This is an old revision of the document!

Copying and deduplicating assigned roles

In this section, we describe in more detail what it entails to copy assigned roles, and to deduplicate assigned roles.

TO BE COMPLETED

Copying assigned roles from one user to another

Cloning roles (e.g. to be used in a different environment)

Deduplicating roles (through an identity role bulk action)

Deduplication is a bulk action that is available on User agenda. Deduplication allows removing only manually added roles that are duplicite with another automatic role or another manually added role.

Deduplication removes only manually added roles. Roles that were assigned by automatic roles will never be removed.

The deduplication process can be overridden by each project, for specific project equals between roles see Identity role deduplication

Bulk action deduplication has several options that change the manner of checking whether two roles are duplicite. All options that are available:

  • Approve - remove roles will process trough workflow process,
  • check role attributes - the equals process will checked role attributes and their values.

Logic behind role removal

Keep in mind that a bulk action doesn't remove roles assigned by the system. For example, automatic or business roles. Removed will be only manually added roles (always). In product behavior that solve duplicity (this behavior can be overridden by project, see Identity role deduplication). Compared identity roles must pass these rules: * must assign the same role, * must be on the same identity contract, * must be automatic and manually, or manually and manually, * one of roles must be in validity range the second one (please see section with validity comparison), * must have same role parameters expecting same values.

Comparing validity of two roles

Please pay attention to this section.

We resolve duplicity of two assigned roles by their validity or contract's validity. For a better overview there are some examples with a commentary:

Examples

In the case two roles are assigned manually and role A has infinity validity, B role is removed. 

            B
   A   |---------|
  <----|---------------->
 ______|_________|____________
             |
            now

When two roles had been assigned manually and both roles have infinite validity, the role that is more recently assigned than the other one is removed. 

            B
   A   <--------->
  <-------------------->
 ___________________________
             |
            now

In the following case, two roles had been assigned manually and role B is within the validity range of role A. Role B is removed. 

		   B
         A  |-------------|
       |-------------------------|
 ______|____|_____________|______|_____
                   |
                  now

When two roles are assigned manually and both have the same validity, the role that is most recently assigned is removed. 

		B
          |-------------|
        A |-------------|
 _________|_____________|_______
                 |
                now

When two roles are assigned manually and contracts have infinite validity, no role is removed. 

 			      B
            A             |------|
       |----------|       |      |
 ______|__________|_______|______|_____
            |
           now

Let's consider another case, two roles had been assigned manually and both the contract and the role A indicate the same validity. The process then removes B role. 

 			   B
            A         |------|
       |----------|   |      |
 ______|__________|___|______|_____
    |	          |
   now		contract
   		valid till

Another scenario, role MAN had been added manually, and role AUTO had been assigned automatically. The process removes MAN role. 

 		MAN
    AUTO  |--------------|
    <----------------------------->
__________|______________|____
                |
               now

In this case is role MAN manually added and role AUTO is automatically added. The process will remove MAN role, because the validity of the automatic role is the same as that of the contract, and so now the manually added role is invalid. 

 		      MAN
          AUTO      |-----|
      |--------|    |     |
______|________|____|_____|__
            |
           now

In this case, role MAN had been added manually, while role AUTO automatically. Both roles feature filled validities, with the "valid till" value being little bit longer for role MAN than for role AUTO. The process removes MAN role. 

 		MAN
         |--------------|
    AUTO |-------------------|
_________|______________|____|___
                  |
                 now

In this case, role MAN had been added manually, while role AUTO automatically. Both roles have validity entries, and the valid-from value for role MAN is a little bit longer than that of role AUTO. The process removes MAN role. 

 			 MAN
      |-----------------------|
      |        |--------------| AUTO
______|________|______________|_______
                       |
                      now

In this case, role MAN had been assigned manually, and role AUTO had been added automatically. Both roles are going to be valid in the future. No role will be removed. 

 	         MAN
     <--------------------------->
           |-----| AUTO
___________|_____|_____________
       |
      now

In this case role MAN had been manually added, and role AUTO had been automatically added. Role MAN has infinite validity, and the process removes MAN role, since AUTO role has the same validity as the contract. 

 		         MAN
     <--------------------------->
           |-----| AUTO
___________|_____|_____________
              |
             now
  • by kotisovam