User type
User type (projection) was added in CzechIdM version 10.2.0. Projection defines frontend form to read, create and edit user. We can create and edit user by different form. For example externe and internal employee can be created and edited differently (different attributes has to be filled). Used projection for user creation is set as user type.
Provided projection can be configured by administrator. New projection type and localization can be provided by developer.
Configurable form (projection) with configurable features is provided in product:
Show user personal data - show selected or all user personal data (e.g. login, first name, surname).
Show contract - prime contract is shown by default. If currenly logged user has permission to read prime contract. First other contract is shown otherwise. Contract are sorted by priority the same way, as prime contract is evaluated. Contracts can be shown n two modes:
Show prime contract - show (and update) prime user contract only.
Show all user contracts - show (and update) all user contracts. Code list contract-position s required for newly created user together with contracts - available contract types are controlled by organization types.
Validations for basic user personal data and basic contract attributes can be defined.
Show other contract position - first contract other position can be shown.
Show extended identity attributes - show selected extended attributes from selected form definitions.
Show extended contract attributes - show selected extended attributes from selected form definitions. Contract are sorted by priority. Prime contract extended attributes can be edited, if logged user can read and edit prime contract. If logged user cannot read prime contract, next contract which identity can read is shown.
Set or change user password - user can be created with or without password. Link to password change is shown for edited user.
Request to change roles - roles can be requested for newly added user. Assigned roles are shown with button to change assigned roles by role request for edited user.
Set direct guarantee for new contract - set currently logged user as direct guarantee for newly created contract.
Authorization policies has to be
configured to see all projection features. For example, if currently logged user cannot read contracts, then contract will be hidden.
Code list
contract-position (e.g. with items
Default,
Organization One,
Organization Two) has to be defined, when more contracts should be created thogether with newly created user. Authorization policies has to be
configured to codelist items too.
How to configure and use product form projection is described in tutorial.
How to register new form projection type is described in devel guide.
Configuration
Available configuration properties
In the application profile (application.properties) and overloadable via ConfigurationService.
# show default form for newly created user
# default form can be disabled => at least one configured form projection is needed
idm.pub.app.show.identity.formProjection.default=true
#
# default password change type for custom users, one of values:
# DISABLED - password change is disable
# ALL_ONLY - users can change passwords only for all accounts
# CUSTOM - users can choose for which accounts change password
# Needed on FE (=> public)
idm.pub.core.identity.passwordChange=CUSTOM
Authorization policies
Administrator
Aministrator for create, edit and delete configured form projection.
Permission to autocomplete and read form definitions: Forms - definitions (IdmFormDefiniton) | View in select box (autocomplete), Read | BasePermissionEvaluator
Permission to autocomplete and read form attributes: Forms - attributes (IdmFormAttribute) | - | FormAttributteByDefinitionEvaluator
Permission to admin form projections: Forms - projections (IdmFormProjection) | Administration (all) | BasePermissionEvaluator
Manager
Manager for create and edit user with form projection usage with all features enabled.
User detail with form projection usage can be saved (save button is shown), when logged user can update selected user.
Permission to work with identities: Users (IdmIdentity) | View in select box (autocomplete), Create, Read, Update, Change roles, Change user type (projection), Password change | BasePermissionEvaluator
Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
Permission to read role requests according to identity: Requests for assigned roles (IdmRoleRequest) | - | RoleRequestByIdentityEvaluator
Permission to autocomplete form projections: Forms - projections(IdmFormProjection) | View in select box (autocomplete) | BasePermissionEvaluator
Permission to autocomplete form definitions: Forms - projections(IdmFormProjection) | View in select box (autocomplete) | BasePermissionEvaluator
Permission to read and update all identity attributes in main definition: Forms - values (IdmIdentityFormValue) | View in select box (autocomplete) | IdentityFormValueEvaluator
Permission to read and update all contract attributes in main definition: Forms - values (IdmIdentityContractFormValue) | View in select box (autocomplete) | IdentityContractFormValueEvaluator
Permission to read codelist contract-position items: Code lists - items (IdmCodeListItem)| Read | CodeListItemByCodeEvaluator
Enabling the autocomplete for entities:
Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
Structure types (IdmTreeType) | View in select box (autocomplete) | BasePermissionEvaluator
Tree nodes (IdmTreeNode) | View in select box (autocomplete) | BasePermissionEvaluator
Accounts (AccAccount) | - | ReadAccountByIdentityEvaluator (← use this only when using acc module)
Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator (← use this only when using acc module)
Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | BasePermissionEvaluator
Manager - create and edit identity only
Manager for create and edit user with form projection usage only (simplest setting).
Permission to work with identities: Users (IdmIdentity) | Create, Read, Update | BasePermissionEvaluator
Permission to autocomplete form projections: Forms - projections(IdmFormDefiniton) | View in select box (autocomplete) | BasePermissionEvaluator
Normal user
Other user doesn't need any additional autorization policy configuration. Form projection is saved together with user and when user detail is shown, then this projection is used.
Localization
Two projections are localized by default in product. If projection with code identity-externe or identity-internal will be configured, then localization will be used.
Localization can be added or changed by developer, read more in devel guide
Tips
Skip user dashboard
If we want to show user detail immediatelly (skip user dasboard or skip info card), we can hold ctrl key when clicking on user link (or info card).
Validations
Validations for basic user personal data and contracts can be defined. Validations are evaluated in whole application even on standard user and contract details for user in given projection.
Admin tutorials
Devel guide