https://wiki.czechidm.com/ 2026-04-26T00:00:43+00:00 https://wiki.czechidm.com/ https://wiki.czechidm.com/_media/wiki/logo.png text/html 2019-08-14T14:24:12+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/authorization_policy?rev=1565792652&do=diff Authorization policies overview An authorization policy determines what permissions a CzechIdM user has. A policy is assigned to a role, and everyone with this role thus gains the permissions defined by the policy. Assigning permissions in CzechIdM via ordinary roles enables managing permissions for CzechIdM using a standard mechanism text/html 2025-08-21T20:48:53+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/authorization?rev=1755809333&do=diff Permission Role permission defines rights for administrator actions in CzechIdM. A permission for CzechIdM is not necessarily defined for every role. A permission is, for example, READ on USERS. A user having a role with this specific permission can see the read-only detail of all identities in CzechIdM. text/html 2020-06-04T16:54:43+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/automatic_roles?rev=1591289683&do=diff Automatic roles Users get these roles automatically based on their attributes or placing them into organizational structure. Defining or updating an automatic role is a subject of the approval process. Types of automatic roles Automatic roles assigned by organizational structure text/html 2019-03-20T12:30:54+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/business_roles?rev=1553085054&do=diff Business roles Business roles (composition) can be defined on role detail. Business role could contain sub roles - all sub roles are assigned automatically, when business role is assigned to identity. Sub roles has the same validity as business role. When assigned business role is removed from identity, then all sub roles are removed automatically too. Sub roles are processed on the background asynchronously (by text/html 2019-03-19T06:21:14+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/copying-assigned-roles?rev=1552976474&do=diff Copying assigned roles Copying roles from a user is a useful feature for copying/sharing permissions between users. The main purpose is to make it easier to add manually assigned roles to another user. How the feature works The feature is available on the role request detail as a new button. text/html 2019-08-14T14:21:14+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/duplicate-roles?rev=1565792474&do=diff Duplicate (copy) roles Role can be duplicated by prepared bulk action. The result of the bulk action is a new role with some attributes copied from the source role. Bulk action is available in the roles agenda in GUI. Duplicate operation options: text/html 2020-02-25T13:20:44+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/duplicit_roles?rev=1582636844&do=diff Roles assignment deduplication deduplication duplicity duplici role identityrole identity remove assigment admin Yes, CzechIdM allows assigning two identical roles to the same contract. Why? * Assigned manually directly and from a business role - simply the process of defining business roles is in progress. * Assigned manually directly and from an automatic role - for example, an administrator has previously added a new role to a contract and then defined a new automatic role with a defi… text/html 2019-03-19T07:28:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/icons?rev=1552980531&do=diff Icons and description of roles * - directly assigned application role, * - role assigned by automatic role configuration (by tree structure or attribute), * - directly assigned business role. Defined subroles are to be assigned together with this role, text/html 2019-08-15T10:40:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/incompatible_roles?rev=1565865629&do=diff Incompatible roles Segregation of Duties (SoD) can be ensured by the feature incompatible roles. Their setup resembles that of business roles. The old generation of CzechIdM used to have a feature called Role's incompatibility. By incompatibility we mean that you can set restrictions on roles A and B that will stop any user or process from assigning these two roles to the same user at once. In the new generation CzechIdM, we now have a similar feature. The difference is, however, that our ex… text/html 2025-11-24T07:32:51+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/role_assignment?rev=1763969571&do=diff Changing user permissions Role request agenda role rolerequest request This agenda contains all requests (wishes) for requested changes of authorized identities. The main idea is that all changes in identities' permission must go through this agenda. Therefore, it is not intended only for end users' requests but for automatic operations (synchronization, automatic roles, etc.) as well. text/html 2019-03-20T15:04:03+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/roles/adm/role_environment?rev=1553094243&do=diff Roles and multiple environments of connected system Provided you connect a system to CzechIdM that is available in multiple environments - testing, production, preproduction etc. - you can distinct roles in two ways * by prefixing/suffixing its name by the environment shortcut (e.g. prod_mailingListABC) and place them into separate containers in role catalog or