CzechIdM 7.5 Emerald is out

Three weeks after Diamond was released, here comes a new stable version of CzechIdM called Emerald. It provides many interesting new features as well as some bugfixes. Read on to see what the latest version of our identity manager brings.

Provisioning brake

If you have a system connected to CzechIdM, e.g. MS Active Directory, on which you want to control provisioning operations (create, update, delete), the provisioning brake is the right choice. With the provisioning brake you control how many operations are performed on a specified system over a defined period of time. It is also possible to set a warning limit or a disable limit for each operation. When either limit is exceeded, administrators are notified by email.

After the disable limit is exceeded, no other operation of the same type is sent to the system. The brake thus prevents unintended bulk operations, which can come, for example, from corrupted data in an HR system or from an administrator's mistake.

It is also possible to create a global provisioning brake configuration. This configuration will be applied to all systems. You can find more about the provisioning brake here.
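The brake logic described above can be modelled as a per-system, per-operation counter over a sliding time window. This is an added example, not CzechIdM code: the class and method names, the precedence of per-system over global limits, the choice to hold back the operation that crosses the disable limit, and the administrator release step are all assumptions.

```python
from collections import defaultdict, deque

class ProvisioningBrake:
    """Illustrative model; names and semantics are assumptions, not CzechIdM's API."""

    def __init__(self, global_limits, system_limits=None, period_s=3600):
        self.global_limits = global_limits          # {operation: (warning, disable)}
        self.system_limits = system_limits or {}    # {system: {operation: (warning, disable)}}
        self.period_s = period_s
        self.sent = defaultdict(deque)              # (system, operation) -> timestamps
        self.blocked = set()
        self.notifications = []                     # stand-in for e-mails to admins

    def _limits(self, system, op):
        # A per-system setting overrides the global one (assumed precedence).
        return self.system_limits.get(system, {}).get(op) or self.global_limits.get(op)

    def allow(self, system, op, now):
        key = (system, op)
        if key in self.blocked:
            return False                            # only this operation type is stopped
        limits = self._limits(system, op)
        if limits is None:
            return True                             # no brake configured
        warning, disable = limits
        window = self.sent[key]
        while window and window[0] <= now - self.period_s:
            window.popleft()                        # forget operations outside the period
        window.append(now)
        if len(window) > disable:
            # Assumption: the operation that crosses the limit is itself held back.
            self.blocked.add(key)
            self.notifications.append(("disable", system, op, len(window)))
            return False
        if len(window) == warning + 1:
            self.notifications.append(("warning", system, op, len(window)))
        return True

    def release(self, system, op):
        # Assumption: an administrator re-enables the operation after review.
        self.blocked.discard((system, op))
        self.sent.pop((system, op), None)

def simulate_corrupted_feed():
    # Constructed scenario: a bad HR import requests 10 deletes within 10 seconds.
    brake = ProvisioningBrake({"delete": (3, 5)}, period_s=60)
    decisions = [brake.allow("AD", "delete", t) for t in range(10)]
    return decisions, brake.notifications, brake.allow("AD", "update", 10)
```

In the constructed scenario the first five deletes go through, the remaining five are held back, and updates to the same system continue unaffected.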

Synchronization of contracts

CzechIdM offers synchronization from a source system for these entities:

  • identity
  • tree node
  • role

In Emerald it is newly possible to synchronize identity contracts. Modern HR systems support users’ contracts, so it was only a matter of time before contract synchronization came to CzechIdM. Contracts can define the link between the identity and the organization structure. In CzechIdM almost everything is managed through contracts. Typically employees can have multiple contracts, and each one places them in a position in the organization structure. Roles are assigned via contracts too. You can find more about contracts here.

Sending additional attributes during password change

It is now possible to send extended attributes of CzechIdM entities such as identity to provisioning when a password is changed (e.g. the password expiration date attribute). A new configuration option, sendOnPasswordChange, was added to the system attributes mapping: attributes with this flag checked will be sent to provisioning together with the changed password.

This is a real benefit if you want to tell e.g. AD that the user changed their password and, at the same time, send the information that the user should be unlocked, or that a new password expiry date or last password change time should be set.

Two ways of provisioning extended attributes are implemented:

  • Send additional attributes together with new password in one provisioning operation.
  • Send additional attributes after password has changed in another provisioning operation.

You can find more about additional attributes here.

Contract states added

State of a contract can be:

  • Enabled – a valid contract.
  • Disabled – a contract is invalid (time validity from – to). When contractual relationship validity ends, then all roles assigned to given contractual relationship are removed. It’s not possible to assign roles to invalid contracts.
  • Excluded – a contract is excluded but remains valid. Roles assigned for this contract are not removed, identity is blocked.

You can find more about contracts here.

Dependent scheduled tasks

Trigger a task after another task it depends on has ended successfully.
You can find more about scheduled tasks here.

Read more

More details about these topics can be found in the Administrator’s guide. If you have any questions or comments, feel free to comment on Redmine or GitHub, or email me. Also join our Google group to keep in touch with CzechIdM news.

About Marcel Poul

Head of IdM project delivery at BCV solutions. He has worked in identity management for more than 8 years. He delivers IdM projects for customers in public administration, private companies, and large multinational corporations. At BCV solutions he also works on analysing customer needs and on developing the CzechIdM software product.
