If you have a system on that you want to control some provisioning operation (create, update, delete), the provisioning break is the right tool. With provisioning break you can monitor how many times the specific operation is done. It is also possible to set warning or disable limit for each operation. After the limit is exceeded (either warning or disable), a notification will be sent to all recipients for specific provisioning break configuration. After the disable limit is exceeded for the operation, that operation won't be executed anymore, until administrators manually check the current situation.
It's also possible to create a global provisioning break configuration. This configuration will be applied to all systems. The global configuration is specific for provisioning operation (create, update, delete).
From programmers intuitions we decided that name for provisioning brake will be provisioning break. Break is more a programmer's steady expression than brake.
Usage of the provisioning break from the administrator's point of view is explained in the Admin guide.
All provisioning break logic is in the processor ProvisioningBreakProcessor, this processor controls if the system isn't blocked and etc. (see below). This processor can't be disabled!
After exceeeding the disable limit, the actual operation is put into provisioning queue with the BLOCKED status. Next operations for the system will be directly added into queue with the BLOCKED status.
The operation counter is obtained from a special cache used only for provisioning operations, this cache isn't used for any other logic. This cache is in memory, so after restarting CzechIdM backend, the cache is cleared.
Older records are removed before checking the actual count and limits. New timestamp is added to this cache after every successful provisioning operation. The cache is divided for every system and their provisioning operations.
When the disable limit of the provisioning break configuration is exceeded, the system is marked by one of these boolean flags: createOperation, updateOperation, deleteOperation as true. When the boolean flag is checked, the corresponding operation (create, update or delete) is blocked. These attributes for system are added by the class SysBlockedOperation
, this class is embeddable part of system.