10.2:documentation:identities

Identities (users)

In identity management, identity is a set of information that describes a real person. Some of the information like First Name, Last Name, Login or Password is crucial for many IT systems, since they process them, or e.g. use them for authentication or authorization. Identity management systems process the data about identity, transform them and use them to manage accounts on connected systems.

 Identity in identity management

The representation of a user in the CzechIdM system is an entity called identity. Put simply, an identity can be described as a user registered in CzechIdM with all his or her attributes e.g. first name, surname, phone number, etc. Identity representation is a rather complex discipline. To be able to handle automatic identity lifecycle processes, CzechIdM uses other entities with attributes that have a relation to identity. Those are Contracts, Roles and Tree nodes forming Tree strucures.

 Entities relations

In CzechIdM, the user password is stored in the Bcrypt hash function. User can change password only when he or she has permission IDENTITY_PASSWORDCHANGE for the given identity. The password contains also other metadata like "valid till", "valid from", "unsuccessful attempts", "block login date", "last successful login" etc. It is also possible to set flag Password never expires. This flag disables filling 'valid till'. 'Password never expires' and other attributes related to a password like 'valid till' can be set via agenda information about a password that is accessible through identity detail or password agenda. To update these attributes you will need permission PASSWORD_UPDATE and PASSWORD_READ.

Read more