Table of Contents

Contractual relationship (CR)

They define the link between the identity and the tree structure. In the application, we advance the logic according to which every identity has at least one CR. This is why there is one CR which is formed automatically to every identity after its creation according to the configuration of the default organizational structure (see above). If in the default organizational structure there is also a selected default element of the structure, then this one is used when creating the default CR ⇒ the identity is "positioned" on the default position of the organizational structure in question. If there is no selected default element of the structure, the identity is "positioned" on the position named as "Default" without being included in the organizational structure.

The CR plays a significant, if not the main role when assigning role to the identity - the role is always assigned to the CR, not directly to the identity. This is a way of ensuring that the authorization evaluation will always pass through one way through the CR where a tree (organizational) structure can figure ⇒ the authorizations can be linked through these structures / positions in the organization.

Another intended functional feature is that when the CR ceases to exist / is invalidated, all the roles ensuing from this CR will cease to exist as well. For the periodic review of invalid CR, a task which can be scheduled has been created IdentityContractExpirationTaskExecutor.

Through CR, users are searched in the elements agenda of the tree structure / organizational structure, who are "positioned" on the selected element. In the agenda, only the users related to a certain type of the structure are displayed ⇒theyhavean CR with a selectedtype.

Prime contract position

CR can be flagged as "main". Can be flagged more than one main CR or non. Prime contract is computed by CR priority:

  1. main
  2. valid (valid by from-till and not disabled)
  3. with working position with default tree type
  4. with working position with any tree type
  5. other with lowest valid from

Search managers by CR

Managers could be found:

Searching managers and subordines could by overriden in custom module by implementing SubordinatesCriteriaBuilder interface.

Invalid CR

When CR validity ends, then all roles assigned to given CR is removed. Its not possible to assign roles to invalid contracts.

Disabled contract by flag has only evidential purpose - no logic depends on it now. Only on frontend cannot be selected invalid contract, when new role is assigned.

Tree structures indexing

To make queries in an efficient manner, a separate library on the tree structure has been created ForestIndex which builds an index next to the tree structure with the following advantages:

The documentation and an an example of getting involved in the project can be found here.

Searching through index is linked to:

To rebuild the index, the task RebuildTreeNodeIndexTaskExecutor where you need to enter the code of the structure which should be re-indexed.

Automatically assigned roles

Roles assigned based on their placement in the organizational structure. Every identity in CzechIdM has an imlicit relation (~CR), which is tied to a component of the organizational structure.

Linking a role to the organizational structure

Everyone with permission to edit a role assign this role to a component of any organizational structure. The assigning/removing is subject to an approval in the same way as if an ordinary user was assigned the given role. The approval of assigning the role will produce some sort of a "pre-approval" for all the users incorporated in the organizational structure. Assigning a role to a user will then not require an approval (it has been approved for the organizational unit in which the user is located).

Displaying information about automatically assigned roles

Displaying of information about the roles linked to the organizational structure will occur at least at the following places:

Heredity of assigned roles

If the role is assigned to an organizational structure component, the following behaviour may occur:

  A
  |
  B
 / \
C   D
   / \
  E   F

Audit

All changes in assigning roles to the organizational structure will be audited. The minimum indicated in the audit log will be:

An update (adding and removing) of automatically assigned roles within an identity occurs at least in the following cases:

Implementation details