<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://wiki.czechidm.com/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://wiki.czechidm.com/feed.php">
        <title>IdStory Identity Manager - devel:documentation:security:dev</title>
        <description></description>
        <link>https://wiki.czechidm.com/</link>
        <image rdf:resource="https://wiki.czechidm.com/_media/wiki/logo.png" />
       <dc:date>2026-04-25T16:00:06+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/authentication?rev=1598881393&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/authorization?rev=1755808879&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/change-user-permissions?rev=1557217752&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/confidential-storage?rev=1614025305&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/design?rev=1521728947&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/password-policies?rev=1770196888&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.czechidm.com/devel/documentation/security/dev/security?rev=1701447551&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://wiki.czechidm.com/_media/wiki/logo.png">
        <title>IdStory Identity Manager</title>
        <link>https://wiki.czechidm.com/</link>
        <url>https://wiki.czechidm.com/_media/wiki/logo.png</url>
    </image>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/authentication?rev=1598881393&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-08-31T13:43:13+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Authentication</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/authentication?rev=1598881393&amp;do=diff</link>
        <description>Authentication

security authentication authenticator

Basic view

From the simple viewpoint, authentication mechanism in CzechIdM can be divided into three areas:

	*  First access: Unauthenticated users come to CzechIdM for the first time. They fill in their login and password and log in.</description>
    </item>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/authorization?rev=1755808879&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-08-21T20:41:19+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Authorization policies</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/authorization?rev=1755808879&amp;do=diff</link>
        <description>Authorization policies

security authorization role policy default user role permissions

An authorization policy determines which permissions a user in CzechIdM has.

A policy is assigned to a role and everyone with this role gains the permissions determined by the policy as well.

	*  assigning permissions in CzechIdM via ordinary roles enables managing permissions for CzechIdM by a standard mechanism</description>
    </item>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/change-user-permissions?rev=1557217752&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2019-05-07T08:29:12+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Changing user permissions</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/change-user-permissions?rev=1557217752&amp;do=diff</link>
        <description>Changing user permissions

identity permission role request security workflow
read here
Basic life cycle of a request to change permissions



Role request agenda

This agenda contains all requests (wishes) for changes to the permissions of identities. The main idea is that every change in an identity's permissions must go through this agenda. Therefore, it is not intended only for end users' requests but for automatic operations (synchronization, automatic roles, etc.) as well.</description>
    </item>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/confidential-storage?rev=1614025305&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2021-02-22T20:21:45+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Confidential storage</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/confidential-storage?rev=1614025305&amp;do=diff</link>
        <description>Confidential storage

confidential security configuration

To save sensitive data, the interface ConfidentialStorage has been created in the application. To read the data from the storage, it is necessary to know its owner (entity), and the key. 

The storage is currently used for:

	*  saving the sensitive data in</description>
    </item>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/design?rev=1521728947&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2018-03-22T14:29:07+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Authentication design / Authorization in IdM</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/design?rev=1521728947&amp;do=diff</link>
        <description>Authentication design / Authorization in IdM

User authentication with log-in and password

Basic implementation

	*  simple &quot;if&quot; deciding between LDAP or local log-in
	*  marking the log-in in the end system

The user will always log in with the log-in from CzechIdM. Using the log-in from the administered system is not possible, since more than one identity can have access to the same account on the administered system.</description>
    </item>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/password-policies?rev=1770196888&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-02-04T09:21:28+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Password policies</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/password-policies?rev=1770196888&amp;do=diff</link>
        <description>Password policies

password security configuration

The types of policies - validation and generation - are determined by the enumeration PasswordPolicyTypeEnum. Policies of the GENERATE type additionally have a generation type (random, passphrase), determined by the enumeration PasswordPolicyGenerateTypeEnum.

Standard policies</description>
    </item>
    <item rdf:about="https://wiki.czechidm.com/devel/documentation/security/dev/security?rev=1701447551&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2023-12-01T16:19:11+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>Security</title>
        <link>https://wiki.czechidm.com/devel/documentation/security/dev/security?rev=1701447551&amp;do=diff</link>
        <description>Security

Dictionary terms

	*  Base permission - a basic permission, e.g. READ, CREATE, UPDATE, DELETE
	*  Group permission - a group permission can contain base permissions. A group is related to a domain object, e.g. IDENTITY, ROLE
	*  Authority - group + base permission, e.g.</description>
    </item>
</rdf:RDF>
