Versions Compared

Old Version 3

changes.mady.by.user Silvan Grüter

Saved on

compared with

New Version Current

changes.mady.by.user Silvan Grüter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Known Issue(s)

  • Resource assignments stay in the state Delete Pending when another role assigns the same resource but with a different context or a different role is assigned to the Core Identity that contains a deny for this resource.

CoreOne Authentication Services

Features

...

Bugfixes

  • The feedback message for was missing when a black listed password was not indicative enough, the message has been improved.password is on the black list

CoreOne Application Services

Features

  • New API endpoint: Get-user-rights-log. This new endpoint can help in diagnosing problems with user permission as it retrieves all the rights of a user and groups them by roles. Documentation can be found here: User rights API-Endpoint

  • New security role: CoreOne Suite Personal Data. This role gives you access to view and edit your own core identity. Together with the CoreOne Suite Basic Access role, you can use this to give a user access to the Self-Service Portal to edit his own personal data.

Bug fixes

  • Potential breaking change: A bug was fixed which allowed you to edit your core identity even if you didn’t explicitly had those rights. Please check on existing systems if this fix restricts the ability to edit your own core identity on the Self-Service Portal. In this case you need to add the CoreOne Suite Personal Data role (see Features above)

  • Some legacy oData API methods like Users/GetByDisplayName and /SimpleUsers/GetUsersByRoleClaimNames(roleClaimNames=['82af670e5d254a4b891e0ecda552d3b3']) did no longer work properly.

  • The UserDeleteAccountRequested event did not trigger the mail notification correctly.

  • Nested role assignments where not persisted correctly if the same role was inherited over multiple paths. This only occurred in complex role nesting. This will lead to the creation of missing nested role assignments after the update. Note: The resulting roles and resources where were always correct, only some of the alternative nested roles assignments where were missing.

CoreOne System Connectors

...

  • The superior field in the WIKO connector was not handled correctly, this has been fixed.

  • Fixed a potential NullReferenceException regarding the refUser in the WIKO connector

CoreOne Workflow Engine

Bug fixes

  • Potential breaking change: The workflow activity “ConvertObjectToXml” now returns datetimes in the ISO 8601 format. Could break something if this date was parsed previously based on the old format.

Database

  • Breaking change: SQL-Statement, das nach Update ausgeführt werden muss:

Expand
titleSQL-Statement
Code Block
languagesql
delimiter $$
CREATE PROCEDURE AddPersonalSecurityRole()
BEGIN

  IF NOT(SELECT EXISTS(SELECT 1 FROM security_role WHERE id = '73204777-4330-4BD1-8BC7-58F39B18D423')) THEN

    INSERT INTO security_role (id,name,tenant_id)
    	VALUES ('73204777-4330-4BD1-8BC7-58F39B18D423','CoreOne Suite Personal Data',1);

    INSERT INTO servicecorelogin_role_claim (name,application_id) VALUES
    	 ('1:73204777-4330-4BD1-8BC7-58F39B18D423',1);
    SET @roleClaimId = LAST_INSERT_ID();

    INSERT INTO servicedmcore_resource (readonly_display_name,description,resource_type_id,resource_group_id,resource_identifier,owner_group_id,delete_pending,assign_workflow,deallocate_workflow,is_provisioned,foreign_id,owner_id,deprovisioned_date) VALUES
    	 ('CoreOne Suite Personal Data','CoreOne Suite Personal Data',1,NULL,@roleClaimId,0,0,NULL,NULL,1,NULL,NULL,NULL);
    SET @resourceId = LAST_INSERT_ID();

    INSERT INTO servicedmcore_resource_attribute_value (resource_id,attribute_id,serialized_value,explizit_serialized_value,has_changed,to_delete,display_name,readonly_used_value) VALUES
    	 (@resourceId,177,'<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">CoreOne Suite Personal Data</string>',NULL,1,0,NULL,'CoreOne Suite Personal Data');

    SELECT `id` INTO @entityTypeId FROM security_entity_type x
    WHERE assembly_qualified_name = 'iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.ICoreIdentity, iTsense.Moving.Backend.Services.DmcoreService';

    INSERT INTO security_right (entity_type_id,role_id,filter_definition,security_mode) VALUES
    	 (@entityTypeId,'73204777-4330-4BD1-8BC7-58F39B18D423','{
            "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericMyCoreIdentityFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.ICoreIdentity, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
            "PropertyChain": {
              "$type": "System.String[], mscorlib",
              "$values": [
                "Id"
              ]
            }
    	}',1),
    	(@entityTypeId,'73204777-4330-4BD1-8BC7-58F39B18D423','{
            "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericMyCoreIdentityFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.ICoreIdentity, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
            "PropertyChain": {
              "$type": "System.String[], mscorlib",
              "$values": [
                "Id"
              ]
            }
    	}',3);
    	
