= Technical Asset Module - Technical Documentation =
The 'Technical Asset (ITA)' module extends CzechIdM's identity management capabilities by introducing a new entity type that groups and manages technical accounts. This module enables organizations to associate technical accounts with specific assets, assign guarantors and managers through both direct assignment and role-based mechanisms, and implement comprehensive audit trails for all operations.
+ Centralize management of technical accounts under logical asset groupings
+ Enable role-based access control for asset-related operations
+ Provide audit capabilities for compliance requirements
+ Support notification workflows via NOTIFY integration
'TechnicalAsset'
The primary entity representing a technical asset; one asset can contain multiple technical accounts.
'Key Attributes:'
+ id - Primary identifier
+ name - Asset name
+ description - Optional description
+ disabled - Flag indicating whether the asset is disabled
+ externalId - Identifier assigned by an external system for integration purposes
+ externalCode - Code from an external system
+ validFrom - Validity start date
+ validTill - Validity end date
'Special Permissions:'
| Permission | Description |
| --- | --- |
| SETTOTECHNICALACCOUNT | Allows the user to assign this TechnicalAsset to a TechnicalAccount during creation or modification |
'TechnicalAssetGuarantor'
Represents the direct assignment of an identity as guarantor of a technical asset.
'Relationships:'
+ One-to-one with Identity (the guarantor)
+ Many-to-one with TechnicalAsset
'TechnicalAssetGuarantorRole'
Enables role-based guarantor assignment: identities holding the assigned role are treated as guarantors of the associated asset.
'Relationships:'
+ Many-to-one with Role
+ Many-to-one with TechnicalAsset
'TechnicalAssetManager'
Represents the direct assignment of an identity as manager (disponent) of a technical asset.
'Relationships:'
+ One-to-one with Identity (the manager)
+ Many-to-one with TechnicalAsset
'TechnicalAssetManagerRole'
Enables role-based manager assignment: identities holding the assigned role are treated as managers of the associated asset.
'Relationships:'
+ Many-to-one with Role
+ Many-to-one with TechnicalAsset
┌──────────────────┐   technicalAsset    ┌──────────────────┐
│ TechnicalAccount │ ──(@ManyToOne)────► │  TechnicalAsset  │
└──────────────────┘      optional       └──────────────────┘
                                                  │
                                                  ├──► TechnicalAssetGuarantor     (direct)
                                                  ├──► TechnicalAssetManager       (direct)
                                                  ├──► TechnicalAssetGuarantorRole (role-based)
                                                  └──► TechnicalAssetManagerRole   (role-based)
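The relationship model above determines who is accountable for an asset: the directly assigned identities plus every identity holding an assigned role. The following Python is an added example, not code from the ITA module or CzechIdM, that resolves that effective set while honouring the asset's disabled flag and validity window, and flags active assets that nobody guarantees. Entity and attribute names follow the page; the in-memory records, the role_holders lookup, the effective_identities and assets_without_guarantor helpers and all sample data are assumptions made for the illustration.

```python
"""Effective guarantors and managers of a TechnicalAsset.

Added worked example for the entity model described on the page; it is not
code from the ITA module. Entity and attribute names follow the page; the
in-memory records, the role-holder lookup and the helper names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Mapping, Optional, Set


@dataclass(frozen=True)
class TechnicalAsset:
    id: str
    name: str
    disabled: bool = False
    valid_from: Optional[date] = None   # validFrom
    valid_till: Optional[date] = None   # validTill

    def is_valid_on(self, day: date) -> bool:
        """Enabled and inside the validity window (both bounds inclusive)."""
        if self.disabled:
            return False
        if self.valid_from is not None and day < self.valid_from:
            return False
        if self.valid_till is not None and day > self.valid_till:
            return False
        return True


@dataclass(frozen=True)
class DirectAssignment:
    """TechnicalAssetGuarantor or TechnicalAssetManager: identity -> asset."""
    asset_id: str
    identity: str


@dataclass(frozen=True)
class RoleAssignment:
    """TechnicalAssetGuarantorRole or TechnicalAssetManagerRole: role -> asset."""
    asset_id: str
    role: str


def effective_identities(
    asset: TechnicalAsset,
    direct: Iterable[DirectAssignment],
    by_role: Iterable[RoleAssignment],
    role_holders: Mapping[str, Set[str]],
    day: date,
) -> FrozenSet[str]:
    """Direct assignments united with every identity holding an assigned role.

    A disabled or expired asset yields nobody, so a stale asset never surfaces
    a responsible person by accident. role_holders is assumed (constructed for
    the example) to contain only identities whose role is itself valid on `day`.
    """
    if not asset.is_valid_on(day):
        return frozenset()
    result = {d.identity for d in direct if d.asset_id == asset.id}
    for r in by_role:
        if r.asset_id == asset.id:
            result.update(role_holders.get(r.role, ()))
    return frozenset(result)


def assets_without_guarantor(assets, direct, by_role, role_holders, day) -> List[str]:
    """Control check: active assets for which nobody is accountable."""
    return [a.id for a in assets
            if a.is_valid_on(day)
            and not effective_identities(a, direct, by_role, role_holders, day)]


def demo() -> Dict[str, object]:
    """Constructed sample data, not taken from any real deployment."""
    assets = [
        TechnicalAsset("a1", "Production Database Server",
                       valid_from=date(2025, 1, 1), valid_till=date(2025, 12, 31)),
        TechnicalAsset("a2", "Decommissioned File Server", disabled=True),
        TechnicalAsset("a3", "Build Agent"),
    ]
    direct_guarantors = [DirectAssignment("a1", "alice"), DirectAssignment("a2", "mallory")]
    guarantor_roles = [RoleAssignment("a1", "dba-team")]
    direct_managers = [DirectAssignment("a1", "erin")]
    manager_roles = [RoleAssignment("a1", "ops")]
    role_holders = {"dba-team": {"bob", "carol"}, "ops": {"dave", "alice"}}
    day = date(2025, 6, 1)
    return {
        "guarantors": effective_identities(assets[0], direct_guarantors, guarantor_roles, role_holders, day),
        "managers": effective_identities(assets[0], direct_managers, manager_roles, role_holders, day),
        "guarantors_after_expiry": effective_identities(
            assets[0], direct_guarantors, guarantor_roles, role_holders, date(2026, 1, 1)),
        "unguarded": assets_without_guarantor(assets, direct_guarantors, guarantor_roles, role_holders, day),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value)}")
```

The page does not say whether role-based membership takes the validity of the identity's own role assignment into account; the example sidesteps that by expecting role_holders to be pre-filtered to currently valid holders, which is the safer reading when the result is used for approvals or notifications.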
'File:'
V15_02_001__tech-asset.sql
Creates the following tables:
| Table | Description |
| --- | --- |
| idm_technical_asset | Core asset entity with audit columns |
| idm_technical_asset_audit | Audit history for assets |
| idm_technical_asset_guarantor | Direct guarantor assignments |
| idm_technical_asset_guarantor_audit | Audit history for guarantors |
| idm_technical_asset_guarantor_role | Role-based guarantor assignments |
| idm_technical_asset_guarantor_role_audit | Audit history for guarantor roles |
| idm_technical_asset_manager | Direct manager assignments |
| idm_technical_asset_manager_audit | Audit history for managers |
| idm_technical_asset_manager_role | Role-based manager assignments |
| idm_technical_asset_manager_role_audit | Audit history for manager roles |
'Base Path:'
/api/technical-assets
| Method | Endpoint | Description | Required Permission |
| --- | --- | --- | --- |
| GET | / | List all assets with filtering | READ |
| POST | / | Create new asset | CREATE |
| GET | /{id} | Get single asset by ID | READ |
| PUT | /{id} | Update existing asset | UPDATE |
| DELETE | /{id} | Delete asset | DELETE |
| GET | /count | Count assets matching filter | COUNT |
| GET | /autocomplete | Autocomplete suggestions | AUTOCOMPLETE |
'Base Path:'
/api/technical-assets/guarantors
Standard CRUD operations for direct guarantor assignments.
'Base Path:'
/api/technical-assets/guarantor-roles
Standard CRUD operations for role-based guarantor assignments.
'Base Path:'
/api/technical-assets/managers
Standard CRUD operations for direct manager assignments.
'Base Path:'
/api/technical-assets/manager-roles
Standard CRUD operations for role-based manager assignments.
Standard base permissions used by the module:
+ IdmBasePermission.ADMIN
+ IdmBasePermission.COUNT
+ IdmBasePermission.AUTOCOMPLETE
+ IdmBasePermission.READ
+ IdmBasePermission.CREATE
+ IdmBasePermission.UPDATE
+ IdmBasePermission.DELETE
'SETTOTECHNICALACCOUNT'
'Defined in:'
TechnicalAssetBasePermission.java
This permission is required when:
+ Creating a TechnicalAccount with an associated TechnicalAsset
+ Modifying a TechnicalAccount to add or change its TechnicalAsset association
'Use Case Example:'
```java
// The caller must hold SETTOTECHNICALACCOUNT on the target TechnicalAsset.
// The check is performed by the service when the account is created or
// updated, not by the setter itself.
technicalAccount.setTechnicalAsset(asset);
```
Guarantors and managers: creating a related entity for an asset (a direct or role-based guarantor or manager assignment) requires 'UPDATE' permission on that TechnicalAsset.
All entities implement the Eventable interface, so event processors run on save and delete operations.
'TechnicalAssetSaveProcessor:'
+ Triggers on entity creation/update
+ Initiates the NOTIFY line startup process
+ Updates related audit records
'TechnicalAssetDeleteProcessor:'
+ Handles cleanup of associated resources
+ Notifies dependent systems via NOTIFY integration
'Event publishing:'
+ Publishes change events for external consumers
+ Supports real-time synchronization requirements
Each related entity has dedicated save/delete processors:
| Processor | Purpose |
| --- | --- |
| TechnicalAssetGuarantorSaveProcessor | Handles guarantor assignment events |
| TechnicalAssetGuarantorDeleteProcessor | Handles guarantor removal events |
| TechnicalAssetGuarantorRoleSaveProcessor | Handles role-based guarantor events |
| TechnicalAssetGuarantorRoleDeleteProcessor | Handles role-based guarantor removal |
| TechnicalAssetManagerSaveProcessor | Handles manager assignment events |
| TechnicalAssetManagerDeleteProcessor | Handles manager removal events |
| TechnicalAssetManagerRoleSaveProcessor | Handles role-based manager events |
| TechnicalAssetManagerRoleDeleteProcessor | Handles role-based manager removal |
Located in:
model/service/api/
```java
import java.util.List;
import java.util.UUID;

public interface TechnicalAssetService {
    List<TechnicalAsset> findAll(TechnicalAssetFilter filter);
    TechnicalAsset findById(UUID id);
    TechnicalAsset create(TechnicalAsset entity);
    TechnicalAsset update(TechnicalAsset entity);
    void delete(UUID id);
    long count(TechnicalAssetFilter filter);
}
```
Located in:
model/service/
All services follow the pattern:
Default[EntityName]Service.java
'Key Features:'
+ Transaction management via Spring's @Transactional
+ Permission validation before operations
+ Event publishing for audit trails
+ Filter-based querying support
'Service Tests:'
Each service has a dedicated test class covering:
+ CRUD operations (Create, Read, Update, Delete)
+ Filtering functionality
+ Permission enforcement
+ Edge cases and validation
'Test Files:'
+ DefaultTechnicalAssetServiceTest.java
+ DefaultTechnicalAssetGuarantorServiceTest.java
+ DefaultTechnicalAssetGuarantorRoleServiceTest.java
+ DefaultTechnicalAssetManagerServiceTest.java
+ DefaultTechnicalAssetManagerRoleServiceTest.java
'Controller Tests:'
REST endpoint tests covering:
+ HTTP method validation (GET, POST, PUT, DELETE)
+ Status code verification
+ Request/response payload validation
+ Authentication/authorization checks
'Test Files:'
+ TechnicalAssetControllerTest.java
+ TechnicalAssetGuarantorControllerTest.java
+ TechnicalAssetGuarantorRoleControllerTest.java
+ TechnicalAssetManagerControllerTest.java
+ TechnicalAssetManagerRoleControllerTest.java
Tests verifying related entity permission requirements:
| Test File | Validates |
| --- | --- |
| TechAccountTechAssetFixTest.java | SETTOTECHNICALACCOUNT permission for the TechnicalAccount-TechnicalAsset association |
| TechAssetGuarantorRoleTechAssetFixTest.java | UPDATE permission requirement for guarantor role creation |
| TechAssetGuarantorTechAssetFixTest.java | UPDATE permission requirement for direct guarantor creation |
| TechAssetManagerRoleTechAssetFixTest.java | UPDATE permission requirement for manager role creation |
| TechAssetManagerTechAssetFixTest.java | UPDATE permission requirement for direct manager creation |
'Modified Entity:'
TechnicalAccount.java
Added optional attribute:
```java
@ManyToOne(fetch = FetchType.LAZY)
private TechnicalAsset technicalAsset;
```
This allows each technical account to be optionally associated with a technical asset for organizational purposes.
The TechnicalAssetSaveProcessor initiates the NOTIFY line startup, enabling real-time notifications when assets are created or modified.
All entities implement comprehensive audit functionality:
+ Automatic tracking of create/update/delete operations
+ User attribution for all changes
+ Timestamp recording for compliance requirements
+ Separate audit tables for each entity type
'Audit Columns (Standard):'
| Column | Description |
| --- | --- |
| created_by | Identity who created the record |
| created_at | Creation timestamp |
| updated_by | Identity who last modified the record |
| updated_at | Last modification timestamp |
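As an added example of the audit design above (not the module's persistence code), the following Python keeps an idm_technical_asset-style row set with the four standard audit columns plus an append-only history, and stamps created_by/updated_by from the authenticated principal rather than from whatever the client put in the payload. The AuditedAssetStore, SecurityContext, the history entry shape and the injectable clock are assumptions made for the illustration.

```python
"""Audit attribution for ITA entities.

Added worked example of the audit design described on the page; it is not the
module's persistence code. The column names are the page's; the in-memory
store, SecurityContext, history entry shape and injectable clock are assumptions.
"""
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

AUDIT_COLUMNS = ("created_by", "created_at", "updated_by", "updated_at")


@dataclass(frozen=True)
class SecurityContext:
    """The principal the server authenticated. Attribution always comes from
    here, never from audit fields a client sends in the payload."""
    username: str


@dataclass(frozen=True)
class AssetRecord:
    id: str
    name: str
    description: str = ""
    disabled: bool = False
    created_by: Optional[str] = None
    created_at: Optional[datetime] = None
    updated_by: Optional[str] = None
    updated_at: Optional[datetime] = None


def business_fields(rec: AssetRecord) -> Dict[str, object]:
    """Everything except the audit columns."""
    return {k: v for k, v in asdict(rec).items() if k not in AUDIT_COLUMNS}


def diff_fields(before: AssetRecord, after: AssetRecord) -> Dict[str, Tuple[object, object]]:
    """Changed business fields as {name: (old, new)}."""
    b, a = business_fields(before), business_fields(after)
    return {k: (b[k], a[k]) for k in a if b[k] != a[k]}


class AuditedAssetStore:
    """idm_technical_asset rows plus an append-only idm_technical_asset_audit history."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self._rows: Dict[str, AssetRecord] = {}
        self._audit: List[dict] = []

    def save(self, incoming: AssetRecord, ctx: SecurityContext) -> AssetRecord:
        now = self._clock()
        current = self._rows.get(incoming.id)
        if current is None:
            # Create: stamp created_*, discard whatever the caller put in the audit columns.
            stored = replace(incoming, created_by=ctx.username, created_at=now,
                             updated_by=None, updated_at=None)
            changes = business_fields(stored)
            operation = "CREATE"
        else:
            # Update: created_* are immutable, updated_* are re-stamped from the context.
            stored = replace(incoming, created_by=current.created_by, created_at=current.created_at,
                             updated_by=ctx.username, updated_at=now)
            changes = diff_fields(current, stored)
            operation = "UPDATE"
        self._rows[incoming.id] = stored
        self._audit.append({"asset_id": stored.id, "operation": operation,
                            "by": ctx.username, "at": now, "changes": changes})
        return stored

    def delete(self, asset_id: str, ctx: SecurityContext) -> bool:
        current = self._rows.pop(asset_id, None)
        if current is None:
            return False
        # The last snapshot stays in the history even though the row is gone.
        self._audit.append({"asset_id": asset_id, "operation": "DELETE", "by": ctx.username,
                            "at": self._clock(), "changes": business_fields(current)})
        return True

    def history(self, asset_id: str) -> List[dict]:
        return [e for e in self._audit if e["asset_id"] == asset_id]


def demo() -> Tuple[AssetRecord, AssetRecord, List[dict]]:
    """Constructed scenario: alice creates, bob updates while trying to forge created_by."""
    base = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    ticks = (base + timedelta(minutes=i) for i in range(10))
    store = AuditedAssetStore(clock=lambda: next(ticks))
    alice, bob = SecurityContext("alice"), SecurityContext("bob")
    created = store.save(AssetRecord(id="a1", name="Production Database Server"), alice)
    forged = replace(created, description="Primary production database", created_by="eve")
    updated = store.save(forged, bob)
    store.delete("a1", alice)
    return created, updated, store.history("a1")
```

The scenario in demo() is the reason attribution has to be server-side: bob's update arrives with created_by set to eve, and the stored row still names alice as creator. The per-entity _audit tables on the page play the role of the history list here; the page does not describe their column layout, so the entry shape above is illustrative only.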
'Added:'
+ TechnicalAssetBasePermission.java - Custom permission definitions
+ Save/Delete processors for all 7 entities
+ Entities (6 files)
+ DTOs (5 files)
+ Filters (5 files)
+ Repositories (5 files)
+ Service APIs (5 files)
+ Service Implementations (5 files)
+ One controller per entity type
+ V15_02_001__tech-asset.sql - PostgreSQL migration
+ 5 service tests
+ 5 controller tests
+ 1 security test helper modification
'Modified:'
+ TechGroupPermission.java - Permission updates
+ TechnicalAccountDto.java - Added technicalAsset field
+ TechnicalAccount.java - Added technicalAsset relationship
+ TechnicalAccountFilter.java - Filter support for asset association
+ DefaultTechnicalAccountService.java - Service logic updates
+ DefaultTechTestHelper.java - Test helper modifications
+ DefaultTechnicalAccountServiceTest.java - Updated tests
'Usage Example:'
```java
// Create the asset; the persisted instance (with its generated id) is returned.
TechnicalAsset asset = new TechnicalAsset();
asset.setName("Production Database Server");
asset.setDescription("Primary production database");
asset = technicalAssetService.create(asset);

// Assign a direct guarantor; requires UPDATE on the asset.
// guarantorIdentity is an existing identity loaded beforehand.
TechnicalAssetGuarantor guarantor = new TechnicalAssetGuarantor();
guarantor.setTechnicalAsset(asset);
guarantor.setIdentity(guarantorIdentity);
technicalAssetGuarantorService.create(guarantor);

// Assign a role-based manager; also requires UPDATE on the asset.
// managerRoleEntity is an existing role loaded beforehand.
TechnicalAssetManagerRole managerRole = new TechnicalAssetManagerRole();
managerRole.setTechnicalAsset(asset);
managerRole.setRole(managerRoleEntity);
technicalAssetManagerRoleService.create(managerRole);

// Associate a technical account with the asset.
// The caller must hold SETTOTECHNICALACCOUNT on the asset; the service checks
// this when the account is saved, not in the setter.
TechnicalAccount account = new TechnicalAccount();
account.setUsername("db-admin");
account.setTechnicalAsset(asset);
technicalAccountService.create(account);
```
ADMIN (highest; covers all of the following)
├── CREATE
├── UPDATE
├── DELETE
├── READ
├── COUNT
├── AUTOCOMPLETE
└── SETTOTECHNICALACCOUNT (special, asset-specific)
+ Creating guarantor/manager assignments requires 'UPDATE' on the parent TechnicalAsset
+ This ties changes of who is responsible for an asset to the right to modify the asset itself
+ Role-based assignments follow the same permission model as direct assignments
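The two rules above (UPDATE on the parent asset for any assignment, SETTOTECHNICALACCOUNT on the target asset for an account association) together with the permission hierarchy can be written down as a small policy. The Python below is an added example and not the module's authorization code: the permission names are the page's, while the operation names, authorize_asset_operation, authorize_account_asset_change and the sample grants are assumptions made for the illustration.

```python
"""Permission checks of the ITA module as an added worked example; this is not
the module's own authorization code. Permission names are those on the page
(IdmBasePermission plus TechnicalAssetBasePermission); operation names, the
two check functions and the sample grants are assumptions made for the example.
"""
from enum import Enum
from typing import FrozenSet, Mapping, Optional


class Perm(str, Enum):
    ADMIN = "ADMIN"
    CREATE = "CREATE"
    UPDATE = "UPDATE"
    DELETE = "DELETE"
    READ = "READ"
    COUNT = "COUNT"
    AUTOCOMPLETE = "AUTOCOMPLETE"
    SETTOTECHNICALACCOUNT = "SETTOTECHNICALACCOUNT"


def has_permission(granted: FrozenSet[Perm], required: Perm) -> bool:
    """ADMIN is the top of the hierarchy and covers every other permission."""
    return Perm.ADMIN in granted or required in granted


# Permission each operation needs on the TechnicalAsset it targets, taken from
# the endpoint table and the related-entity rule (assignments, direct or
# role-based, need UPDATE on the parent asset).
REQUIRED_ON_ASSET = {
    "list_assets": Perm.READ,
    "read_asset": Perm.READ,
    "count_assets": Perm.COUNT,
    "autocomplete_assets": Perm.AUTOCOMPLETE,
    "create_asset": Perm.CREATE,
    "update_asset": Perm.UPDATE,
    "delete_asset": Perm.DELETE,
    "add_guarantor": Perm.UPDATE,
    "add_guarantor_role": Perm.UPDATE,
    "add_manager": Perm.UPDATE,
    "add_manager_role": Perm.UPDATE,
}


def authorize_asset_operation(operation: str, granted_on_asset: FrozenSet[Perm]) -> bool:
    """Fail closed: an operation missing from the policy table is denied."""
    required = REQUIRED_ON_ASSET.get(operation)
    if required is None:
        return False
    return has_permission(granted_on_asset, required)


def authorize_account_asset_change(
    grants_by_asset: Mapping[str, FrozenSet[Perm]],
    current_asset_id: Optional[str],
    new_asset_id: Optional[str],
) -> bool:
    """SETTOTECHNICALACCOUNT is evaluated on the asset being set.

    Setting the same asset again is a no-op. Clearing the optional association
    (new_asset_id is None) is neither an add nor a change of asset, so no asset
    permission is demanded here; the UPDATE check on the TechnicalAccount
    itself is outside this example.
    """
    if new_asset_id is None or new_asset_id == current_asset_id:
        return True
    granted = grants_by_asset.get(new_asset_id, frozenset())
    return has_permission(granted, Perm.SETTOTECHNICALACCOUNT)


def demo() -> dict:
    """Constructed grants for one caller, keyed by asset id (sample data only)."""
    grants = {
        "a1": frozenset({Perm.READ, Perm.UPDATE}),
        "a2": frozenset({Perm.SETTOTECHNICALACCOUNT}),
        "a3": frozenset({Perm.ADMIN}),
    }
    return {
        "guarantor_on_a1": authorize_asset_operation("add_guarantor", grants["a1"]),
        "delete_a1": authorize_asset_operation("delete_asset", grants["a1"]),
        "delete_a3": authorize_asset_operation("delete_asset", grants["a3"]),
        "unknown_op": authorize_asset_operation("purge_asset", grants["a3"]),
        "attach_to_a2": authorize_account_asset_change(grants, None, "a2"),
        "attach_to_a1": authorize_account_asset_change(grants, None, "a1"),
        "move_a1_to_a3": authorize_account_asset_change(grants, "a1", "a3"),
        "detach_from_a2": authorize_account_asset_change(grants, "a2", None),
    }
```

The move_a1_to_a3 case makes one property of the page's rule visible: because SETTOTECHNICALACCOUNT is checked on the target asset only, an account can be moved away from a1 by a caller who holds nothing on a1. If a deployment needs to stop accounts being pulled off an asset by people without rights on it, an additional check on the current asset would be required; the page does not describe such a check.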
'Future Enhancements:'
+ Bulk Operations: Add batch endpoints for mass asset/account associations
+ Inheritance Support: Consider allowing assets to inherit permissions from parent organizational units
+ Lifecycle Management: Implement a state machine for the asset lifecycle (draft → active → archived)
+ Notification Templates: Extend NOTIFY integration with customizable templates per operation type