Menu
▾
▴
Re: [Unity-idm-discuss] Bug in Policy handling
|
From: Roman K. <ro...@un...> - 2024-08-20 09:52:00
|
Hello Sander, After discussion w/ the team, we believe there might be still misunderstanding of how Policy Documents works. Before going into explanations I would like to understand first your thinking in this regard. [Roman] > > As mentioned, if a user had an enquiry already completed, revision [Roman] > > update will not force the user to re-do the enquiry. [Sander] > Ok but the behaviour is not that what I would expect when I have policy [Sander] > management. Could you please add this to the manual. It sounds a bit [Sander] > strange to me that you have an automated update rotine for the first [Sander] > policy revision but not for the later ones. Can you elaborate on what is the expected behavior? And to what automation routine you are referring to? Thank you, Roman wt., 6 sie 2024 o 11:47 Sander Apweiler <sa....@fz...> napisał(a): > Good morning Roman, > so far we use the policies only in registration forms, not on the IdP > level. Since we startet to use groups which have their own policies and > updated the top level, we are using them in enquiries too. > > So far I do not see any reason for not using the IdP level. Are the > information (date/time and Policy version) stored in attributes too? > And in ehich file I need to configure the policies? > > Some other comments to your previous mail are inline. > > > On Tue, 2024-08-06 at 11:18 +0200, Roman Krysiński wrote: > > Good morning Sander, > > > > Last but not least for "the third side effect" you've pointed out - > > would it work for you to configure this policy on IdP level? In such > > a case it wouldn't be even needed to create enquiries each time > > policy revision changes to force users to accept it. > > > > Best regards, > > Roman > > > > wt., 6 sie 2024 o 11:09 Roman Krysiński <ro...@un...> > > napisał(a): > > > Good morning Sander, > > > > > > Let me summarize features around "Policy documents" and I hope that > > > will clarify cases you've pointed out in previous email. > > > > > > Policy documents, that can be defined in "Settings > Policy > > > documents" console view, itself do not bring > > > enforcement capabilities. > > > They can be used in conjunction with registration and enquiry forms > > > as well as on IdP level. > > > * Used on registration form is useful to enforce a specific policy > > > during user creation, and then record this fact in the system (as > > > you pointed out in sys:policy-agreement-state attribute) > > > * When a policy is used at the IdP level (Vaadin-based IdPs contain > > > a “Policy Agreements” tab where this can be configured), the user > > > will be required to see and accept the policy after logging into > > > such an IdP if the current system policy revision does not match > > > the one recorded in the user’s sys:policy-agreement-state > > > attribute. > > > * Policy document can also be used in enquiry, it will be shown > > > there only when current system policy revision does not match the > > > one recorded in the user’s sys:policy-agreement-state attribute. In > > > other words if the user has already accepted the current policy, > > > enquiry will not show it. The fact that the user has completed > > > specific enquiry is recorded in sys:FilledEnquires attribute. > > > > > > Note that changing the policy document revision does not influence > > > on the sys:FilledEnquires, so if e.g. user has completed an enquiry > > > of "User is requested, mandatory" type, which is configured with a > > > policy, that revision has changed, then this enquiry will not be > > > enforced once more. This can be done with new enquiry OR by > > > configuring this in IdP level. > > > > > > > We encountered on Monday the situation where we changed the > > > > revision of a policy from > > > > version 2 to version 3 (no content changes) and the user did not > > > > get > > > > the update enquiry because they had it already at the update to > > > > version 2. > > > As mentioned, if a user had an enquiry already completed, revision > > > update will not force the user to re-do the enquiry. > Ok but the behaviour is not that what I would expect when I have policy > management. Could you please add this to the manual. It sounds a bit > strange to me that you have an automated update rotine for the first > policy revision but not for the later ones. > > > > > > > We also saw that the update enquiry did not set or update the > > > > value > > > > of the sys:policy-agreement-state attribute > > > Can you confirm that the enquiry request in question was accepted? > > > If so, could you please provide more details on how to reproduce > > > the problem? > Yes. I added a screen shot. I also have some accounts, which has only > the sys:FilledEnquieries attribute from the Update enquire but not the > sys:policy-agreeement-state. > > Best regards, > Sander > > > > > > > > (...) a new user account, who agreed the latest version during > > > > the > > > > registration, got an empty enquiry (no checkbox and policy, but > > > > on > > > > cancel and submit buttons) at the first login > > > As noted, the policy is not shown on enquiry form, when the user > > > has already accepted it. > > > I see your point however that this is not the best user experience, > > > and there is room for improvement here. > > > We will think about this use case and a better handling. > > > > > > In addition to the problem reported by Piotr with enquiry we've > > > found three more items to address and targeted for the 4.0.1 patch: > > > * Enquiry logout does not work > > > * Enquiries are not enforced when logging to hope ui > > > * Improve the layout of enquiry buttons > > > > > > Please let me know in case of any further questions. > > > > > > Best regards, > > > Roman > > > > > > > > > śr., 31 lip 2024 o 07:36 Sander Apweiler > > > <sa....