CzechIdM Features

What would be the CzechIdM without automation? Synchronization i.e. data flow from source systems to the identity manager is essential for every identity manager. In CzechIdM you can synchronize following types of entities:

  • identities (users) - we fully support identity synchronization with their contracts
  • roles (privileges) - automatic synchronization of roles is a must have if the role set vary in time - e.g. AD/LDAP groups
  • organizations (org. trees) - we support tree structure synchronization to be able to represent organizational divisions and place users in their working positions.

Synchronization is fully audited and supports multiple synchronizations for every entity. Synchronization can be started on demand or as planned scheduled task.

The other essential data flow in almost all IdM deployments is provisioning. I.E data flow from IdM to managed systems. All entities that support synchronization can also be pushed to end systems via provisioning. Our robust provisioning implementation brings following benefits:

  • Fully audited provisioning queue - Every push operation and its result is audited and audit is available to admins via GUI.
  • Retry mechanism - Queue pushes the data into managed systems. If the system encounters any problem or is just offline, the data stay in queue and tries the operation again in a while until the system is available.
  • Read-only systems - If the system is in read-only mode, all operation are stored in provisioning queue. An administrator can see changes, but nothing is sent. This is very useful for new managed system link-up and cutover or e.g. debugging.

CzechIdM provides complete audit history of all entities in CzechIdM. Major audit features are:

  • entity audit - all entities (identities,roles, treenodes etc…) changes are audited. CzechIdM of course audit their relation changes - identity x role, identity x contracted position etc…
  • separate audit for identities - CzechIdM GUI has special agenda that filter all changes on identities and their relation so that the administrator can work with it with more convenient way e.g. filter by the user's login
  • provisioning audit - every operation with data sent to managed system is audited in provisioning queue audit
  • synchronization audit - every synchronization run has its own audit history. Administrator can find the overall status of the synchronization as well as detail information about avery synchronized entity.
  • workflow audit - workflows (e.g. identity lifecycle process) runs are and its process is kept in workflow history available via GUI
  • scheduled task history - every task run and its process is kept in scheduled task history

CzechIdM represents user's privilege in managed system as a role. From the CzechIdM point of view, there is no difference: the user has specific right in a managed system, is a member of a group of users (AD/LDAP) or has an account with basic access. All of that is represented by one CzechIdM entity - ROLE.

This paradigm is really effective and easy to understand. It allows IdM to apply general rules for roles management and distribution like automatic roles, roles requests approval, synchronization and provisioning.

With CzechIdM you can automate role assignment process. You can link roles to organization structure (tree structure) in:

  • roles agenda
  • organizations agenda

If you link the role with working position, this operation is a subject to approval. When an authorized person approves the operation, from that time all users placed in the working position gets the role without approvement.

It also means they get the role without delay. This is essential if you require a new user (e.g. employee) to get access to managed systems first working day.

Of course, the reverse process works the same way. When a user leaves their working position they lost their roles/access to systems immediately.

CzechIdM provides web interface for convenient work of users and administrators.

User Self-service

Users benefit from using CzechIdM especially in following classes of tasks:

  • Password management - Password change or reset in CzechIdM as well as in managed systems.
  • Role requests - Users can request for new roles (privileges) and access to managed systems. Requests are approved by entrusting users e.g. role owner or user's manager.
  • Subordinates management - Managers can rule their subordinates and request for role change for them too.
  • User Task agenda - entrusted users resolve the user task in CzechIdM GUI. The CzechIdM notification system informs users about new tasks.

Administrator agenda

CzechIdM provides a wide variety of identity management features in its GUI. Most important ones are:

  • Entity management - manage entities like identities, tree structures, scheduled tasks etc… Change their relations e.g. add roles to identities, setup entity synchronization and provisioning.
  • Role management - define roles, manage the role approval workflow (who approves the role assignment), catalogue the roles, prepare the role synchronization and provisioning or set automatic roles to organization structure
  • Account management - manage the users with their accounts in managed systems
  • Systems management - define data sources, managed systems, data synchronization and provisioning, attributes set for each entity
  • Passwords - define multiple passwords policies for managed systems.
  • Modules - enhance CzechIdM functions by enabling additional modules
  • Create your own notifications - manage notification templates for sms,email or websocket
  • Manage scheduled tasks - plan the run of identity lifecycle processes and data synchronization
  • Audit - have all the audit information at one place. CzechIdM uses time machine principle - all changes of its entities are stored as snapshots. GUI provides tool to see the differences of chosen snapshots.

RESTful API is preferred communication API for the CzechIdM. All application services are available via the API. It means that even application frontend uses it for the communication with a backend. This approach has many advantages:

  • REST is quick and flexible
  • It is also widely spread in many current applications
  • one API means possibility of centralized audit of communication
  • automatically documented endpoint documentation is available online
  • build your own application e.g. specific frontend

See more (online CzechIDM RESTful API doc).

CzechIdM contains standardized lifecycle processes management for identities.

Default processes which provide basic automatic management of identities are:

  • Enabled contract - enable identity when its contracted position starts,
  • End of contract - remove roles, disable identity if last contracted position ends,
  • Contract exclusion - disable identity if contract is disabled, e.g. user started maternity leave.

