User type

User type (projection) was added in CzechIdM version 10.2.0. A projection defines the frontend form used to read, create and edit a user. Users can be created and edited by different forms. For example, external and internal employees can be created and edited differently (different attributes have to be filled). The projection used for user creation is set as the user type.

The provided projection can be configured by an administrator. A new projection type and localization can be provided by a developer.

The product provides a configurable form (projection) with the following configurable features:

  • Show user personal data - show selected or all user personal data (e.g. login, first name, surname).
  • Show contract - the prime contract is shown by default, if the currently logged user has permission to read it; otherwise the first other contract is shown. Contracts are sorted by priority the same way as the prime contract is evaluated. Contracts can be shown in two modes:
    • Show prime contract - show (and update) prime user contract only.
    • Show all user contracts - show (and update) all user contracts. Code list contract-position is required for a newly created user together with contracts - available contract types are controlled by organization types.
  • Show other contract position - the first other position of the contract can be shown.
  • Show extended identity attributes - show selected extended attributes from selected form definitions.
  • Show extended contract attributes - show selected extended attributes from selected form definitions. Contracts are sorted by priority. Prime contract extended attributes can be edited, if the logged user can read and edit the prime contract. If the logged user cannot read the prime contract, the next contract which the identity can read is shown.
  • Set or change user password - user can be created with or without password. Link to password change is shown for edited user.
  • Request to change roles - roles can be requested for a newly added user. For an edited user, assigned roles are shown with a button to change them by role request.

Authorization policies have to be configured to see all projection features. For example, if the currently logged user cannot read contracts, then the contract will be hidden.

Code list contract-position (e.g. with items Default, Organization One, Organization Two) has to be defined when more contracts should be created together with a newly created user. Authorization policies have to be configured for the code list items too.

How to configure and use product form projection is described in tutorial.

How to register new form projection type is described in devel guide.

Available configuration properties

The following properties are set in the application profile (application.properties) and can be overridden via ConfigurationService.

# show default form for newly created user 
# default form can be disabled => at least one configured form projection is needed
idm.pub.app.show.identity.formProjection.default=true
#
# default password change type for custom users, one of values:
# DISABLED - password change is disabled
# ALL_ONLY - users can change passwords only for all accounts
# CUSTOM - users can choose for which accounts to change the password
# Needed on FE (=> public)
idm.pub.core.identity.passwordChange=CUSTOM

Authorization policies

Administrator

Administrator who can create, edit and delete configured form projections.

  • Permission to autocomplete and read form definitions: Forms - definitions (IdmFormDefinition) | View in select box (autocomplete), Read | BasePermissionEvaluator
  • Permission to autocomplete and read form attributes: Forms - attributes (IdmFormAttribute) | - | FormAttributteByDefinitionEvaluator
  • Permission to admin form projections: Forms - projections (IdmFormProjection) | Administration (all) | BasePermissionEvaluator

Manager

Manager who can create and edit users through a form projection with all features enabled.

A user detail shown through a form projection can be saved (the save button is shown) when the logged user can update the selected user.

  • Permission to work with identities: Users (IdmIdentity) | View in select box (autocomplete), Create, Read, Update, Change roles, Change user type (projection), Password change | BasePermissionEvaluator
  • Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
  • Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
  • Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole) | - | IdentityRoleByIdentityEvaluator
  • Permission to request roles (which can be requested): Role (IdmRole) | Can be requested | RoleCanBeRequestedEvaluator
  • Permission to read role requests according to identity: Requests for assigned roles (IdmRoleRequest) | - | RoleRequestByIdentityEvaluator
  • Permission to autocomplete form projections: Forms - projections (IdmFormProjection) | View in select box (autocomplete) | BasePermissionEvaluator
  • Permission to autocomplete form definitions: Forms - projections (IdmFormProjection) | View in select box (autocomplete) | BasePermissionEvaluator
  • Permission to read and update all identity attributes in main definition: Forms - values (IdmIdentityFormValue) | View in select box (autocomplete) | IdentityFormValueEvaluator
  • Permission to read and update all contract attributes in main definition: Forms - values (IdmIdentityContractFormValue) | View in select box (autocomplete) | IdentityContractFormValueEvaluator
  • Permission to read codelist contract-position items: Code lists - items (IdmCodeListItem) | Read | CodeListItemByCodeEvaluator
  • Enabling the autocomplete for entities:
    • Role (IdmRole) | Displaying in autocomplete, selections | BasePermissionEvaluator
    • Structure types (IdmTreeType) | View in select box (autocomplete) | BasePermissionEvaluator
    • Tree nodes (IdmTreeNode) | View in select box (autocomplete) | BasePermissionEvaluator
    • Accounts (AccAccount) | - | ReadAccountByIdentityEvaluator (← use this only when using acc module)
    • Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator (← use this only when using acc module)
    • Code lists (IdmCodeList) | Displaying in autocomplete, selections | BasePermissionEvaluator
    • Code lists - items (IdmCodeListItem) | Displaying in autocomplete, selections | BasePermissionEvaluator
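
A least-privilege check against the Manager list above, as an added example that is not part of CzechIdM or its documentation: it parses policies written in the same "entity | base permissions | evaluator" notation and reports what a role lacks (features that would be hidden) and what it carries beyond the documented set. The function names, the text notation for a role and the sample role are assumptions made for illustration; permissions are compared literally by the labels used on this page.

```python
# Top-level entries of the Manager list above, in the page's own
# "entity | base permissions | evaluator" notation ("-" = none selected).
# Rows of the autocomplete sub-list can be appended in the same notation.
MANAGER_BASELINE = """\
IdmIdentity | View in select box (autocomplete), Create, Read, Update, Change roles, Change user type (projection), Password change | BasePermissionEvaluator
IdmIdentityContract | - | IdentityContractByIdentityEvaluator
IdmContractPosition | - | ContractPositionByIdentityContractEvaluator
IdmIdentityRole | - | IdentityRoleByIdentityEvaluator
IdmRole | Can be requested | RoleCanBeRequestedEvaluator
IdmRoleRequest | - | RoleRequestByIdentityEvaluator
IdmFormProjection | View in select box (autocomplete) | BasePermissionEvaluator
IdmIdentityFormValue | View in select box (autocomplete) | IdentityFormValueEvaluator
IdmIdentityContractFormValue | View in select box (autocomplete) | IdentityContractFormValueEvaluator
IdmCodeListItem | Read | CodeListItemByCodeEvaluator
"""

def parse_policies(text):
    """Return {(entity, evaluator): set(permissions)}, merging repeated rows."""
    policies = {}
    for line in filter(str.strip, text.splitlines()):
        entity, perms, evaluator = (part.strip() for part in line.split("|"))
        granted = set() if perms == "-" else {p.strip() for p in perms.split(",")}
        policies.setdefault((entity, evaluator), set()).update(granted)
    return policies

def audit(role_text, baseline_text=MANAGER_BASELINE):
    """Compare a role's policies with the documented Manager baseline."""
    role, base = parse_policies(role_text), parse_policies(baseline_text)
    shared = [key for key in base if key in role]
    return {
        # Absent policy or permission: the related projection feature is hidden.
        "missing_policies": sorted(key for key in base if key not in role),
        "missing_permissions": {k: sorted(base[k] - role[k]) for k in shared if base[k] - role[k]},
        # Anything beyond the baseline is a least-privilege review item.
        "extra_permissions": {k: sorted(role[k] - base[k]) for k in shared if role[k] - base[k]},
        "undocumented_policies": sorted(key for key in role if key not in base),
    }

# Constructed sample role for illustration (not a real export).
SAMPLE_ROLE = """\
IdmIdentity | View in select box (autocomplete), Create, Read, Update, Administration (all) | BasePermissionEvaluator
IdmIdentityContract | - | IdentityContractByIdentityEvaluator
IdmFormProjection | View in select box (autocomplete) | BasePermissionEvaluator
IdmFormAttribute | - | FormAttributteByDefinitionEvaluator
"""

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_ROLE).items():
        print(finding, items)
```

For the sample role this flags the administrator-level permission on identities and the form attribute policy as items to review, and lists the seven Manager policies whose features the role would not see.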

Manager - create and edit identity only

Manager who can only create and edit users through a form projection (simplest setting).

  • Permission to work with identities: Users (IdmIdentity) | Create, Read, Update | BasePermissionEvaluator
  • Permission to autocomplete form projections: Forms - projections (IdmFormDefinition) | View in select box (autocomplete) | BasePermissionEvaluator

Normal user

Other users don't need any additional authorization policy configuration. The form projection is saved together with the user, and when the user detail is shown, this projection is used.

Localization

Two projections are localized by default in the product. If a projection with code identity-externe or identity-internal is configured, then this localization is used.

Localization can be added or changed by a developer; read more in the devel guide.

Tips

Skip user dashboard

If we want to show the user detail immediately (skip the user dashboard or the info card), we can hold the ctrl key when clicking on the user link (or info card).