@fz...> napisał(a): > > > > Good morning, > > > > > > > > the problems we found were based on unity 3.16.1. We encountered > > > > on > > > > Monday the situation where we changed the revision of a policy > > > > from > > > > version 2 to version 3 (no content changes) and the user did not > > > > get > > > > the update enquiry because they had it already at the update to > > > > version > > > > 2. We also saw that the update enquiry did not set or update the > > > > value > > > > of the sys:policy-agreement-state attribute. And the third side > > > > effect > > > > was that a new user account, who agreed the latest version during > > > > the > > > > registration, got an empty enquiry (no checkbox and policy, but > > > > on > > > > cancel and submit buttons) at the first login. Our plan was to > > > > verify > > > > this on unity 4, before we report those issues. > > > > > > > > Best regards, > > > > Sander > > > > > > > > > > > > On Tue, 2024-07-30 at 15:05 +0200, Piotr Piernik wrote: > > > > > Dear Sander > > > > > Generally If the policy has changed with the revision number > > > > > increase, > > > > > it should appear to users automatically. > > > > > Could you please provide more details in which scenario it > > > > > won't > > > > > work? > > > > > > > > > > > > > > > > > > > > Best regards > > > > > Piotr > > > > > > > > > > W dniu 30.07.2024 o 12:36, Sander Apweiler pisze: > > > > > > Dear Piotr, > > > > > > nice to hear you found the reason. Can you answer my second > > > > > > question as > > > > > > well? We found some issues regarding policies in our 3.16.1 > > > > > > instances > > > > > > and we are not sure if the problems based on our > > > > > > misconfiguration > > > > > > or > > > > > > unity. > > > > > > > > > > > > Best regards, > > > > > > Sander > > > > > > > > > > > > > > > > > > On Tue, 2024-07-30 at 12:20 +0200, Piotr Piernik wrote: > > > > > > > > > > > > > > Dear Sander > > > > > > > We have problem in policy document editor - saves > > > > > > > optional > > > > > > > policy > > > > > > > documents as mandatory and vice versa. > > > > > > > We will fix it in 4.0.1 patch. > > > > > > > > > > > > > > Best regards > > > > > > > Piotr > > > > > > > > > > > > > > > > > > > > > > > > > > > > W dniu 30.07.2024 o 07:13, Sander Apweiler pisze: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Good morning Krzysztof, > > > > > > > > good morning Roman, > > > > > > > > > > > > > > > > we found another bug in unity 4. We created a mandatory > > > > > > > > policy > > > > > > > > (see > > > > > > > > 1st > > > > > > > > screenshot) and added it to the registration form (see > > > > > > > > 2nd > > > > > > > > screenshot). > > > > > > > > This policy should be mandatory but I can register > > > > > > > > without > > > > > > > > confirmation > > > > > > > > of the policy. > > > > > > > > > > > > > > > > Another question regarding policies because I do not > > > > > > > > remember > > > > > > > > and > > > > > > > > the > > > > > > > > manual is not that clear in this point. When I create a > > > > > > > > new > > > > > > > > version > > > > > > > > of > > > > > > > > a policy, is the confirmation of the new version shown to > > > > > > > > all > > > > > > > > users > > > > > > > > or > > > > > > > > do I need to create enquieries manually? > > > > > > > > > > > > > > > > Best regards, > > > > > > > > Sander > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > Unity-idm-discuss mailing list > > > > > > > > Uni...@li... > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss > > > > > > > > > > > > > > > > > > > > > -- > Large-Scale Data Science > Juelich Supercomputing Centre > > phone: +49 2461 61 8847 > fax: +49 2461 61 6656 > email: sa....@fz... > > ----------------------------------------------------------------------- > ----------------------------------------------------------------------- > Forschungszentrum Jülich GmbH > 52425 Jülich > Sitz der Gesellschaft: Jülich > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Stefan Müller > Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), > Karsten Beneke (stellv. Vorsitzender), Prof. Dr. Ir. Pieter Jansens > ----------------------------------------------------------------------- > ----------------------------------------------------------------------- > > > _______________________________________________ > Unity-idm-discuss mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss > |
