
Automatic roles by attribute

Automatic role by attribute is similar to automatic role by organization structure. Both entities and DTOs share the same parent: IdmAutomaticRole for entities and AbstractIdmAutomaticRoleDto for DTOs. Both parents define the role and name attributes. The name attribute serves only for better readability.

Definition

An automatic role by attribute is represented by two entities (and the corresponding DTOs), IdmAutomaticRoleAttributeDto and IdmAutomaticRoleAttributeRuleDto. They are in a one-to-many (1:M) relation: one automatic role by attribute can have multiple rule definitions.

Automatic role by attribute

An automatic role by attribute (DTO IdmAutomaticRoleAttributeDto) has all the attributes of its parent (AbstractIdmAutomaticRoleDto) plus the attribute concept (see Inconsistent state). The role and name attributes of an automatic role by attribute cannot be updated.

Automatic role by attribute rules

These are the individual rules of an automatic role by attribute. Currently, rules can be combined only with the AND operator.

The value is of type String and its maximum size is 2000 characters. In the DB: value character varying(2000).

Inconsistent state

After a rule is added, deleted or updated, the automatic role by attribute is in an inconsistent state. Inconsistent state means that some users may have this automatic role assigned even though it should be removed, or may not have it even though it should be assigned.

The inconsistent state can be repaired by recalculating the roles for this automatic role. The recalculation is done by the long running task (LRT) ProcessAutomaticRoleByAttributeTaskExecutor, which needs only the id of the automatic role by attribute. The LRT assigns the role to all new users that pass the rules and removes it from all users that no longer pass them.

Recalculation

Recalculation is the process that recalculates an automatic role for all users. Two DB queries retrieve all new users that pass the automatic role by attribute and all users that no longer pass it. Requests are created for these two sets.
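
The two sets described above, modelled in a few lines of Python. This is an added illustration, not CzechIdM code: the Rule class, the attribute names and the sample identities are hypothetical, and equality matching and "no rules matches nobody" are assumptions of the sketch.

```python
from dataclasses import dataclass

MAX_VALUE_LEN = 2000  # rule value is a String stored as character varying(2000)


@dataclass(frozen=True)
class Rule:
    attribute: str  # hypothetical attribute name
    value: str      # compared by equality (assumption of this sketch)

    def __post_init__(self):
        if len(self.value) > MAX_VALUE_LEN:
            raise ValueError("rule value exceeds 2000 characters")


def passes(identity, rules):
    """All rules must match (AND). An empty rule list matches nobody:
    a choice of this sketch, because all([]) would grant the role to everyone."""
    if not rules:
        return False
    return all(identity.get(r.attribute) == r.value for r in rules)


def recalculate(identities, holders, rules):
    """Return (to_assign, to_remove) for one automatic role.

    to_assign: users who pass the rules but do not hold the role yet.
    to_remove: users who hold the role but no longer pass the rules.
    """
    passing = {name for name, attrs in identities.items() if passes(attrs, rules)}
    return passing - holders, holders - passing


# Constructed sample data.
IDENTITIES = {
    "alice": {"department": "finance", "position": "manager"},
    "bob": {"department": "finance", "position": "clerk"},
    "carol": {"department": "it", "position": "manager"},
    "dave": {"department": "it", "position": "clerk"},
}
OLD_RULES = [Rule("department", "finance")]
NEW_RULES = [Rule("department", "it"), Rule("position", "manager")]

if __name__ == "__main__":
    holders = {n for n, a in IDENTITIES.items() if passes(a, OLD_RULES)}
    # Rules changed: until recalculation, alice and bob still hold the role.
    to_assign, to_remove = recalculate(IDENTITIES, holders, NEW_RULES)
    print("assign:", sorted(to_assign), "remove:", sorted(to_remove))
```

Between the rule change and the recalculation, the holders set is exactly the inconsistent state: it still reflects the old rules.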

After save identity or contract values

Two new processors were created for automatic roles by attribute: IdentityAutomaticRoleProcessor and IdentityContractAutomaticRoleProcessor. Both processors catch the UPDATE, CREATE and EAV_SAVE events. After an event is caught, all automatic roles are recalculated only for the identity that is being saved.

After add, remove or update rule

After a rule is updated, deleted or added, the automatic role by attribute is in an inconsistent state (see Inconsistent state). The user who updated, deleted or added the rule is asked in a modal window whether to recalculate immediately.

LRT

The long running task ProcessAutomaticRoleByAttributeTaskExecutor processes the automatic role given in its attribute; the task processes all users.