Automatic Deactivation of Users

[janhalen]

User Story:

As a: System Administrator

I want: users automatically be deactivated in the applications when they are deactivated in FKAS

So that: we can ensure that only current employees have access to the system, enhancing security within the municipality.

Acceptance Criteria:

• Users deactivated in the FKAS are automatically deactivated in the applications via the IDP.
• The system logs the deactivation event for auditing purposes.

FKAS: https://digitaliseringskataloget.dk/kom-godt-i-gang-med-faelleskommunal-adgangsstyring-brugere

[miphilin]

User Story from Kitos Perspective

As a: System Administrator

I want: Users to be automatically deactivated in the applications when they are deactivated in FK Adgangsstyring

So that: We can ensure that only current employees have access to the system, enhancing security within the municipality through better user management and access control.

Background
Users are automatically created in Kitos (with no writing rights) the first time they log in with SSO by being given the job function role (Jobfunktionsrolle) with viewing access “Kitos-Kigge-adgang” in FK ADM, if:

1. The municipality has an SSO service agreement approved in FK Administration.
2. The user exists in FK ORG.
3. The user has been given “Kitos-Kigge-adgang” in FK Adgangsstyring.

The user is created with first name, last name, and email address.
However, there is no automatic deactivation when users leave the municipality and are removed from FK Organisation.

Proposed Solution 1
Known Kitos users should be deactivated in Kitos via FK Adgangsstyring if they are removed from FK Organisation.
A list is pulled from FK ORG, and any discrepancies resulting in the deletion of Kitos users, who have been deactivated in FK Organisation.

Notifications
When a user is automatically deactivated in KITOS via FK ORG, a notification should be sent to Kitos Local Admin with the following warnings:

“This user X has been deactivated. Do you want to; yes/no:

• Delete the user’s roles

• Transfer the user’s roles

• Transfer the user´s organizational location

• Transfer the user’s advis/notifications on system, contract, and/or on data processor agreements.

• If yes to any above, to whom? - Choose by role or email adress.

• When done, remove deactivated user completely from user overview in Kitos, yes/no.

In Kitos organisation --> Users --> automatically deleted users should be marked so Kitos local admin can transfer roles/advis, if deactivated user is not removed from user overview.

Issue to be Solved

Kitos users can also be manually created. Will these users be deleted automatically via FK Adgangsstyring, when user is deleted from FK Organisation?

Acceptance Criteria

• Users deactivated in the FKAS are automatically deactivated in the applications via the IDP.

• The system logs the deactivation event for auditing purposes and transferring of deleted users’ roles and/or advis.

FKAS: https://digitaliseringskataloget.dk/kom-godt-i-gang-med-faelleskommunal-adgangsstyring-brugere

Jira link: https://os2web.atlassian.net/browse/KITOSUDV-5066