TheAlphaSchoolSystemPTYLTD / IdM

Identity Management API

SetKioskUserRoles and AddKioskUserRoles do not set/add roles for/to users if that user does not already have a security role. #20

Open redtrinity opened 8 months ago

redtrinity commented 8 months ago

Hi,

When using the TASS IdM APIs (specifically the SetKioskUserRoles and/or AddKioskUserRoles endpoints) to set or add permissions, we are seeing both endpoints returning a 'user_code(xxxxxxx) not in any group yet' error.

See sample output below:

    Current roles for user '0000xxx'
    {'KioskUserRoles': [],
     '__forms': {'user_code': {'required': True}},
     '__invalid': {'user_code': 'user_code(0000xxx) not in any group'},
     '__locks': {},
     '__status': 'invalid',
     '__tassversion': '01.059.02.201',
     'token': {'timestamp': "{ts '2024-03-06 08:20:49'}", 'user_code': '0000xxx'}}

    attempting to use 'AddKioskUserRoles' for user='0000xxx'
    {'__forms': {'roles': {'required': True}, 'user_code': {'required': True}},
     '__invalid': {'user_code': 'user_code(0000xxx) invalid'},
     '__locks': {},
     '__status': 'invalid',
     '__tassversion': '01.059.02.201',
     'token': {'roles': 'NTS001',
               'timestamp': "{ts '2024-03-06 08:20:49'}",
               'user_code': '0000xxx'}}
    attempting to use 'SetKioskUserRoles' for user='0000xxx'
    {'__forms': {'roles': {'required': True}, 'user_code': {'required': True}},
     '__invalid': {'user_code': 'user_code(0000xxx) not in any group yet'},
     '__locks': {},
     '__status': 'invalid',
     '__tassversion': '01.059.02.201',
     'token': {'roles': 'NTS001',
               'timestamp': "{ts '2024-03-06 08:20:49'}",
               'user_code': '0000xxx'}}

The employee (0000xxx) does not have any security roles assigned because we’re relying on using the IdM API to automatically sort out adding relevant security roles for new/current employees as part of a nightly account management sync process.

If we manually add a security role to the relevant employee, both APIs perform their respective action and either add or set the security roles as supplied in the API call.

The expected outcome is that either of these endpoints will perform the respective action on the provided user even if the user does not have existing roles.

References CS-232020.

redtrinity commented 8 months ago

After further digging, it seems that for this specific circumstance, the employee record in question was:

It seems the error message in this specific circumstance is a red herring.

leonseremelis-tass commented 7 months ago

Looking at the logic behind the SetKioskUserRoles and AddKioskUserRoles endpoints, the key to determining whether a user_code is invalid is whether that user_code matches the teacher's "Teacher Code" in TASS (for teaching staff) or their 'Employee Code' for non-teaching staff.

The email address isn't specifically used by the SetKioskUserRoles or AddKioskUserRoles endpoints but perhaps you require it being present in your sync processes as a key between TASS and your other systems?

Let me know if there is anything else I can do to investigate this further for you.

redtrinity commented 7 months ago

Hey Leon, thanks for that info. That's quite odd, as when we do the API calls we're very careful to ensure we use the TASS emp_code for non-teaching staff (that is, employees with no teacher record) and the tch_code for staff that do have teacher records.

If/when I have further time to do more testing I'll update with the test process and results.

leonseremelis-tass commented 7 months ago

One further note, there are a few combinations of teachers/employees that might affect the logic. So in your testing take note of the user's teacher/employee combinations as we'll be able to analyse what is happening in more detail. i.e. Current Teacher & Current Employee, Current Teacher & Non-Current Employee, Non-Teaching & Current Employee, etc.
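Added example (not part of this issue thread and not the IdM project's own code): a small client-side helper that (1) parses responses shaped like the sample output in the first post, separating the "not in any group yet" case from a plain "invalid" user_code so the nightly sync can log it instead of silently skipping the account, and (2) applies the user_code rule from Leon's and redtrinity's comments (tch_code for staff with a teacher record, emp_code otherwise) while recording the teacher/employee combination Leon asked for. The response dicts are constructed from the thread's output; the assumption that a non-invalid response carries a `__status` other than 'invalid' with an empty `__invalid` map is mine, and the `StaffRecord` fields are hypothetical names, not TASS API fields.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample responses, copied in shape from the thread's sample output.
RESP_NOT_IN_GROUP = {
    '__forms': {'roles': {'required': True}, 'user_code': {'required': True}},
    '__invalid': {'user_code': 'user_code(0000xxx) not in any group yet'},
    '__locks': {},
    '__status': 'invalid',
    '__tassversion': '01.059.02.201',
    'token': {'roles': 'NTS001',
              'timestamp': "{ts '2024-03-06 08:20:49'}",
              'user_code': '0000xxx'},
}
RESP_INVALID = {
    '__forms': {'roles': {'required': True}, 'user_code': {'required': True}},
    '__invalid': {'user_code': 'user_code(0000xxx) invalid'},
    '__locks': {},
    '__status': 'invalid',
    '__tassversion': '01.059.02.201',
    'token': {'roles': 'NTS001',
              'timestamp': "{ts '2024-03-06 08:20:49'}",
              'user_code': '0000xxx'},
}
# Assumed (not shown in the thread): a non-invalid response has no __invalid entries.
RESP_OK_ASSUMED = {'__invalid': {}, '__status': 'ok', '__tassversion': '01.059.02.201'}


def classify_response(resp: dict) -> Tuple[str, Dict[str, str]]:
    """Map an IdM response dict to one of 'ok', 'no_existing_roles', 'invalid'.

    'no_existing_roles' is the symptom reported in this issue: the user_code is
    known, but the user has no security role yet, so Set/AddKioskUserRoles refuse.
    """
    problems = resp.get('__invalid') or {}
    if resp.get('__status') != 'invalid' and not problems:
        return 'ok', {}
    if 'not in any group' in problems.get('user_code', ''):
        return 'no_existing_roles', problems
    return 'invalid', problems


@dataclass
class StaffRecord:
    # Hypothetical field names for a record pulled from TASS during the sync.
    emp_code: str
    tch_code: Optional[str]      # None when the employee has no teacher record
    current_employee: bool
    current_teacher: bool

    def user_code(self) -> str:
        """Per the thread: tch_code for staff with a teacher record, else emp_code."""
        return self.tch_code if self.tch_code else self.emp_code

    def combination(self) -> str:
        """Teacher/employee combination, as requested for troubleshooting."""
        teacher = ('Current Teacher' if self.current_teacher else 'Non-Current Teacher') \
            if self.tch_code else 'Non-Teaching'
        employee = 'Current Employee' if self.current_employee else 'Non-Current Employee'
        return f'{teacher} & {employee}'


def triage(records: List[StaffRecord], responses: Dict[str, dict]) -> List[Dict[str, str]]:
    """Join each sync target with the response its call produced and keep the
    accounts that need manual follow-up, with the detail the vendor asked for.
    `responses` is keyed by the user_code that was sent."""
    follow_up = []
    for rec in records:
        code = rec.user_code()
        outcome, problems = classify_response(responses.get(code, RESP_INVALID))
        if outcome != 'ok':
            follow_up.append({'user_code': code, 'outcome': outcome,
                              'combination': rec.combination(),
                              'message': problems.get('user_code', '')})
    return follow_up


if __name__ == '__main__':
    recs = [StaffRecord('0000xxx', None, True, False),
            StaffRecord('E0002', 'T0002', True, True)]
    for row in triage(recs, {'0000xxx': RESP_NOT_IN_GROUP, 'T0002': RESP_OK_ASSUMED}):
        print(row)
```

Keeping the 'no_existing_roles' outcome distinct from 'invalid' matters for the nightly sync: the first means a real employee was left without the intended roles (a silent privilege gap on an account that exists), while the second points at the user_code choice redtrinity and Leon discuss.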