All processes are implemented as long running tasks and operated by workflows. Thus:

  • its start can be easily scheduled in LRT agenda,
  • its progress and status can be overseen,
  • its history is audited in workflow history agenda,
  • new processes can be implemented and deployed easily.

Except for these processes, it is good to mention that

  • assignment
  • change
  • removal

of identity to work position (organization structure) is also supported in CzechIdM. It is managed by automatic roles feature.

Implementation of standard processes can be enhanced as well as new processes can be added to CzechIdM. More details about HR processes in CzechIdM are in Identity lifecycle processes of Administrator's guide.

An identity manager is usually the central system in the company's systems hierarchy. So it should be easy to deploy the IdM system into existing IT environment with minimal changes to the current environment.

When communicating with other systems, CzechIdM uses their native API. This approach has massive benefit in that there is usually no need to alter the systems. All you need to do is to choose the right connector from many supported connectors. If there is no connector available for your system yet, we can develop a new one.

CzechIdM manages various systems like LDAP, MS AD, databases, Unix-like systems, file servers, HR systems, Helpdesk, Windows servers, MS Exchange, postfix and many others.

CzechIdM is robust identity manager and deal with difficult organizational structures.

Imagine a situation that a company or organization e.g. hospital consist of five smaller regional hospitals or other detached workplace with some elements of autonomy. Then there are in fact 5 organizations that have to be managed by CzechIdM, but it is desired that users from one regional hospital are managed by their dedicated administrator in CzechIdM, which of course cannot manage users from other hospitals.

CzechIdM comes with the REALM paradigm. It can synchronize organizational structure from HR system(s) and keep it separate in e.g. 5 trees. Each tree represents organizational structure of one hospital. Then the mechanism of roles permissions can be used to grant access for administrators to only specified tree and the users placed in there.

CzechIdM offers several means of users' authentication. Users can authenticate locally or against some remote system. CzechIdM in its basic modules supports authentication against:

  • LDAP
  • MS Active Directory

The architecture of CzechIdM is prepared for adding other authentication methods just be implementing their protocol.

CzechIdM can support SSO by various authentication methods. Applications that implement OAuth2 protocol (Facebook, Google, …) could be used as external authorities to verify users' access. If your company wants to make use of such well-known social services for users' authentication, implementing that particular type of provider is all that needs to be done on the CzechIdM side.

Out of the box, CzechIdM supports HTTP basic authentication as an authentication method for SSO.

CzechIdM Modules

CzechIdM is strongly modular. It means that the whole application - frontend and backend - is divided into modules. Some are really essential like CORE, ACC and IC and in fact forms the application itself.

Modularity brings many pluses:

  • easy to deploy and use - one can install CzechIdM with essential modules really quickly. Then add only those modules you really need.
  • quick update/upgrade - you can update only specified modules
  • clear configuration - every module has its own configuration properties
  • project specific changes in a separate module - every project specific implementation can be done in one projspec module. Thus you keep differences with the product at one place and once again you can easily upgrade CzechIdM and keep your changes untouched.

CzechIdM offers also optional modules which are e.g: REG, OPENAM, PWD-RESET, CA.

CzechIdM is a powerful system for identity management. There are many ways of how to create the identity there e.g. Synchronization or via REST API. However those are more or less automatic ways of identities import.

Sometimes it is desirable to let the users register for themselves e.g. if you use the CzechIdM for external contractors account management or company customers accounts management. The user registration module enables the self-registration of the user with optional validation steps - email validation, entrusting user approval. The module consists of GUI module - registration form and backend module - logic and notifications.

How to setup and use the module you can read in administrator's guide.

Users can authenticate themselves in CzechIdM with their login and password. The password is, of course, a secret information. It happens sometimes that user does not remember the password and cannot log in to CzechIdM. The pwd-reset module provides GUI form that is available via a link from CzechIdM login page and users can use it to initialize the lost password reset process. The module handles the complete lost password process:

  • Process user data from reset password form
  • Generate email notification - with a unique link to new password set form.
  • Set new password to managed systems - sets the password to all managed systems that support it (including CzechIdM itself).

Read more about the module setup and usage.

OpenAM authentication and SSO module offer the integration with OpenAM - centralized access manager. The integration serves for:

  • CzechIdM to OpenAM authentication
  • SSO
  • user data exchange via REST API

Read more about the module setup and usage.

The module provides a set of tools to work with certificates:

  • certificate request management
  • certificate revocation
  • certificate validity check
  • key management
  • multiple CA servers support
  • REST API endpoint
  • GUI module to CzechIdM
  • CA Drivers - ensures the communication with specific CA

The module is dependent on particular CA implementation (try out CAW). It uses a set of drivers to communicate with CA.

Certificates modul documentation.

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in applications and services easier. SCIM - the open API based on REST for managing identities, by defining a schema for representing users and groups for all the necessary CRUD operations.

CzechIDM Scim module exposes interface by the SCIM 2.0 specification. Read more about SCIM model, operations and endpoints.

Read more about the module.