Differences

This shows you the differences between two versions of the page.

devel:documentation:identities [2019/04/10 07:50]
kopro [Admin guide]
devel:documentation:identities [2019/06/25 08:48]
tomiskar [Identity state]
Line 33: Line 33:
   * **valid** - identity is enabled. Identity has valid contract.   * **valid** - identity is enabled. Identity has valid contract.
   * **left** - identity is disabled. Identity has invalid contracts only.   * **left** - identity is disabled. Identity has invalid contracts only.
-  * **disabled** - identity is disabled. Identity contracts are excluded (assigned roles are not removed, when identity is excluded). +  * **excluded** (~disabled) - identity is exclued (disabled). Identity contracts are excluded (assigned roles are not removed, when identity is excluded). 
   * **disabled manually** - identity is disabled manually, e.g. by administrator / synchronization. Manually disabled identity can be enabled manually only again (assigned roles are not removed, when identity is disabled manually).    * **disabled manually** - identity is disabled manually, e.g. by administrator / synchronization. Manually disabled identity can be enabled manually only again (assigned roles are not removed, when identity is disabled manually). 
  
 When identity starts to be valid (some of their contract starts to be valid) and identity has account at least on one target system, then new password is [[.architecture:dev:events#identitysetpasswordprocessor|generated]] and changed on all identity's accounts => identity will have the same password in all accounts. Notification (see ''acc:newPasswordAllSystems'' template) is send to identity about new password on which accounts were changed. When identity starts to be valid (some of their contract starts to be valid) and identity has account at least on one target system, then new password is [[.architecture:dev:events#identitysetpasswordprocessor|generated]] and changed on all identity's accounts => identity will have the same password in all accounts. Notification (see ''acc:newPasswordAllSystems'' template) is send to identity about new password on which accounts were changed.
 +
 +===== Password =====
 +
 +In CzechIdM is user password stored in Bcrypt hash function. User can change password only when own permission ''IDENTITY\_PASSWORDCHANGE'' for the given identity. Password contains also another metadata like valid till, valid from, unsuccessful attempts, block login date, last successful login and etc. For password is also possible set flag **Password never expires**. This flag disable filling valid till. Password never expires and another attributes for password like valid till, is possible set via agenda information about password that is accessible via identity detail and password agenda. For update these attributes you will need permission ''PASSWORD\_UPDATE'' and ''PASSWORD\_READ''
 +
  
 ====== Time slices of contracts ====== ====== Time slices of contracts ======
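Review bot: In the added Password section the permission names carry a backslash before the underscore (''IDENTITY\_PASSWORDCHANGE'', ''PASSWORD\_UPDATE'', ''PASSWORD\_READ''); inside the monospace markup that backslash may be rendered literally, so a reader copying the name into a role definition would get a string that matches no permission. Write the names without the backslash, and say explicitly whether updating the password metadata needs both PASSWORD_UPDATE and PASSWORD_READ or whether READ is only for viewing. In the same paragraph, "stored in Bcrypt hash function" should read "stored as a bcrypt hash", "and etc." should be "etc.", and the last sentence is missing its period. In the changed state bullet, "exclued" should be "excluded".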
  • by tomiskar