification ===== 
- 
-Module provides notifications and topics: 
- 
-  - ''rec:newRecertificationRequest'' - New recertification request was created. The notification shall be sent to the available approvers. 
-  - ''rec:recertificationDueDateWarning'' - Sends warning notification before recertification request is expired (due date). See ''RecertificationDueDateWarningTaskExecutor'' task. 
- 
-Templates were created for topic above with the same name (uppercase without ':'). Topic have ''email'' sender configured by default. 
- 
-===== Long running task ===== 
- 
-Module provides tasks: 
- 
-==== RecertificationDueDateWarningTaskExecutor ==== 
- 
-Sends warning notification before recertification request is expired (due date). Task is not configured by default. 
- 
-=== Parameters  === 
- 
-  * ''days-before'' - Number of days before due date expires. 
- 
- 
-===== Security ===== 
- 
-Implemented autorization evaluators: 
- 
-=== RecertificationRequestByRecertificationActionEvaluator === 
- 
-Permissions to recertification request by action. 
- 
-=== RecertificationItemByRecertificationRequestEvaluator === 
- 
-Permissions to items by recertification request. 
- 
-=== RecertificationRequestByApproverEvaluator === 
- 
-Permissions to recertification request by approver. 
- 
-==== Example of security setting ==== 
- 
-=== Person - security === 
- 
-Person can create recertification action and requests - see bulk actions and both agendas. Cannot execute created requests.  
- 
-Set the role authorization policies as follows: 
- 
-  * Users (IdmIdentity)| Read | BasePermissionEvaluator 
-  * Roles (IdmRole)| Read, Update, Delete | BasePermissionEvaluator 
-  * Role recertification - actions (RecRecertificationAction) | Create, Read, View in select box (autocomplete) | BasePermissionEvaluator 
-  * Role recertification - requests (RecRecertificationRequest) | - | RecertificationRequestByRecertificationActionEvaluator 
-  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator 
-  * Scheduler (IdmLongRunningTask) | Read | BasePermissionEvaluator 
-  * Scheduler (IdmProcessedTaskItem) | Read | BasePermissionEvaluator 
- 
-// * Scheduler permissions are optional - user will see recertification action progress, when is started. // 
- 
-//* All role permissions (''READ'', ''UPDATE'', ''DELETE'') is needed for execute recertification action on selected role. // 
- 
-//* ''DELETE'' permission can be added to action to enable removing created action and requests (e.g. security can remove blocked or old records). // 
- 
-=== Person - approver === 
- 
-Person can see and approve recertification requests, where is in available approvers. Cannot see and create recertification actions. 
- 
-Set the role authorization policies as follows: 
- 
-  * Users (IdmIdentity)| Read | BasePermissionEvaluator 
-  * Roles (IdmRole)| Read | BasePermissionEvaluator 
-  * Role recertification - requests (RecRecertificationRequest) | Execute, Read, Update | RecertificationRequestByApproverEvaluator 
-  * Role recertification - request items (RecRecertificationItem) | - | RecertificationItemByRecertificationRequestEvaluator 
- 
-<note tip>When you want to disable possibility to remove assigned roles by approver (just approve), then don't add ''UPDATE'' persmission to recertification request (item is secured transitivelly by request).</note> 
- 
-<note tip>All roles and identities have ''READ'' permission. Replace this permissions with your project specific setting (e.g. just subordinates can be shown, only some roles)</note> 
- 
-<note tip>[[.:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|Default user role]] setting is expected.</note> 
- 
- 
-===== Filters ===== 
- 
-New filter were registred to core: 
- 
-==== IdentityByRecertificationRequestApproverFilter ==== 
- 
-Filter identities, which can approve given recertification request by recertification type: 
-  * ''CONTRACT'': user contract managers 
-  * ''ROLE'': role guarantees 
- 
-=== Parameters=== 
- 
-  * ''approveRecertificationRequestId'' - a key parameter; uuid of the request for which approvers will be searched. 
- 
-==== IdentityRoleByRecertificationIntervalFilter ==== 
- 
-Filter identity roles by recertification interval => assigned roles, which was not recertified in given interval. 
- 
-=== Parameters=== 
- 
-  * ''recertificationInterval'' - a key parameter; recertification interval in days. 
- 
-==== RoleRequestByRecertificationRequestFilter==== 
- 
-Filter role requests, which were created by given recertification request. 
- 
-=== Parameters=== 
- 
-  * ''recertificationRequestId'' - a key parameter; uuid of the request for which requests will be searched. 
- 
-===== Frontend ===== 
- 
-Two new agendas were created under **Roles** main menu: 
-  * **Recertification requests** - contains created recertification requests. 
-  * **Recertification** - contains created recertification action. Contains requests grouped by recertification action executed by bulk actions. 
- 
-==== Recertification requests ==== 
- 
-Request table: 
- 
-{{ :devel:documentation:recertification-requests.png |}} 
- 
-On recertification request detail is tabs: 
-  * with items - contains basic information about request and items to approve. 
-  * with approvers - shows current available approvers by recertification type (contract managers or role guarantee defined by user or role). 
-  * with role requests - when assigned role representing by recertification item is removed, when assigned role is removed by role request. You can se state of this request. 
- 
-{{ :undefined:recertification-request-detail.png |}} 
- 
-==== Recertification actions ==== 
- 
-Contains requests grouped by recertification action executed by bulk actions. 
- 
-{{ :devel:documentation:recertification-actions.png |}} 
- 
-==== Identity and role detail ==== 
- 
-Tab with recertified assigned roles was added to role and identity detail. 
- 
-{{ :devel:documentation:recertification-identity-tab.png |}} 
- 
-<note tip>''READ'' recertification items persmission is needed. Transitive authorization evaluators (by recertification request and action) were prepared, see security chapter.</note> 
- 
-==== Identity and role table ==== 
- 
-Bulk action for start recertification action is available on identity and role table. 
- 
-{{ :devel:documentation:recertification-bulk-action.png |}} 
- 
-Bulk action modal window 
- 
-{{ :devel:documentation:recertification-bulk-action-detail.png |}} 
- 
-<note tip>Recertification action name will be filled automatically by selected roles or identities (if more than 15 records is selected, thne name will be truncated to prevent long names).</note> 
- 
- 
-<note tip>Recertification due date is required and prefilled by [[#configuration|configuration]].</note> 
- 
- 
-==== Dashboard ==== 
- 
-Dashboard with recertification requests was created - shows unresolved requests, which can be approved by logged user. Table of recertification request is the same as above - filter is only preseted by logged user and only unresolved requests are shown. Dashboard is hidden, when no requests are found. 
- 
-{{ :devel:documentation:recertification-dashboard.png |}} 
  
  
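Review bot: this hunk deletes the Configuration, Notification, Long running task, Security, Filters and Frontend sections in full, but the link lists added further down only cover Security, Configuration and Filters; the notification topics (`rec:newRecertificationRequest`, `rec:recertificationDueDateWarning`), the `RecertificationDueDateWarningTaskExecutor` task with its `days-before` parameter, and the Frontend agendas, dashboard and bulk-action description have no visible new home in this diff. Confirm that they were moved to a sub-page and link it, rather than dropping them. Two points from the removed Security example are worth carrying over verbatim, because they are the least-privilege guidance for this module: leaving `UPDATE` off RecRecertificationRequest for approvers so they can only approve and not remove assigned roles (items are secured transitively by the request), and replacing the blanket `READ` on all roles and identities with project-specific scoping.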
Line 216: Line 37:
 ==== Admin guide ==== ==== Admin guide ====
   * [[devel:documentation:modules_rec:adm:security| Security]]   * [[devel:documentation:modules_rec:adm:security| Security]]
 +  * [[devel:documentation:modules_rec:adm:configuration| Configuration]]
  
 +==== Admin tutorial ====
 +  * [[tutorial:adm:module_recertification| Module - Recertification]]
  
 +==== Devel guide ====
 +  * [[devel:documentation:modules_rec:dev:filters| Filters]]
  
  
  
  
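Review bot: the new Configuration page linked here should carry the three properties removed above with their defaults (`idm.sec.rec.configuration.dueDateDays=30`, `idm.sec.rec.configuration.recertificationInterval=0`, `idm.sec.rec.configuration.notification.recipientLimit=50`), in particular `recipientLimit`, which is the guard against notifying every identity that holds a role; the removed Frontend tip also referenced the in-page anchor `[[#configuration|configuration]]`, so wherever that tip is moved, the anchor must be rewritten to the new sub-page `devel:documentation:modules_rec:adm:configuration`. The added link labels keep the leading space after the pipe that the existing Security entry uses, which is consistent.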
  • by regulat