  1. OpenIDM
  2. OPENIDM-17092

Conditional grants processing differently for grantor vs. grantee operations


Details

    • 2021.Fall

    Description

      Currently, when a vertex is created or updated, grantor operations create two distinct edges for a direct grant where the grantee also meets the condition: one with _refProperties for the direct grant, and one with _refProperties that include "_grantType" : "conditional" for the conditional grant.

      If you perform similar operations from the grantee vertex, only 1 edge is created, for the direct relationship. If the condition is instead met some time later, the direct grant remains and the conditional grant is not created.

      Example scenarios:

      Expected behavior with grantor operation: directly assigned role. When the condition is changed on the role vertex to match the user, 2 edges exist.
      1. Given:
        • A user
        • A role with a condition that the user does not meet
      2. Do:
        • Direct assign the role to the user
        • Change the condition on the role to match the user
      3. Observe 2 "roles" <-> "members" edges
      Misaligned behavior with grantee operation: directly assigned role. When a value is changed on the user vertex to match the condition, only 1 edge exists.
      1. Given:
        • A user
        • A role with a condition that the user does not meet
      2. Do:
        • Direct assign the role to the user
        • Change a value on the user to match the condition
      3. Observe only 1 "roles" <-> "members" edge for the direct grant
      Expected behavior with grantor operation: when a new role is created with a condition, and "members" are directly assigned in the request content with a member that also meets the new role's condition, 2 edges exist.
      1. Given:
        • A user
      2. Do:
        • Create a new role with a condition that matches the user and with "members" : [{"_ref" : "managed/user/<userId>"}] in the request content.
      3. Observe 2 "roles" <-> "members" edges
      Misaligned behavior with grantee operation: when a new user is created with a value that matches a role condition, and "roles" are directly assigned in the request content with a role whose condition matches the user, only 1 edge exists.
      1. Given:
        • A role with a condition
      2. Do:
        • Create a new user with a value that matches the role condition and with "roles" : [{"_ref" : "managed/role/<roleId>"}] in the request content.
      3. Observe only 1 "roles" <-> "members" edge for the direct grant
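
      The four scenarios above reduce to one check on the edges read back from a role's "members" relationship: every user who meets the role's condition should have an edge carrying "_grantType" : "conditional", whether or not a direct edge also exists. The sketch below is an added example, not OpenIDM or ForgeRock code; the function names, the sample users and edges, and the Python callable standing in for the role condition are assumptions made for illustration.

```python
# Added example, not OpenIDM code. Edge shape follows the ticket: each edge has
# "_ref" and "_refProperties"; a conditional grant carries
# "_grantType": "conditional". All sample data below is constructed.

def grant_types(edges):
    """Map each referenced object to the set of grant types on its edges."""
    seen = {}
    for edge in edges:
        props = edge.get("_refProperties") or {}
        # Any edge not marked conditional is treated as a direct grant.
        kind = "conditional" if props.get("_grantType") == "conditional" else "direct"
        seen.setdefault(edge["_ref"], set()).add(kind)
    return seen

def misaligned_grants(role_members, users, condition):
    """Return {user ref: reason} where edges differ from the grantor-side result.

    role_members: edges read from the role's "members" relationship
    users:        {ref: user object} for every user to check
    condition:    callable standing in for the role's condition (assumption)
    """
    found = grant_types(role_members)
    problems = {}
    for ref, user in users.items():
        kinds = found.get(ref, set())
        meets = condition(user)
        if meets and "conditional" not in kinds:
            problems[ref] = "meets condition, no conditional edge"
        elif not meets and "conditional" in kinds:
            problems[ref] = "conditional edge, condition not met"
    return problems

# Constructed users and a constructed condition ("department" equals "eng").
USERS = {
    "managed/user/u1": {"userName": "alice", "department": "eng"},
    "managed/user/u2": {"userName": "bob", "department": "eng"},
    "managed/user/u3": {"userName": "carol", "department": "sales"},
}
def in_eng(user):
    return user.get("department") == "eng"

# u1: grantor-side outcome (2 edges). u2: grantee-side outcome from the ticket
# (direct edge only). u3: direct grant, condition not met, so 1 edge is correct.
MEMBERS = [
    {"_ref": "managed/user/u1", "_refProperties": {}},
    {"_ref": "managed/user/u1", "_refProperties": {"_grantType": "conditional"}},
    {"_ref": "managed/user/u2", "_refProperties": {}},
    {"_ref": "managed/user/u3", "_refProperties": {}},
]
```

      Run against these constructed edges, `misaligned_grants(MEMBERS, USERS, in_eng)` flags only `managed/user/u2`, the grantee-side case described in the ticket.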

      Acceptance Criteria:

        • Code changes made to correct the misaligned behavior for the grantee processing
        • Current functional tests pass
        • Pyforge tests written to verify that the grantee relationship results are aligned with the grantor relationship results

          People

            katie.gonzalez Katie Gonzalez