OS2sandbox / sandbox-myndighedsidentitet-issues

Sandbox issuetracker for an OS2 configured IdP and SSO provider Authentik
https://goauthentik.io/
Creative Commons Zero v1.0 Universal

Send organizational changes in FK ORG to Kitos #76

Open miphilin opened 6 days ago

miphilin commented 6 days ago

I have split this story into two scopes.

Scope 1

Story 1

As a KITOS LOCAL ADMIN I want to receive a notification when a user (municipality employee) changes location in the FK ORG organization, so that I can decide whether the user's business role(s) and organizational roles should be maintained or reassigned to another user.

Case 1

When a Kitos municipality is connected to FK ORG and a change occurs in FK ORG, the Local admin should receive a message.

"This user has changed from unit xxx to unit xxx, should the person?":

  1. Keep user's business roles (system roles, contract roles, data processor roles)?

  2. Transfer user's business roles (system roles, contract roles, data processor roles) to another user in the municipality?

  3. Maintain user's organizational role

  4. Transfer user's organizational role to another user in the municipality

Scope 2

Story 2

As a KITOS LOCAL ADMIN I want to receive a notification when a current Kitos user with Kitos business role(s) changes department in FK ORG, so a decision can be made as to whether the responsible organizational unit on a system must be changed.

Case 2

A user changes department from Digital Solutions. The department he switches to, for example, Strategy and Management, must then take over responsibility for the number of systems that the unit he switched from has registered in Kitos. (Systems → Organization → Responsible org. unit + relevant org. units)

Answer options:

Jira link: https://os2web.atlassian.net/browse/KITOSUDV-5326

miphilin commented 6 days ago

relates to https://github.com/OS2sandbox/sandbox-myndighedsidentitet-issues/issues/70 @janhalen

janhalen commented 6 days ago

Currently there is no built-in service in Authentik/OS2ID that contacts the separate organization service fk.org and pulls down organizational metadata.

It could maybe be possible via SCIM https://docs.goauthentik.io/docs/providers/scim/ , but no research has been put into the fk.org endpoint, so a separate PoC should be made before it is decided whether all the use cases can be covered in a secure way.

That being said, if the user is made inactive or removed from fk.adg, login rights are also revoked in OS2ID.