From: Roman K. <ro...@un...> - 2024-10-28 09:00:22
Hello Sander,

Thank you for clarifying this, I see your point. I believe that if Unity were more flexible with policy enforcement at the IdP level—such as allowing the configuration of specific policy enforcement for particular groups—the automation you envision might not be necessary. Is this an accurate assessment?

This is something we recognize as a potential enhancement, though we currently have no plans for it in our roadmap.

Thank you,
Roman

On Wed, 25 Sep 2024 at 11:57, Sander Apweiler <sa....@fz...> wrote:
> Hello Roman,
> I'm very sorry for the very long delay.
>
> If unity does automated management of the policy, I would expect that a new version, creates an enquiry, which is attached to all users, who filled up the policy so far, e.g. by adding them to a group. I would expect this for all versions and not only for the first update. I would also expect that the "sys:policy-agreement-state" attribute is updated.
>
> If there is also no automated way for this, which would be also fine, this needs to be written clearly in the manual and administrators must create the enquiry after policy updates by themselves.
>
> Please let me know if something is unclear.
>
> Best regards,
> Sander
>
> On Tue, 2024-08-20 at 11:51 +0200, Roman Krysiński wrote:
> > Hello Sander,
> >
> > After discussion w/ the team, we believe there might be still misunderstanding of how Policy Documents work. Before going into explanations I would like to understand first your thinking in this regard.
> >
> > [Roman] > > As mentioned, if a user had an enquiry already completed, revision update will not force the user to re-do the enquiry.
> > [Sander] > Ok but the behaviour is not that what I would expect when I have policy management. Could you please add this to the manual. It sounds a bit strange to me that you have an automated update routine for the first policy revision but not for the later ones.
> >
> > Can you elaborate on what is the expected behavior?
> > And to what automation routine you are referring to?
> >
> > Thank you,
> > Roman
> >
> > On Tue, 6 Aug 2024 at 11:47, Sander Apweiler <sa....@fz...> wrote:
> > > Good morning Roman,
> > > so far we use the policies only in registration forms, not on the IdP level. Since we started to use groups which have their own policies and updated the top level, we are using them in enquiries too.
> > >
> > > So far I do not see any reason for not using the IdP level. Are the information (date/time and Policy version) stored in attributes too? And in which file I need to configure the policies?
> > >
> > > Some other comments to your previous mail are inline.
> > >
> > > On Tue, 2024-08-06 at 11:18 +0200, Roman Krysiński wrote:
> > > > Good morning Sander,
> > > >
> > > > Last but not least for "the third side effect" you've pointed out - would it work for you to configure this policy on IdP level? In such a case it wouldn't be even needed to create enquiries each time policy revision changes to force users to accept it.
> > > >
> > > > Best regards,
> > > > Roman
> > > >
> > > > On Tue, 6 Aug 2024 at 11:09, Roman Krysiński <ro...@un...> wrote:
> > > > > Good morning Sander,
> > > > >
> > > > > Let me summarize features around "Policy documents" and I hope that will clarify cases you've pointed out in previous email.
> > > > >
> > > > > Policy documents, that can be defined in "Settings > Policy documents" console view, itself do not bring enforcement capabilities. They can be used in conjunction with registration and enquiry forms as well as on IdP level.
> > > > > * Used on registration form is useful to enforce a specific policy during user creation, and then record this fact in the system (as you pointed out in sys:policy-agreement-state attribute)
> > > > > * When a policy is used at the IdP level (Vaadin-based IdPs contain a “Policy Agreements” tab where this can be configured), the user will be required to see and accept the policy after logging into such an IdP if the current system policy revision does not match the one recorded in the user’s sys:policy-agreement-state attribute.
> > > > > * Policy document can also be used in enquiry, it will be shown there only when current system policy revision does not match the one recorded in the user’s sys:policy-agreement-state attribute. In other words if the user has already accepted the current policy, enquiry will not show it. The fact that the user has completed specific enquiry is recorded in sys:FilledEnquires attribute.
> > > > >
> > > > > Note that changing the policy document revision does not influence on the sys:FilledEnquires, so if e.g. user has completed an enquiry of "User is requested, mandatory" type, which is configured with a policy, that revision has changed, then this enquiry will not be enforced once more. This can be done with new enquiry OR by configuring this in IdP level.
> > > > >
> > > > > > We encountered on Monday the situation where we changed the revision of a policy from version 2 to version 3 (no content changes) and the user did not get the update enquiry because they had it already at the update to version 2.
> > > > > As mentioned, if a user had an enquiry already completed, revision update will not force the user to re-do the enquiry.
> > > Ok but the behaviour is not that what I would expect when I have policy management. Could you please add this to the manual. It sounds a bit strange to me that you have an automated update routine for the first policy revision but not for the later ones.
> > >
> > > > > > We also saw that the update enquiry did not set or update the value of the sys:policy-agreement-state attribute
> > > > > Can you confirm that the enquiry request in question was accepted? If so, could you please provide more details on how to reproduce the problem?
> > > Yes. I added a screen shot. I also have some accounts, which have only the sys:FilledEnquires attribute from the Update enquiry but not the sys:policy-agreement-state.
> > >
> > > Best regards,
> > > Sander
> > >
> > > > > > (...) a new user account, who agreed the latest version during the registration, got an empty enquiry (no checkbox and policy, but on cancel and submit buttons) at the first login
> > > > > As noted, the policy is not shown on enquiry form, when the user has already accepted it. I see your point however that this is not the best user experience, and there is room for improvement here. We will think about this use case and a better handling.
> > > > >
> > > > > In addition to the problem reported by Piotr with enquiry we've found three more items to address and targeted for the 4.0.1 patch:
> > > > > * Enquiry logout does not work
> > > > > * Enquiries are not enforced when logging to home UI
> > > > > * Improve the layout of enquiry buttons
> > > > >
> > > > > Please let me know in case of any further questions.
> > > > >
> > > > > Best regards,
> > > > > Roman
> > > > >
> > > > > On Wed, 31 Jul 2024 at 07:36, Sander Apweiler <sa....@fz...> wrote:
> > > > > > Good morning,
> > > > > >
> > > > > > the problems we found were based on unity 3.16.1. We encountered on Monday the situation where we changed the revision of a policy from version 2 to version 3 (no content changes) and the user did not get the update enquiry because they had it already at the update to version 2. We also saw that the update enquiry did not set or update the value of the sys:policy-agreement-state attribute. And the third side effect was that a new user account, who agreed the latest version during the registration, got an empty enquiry (no checkbox and policy, but on cancel and submit buttons) at the first login. Our plan was to verify this on unity 4, before we report those issues.
> > > > > >
> > > > > > Best regards,
> > > > > > Sander
> > > > > >
> > > > > > On Tue, 2024-07-30 at 15:05 +0200, Piotr Piernik wrote:
> > > > > > > Dear Sander
> > > > > > > Generally If the policy has changed with the revision number increase, it should appear to users automatically.
> > > > > > > Could you please provide more details in which scenario it won't work?
> > > > > > >
> > > > > > > Best regards
> > > > > > > Piotr
> > > > > > >
> > > > > > > On 30.07.2024 at 12:36, Sander Apweiler wrote:
> > > > > > > > Dear Piotr,
> > > > > > > > nice to hear you found the reason. Can you answer my second question as well? We found some issues regarding policies in our 3.16.1 instances and we are not sure if the problems based on our misconfiguration or unity.
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > > Sander
> > > > > > > >
> > > > > > > > On Tue, 2024-07-30 at 12:20 +0200, Piotr Piernik wrote:
> > > > > > > > > Dear Sander
> > > > > > > > > We have problem in policy document editor - saves optional policy documents as mandatory and vice versa.
> > > > > > > > > We will fix it in 4.0.1 patch.
> > > > > > > > >
> > > > > > > > > Best regards
> > > > > > > > > Piotr
> > > > > > > > >
> > > > > > > > > On 30.07.2024 at 07:13, Sander Apweiler wrote:
> > > > > > > > > > Good morning Krzysztof,
> > > > > > > > > > good morning Roman,
> > > > > > > > > >
> > > > > > > > > > we found another bug in unity 4. We created a mandatory policy (see 1st screenshot) and added it to the registration form (see 2nd screenshot). This policy should be mandatory but I can register without confirmation of the policy.
> > > > > > > > > >
> > > > > > > > > > Another question regarding policies because I do not remember and the manual is not that clear in this point. When I create a new version of a policy, is the confirmation of the new version shown to all users or do I need to create enquiries manually?
> > > > > > > > > >
> > > > > > > > > > Best regards,
> > > > > > > > > > Sander
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Unity-idm-discuss mailing list
> > > > > > > > > > Uni...@li...
> > > > > > > > > > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> Forschungszentrum Jülich GmbH
> 52425 Jülich
> Registered office: Jülich
> Registered in the commercial register of the Düren district court, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Management Board: Prof. Dr. Astrid Lambrecht (Chair),
> Karsten Beneke (Deputy Chair), Prof. Dr. Ir. Pieter Jansens
> -----------------------------------------------------------------------
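The enforcement rules summarised in the thread above, written out as a small model (an added example, not part of the original messages and not Unity IdM code). The class and function names, the per-policy revision map standing in for sys:policy-agreement-state, and the sample accounts are assumptions made for illustration.

```python
# Added model of the rules described in the thread; not Unity IdM code.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    # policy id -> accepted revision; simplified stand-in for sys:policy-agreement-state
    agreed: dict = field(default_factory=dict)
    # names of completed enquiries; simplified stand-in for sys:FilledEnquires
    filled: set = field(default_factory=set)

def needs_agreement(user, policy, current_rev):
    """True when the recorded revision differs from the current one.
    This is the test applied at IdP level and when rendering an enquiry."""
    return user.agreed.get(policy) != current_rev

def enquiry_enforced(user, enquiry):
    """A mandatory enquiry is enforced only until it has been filled once;
    a policy revision change does not reset this."""
    return enquiry not in user.filled

def audit(users, policy, current_rev, enquiry):
    """Classify users for one policy that is attached to one enquiry."""
    report = {}
    for u in users:
        stale = needs_agreement(u, policy, current_rev)
        enforced = enquiry_enforced(u, enquiry)
        if stale and not enforced:
            report[u.name] = "stale-not-reprompted"  # new enquiry or IdP-level policy needed
        elif stale:
            report[u.name] = "prompted-by-enquiry"
        elif enforced:
            report[u.name] = "empty-enquiry"  # form appears without the policy
        else:
            report[u.name] = "up-to-date"
    return report

# Constructed sample accounts (hypothetical names and values).
USERS = [
    User("alice", {"tos": 2}, {"update-enquiry"}),  # accepted rev 2 via the enquiry
    User("bob", {"tos": 3}, set()),                 # accepted rev 3 at registration
    User("carol", {"tos": 1}, set()),               # never saw the enquiry
    User("dave", {"tos": 3}, {"update-enquiry"}),
]

if __name__ == "__main__":
    for name, state in audit(USERS, "tos", 3, "update-enquiry").items():
        print(f"{name}: {state}")
```

Accounts reported as "stale-not-reprompted" correspond to the version 2 to version 3 case from the thread; `needs_agreement` alone shows that an IdP-level policy would still prompt them.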