Menu
▾
▴
Re: [Unity-idm-discuss] Bug in Policy handling
|
From: Roman K. <ro...@un...> - 2024-08-06 09:10:06
|
Good morning Sander, Let me summarize features around "Policy documents" and I hope that will clarify cases you've pointed out in previous email. Policy documents, that can be defined in "Settings > Policy documents" console view, itself do not bring enforcement capabilities. They can be used in conjunction with registration and enquiry forms as well as on IdP level. * Used on registration form is useful to enforce a specific policy during user creation, and then record this fact in the system (as you pointed out in sys:policy-agreement-state attribute) * When a policy is used at the IdP level (Vaadin-based IdPs contain a “Policy Agreements” tab where this can be configured), the user will be required to see and accept the policy after logging into such an IdP if the current system policy revision does not match the one recorded in the user’s sys:policy-agreement-state attribute. * Policy document can also be used in enquiry, it will be shown there only when current system policy revision does not match the one recorded in the user’s sys:policy-agreement-state attribute. In other words if the user has already accepted the current policy, enquiry will not show it. The fact that the user has completed specific enquiry is recorded in sys:FilledEnquires attribute. Note that changing the policy document revision does not influence on the sys:FilledEnquires, so if e.g. user has completed an enquiry of "User is requested, mandatory" type, which is configured with a policy, that revision has changed, then this enquiry will not be enforced once more. This can be done with new enquiry OR by configuring this in IdP level. > We encountered on Monday the situation where we changed the revision of a policy from > version 2 to version 3 (no content changes) and the user did not get > the update enquiry because they had it already at the update to version 2. As mentioned, if a user had an enquiry already completed, revision update will not force the user to re-do the enquiry. > We also saw that the update enquiry did not set or update the value > of the sys:policy-agreement-state attribute Can you confirm that the enquiry request in question was accepted? If so, could you please provide more details on how to reproduce the problem? > (...) a new user account, who agreed the latest version during the > registration, got an empty enquiry (no checkbox and policy, but on > cancel and submit buttons) at the first login As noted, the policy is not shown on enquiry form, when the user has already accepted it. I see your point however that this is not the best user experience, and there is room for improvement here. We will think about this use case and a better handling. In addition to the problem reported by Piotr with enquiry we've found three more items to address and targeted for the 4.0.1 patch: * Enquiry logout does not work * Enquiries are not enforced when logging to hope ui * Improve the layout of enquiry buttons Please let me know in case of any further questions. Best regards, Roman śr., 31 lip 2024 o 07:36 Sander Apweiler <sa....@fz...> napisał(a): > Good morning, > > the problems we found were based on unity 3.16.1. We encountered on > Monday the situation where we changed the revision of a policy from > version 2 to version 3 (no content changes) and the user did not get > the update enquiry because they had it already at the update to version > 2. We also saw that the update enquiry did not set or update the value > of the sys:policy-agreement-state attribute. And the third side effect > was that a new user account, who agreed the latest version during the > registration, got an empty enquiry (no checkbox and policy, but on > cancel and submit buttons) at the first login. Our plan was to verify > this on unity 4, before we report those issues. > > Best regards, > Sander > > > On Tue, 2024-07-30 at 15:05 +0200, Piotr Piernik wrote: > > Dear Sander > > Generally If the policy has changed with the revision number > > increase, > > it should appear to users automatically. > > Could you please provide more details in which scenario it won't > > work? > > > > > > > > Best regards > > Piotr > > > > W dniu 30.07.2024 o 12:36, Sander Apweiler pisze: > > > Dear Piotr, > > > nice to hear you found the reason. Can you answer my second > > > question as > > > well? We found some issues regarding policies in our 3.16.1 > > > instances > > > and we are not sure if the problems based on our misconfiguration > > > or > > > unity. > > > > > > Best regards, > > > Sander > > > > > > > > > On Tue, 2024-07-30 at 12:20 +0200, Piotr Piernik wrote: > > > > > > > > Dear Sander > > > > We have problem in policy document editor - saves optional > > > > policy > > > > documents as mandatory and vice versa. > > > > We will fix it in 4.0.1 patch. > > > > > > > > Best regards > > > > Piotr > > > > > > > > > > > > > > > > W dniu 30.07.2024 o 07:13, Sander Apweiler pisze: > > > > > > > > > > > > > > > > > > Good morning Krzysztof, > > > > > good morning Roman, > > > > > > > > > > we found another bug in unity 4. We created a mandatory policy > > > > > (see > > > > > 1st > > > > > screenshot) and added it to the registration form (see 2nd > > > > > screenshot). > > > > > This policy should be mandatory but I can register without > > > > > confirmation > > > > > of the policy. > > > > > > > > > > Another question regarding policies because I do not remember > > > > > and > > > > > the > > > > > manual is not that clear in this point. When I create a new > > > > > version > > > > > of > > > > > a policy, is the confirmation of the new version shown to all > > > > > users > > > > > or > > > > > do I need to create enquieries manually? > > > > > > > > > > Best regards, > > > > > Sander > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > Unity-idm-discuss mailing list > > > > > Uni...@li... > > > > > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss > > > > > > > > > > > -- > Large-Scale Data Science > Juelich Supercomputing Centre > > phone: +49 2461 61 8847 > fax: +49 2461 61 6656 > email: sa....@fz... > > ----------------------------------------------------------------------- > ----------------------------------------------------------------------- > Forschungszentrum Jülich GmbH > 52425 Jülich > Sitz der Gesellschaft: Jülich > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Stefan Müller > Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), > Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Ir. Pieter Jansens > ----------------------------------------------------------------------- > ----------------------------------------------------------------------- > > > _______________________________________________ > Unity-idm-discuss mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss > |
