9.7:documentation:modules_rec

Modules - Recertification [rec]

Role recertification module approves assigned user roles again.

When a user has had many assigned roles for a long time, we want to check these assigned roles periodically (every half year, for security reasons) to see whether some assigned role should already have been removed. Only currently valid, manually and directly assigned roles are checked - only manual roles can be assigned and remain assigned after the user has changed in some way (e.g. the user's contract was excluded or the work position was changed).

  • Recertification action - a recertification action (bulk action) creates recertification requests. The action can be executed from the user or role table.
  • Recertification request - a recertification request is created for a single user contract or role (by recertification type) and contains items.
  • Recertification item - a single assigned role which should be approved in the recertification request. An item (= assigned user role) can be approved (~recertified) or removed.

Recertification type defines who can approve the role recertification request and defines its content:

  • Approve by user contract manager - a recertification request is created for each user contract included in the recertification action. Managers defined by the user contract can approve this request.
  • Approve by role guarantee - a recertification request is created for each role included in the recertification action. Role guarantees defined by user or by role can approve this request.

When no approver is found for a given request, the recertification is blocked after creation - approvers have to be configured properly for the recertification type, and then the recertification action can be executed again.

Module configuration properties

Properties are set in the application profile (application.properties) and can be overridden via ConfigurationService.

# Recertification due date - default is now() + 30 days.
# default: 30 [days]
idm.sec.rec.configuration.dueDateDays=30
# Recertification interval - default is 0 days. Set to zero when recertification should be created for already certified items as well.
# default: 0 [days]
idm.sec.rec.configuration.recertificationInterval=0
# If more than the given number of recipients is found for a given role, the limit is applied (prevents spamming all identities).
# default: 50
idm.sec.rec.configuration.notification.recipientLimit=50
  • approver
  • warning
  • warning
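To make the selection rule concrete, here is an added Python model (not the module's own code) of the "approve by user contract manager" type using the configuration values above: items are selected by recertificationInterval, the due date comes from dueDateDays, a request with no approver is created blocked, and notification recipients are cut at recipientLimit. AssignedRole, the sample identities, contracts and managers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DUE_DATE_DAYS = 30            # idm.sec.rec.configuration.dueDateDays
RECERTIFICATION_INTERVAL = 0  # idm.sec.rec.configuration.recertificationInterval
RECIPIENT_LIMIT = 50          # idm.sec.rec.configuration.notification.recipientLimit

@dataclass
class AssignedRole:
    """Constructed model of a manually assigned role (hypothetical, not the module's entity)."""
    identity: str
    contract: str
    role: str
    last_certified: Optional[date] = None  # None: never recertified

def needs_recertification(item: AssignedRole, today: date, interval_days: int) -> bool:
    """Interval 0 selects every item; otherwise items certified inside the interval are skipped."""
    if interval_days <= 0 or item.last_certified is None:
        return True
    return item.last_certified + timedelta(days=interval_days) <= today

def build_contract_requests(roles, today, managers_by_contract, interval_days=RECERTIFICATION_INTERVAL,
                            due_date_days=DUE_DATE_DAYS, recipient_limit=RECIPIENT_LIMIT):
    """One request per user contract, one item per assigned role; no approver -> blocked."""
    requests: Dict[str, dict] = {}
    for item in roles:
        if needs_recertification(item, today, interval_days):
            request = requests.setdefault(item.contract, {"identity": item.identity, "items": []})
            request["items"].append(item.role)
    for contract, request in requests.items():
        approvers = managers_by_contract.get(contract, [])
        request["due_date"] = today + timedelta(days=due_date_days)
        request["state"] = "blocked" if not approvers else "in_progress"
        request["notify"] = approvers[:recipient_limit]  # recipientLimit applied
    return requests

# Constructed sample: two identities, three manual roles; bob's contract has no manager.
SAMPLE_TODAY = date(2020, 1, 1)
SAMPLE_ROLES = [
    AssignedRole("alice", "alice-c1", "admin"),
    AssignedRole("alice", "alice-c1", "reader", date(2019, 12, 1)),  # certified 31 days ago
    AssignedRole("bob", "bob-c1", "admin"),
]
SAMPLE_MANAGERS = {"alice-c1": ["manager1", "manager2"]}

def demo(interval_days: int = RECERTIFICATION_INTERVAL, recipient_limit: int = RECIPIENT_LIMIT):
    return build_contract_requests(SAMPLE_ROLES, SAMPLE_TODAY, SAMPLE_MANAGERS,
                                   interval_days=interval_days, recipient_limit=recipient_limit)
```

With the default interval of 0 every item is selected; with interval 90 alice's recently certified "reader" role is left out of her request, and bob's request is created blocked because his contract has no manager.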

Implemented evaluators:

  1. transient
  2. by approver

Person - security

  • recertification action create

Person - approver

  • recertification request by approver

New filters were registered in core:

  1. find identities which can approve a given recertification request
  2. find assigned roles which have to be recertified

Two new agendas were created

The recertification request detail has these tabs:

  • with items - contains basic information about the request and the items to approve.
  • with approvers - shows the currently available approvers by recertification type (contract managers, or role guarantees defined by user or role).
  • with role requests - when an assigned role represented by a recertification item is removed, it is removed by a role request. You can see the state of this request here.

TODO: action screen

A tab with recertified assigned roles was added to the role and identity detail.

todo: screen.

A bulk action to start a recertification action is available on the identity and role table.

todo: screen.

A dashboard with recertification requests was created - it shows unresolved requests which can be approved by the logged-in user. The table of recertification requests is the same as above - the filter is only preset by the logged-in user.

  • move tab from identity detail to roles tab - todo ticket