Modules - Recertification [rec]
Role recertification module approves assigned user roles again.
When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed).
Terminology
- Recertification action - recertification action (bulk action) creates recertification requests. Action can be executed from user or role table.
- Recertification request - recertification request is created for single user contract or role (by recertification type) an contains item.
- Recertification item - single assigned role, which schould be apporoved in recertification request. Item = assigned user role can be approved (~recertificated) or removed.
Recertification types
Recertification type defines, who can approve role recertification request and define its content:
- Approve by user contract manager - recertification request is created for each user contract included in recerrrtification action. Managers defined by user contract can approve this request.
- Approve by role guarantee - recertification request is created for each role included in recerrrtification action. Role guarantees defined by user or by role can approve this request.
Configuration
Module configuration properties
In the application profile (application.properties) and overloadable via ConfigurationService.
# Recertification due date - default will be now() + 30 days. # default: 30 [days] idm.sec.rec.configuration.dueDateDays=30 # Recertification interval - default will be 0 days. Set to zero, when recertification will be created for already certified items. # default: 0 [days] idm.sec.rec.configuration.recertificationInterval=0 # If more than given recipients by given role is found, then limit is applied (prevent to spam all identities). # default: 50 idm.sec.rec.configuration.notification.recipientLimit=50
Notification
- approver
- warning
Long running task
- warning
Security
Implemented evaluators:
- transient
- by approver
Example of security setting
Person - security
- recertification action create
Person - approver
- recertification request by approver
Filters
New filter were registred to core:
- find identity, which can approve given recertification request
- find assigned role, which have to be recertified
Frontend
Two new agendas were created
On recertification request detail is tabs:
- with items - contains basic information about request and items to approve.
- with approvers - shows current available approvers by recertification type (contract managers or role guarantee defined by user or role).
- with role requests - when assigned role representing by recertification item is removed, when assigned role is removed by role request. You can se state of this request.
TODO: action screen
Tab with recertified assigned roles was adde to role and identity detail.
todo: screen.
Bulk action for start recertification action is available on identity and role table.
todo: screen.
Dashboard with recertification request was created - shows unresolved requests, which can be approved by logged user. Table of recertification request is the as as above - filter is only presed by logged user.
Future improvements
- move tab from identity detail to roles tab - todo ticket