User Stories - Access Removal
This document contains user stories related to upgrade of design of certifications. It is prepared for planning of development of midPoint version 4.9. Some user stories described here may be already implemented.
1. Access removal
Access can be revoked from a user directly or through certification. This chapter focuses on user stories for direct access removal.
Only direct assignments can be removed. Additionally, these direct assignments must not be assigned by policy or rule. Midpoint GUI should distinguish if assignment is assigned directly/indirectly and if the assignment is assigned by any rule.
1.1. Standard access removal by business user
This is basic user story for access removal. Trigger may be some business request (e.g. licence fees paid by the access) or something else. This is the most straightforward way how to remove access.
- User Story
-
AS a business user,
I WANT TO remove one of my accesses / of accesses of my subordinates or other people who I can manage,
SO THAT I can fulfill a request to remove the access. - Acceptance Criteria
-
-
midPoint should allow to open the user whose access is to be removed.
-
midPoint should allow the user to log reason why he/she is removing the access.
-
midPoint should record the access removal with the reason
-
The access should be found easily in "all accesses" view
-
the user should easily identify whether the assignment was assigned directly and whether it was not assigned via policy.
-
The assignment can be removed only when it was assigned directly and not assigned by policy/rule.
-
If approval is configured for the role/service assigned, the approval case for removal should be triggered.
-
1.2. Standard access removal by privileged employee
This is basic story of removal a member from a role, service or org.
The user must be able to distinguish whether he can remove the member - whether he was assigned directly and not via rule/policy.
See removal of multiple user from a role below.
1.3. "UNDO" during access removal
As access removal is sometimes irreversible, the business user who directly removes access should have an option to undo the access removal in case of mistake. The undo operation should be limited to some time interval (e.g. 5 minutes). midPoint can postpone the removal for that time-period.
- User Story
-
AS a business user,
I WANT the ability to undo access revocations within a specific time interval
SO THAT I can easily reverse my decision if needed. - Acceptance Criteria
-
-
midPoint should provide an "undo" function within a defined time window after revoking access.
-
When I use the "undo" function, the access that I previously revoked should be reinstated as it was before.
-
The "undo" option should be available only for a specified period after access revocation.
-
The "undo" time interval should be configurable by engineer.
-
If the user does not use the "undo" function within the defined time frame, the access removal should become permanent.
-
The "undo" feature should be user-friendly and intuitive for business users to utilize effectively.
-
The ability to "undo" access removal should not conflict with any certification or approval processes in place.
-
1.4. Removal of multiple users from a role
- User story
-
AS a role owner,
I WANT to remove multiple users from the role on one page. SO THAT I can keep the list of members of the role clean.
The option is available on the role page, but is not intuitive.
- Acceptance criteria
-
-
midPoint should provide interface for business users to remove members of the role easily (maybe the '-' minus sign)
-
midPoint should distinguish between direct and indirect assignments and should provide an option how to remove indirect assignment.
-
1.5. GUI: Do not confuse assign and create
The panel displaying role members allows creation of a new user. This is confusing as "+" sign is often used for adding new members to a group in other systems.
- User Story
-
AS a helpdesk operator or owner of a role, who does not know difference between "+" and "assign" button,
I WANT TO add new member to a role,
SO THAT I don’t make mistake and don’t create a new user instead. - Acceptance criteria
-
-
midPoint should not provide an option to create new users when listing the role members.
-
1.6. GUI: Do not confuse unassign and delete
The panel displaying role members allows provides delete option as in menu for the user, unassign option is listed by icon. The delete option on group membership allows a business user with higher privileges (e.g. helpdesk) to delete user unintentionally instead removing him from an assignment.
- User Story
-
AS a helpdesk operator or owner of a role, who does not know difference between "unassign" and "delete" options of the group membership
I WANT to remove users from a role,
SO THAT I don’t make mistake by selecting wrong option. - Acceptance criteria
-
-
midPoint should not provide an option to delete users when listing the role members.
-