The 'Technical Asset' module extends CzechIdM's technical account module by introducing a new entity type that groups and manages technical accounts. It enables organizations to associate technical accounts with specific assets, to assign guarantors and holders both directly and through roles, and to keep a complete audit trail of all operations.
```text
┌──────────────────┐       ┌────────────────┐
│ TechnicalAccount │◄─ ─ ─ │ TechnicalAsset │
└──────────────────┘       └────────────────┘
                                   │
                                   │      ┌─────────────────────────┐
                                   ├─────►│ TechnicalAssetGuarantor │◄────────┐
                                   │      └─────────────────────────┘         │     ┌─────────────┐
                                   │                                          ├─────│ IdmIdentity │
                                   │      ┌──────────────────────┐            │     └─────────────┘
                                   ├─────►│ TechnicalAssetHolder │◄───────────┘
                                   │      └──────────────────────┘
                                   │
                                   │      ┌─────────────────────────────┐
                                   ├─────►│ TechnicalAssetGuarantorRole │◄────┐
                                   │      └─────────────────────────────┘     │     ┌─────────┐
                                   │                                          ├─────│ IdmRole │
                                   │      ┌──────────────────────────┐        │     └─────────┘
                                   └─────►│ TechnicalAssetHolderRole │◄───────┘
                                          └──────────────────────────┘
```
The technical account has been extended with an optional attribute specifying which technical asset it belongs to. If a technical asset becomes disabled, the technical accounts belonging to it will become disabled as well. Note that this doesn't work in reverse - if a technical asset becomes enabled again, its technical accounts will stay disabled until set to enabled manually.
| Attribute | Type | Description |
|---|---|---|
| technicalAsset | UUID | optional attribute specifying which technical asset the technical account belongs to |
| Evaluator | Type | Description | Attributes |
|---|---|---|---|
| TechnicalAccountByTechnicalAssetGuarantorEvaluator | Regular | Returns technical accounts where the logged user is a guarantor of the parent technical asset - either directly by identity or indirectly by role. Technical accounts without an assigned technical asset are never matched by this evaluator. | No attributes |
| TechnicalAccountByTechnicalAssetHolderEvaluator | Regular | Returns technical accounts where the logged user is a holder of the parent technical asset - either directly by identity or indirectly by role. Technical accounts without an assigned technical asset are never matched by this evaluator. | No attributes |
| TechnicalAccountByTechnicalAssetTransitiveEvaluator | Transitive | Returns technical accounts where the logged user has access to the parent technical asset. Permissions are transitively derived from the technical asset the technical account belongs to. Technical accounts without an assigned technical asset are never matched by this evaluator. | Transfer permissions - a list of permissions to be transferred from a technical asset to its technical accounts; if the list is empty, all permissions held by the user for the given technical asset will be transferred to its technical accounts |
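The following is an added example, not CzechIdM code: a minimal model of how the three evaluators above resolve access, including the two rules that matter for least privilege, namely that an account without a technical asset is never matched and that an empty transfer list transfers every permission the user holds on the asset. Entity, role and identity names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample model (not CzechIdM's own classes); names are assumptions.

@dataclass
class TechnicalAsset:
    id: str
    guarantors: set = field(default_factory=set)        # TechnicalAssetGuarantor: identity ids
    holders: set = field(default_factory=set)           # TechnicalAssetHolder: identity ids
    guarantor_roles: set = field(default_factory=set)   # TechnicalAssetGuarantorRole: role ids
    holder_roles: set = field(default_factory=set)      # TechnicalAssetHolderRole: role ids

@dataclass
class TechnicalAccount:
    id: str
    technical_asset: Optional[TechnicalAsset] = None    # the optional link, may be unset

def is_guarantor(identity: str, roles: set, asset: TechnicalAsset) -> bool:
    """Direct guarantor, or holder of at least one guarantor role of the asset."""
    return identity in asset.guarantors or bool(roles & asset.guarantor_roles)

def is_holder(identity: str, roles: set, asset: TechnicalAsset) -> bool:
    return identity in asset.holders or bool(roles & asset.holder_roles)

def by_guarantor_evaluator(identity: str, roles: set, accounts: list) -> list:
    """TechnicalAccountByTechnicalAssetGuarantorEvaluator: an account without a
    parent asset is never matched, whatever the user's other rights are."""
    return [a.id for a in accounts
            if a.technical_asset is not None and is_guarantor(identity, roles, a.technical_asset)]

def by_holder_evaluator(identity: str, roles: set, accounts: list) -> list:
    return [a.id for a in accounts
            if a.technical_asset is not None and is_holder(identity, roles, a.technical_asset)]

def transitive_evaluator(asset_permissions: dict, account: TechnicalAccount, transfer: list) -> set:
    """TechnicalAccountByTechnicalAssetTransitiveEvaluator: permissions the user
    holds on the parent asset flow to the account. An empty transfer list means
    ALL of them flow, so the empty list is the widest, not the narrowest, setting."""
    if account.technical_asset is None:
        return set()
    held = asset_permissions.get(account.technical_asset.id, set())
    return set(held) if not transfer else held & set(transfer)

# Constructed scenario: one asset, one account under it, one orphan account.
DB_CLUSTER = TechnicalAsset("db-cluster", guarantors={"alice"}, holders={"bob"},
                            guarantor_roles={"role-dba"})
ACCOUNTS = [TechnicalAccount("svc-db-01", DB_CLUSTER), TechnicalAccount("svc-orphan")]
USER_ASSET_PERMS = {"db-cluster": {"READ", "UPDATE"}}   # what the user holds on the asset

if __name__ == "__main__":
    print(by_guarantor_evaluator("carol", {"role-dba"}, ACCOUNTS))      # guarantor via role
    print(by_guarantor_evaluator("bob", set(), ACCOUNTS))               # holder only: no match
    print(transitive_evaluator(USER_ASSET_PERMS, ACCOUNTS[0], []))      # both permissions
    print(transitive_evaluator(USER_ASSET_PERMS, ACCOUNTS[0], ["READ", "DELETE"]))  # READ only
    print(transitive_evaluator(USER_ASSET_PERMS, ACCOUNTS[1], []))      # orphan: nothing
```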
The overview of technical accounts can be accessed via the "Systems" and "Accounts" agendas in the main menu. The technical accounts in this agenda can be filtered by the technical asset they belong to, as well as by the rest of their properties.
TechnicalAsset is the primary entity representing a technical asset; one asset can contain multiple technical accounts.
| Attribute | Type | Description |
|---|---|---|
| id | UUID | primary identifier |
| name | String | asset name |
| description | String | asset description |
| disabled | Boolean | flag indicating whether the asset is disabled |
| externalId | String | identifier assigned by an external system for integration purposes |
| externalCode | String | code from an external system |
| validFrom | LocalDate | validity start date |
| validTill | LocalDate | validity end date |
| Permission | Description |
|---|---|
| ADMIN | all permissions |
| COUNT | permission to retrieve the count of entities |
| AUTOCOMPLETE | permission to display the entity in autocomplete suggestions |
| READ | permission to read the entity |
| CREATE | permission to create the entity |
| UPDATE | permission to edit entity attributes |
| DELETE | permission to delete the entity |
| SETTOTECHNICALACCOUNT | permission to assign a technical account to the given Technical Asset |
| TAMANUALLYENABLE | permission to activate a manually deactivated Technical Asset |
| TAMANUALLYDISABLE | permission to manually deactivate a Technical Asset |
| Evaluator | Type | Description | Attributes |
|---|---|---|---|
| TechnicalAssetByGuarantorEvaluator | Regular | Returns technical assets where the logged user is a guarantor - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetByHolderEvaluator | Regular | Returns technical assets where the logged user is a holder - either directly by identity or indirectly by role. | No attributes |
TechnicalAssetGuarantor represents the direct assignment of an identity as guarantor of a technical asset.
| Attribute | Type | Description |
|---|---|---|
| id | UUID | primary identifier |
| externalId | String | identifier assigned by an external system for integration purposes |
| technicalAsset | UUID | id of the technical asset to be guaranteed |
| guarantor | UUID | id of the identity assigned as guarantor |
| Permission | Description |
|---|---|
| ADMIN | all permissions |
| COUNT | permission to retrieve the count of entities |
| AUTOCOMPLETE | permission to display the entity in autocomplete suggestions |
| READ | permission to read the entity |
| CREATE | permission to create the entity |
| UPDATE | permission to edit entity attributes |
| DELETE | permission to delete the entity |
| Evaluator | Type | Description | Attributes |
|---|---|---|---|
| TechnicalAssetGuarantorByTechnicalAssetGuarantorEvaluator | Regular | Returns technical asset guarantors where the logged user is a guarantor of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetGuarantorByTechnicalAssetHolderEvaluator | Regular | Returns technical asset guarantors where the logged user is a holder of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetGuarantorByTechnicalAssetTransitiveEvaluator | Transitive | Returns technical asset guarantors where the logged user has access to the parent technical asset. Permissions are transitively derived from the technical asset the technical asset guarantor belongs to. | Transfer permissions - a list of permissions to be transferred from a technical asset to its guarantors; if the list is empty, all permissions held by the user for the given technical asset will be transferred to its guarantors |
TechnicalAssetGuarantorRole represents the assignment of a role to a technical asset; granting this role to a user designates them as a guarantor of that asset.
| Attribute | Type | Description |
|---|---|---|
| id | UUID | primary identifier |
| externalId | String | identifier assigned by an external system for integration purposes |
| technicalAsset | UUID | id of the technical asset to be guaranteed |
| role | UUID | id of the role which, when assigned to a user, makes them a guarantor |
| Permission | Description |
|---|---|
| ADMIN | all permissions |
| COUNT | permission to retrieve the count of entities |
| AUTOCOMPLETE | permission to display the entity in autocomplete suggestions |
| READ | permission to read the entity |
| CREATE | permission to create the entity |
| UPDATE | permission to edit entity attributes |
| DELETE | permission to delete the entity |
| Evaluator | Type | Description | Attributes |
|---|---|---|---|
| TechnicalAssetGuarantorRoleByTechnicalAssetGuarantorEvaluator | Regular | Returns technical asset guarantor roles where the logged user is a guarantor of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetGuarantorRoleByTechnicalAssetHolderEvaluator | Regular | Returns technical asset guarantor roles where the logged user is a holder of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetGuarantorRoleByTechnicalAssetTransitiveEvaluator | Transitive | Returns technical asset guarantor roles where the logged user has access to the parent technical asset. Permissions are transitively derived from the technical asset the technical asset guarantor role belongs to. | Transfer permissions - a list of permissions to be transferred from a technical asset to its guarantor roles; if the list is empty, all permissions held by the user for the given technical asset will be transferred to its guarantor roles |
TechnicalAssetHolder represents the direct assignment of an identity as holder of a technical asset.
| Attribute | Type | Description |
|---|---|---|
| id | UUID | primary identifier |
| externalId | String | identifier assigned by an external system for integration purposes |
| technicalAsset | UUID | id of the technical asset to be managed |
| holder | UUID | id of the identity assigned as holder |
| Permission | Description |
|---|---|
| ADMIN | all permissions |
| COUNT | permission to retrieve the count of entities |
| AUTOCOMPLETE | permission to display the entity in autocomplete suggestions |
| READ | permission to read the entity |
| CREATE | permission to create the entity |
| UPDATE | permission to edit entity attributes |
| DELETE | permission to delete the entity |
| Evaluator | Type | Description | Attributes |
|---|---|---|---|
| TechnicalAssetHolderByTechnicalAssetGuarantorEvaluator | Regular | Returns technical asset holders where the logged user is a guarantor of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetHolderByTechnicalAssetHolderEvaluator | Regular | Returns technical asset holders where the logged user is a holder of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetHolderByTechnicalAssetTransitiveEvaluator | Transitive | Returns technical asset holders where the logged user has access to the parent technical asset. Permissions are transitively derived from the technical asset the technical asset holder belongs to. | Transfer permissions - a list of permissions to be transferred from a technical asset to its holders; if the list is empty, all permissions held by the user for the given technical asset will be transferred to its holders |
TechnicalAssetHolderRole represents the assignment of a role to a technical asset; granting this role to a user designates them as a holder of that asset.
| Attribute | Type | Description |
|---|---|---|
| id | UUID | primary identifier |
| externalId | String | identifier assigned by an external system for integration purposes |
| technicalAsset | UUID | id of the technical asset to be managed |
| role | UUID | id of the role which, when assigned to a user, makes them a holder |
| Permission | Description |
|---|---|
| ADMIN | all permissions |
| COUNT | permission to retrieve the count of entities |
| AUTOCOMPLETE | permission to display the entity in autocomplete suggestions |
| READ | permission to read the entity |
| CREATE | permission to create the entity |
| UPDATE | permission to edit entity attributes |
| DELETE | permission to delete the entity |
| Evaluator | Type | Description | Attributes |
|---|---|---|---|
| TechnicalAssetHolderRoleByTechnicalAssetGuarantorEvaluator | Regular | Returns technical asset holder roles where the logged user is a guarantor of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetHolderRoleByTechnicalAssetHolderEvaluator | Regular | Returns technical asset holder roles where the logged user is a holder of that technical asset - either directly by identity or indirectly by role. | No attributes |
| TechnicalAssetHolderRoleByTechnicalAssetTransitiveEvaluator | Transitive | Returns technical asset holder roles where the logged user has access to the parent technical asset. Permissions are transitively derived from the technical asset the technical asset holder role belongs to. | Transfer permissions - a list of permissions to be transferred from a technical asset to its holder roles; if the list is empty, all permissions held by the user for the given technical asset will be transferred to its holder roles |
The overview of technical assets can be accessed via the "Technical assets" agenda in the main menu.
Table Columns
| Column | Description |
|---|---|
| Name | Name of the technical asset, unique across all technical assets |
| Description | Description of the technical asset |
| Guarantors | Guarantors of the technical asset, including those listed directly and those who are guarantors via an assigned guarantor role. To prevent overcrowding, the list is truncated to 5 identities. |
| Holders | Holders of the technical asset, including those listed directly and those who are holders via an assigned holder role. To prevent overcrowding, the list is truncated to 5 identities. |
| Valid from | Start date of the technical asset's validity |
| Valid till | End date of the technical asset's validity |
| Inactive | Flag indicating that the technical asset is inactive |
| Filter | Description |
|---|---|
| Name or description | Enables full-text search within the name and description of the technical asset |
| Valid from | Enables searching for technical assets with a specific validity start date |
| Valid till | Enables searching for technical assets with a specific validity end date |
| Guarantor | Enables searching for technical assets by guarantor (either direct or via a role) |
| Holder | Enables searching for technical assets by holder (either direct or via a role) |
| Inactive | Enables searching only for active or only for inactive technical assets |
| Bulk action | Description | Required permission |
|---|---|---|
| Report | Basic export of technical assets | always available |
| Delete technical asset | Allows deletion of technical assets, including subordinate entities (direct guarantors/holders and those via role). If the technical asset is assigned to technical accounts, this association is deleted. | Delete |
Technical accounts assigned to a technical asset are not deleted together with it; if you want to delete them, you have to do so manually. Deletion is a destructive operation that also removes the accounts on the end systems, so IdM does not perform it automatically.
After clicking on the magnifying glass icon or the name of a technical asset in the technical asset table, the detail view of the given technical asset is displayed, with "Basic information" as the default sub-agenda. If the user has the Update permission for a technical asset, they can edit the fields.
To deactivate or activate a technical asset, the user needs the TAMANUALLYDISABLE or TAMANUALLYENABLE permission respectively; without it, the corresponding button is not displayed.
| Field | Description |
|---|---|
| Name | Name of the technical asset, unique across all technical assets |
| Description | Description of the technical asset |
| Valid from | Start date of the technical asset's validity |
| Valid till | End date of the technical asset's validity |
| Inactive | Flag indicating that the technical asset is inactive |
The "Technical accounts" sub-agenda contains an overview of all technical accounts under the given technical asset.
Table Columns
| Column | Description |
|---|---|
| Account identifier | Account identifier on the system |
| System name | Name of the system to which the technical account provides access |
| Account guarantors | Guarantors of the technical account, including those listed directly and those who are guarantors via an assigned guarantor role |
| Valid from | Start date of the technical account's validity |
| Valid till | End date of the technical account's validity |
| Is protected from delete | Flag indicating that the technical account is protected from deletion (it is in quarantine) |
| Protected until | Date until which the technical account is protected from deletion (when the quarantine expires, the account will be deleted) |
| Filter | Description |
|---|---|
| Account identifier | Enables searching by technical account name; an exact match is required |
| System | Enables searching by the name of the system to which the technical account provides access. |
| Technical account type | Enables searching by system mapping |
| Account guarantor | Enables searching for technical accounts by guarantor (either direct or via a role) |
| Valid from | Enables searching for technical accounts with a specific validity start date |
| Valid till | Enables searching for technical accounts with a specific validity end date |
| Protected from deletion | Enables searching only for technical accounts that are in quarantine, or only for those that are not |
| Bulk action | Description | Required permissions |
|---|---|---|
| Report | Basic export of technical accounts | always available |
The guarantors sub-agenda allows you to manage the direct guarantors of the technical asset, as well as the guarantor roles whose assignment makes a user a guarantor.
The holders sub-agenda allows you to manage the direct holders of the technical asset, as well as the holder roles whose assignment makes a user a holder.
The audit sub-agenda displays the audit log for the technical asset and its related entities.
Table columns
| Column | Description |
|---|---|
| Entity type | Type of entity upon which the action was performed |
| Entity (IdM) | Entity upon which the action was performed |
| Sub owner code | Code of the secondary related entity |
| Action | Type of performed action |
| Executed by | Username of the user who performed the action |
| Date of revision | Date and time when the action was performed |
| Changed attributes | List of attributes changed during the action |
| Filter | Description |
|---|---|
| Date | Enables searching for actions performed within a specific period |
| Entity type | Enables searching by the type of entity upon which the action was performed. |
| Executed by | Enables searching by the username of the user who performed the action; an exact match is required |
| Own group search by changed attributes | Enables searching for actions during which the given list of attributes was changed |
The audit table has no bulk actions.