    SELECT `id` INTO @attributeEntityTypeId FROM security_entity_type x
    WHERE assembly_qualified_name = 'iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IAttribute, iTsense.Moving.Backend.Services.DmcoreService';

    INSERT INTO security_right (entity_type_id,role_id,filter_definition,security_mode) VALUES
    	 (@attributeEntityTypeId,'73204777-4330-4BD1-8BC7-58F39B18D423','{
      "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericFullAccessFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IAttribute, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
      "ElementType": "iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IAttribute, iTsense.Moving.Backend.Services.DmcoreService"
    }',1);

    SELECT `id` INTO @attributeMappingEntityTypeId FROM security_entity_type x
    WHERE assembly_qualified_name = 'iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.ICoreIdentityTypeAttributeMapping, iTsense.Moving.Backend.Services.DmcoreService';

    INSERT INTO security_right (entity_type_id,role_id,filter_definition,security_mode) VALUES
    	 (@attributeMappingEntityTypeId,'73204777-4330-4BD1-8BC7-58F39B18D423','{
      "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericMyCoreIdentityCollectionFilter`2[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.ICoreIdentityTypeAttributeMapping, iTsense.Moving.Backend.Services.DmcoreService],[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.ICoreIdentity, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
      "NotContains": false,
      "PropertyChain": {
        "$type": "System.String[], mscorlib",
        "$values": [
          "CoreIdentityType",
          "CoreIdentities"
        ]
      },
      "SubPropertyChain": {
        "$type": "System.String[], mscorlib",
        "$values": [
          "Id"
        ]
      }
    }',1);

    # add read results for my core identity to default rights
    UPDATE `security_entity_type`
    	SET `default_security_rights` = '{
      "$type": "iTsense.Moving.Backend.DataHandling.Security.Role.ISecurityRight[], iTsense.Moving.Backend.DataHandling",
      "$values": [
        {
          "$type": "iTsense.Moving.Backend.DataHandling.Security.Role.SecurityRight, iTsense.Moving.Backend.DataHandling",
          "Filter": {
            "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericNoAccessFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IQualityOfRegistrationCheckResult, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
            "ElementType": "iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IQualityOfRegistrationCheckResult, iTsense.Moving.Backend.Services.DmcoreService"
          },
          "Mode": 15
        },
        {
          "$type": "iTsense.Moving.Backend.DataHandling.Security.Role.SecurityRight, iTsense.Moving.Backend.DataHandling",
          "Filter": {
            "$type": "iTsense.Moving.Backend.DataHandling.Security.Filter.GenericMyCoreIdentityFilter`1[[iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IQualityOfRegistrationCheckResult, iTsense.Moving.Backend.Services.DmcoreService]], iTsense.Moving.Backend.DataHandling",
            "NotContains": false,
            "PropertyChain": {
              "$type": "System.String[], mscorlib",
              "$values": [
                "CoreIdentity",
                "Id"
              ]
            }
          },
          "Mode": 1,
          "ContextBundles": {
            "$type": "iTsense.Moving.Backend.DataHandling.Security.Role.ISecurityContextBundle[], iTsense.Moving.Backend.DataHandling",
            "$values": []
          }
        }
      ]
    }'
    	WHERE `assembly_qualified_name` = 'iTsense.Moving.Backend.Services.DmcoreService.DataInterfaces.Servicedmcore.IQualityOfRegistrationCheckResult, iTsense.Moving.Backend.Services.DmcoreService';


    # access to personal data ui
    INSERT INTO security_role__security_rule_group (security_role_id,security_rule_group_id,security_rule_group_module_guid) VALUES
    	('73204777-4330-4BD1-8BC7-58F39B18D423',9,'12DE95DF-0468-4360-9DBC-1256B0C57E58'),
    	('73204777-4330-4BD1-8BC7-58F39B18D423',19,'12DE95DF-0468-4360-9DBC-1256B0C57E58');



    # access to api for administrator only
    INSERT INTO security_rule_group (id,name_key,module_guid) VALUES
    	 (245,'Security.RuleGroup.Api.User.GetUserRightsLog','2705E0F0-13AD-49DF-8DFF-D3370B3FD211');

  END IF;
END$$

delimiter ;

CALL AddPersonalSecurityRole;
DROP PROCEDURE IF EXISTS AddPersonalSecurityRole;