Roles assignment deduplication
Yes, CzechIdM allows assigning two identical roles to the same contract. Why?
- Manually directly and from a business role - simply the process of defining business roles is in progress.
- Manually directly and from an automatic role - for example, an administrator has previously added a new role to a contract and then defined a new automatic role with a definition that the identity meets.
- Manually directly and manually directly - usually users get it during data migration or by users mistakes during role requests process.
Deduplication (bulk action)
Deduplication is a bulk action that is available on User agenda.
Bulk action deduplication has several options that change the manner of checking whether two roles are duplicates. All options that are available:
- Approve - remove roles will process through workflow process,
- check role attributes - the equals process will check role attributes and their values.
Evaluate algorithm
2 roles assignments are duplicated if pass all these rules:
* the same role (role code attribute),
* on the same identity contract,
* automatically and manually directly, or manually directly and manually directly, or manually directly and by business role (automatically or manually)
* must have same role parameters expect same values.
* Are valid "at the same time" - this is a bit tricky, see the Examples below
The evaluation algorithm or whole deduplication process can be implemented for custom needs in your project.
Examples
We resolve duplicity of two assigned roles by their validity or validity on contract. For a better overview there are some examples with a commentary:
In this case, both roles are assigned manually and role A
has infinity validity. The process will remove B role
.
B A |---------| <----|----------------> ______|_________|____________ | now
In this case, both roles are assigned manually and both roles have infinite validity. In this case algorithm remove the role that has bee assigned earlier.
B A <---------> <--------------------> ___________________________ | now
In this case, both roles are assigned manually and the role B
is in validity range of role A
. Role B
will be removed.
B A |-------------| |-------------------------| ______|____|_____________|______|_____ | now
In this case, both roles are assigned manually and both have the same validity. In this case algorithm remove the role that has bee assigned earlier.
B |-------------| A |-------------| _________|_____________|_______ | now
In this case is both roles assigned manually and contract has infinite validity. For this case will not be removed any role.
B A |------| |----------| | | ______|__________|_______|______|_____ | now
In this case is both roles assigned manually and contract has same valid till as valid till for role A
. The process will remove B role
.
B A |------| |----------| | | ______|__________|___|______|_____ | | now contract valid till
In this case is role MAN
manually added and role AUTO
is automatically added. The process will remove MAN role
.
MAN AUTO |--------------| <-----------------------------> __________|______________|____ | now
In this case is role MAN
manually added and role AUTO
is automatically added. The process will remove MAN role
, because automatic role has same validity as contract and manually added role is now invalid.
MAN AUTO |-----| |--------| | | ______|________|____|_____|__ | now
In this case is role MAN
manually added and role AUTO
is automatically added. Both roles has filled validity and valid till for role MAN
is little bit shorter than role AUTO
. The process will remove MAN role
.
MAN |--------------| AUTO |-------------------| _________|______________|____|___ | now
In this case is role MAN
manually added and role AUTO
is automatically added. Both roles has filled validity and valid from for role MAN
is little bit longer than role AUTO
. The process will remove MAN role
.
MAN |-----------------------| | |--------------| AUTO ______|________|______________|_______ | now
In this case is role MAN
manually added and role AUTO
is automatically added. Both roles will be valid in future. No role will be removed.
MAN <---------------------------> |-----| AUTO ___________|_____|_____________ | now
In this case is role MAN
manually added and role AUTO
is automatically added. Role MAN
has infinity validity and the process will remove MAN role
, because AUTO role
has same validity as contract.
MAN <---------------------------> |-----| AUTO ___________|_____|_____________ | now