From: Sander A. <sa....@fz...> - 2024-08-06 09:47:52
Good morning Roman,

so far we use the policies only in registration forms, not on the IdP
level. Since we started to use groups which have their own policies and
updated the top level, we are using them in enquiries too. So far I do
not see any reason for not using the IdP level. Is the information
(date/time and policy version) stored in attributes too? And in which
file do I need to configure the policies?

Some other comments to your previous mail are inline.

On Tue, 2024-08-06 at 11:18 +0200, Roman Krysiński wrote:
> Good morning Sander,
>
> Last but not least for "the third side effect" you've pointed out -
> would it work for you to configure this policy on IdP level? In such
> a case it wouldn't be even needed to create enquiries each time
> policy revision changes to force users to accept it.
>
> Best regards,
> Roman
>
> On Tue, 6 Aug 2024 at 11:09 Roman Krysiński <ro...@un...> wrote:
> > Good morning Sander,
> >
> > Let me summarize features around "Policy documents" and I hope that
> > will clarify cases you've pointed out in previous email.
> >
> > Policy documents, that can be defined in "Settings > Policy
> > documents" console view, itself do not bring enforcement
> > capabilities.
> > They can be used in conjunction with registration and enquiry forms
> > as well as on IdP level.
> > * Used on registration form is useful to enforce a specific policy
> >   during user creation, and then record this fact in the system (as
> >   you pointed out in sys:policy-agreement-state attribute)
> > * When a policy is used at the IdP level (Vaadin-based IdPs contain
> >   a “Policy Agreements” tab where this can be configured), the user
> >   will be required to see and accept the policy after logging into
> >   such an IdP if the current system policy revision does not match
> >   the one recorded in the user’s sys:policy-agreement-state
> >   attribute.
> > * Policy document can also be used in enquiry, it will be shown
> >   there only when current system policy revision does not match the
> >   one recorded in the user’s sys:policy-agreement-state attribute. In
> >   other words if the user has already accepted the current policy,
> >   enquiry will not show it. The fact that the user has completed
> >   specific enquiry is recorded in sys:FilledEnquires attribute.
> >
> > Note that changing the policy document revision does not influence
> > on the sys:FilledEnquires, so if e.g. user has completed an enquiry
> > of "User is requested, mandatory" type, which is configured with a
> > policy, that revision has changed, then this enquiry will not be
> > enforced once more. This can be done with new enquiry OR by
> > configuring this in IdP level.
> >
> > > We encountered on Monday the situation where we changed the
> > > revision of a policy from version 2 to version 3 (no content
> > > changes) and the user did not get the update enquiry because they
> > > had it already at the update to version 2.
> > As mentioned, if a user had an enquiry already completed, revision
> > update will not force the user to re-do the enquiry.

Ok but the behaviour is not that what I would expect when I have policy
management. Could you please add this to the manual. It sounds a bit
strange to me that you have an automated update routine for the first
policy revision but not for the later ones.

> > > We also saw that the update enquiry did not set or update the
> > > value of the sys:policy-agreement-state attribute
> > Can you confirm that the enquiry request in question was accepted?
> > If so, could you please provide more details on how to reproduce
> > the problem?

Yes. I added a screen shot. I also have some accounts, which have only
the sys:FilledEnquires attribute from the Update enquiry but not the
sys:policy-agreement-state.

Best regards,
Sander

> > > (...) a new user account, who agreed the latest version during
> > > the registration, got an empty enquiry (no checkbox and policy,
> > > but on cancel and submit buttons) at the first login
> > As noted, the policy is not shown on enquiry form, when the user
> > has already accepted it.
> > I see your point however that this is not the best user experience,
> > and there is room for improvement here.
> > We will think about this use case and a better handling.
> >
> > In addition to the problem reported by Piotr with enquiry we've
> > found three more items to address and targeted for the 4.0.1 patch:
> > * Enquiry logout does not work
> > * Enquiries are not enforced when logging to hope ui
> > * Improve the layout of enquiry buttons
> >
> > Please let me know in case of any further questions.
> >
> > Best regards,
> > Roman
> >
> > On Wed, 31 Jul 2024 at 07:36 Sander Apweiler <sa....@fz...> wrote:
> > > Good morning,
> > >
> > > the problems we found were based on unity 3.16.1. We encountered
> > > on Monday the situation where we changed the revision of a policy
> > > from version 2 to version 3 (no content changes) and the user did
> > > not get the update enquiry because they had it already at the
> > > update to version 2. We also saw that the update enquiry did not
> > > set or update the value of the sys:policy-agreement-state
> > > attribute. And the third side effect was that a new user account,
> > > who agreed the latest version during the registration, got an
> > > empty enquiry (no checkbox and policy, but on cancel and submit
> > > buttons) at the first login. Our plan was to verify this on unity
> > > 4, before we report those issues.
> > >
> > > Best regards,
> > > Sander
> > >
> > > On Tue, 2024-07-30 at 15:05 +0200, Piotr Piernik wrote:
> > > > Dear Sander
> > > > Generally If the policy has changed with the revision number
> > > > increase, it should appear to users automatically.
> > > > Could you please provide more details in which scenario it
> > > > won't work?
> > > >
> > > > Best regards
> > > > Piotr
> > > >
> > > > On 30.07.2024 at 12:36, Sander Apweiler wrote:
> > > > > Dear Piotr,
> > > > > nice to hear you found the reason. Can you answer my second
> > > > > question as well? We found some issues regarding policies in
> > > > > our 3.16.1 instances and we are not sure if the problems
> > > > > based on our misconfiguration or unity.
> > > > >
> > > > > Best regards,
> > > > > Sander
> > > > >
> > > > > On Tue, 2024-07-30 at 12:20 +0200, Piotr Piernik wrote:
> > > > > > Dear Sander
> > > > > > We have problem in policy document editor - saves optional
> > > > > > policy documents as mandatory and vice versa.
> > > > > > We will fix it in 4.0.1 patch.
> > > > > >
> > > > > > Best regards
> > > > > > Piotr
> > > > > >
> > > > > > On 30.07.2024 at 07:13, Sander Apweiler wrote:
> > > > > > > Good morning Krzysztof,
> > > > > > > good morning Roman,
> > > > > > >
> > > > > > > we found another bug in unity 4. We created a mandatory
> > > > > > > policy (see 1st screenshot) and added it to the
> > > > > > > registration form (see 2nd screenshot).
> > > > > > > This policy should be mandatory but I can register
> > > > > > > without confirmation of the policy.
> > > > > > >
> > > > > > > Another question regarding policies because I do not
> > > > > > > remember and the manual is not that clear in this point.
> > > > > > > When I create a new version of a policy, is the
> > > > > > > confirmation of the new version shown to all users or do
> > > > > > > I need to create enquiries manually?
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Amtsgericht Düren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Board of Directors: Prof. Dr. Astrid Lambrecht (Chair),
Karsten Beneke (Deputy Chair), Prof. Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
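
The revision rule described in the thread, applied as an audit over account data to find users who never accepted the current policy revision. This is an added example, not part of the original message and not Unity code; the record layout, the policy id "tou", the enquiry name "update-tou" and the function names are assumptions, and only the two attribute names come from the thread.

```python
# Added example: classify accounts by the rules described in the thread.
# The record layout is constructed for illustration; it is NOT Unity's
# storage format. Only the two attribute names are taken from the thread.

CURRENT_REVISION = {"tou": 3}  # constructed: policy id -> current revision

# Constructed sample accounts (one per situation discussed in the thread).
ACCOUNTS = [
    {"name": "alice", "sys:policy-agreement-state": {"tou": 3},
     "sys:FilledEnquires": ["update-tou"]},
    {"name": "bob", "sys:policy-agreement-state": {"tou": 2},
     "sys:FilledEnquires": ["update-tou"]},   # filled enquiry at revision 2
    {"name": "carol", "sys:policy-agreement-state": {},
     "sys:FilledEnquires": ["update-tou"]},   # enquiry filled, no agreement
    {"name": "dave", "sys:policy-agreement-state": {"tou": 3},
     "sys:FilledEnquires": []},               # accepted during registration
]


def pending_policies(account, current=CURRENT_REVISION):
    """Policies whose current revision differs from the recorded one.

    A non-empty result is the condition under which an IdP-level policy
    agreement would prompt the user after login.
    """
    accepted = account.get("sys:policy-agreement-state", {})
    return sorted(p for p, rev in current.items() if accepted.get(p) != rev)


def audit(accounts, enquiry, current=CURRENT_REVISION):
    """Map account name -> (status, pending policy ids)."""
    report = {}
    for acc in accounts:
        pending = pending_policies(acc, current)
        filled = enquiry in acc.get("sys:FilledEnquires", [])
        if pending and filled:
            status = "stale"            # enquiry will not be enforced again
        elif pending:
            status = "enquiry_pending"  # enquiry will show the policy
        elif filled:
            status = "ok"
        else:
            status = "empty_enquiry"    # enquiry shown with nothing to accept
        report[acc["name"]] = (status, pending)
    return report


if __name__ == "__main__":
    for name, (status, pending) in audit(ACCOUNTS, "update-tou").items():
        print(f"{name:6} {status:16} pending={pending}")
```

Accounts reported as "stale" are the ones that need either a new enquiry or the IdP-level policy agreement to be brought onto the current revision.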