Roles assignment deduplication
Yes, CzechIdM allows assigning two identical roles to the same contract. Why?
- Manually (directly) and through a business role - typically because the process of defining business roles is still in progress.
- Manually (directly) and through an automatic role - for example, an administrator previously added a role to a contract and later defined a new automatic role whose definition the identity meets.
- Manually (directly) twice - users usually end up with this during data migration or through user mistakes in the role request process.
Deduplication (bulk action)
Deduplication is a bulk action that is available in the User agenda.
The deduplication bulk action has several options that change how it checks whether two roles are duplicates. The available options are:
- Approve - the removal of roles is processed through the workflow process,
- Check role attributes - the equality check also compares role attributes and their values.
Evaluate algorithm
Two role assignments are duplicates if they pass all of these rules:
* the same role (role code attribute),
* on the same identity contract,
* assigned automatically and manually directly, or manually directly and manually directly, or manually directly and by a business role (automatically or manually),
* they have the same role parameters with the same values,
* they are valid "at the same time" - this is a bit tricky, see the Examples below.
The evaluation algorithm, or the whole deduplication process, can be implemented to suit custom needs in your project.
Examples
Duplicates among two assigned roles are resolved by the roles' validity or by the validity of the contract. For a better overview, here are some examples with commentary:
In this case, both roles are assigned manually and role A has infinite validity. The process will remove role B.
           B
 A    |---------|
 <----|---------------->
______|_________|____________
           |
          now
In this case, both roles are assigned manually and both roles have infinite validity. The algorithm removes the role that has been assigned earlier.
             B
 A      <--------->
  <-------------------->
___________________________
             |
            now
In this case, both roles are assigned manually and role B lies within the validity range of role A. Role B will be removed.
                  B
 A         |-------------|
      |-------------------------|
______|____|_____________|______|_____
                  |
                 now
In this case, both roles are assigned manually and both have the same validity. The algorithm removes the role that has been assigned earlier.
                B
         |-------------|
 A       |-------------|
_________|_____________|_______
                |
               now
In this case, both roles are assigned manually and the contract has infinite validity. No role will be removed.
                            B
 A                       |------|
      |----------|       |      |
______|__________|_______|______|_____
           |
          now
In this case, both roles are assigned manually and the contract has the same valid till as role A. The process will remove role B.
                        B
 A                   |------|
      |----------|   |      |
______|__________|___|______|_____
           |     |
          now contract
              valid till
In this case, role MAN is added manually and role AUTO is added automatically. The process will remove the MAN role.
                MAN
 AUTO     |--------------|
<----------------------------->
__________|______________|____
                 |
                now
In this case, role MAN is added manually and role AUTO is added automatically. The process will remove the MAN role, because the automatic role has the same validity as the contract and the manually added role is now invalid.
                      MAN
 AUTO               |-----|
      |--------|    |     |
______|________|____|_____|__
          |
         now
In this case, role MAN is added manually and role AUTO is added automatically. Both roles have their validity filled in, and the valid till of role MAN is a little shorter than that of role AUTO. The process will remove the MAN role.
               MAN
         |--------------|
 AUTO    |-------------------|
_________|______________|____|___
                |
               now
In this case, role MAN is added manually and role AUTO is added automatically. Both roles have their validity filled in, and the valid from of role MAN is a little longer than that of role AUTO. The process will remove the MAN role.
                 MAN
      |-----------------------|
      |        |--------------| AUTO
______|________|______________|_______
                      |
                     now
In this case, role MAN is added manually and role AUTO is added automatically. Both roles will be valid in the future. No role will be removed.
              MAN
 <--------------------------->
           |-----| AUTO
___________|_____|_____________
     |
    now
In this case, role MAN is added manually and role AUTO is added automatically. Role MAN has infinite validity, and the process will remove the MAN role because the AUTO role has the same validity as the contract.
              MAN
 <--------------------------->
           |-----| AUTO
___________|_____|_____________
              |
             now
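
The duplicate rules and the manual/manual examples above, modelled as an added Python sketch that is not CzechIdM code: the class, function and field names are hypothetical. It assumes that contract validity is ignored, that the "check role attributes" option switched off means parameters are not compared, and that pairs with partially overlapping validity are left alone.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

@dataclass(frozen=True)
class Assignment:                        # hypothetical model, not a CzechIdM class
    role_code: str
    contract_id: str
    kind: str                            # "manual", "automatic" or "business"
    created: datetime                    # when the role was assigned
    valid_from: Optional[date] = None    # None = open-ended ("infinite")
    valid_till: Optional[date] = None
    params: tuple = ()                   # sorted (name, value) pairs

def is_duplicate_candidate(a, b, check_attributes=True):
    """Apply the listed rules except the 'valid at the same time' rule."""
    if a.role_code != b.role_code or a.contract_id != b.contract_id:
        return False
    if "manual" not in (a.kind, b.kind): # every listed combination has a manual side
        return False
    return not check_attributes or a.params == b.params

def _span(x):
    return (x.valid_from or date.min, x.valid_till or date.max)

def _contains(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def pick_manual_duplicate(a, b):
    """For two manual assignments, return the one to remove, or None."""
    if not is_duplicate_candidate(a, b) or {a.kind, b.kind} != {"manual"}:
        return None
    sa, sb = _span(a), _span(b)
    if sa == sb:                         # same validity: the earlier assignment goes
        return min(a, b, key=lambda x: x.created)
    if _contains(sa, sb):                # b lies within a's validity range
        return b
    if _contains(sb, sa):
        return a
    return None                          # disjoint or partial overlap (assumption)

if __name__ == "__main__":
    # Constructed sample: role A open-ended, role B limited (first example above)
    a = Assignment("ROLE_X", "contract-1", "manual", datetime(2024, 1, 10))
    b = Assignment("ROLE_X", "contract-1", "manual", datetime(2024, 2, 1),
                   date(2024, 3, 1), date(2024, 6, 30))
    print(pick_manual_duplicate(a, b) is b)
```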
