Copying and deduplicating assigned roles
In this section, we describe in more detail what it entails to copy assigned roles, and to deduplicate assigned roles.
Copying assigned roles from one user to another
Cloning roles (e.g. to be used in a different environment)
Deduplicating roles (through an identity role bulk action)
Deduplication is a bulk action available in the User agenda. It removes only manually added roles that duplicate another automatic role or another manually added role.
The deduplication process can be overridden by each project; for project-specific equality between roles, see Identity role deduplication.
The deduplication bulk action has several options that change how two roles are checked for duplicity. The available options are:
- Approve - role removal will be processed through the workflow process,
- Check role attributes - the equality check will also compare role attributes and their values.
Logic behind role removal
Keep in mind that a bulk action doesn't remove roles assigned by the system, for example automatic or business roles. Only manually added roles are removed (always). The product's default behavior for resolving duplicity is described here (it can be overridden by a project, see Identity role deduplication). Compared identity roles must pass these rules:
- must assign the same role,
- must be on the same identity contract,
- must be automatic and manual, or manual and manual,
- one of the roles must be within the validity range of the other one (please see the section on validity comparison),
- must have the same role parameters with the same values.
Comparing validity of two roles
We resolve duplicity of two assigned roles by their validity or the contract's validity. For a better overview, here are some examples with commentary:
Examples
When two roles are assigned manually and role A has infinite validity, role B is removed.
B A |---------| <----|----------------> ______|_________|____________ | now
When two roles had been assigned manually and both roles have infinite validity, the more recently assigned role is removed.
B A <---------> <--------------------> ___________________________ | now
In the following case, two roles had been assigned manually and role B is within the validity range of role A. Role B is removed.
B A |-------------| |-------------------------| ______|____|_____________|______|_____ | now
When two roles are assigned manually and both have the same validity, the role that is most recently assigned is removed.
B |-------------| A |-------------| _________|_____________|_______ | now
When two roles are assigned manually and contracts have infinite validity, no role is removed.
B A |------| |----------| | | ______|__________|_______|______|_____ | now
Let's consider another case: two roles had been assigned manually, and both the contract and role A indicate the same validity. The process then removes role B.
B A |------| |----------| | | ______|__________|___|______|_____ | | now contract valid till
In another scenario, role MAN had been added manually, and role AUTO had been assigned automatically. The process removes role MAN.
MAN AUTO |--------------| <-----------------------------> __________|______________|____ | now
In this case, role MAN is manually added and role AUTO is automatically added. The process will remove role MAN, because the validity of the automatic role is the same as that of the contract, and so now the manually added role is invalid.
MAN AUTO |-----| |--------| | | ______|________|____|_____|__ | now
In this case, role MAN had been added manually, while role AUTO had been added automatically. Both roles have their validity filled in, with the "valid till" value being a little bit longer for role MAN than for role AUTO. The process removes role MAN.
MAN |--------------| AUTO |-------------------| _________|______________|____|___ | now
In this case, role MAN had been added manually, while role AUTO had been added automatically. Both roles have validity entries, and the valid-from value for role MAN is a little bit longer than that of role AUTO. The process removes role MAN.
MAN |-----------------------| | |--------------| AUTO ______|________|______________|_______ | now
In this case, role MAN had been assigned manually, and role AUTO had been added automatically. Both roles are going to be valid in the future. No role will be removed.
MAN <---------------------------> |-----| AUTO ___________|_____|_____________ | now
In this case, role MAN had been manually added, and role AUTO had been automatically added. Role MAN has infinite validity, and the process removes role MAN, since role AUTO has the same validity as the contract.
MAN <---------------------------> |-----| AUTO ___________|_____|_____________ | now
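The comparison rules and the manual/manual validity cases above can be previewed with a small model before running the bulk action. This is an added example, not the product's own code: `AssignedRole`, `duplicate_to_remove` and the `check_attributes` flag are hypothetical names, and it assumes both roles are manually assigned and ignores contract validity, so the automatic-role and contract-driven cases are not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class AssignedRole:               # hypothetical model of one manual assignment
    role: str
    contract: str
    created: date                      # when the assignment was made
    valid_from: Optional[date] = None  # None = unbounded (infinite validity)
    valid_till: Optional[date] = None
    params: tuple = ()                 # sorted (name, value) pairs

def _within(inner, outer):
    """True if inner's validity lies inside outer's validity range."""
    start_ok = outer.valid_from is None or (
        inner.valid_from is not None and inner.valid_from >= outer.valid_from)
    end_ok = outer.valid_till is None or (
        inner.valid_till is not None and inner.valid_till <= outer.valid_till)
    return start_ok and end_ok

def duplicate_to_remove(a, b, check_attributes=True):
    """Return the assignment to remove, or None if a and b are not duplicates."""
    if a.role != b.role or a.contract != b.contract:
        return None                    # different role or identity contract
    if check_attributes and a.params != b.params:
        return None                    # parameters or their values differ
    a_in_b, b_in_a = _within(a, b), _within(b, a)
    if a_in_b and b_in_a:              # same validity: the newer one is removed
        return a if a.created > b.created else b
    if b_in_a:
        return b
    if a_in_b:
        return a
    return None                        # neither range contains the other

# Constructed sample data: A has infinite validity, B is limited.
A = AssignedRole("helpdesk", "contract-1", date(2020, 1, 1))
B = AssignedRole("helpdesk", "contract-1", date(2021, 1, 1),
                 date(2021, 1, 1), date(2021, 6, 30))

if __name__ == "__main__":
    print(duplicate_to_remove(A, B))   # B is the removal candidate
```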