Differences

devel:documentation:identities [2020/03/22 20:48]
poulm identity state moved to separate chapter and links corrected
devel:documentation:identities [2020/03/26 09:50] (current)
tomiskar [Admin guide]
Line 1: Line 1:
-<- .:start | Documentation ^ .:start | Documentation ^ .:roles Roles ->+<- .:start | Documentation ^ .:start | Documentation ^ .:contracts Contracts ->
 ====== Identities (users) ====== ====== Identities (users) ======
 In identity management, identity is a set of information that describes a real person. Some of the information like First Name, Last Name, Login or Password is crucial for many IT systems, since they process them, or e.g. use them for authentication or authorization. Identity management systems process the data about identity, transform them and use them to manage accounts on connected systems. In identity management, identity is a set of information that describes a real person. Some of the information like First Name, Last Name, Login or Password is crucial for many IT systems, since they process them, or e.g. use them for authentication or authorization. Identity management systems process the data about identity, transform them and use them to manage accounts on connected systems.
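Review bot: the forward link in the navigation bar changes from `.:roles Roles ->` to `.:contracts Contracts ->`, so the Roles page is no longer reachable from this header even though the page body still links `[[.:roles|Roles]]`; if Contracts is now the intended next chapter, confirm that `.:contracts` itself links on to Roles, otherwise keep both targets in the bar. On the retained sentence, "Some of the information like First Name, Last Name, Login or Password is crucial for many IT systems, since they process them" reads more cleanly as "Some of this information, such as first name, last name, login or password, is critical for many IT systems, which process it or use it for authentication and authorization".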
Line 5: Line 5:
 {{ :devel:documentation:identity.png?400 | Identity in identity management}} {{ :devel:documentation:identity.png?400 | Identity in identity management}}
  
-The representation of a user in the CzechIdM system is an entity called **identity**. Put simply, an identity can be described as a user registered in CzechIdM with all his or her attributes e.g. first name, surname, phone number, etc. Identity representation is a rather complex discipline. To be able to handle automatic identity lifecycle processes, CzechIdM uses other entities with attributes that have a relation to identity. Those are **[[.:identities#contracts|Contracts]], [[.:roles|Roles]]**  and **Tree nodes** forming **[[.:tree_structures| Tree strucures]]**.+The representation of a user in the CzechIdM system is an entity called **identity**. Put simply, an identity can be described as a user registered in CzechIdM with all his or her attributes e.g. first name, surname, phone number, etc. Identity representation is a rather complex discipline. To be able to handle automatic identity lifecycle processes, CzechIdM uses other entities with attributes that have a relation to identity. Those are **[[.:contracts|Contracts]], [[.:roles|Roles]]**  and **Tree nodes** forming **[[.:tree_structures| Tree strucures]]**.
  
 {{ :devel:adm:idm_entities.png?800 | Entities relations}} {{ :devel:adm:idm_entities.png?800 | Entities relations}}
- 
-===== Contracts ===== 
- 
-The relation of identities in CzechIdM to a company or organization is represented by an entity called **contract**. A contract can represent for example: 
-  * **job contract** for work – employees 
-  * **study** – pupils/students 
-  * **contract/arrangement** – external co-workers 
-  * etc. 
-A user can have multiple contracts. A contract is in relation to other objects in CzechIdM: 
-  * **Identity** – described above 
-  * **Tree structure** – a contract can be added to a tree (organizational) structure, which effectively allows integrating the user into a hierarchical division in an organization. 
-  * **Roles** – roles in CzechIdM are assigned to contracts, i.e. a user gets roles through their contracts. Due to this, all manually created identities can have one automatically prepared contract called **Default**. (This can be disabled but is enabled by default.) 
- 
-<note important>Every active user should have their contract. Via contracts Roles are assigned to users and users are placed into a Tree structure (working position)</note> 
- 
- 
- 
-===== Identity profile ===== 
- 
-Identity profile can be shown from the top menu - click on identity username, then select user setting.  
- 
-Identity profile contains configurable properties: 
-  * **Profile image** - user picture. 
-  * **Prefered language** - localization will be chosen after the user logs in. 
-  * **Default page size** - tables will show a given count of records by default. 
-  * **Collapse side menu** - side menu will be collapsed, icons will be shown only. 
-  * **Show system information** - show internal entity identifiers, user transactions, logs, and other system information. 
- 
-{{ :10.1:documentation:user-setting.png |}} 
- 
-All properties are saved right after input is changed. 
  
 ===== Password ===== ===== Password =====
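Review bot: the link target `[[.:contracts|Contracts]]` correctly replaces the in-page anchor `.:identities#contracts` now that the Contracts section below it is deleted, but the same edited line keeps the typo `Tree strucures` (should be `Tree structures`) and a doubled space before `and`; fix both while the line is being touched. The removed block also drops the `<note important>` stating that every active user needs a contract because roles, and hence access on target systems, are assigned through contracts; that is the one sentence on this page that explains how a user obtains entitlements, so confirm the new `.:contracts` page carries it, and consider leaving a one-line pointer to that page and to the new User setting page where the deleted Identity profile section used to be.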
Line 44: Line 13:
 In CzechIdM, the user password is stored in the Bcrypt hash function. User can change password only when he or she has permission ''IDENTITY\_PASSWORDCHANGE'' for the given identity. The password contains also other metadata like "valid till", "valid from", "unsuccessful attempts", "block login date", "last successful login" etc. It is also possible to set flag **Password never expires**. This flag disables filling 'valid till'. 'Password never expires' and other attributes related to a password like 'valid till' can be set via agenda information about a password that is accessible through identity detail or password agenda. To update these attributes you will need permission ''PASSWORD\_UPDATE'' and ''PASSWORD\_READ''. In CzechIdM, the user password is stored in the Bcrypt hash function. User can change password only when he or she has permission ''IDENTITY\_PASSWORDCHANGE'' for the given identity. The password contains also other metadata like "valid till", "valid from", "unsuccessful attempts", "block login date", "last successful login" etc. It is also possible to set flag **Password never expires**. This flag disables filling 'valid till'. 'Password never expires' and other attributes related to a password like 'valid till' can be set via agenda information about a password that is accessible through identity detail or password agenda. To update these attributes you will need permission ''PASSWORD\_UPDATE'' and ''PASSWORD\_READ''.
  
- 
-====== Time slices of contracts ====== 
-{{tag>contract slice}} 
- 
-On many projects, we encounter a source of data about users, employees or org. structures that use so-called time slices. Slice is essentially a snapshot of a contract in a given period of time. To simplify working with time slices, an agenda of the contract's time slices was created. 
- 
-**The basic idea** is that time slices are stored in a self-contained agenda. This agenda only contains time slices for identity contracts. If a given slice is currently valid, its values will be **copied into the linked identity contract**. **Every day**, a scheduled task is performed, which calculates which slice is valid. Such a slice becomes currently used as a contract (its values are copied into the contract). 
- 
-<note important>In one day, only **one slice** can exist for one contract. Every slice must contain all data of the contract. Slice is a **snapshot** of the contract! </note> 
- 
-**More information** about contract time slices can be found in the developer guide [[..:documentation:identities:dev:contractual-relationship-slice|here]] . 
- 
-==== Protection of the validity of the contract ==== 
-{{tag>contract slice protection}} 
- 
-Sometimes there may be a situation where one of the time slices **ends** the contract, and at the same time, there is a next time slice that **restarts** this contract. If there is no gap between termination and restart, then the contract will not be terminated (no accounts will be deleted). If the dates do not follow, then (by default) the contract will be **terminated** and all connected **accounts will be removed** from the target systems. 
- 
-However, in some situations (projects), it is required to use the **protection period** for which the contract will **not be terminated**, provided that there is the next slice in the contract, which restarts the contract. Furthermore, it must be ensured that the gap between the termination and the beginning of the contract is shorter than or equal to the protection interval. 
- 
-**More information** about this protection can be found in the developer guide [[..:documentation:identities:dev:contractual-relationship-slice#protection_of_the_contract_validity|here]] . 
 ====== Read more ====== ====== Read more ======
  
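Review bot: removing "Time slices of contracts" also removes the "Protection of the validity of the contract" caveat, namely that a gap between a terminating slice and a restarting slice terminates the contract and removes all linked accounts from the target systems unless a protection period is configured; that is deprovisioning behaviour an administrator must know about, so verify that it and the two `[[..:documentation:identities:dev:contractual-relationship-slice|...]]` links survive on the contracts page rather than disappearing with this hunk. Minor, on the retained Password paragraph: the permission names are written as ''IDENTITY\_PASSWORDCHANGE'', ''PASSWORD\_UPDATE'' and ''PASSWORD\_READ''; a single underscore is not DokuWiki markup, so the backslashes are unnecessary and will show in the rendered text, and "stored in the Bcrypt hash function" should read "stored as a bcrypt hash".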
Line 69: Line 18:
   * [[tutorial:adm:new_identity|Creating a new identity manually]]   * [[tutorial:adm:new_identity|Creating a new identity manually]]
   * [[tutorial:adm:how_to_identity_sync|Synchronizing identities from a source system - example]]   * [[tutorial:adm:how_to_identity_sync|Synchronizing identities from a source system - example]]
-  * [[tutorial:adm:new_contract|Creating a new contract manually]] 
-  * [[tutorial:adm:how_to_contract_sync|Synchronizing contracts from a source system - example]] 
  
 ===== Admin guide ===== ===== Admin guide =====
   * [[.identities:adm:users|Identity life cycle (ILC)]]   * [[.identities:adm:users|Identity life cycle (ILC)]]
-  * [[.adm:contracts|Time slices of contractual relationships]]  
   * [[.identities:adm:password|Password and identity]]   * [[.identities:adm:password|Password and identity]]
   * [[.identities:adm:identity_states|Identity states]]   * [[.identities:adm:identity_states|Identity states]]
 +  * [[.identities:adm:user_setting|User setting]]
 +  * [[.identities:adm:user-type]]
  
-===== Devel guide ===== 
-  * [[.identities:dev:contractual-relationship]] 
-  * [[.identities:dev:contractual-relationship-slice]] 
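Review bot: the added item `[[.identities:adm:user-type]]` has no link title, unlike every other entry in these lists, so it will render as the raw page id; give it a title (for example "User types", an assumed name) and note that its id uses a hyphen while the sibling `user_setting` uses an underscore, which invites broken links later. Deleting the whole `===== Devel guide =====` heading together with the two contract tutorials and the `[[.adm:contracts|...]]` admin link leaves this page with no pointer to the developer documentation at all; if those links moved to the contracts page, a single "see Contracts" entry under Read more keeps them discoverable from here.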
  • by poulm