diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageSelfCredentials.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageSelfCredentials.java
index 7b41a807bfd..419d1b64fae 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageSelfCredentials.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageSelfCredentials.java
@@ -1,9 +1,6 @@
 package com.evolveum.midpoint.web.page.self;
 
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.PrismObjectDefinition;
-import com.evolveum.midpoint.prism.PrismReference;
-import com.evolveum.midpoint.prism.PrismReferenceValue;
+import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.delta.PropertyDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
@@ -14,19 +11,25 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.web.application.AuthorizationAction;
 import com.evolveum.midpoint.web.application.PageDescriptor;
 import com.evolveum.midpoint.web.component.AjaxSubmitButton;
 import com.evolveum.midpoint.web.component.TabbedPanel;
 import com.evolveum.midpoint.web.component.data.TablePanel;
+import com.evolveum.midpoint.web.component.prism.ContainerStatus;
+import com.evolveum.midpoint.web.component.prism.ObjectWrapper;
 import com.evolveum.midpoint.web.component.util.LoadableModel;
+import com.evolveum.midpoint.web.component.util.ObjectWrapperUtil;
 import com.evolveum.midpoint.web.page.admin.home.PageDashboard;
 import com.evolveum.midpoint.web.page.admin.home.dto.MyPasswordsDto;
 import com.evolveum.midpoint.web.page.admin.home.dto.PasswordAccountDto;
+import com.evolveum.midpoint.web.page.admin.users.dto.FocusShadowDto;
 import com.evolveum.midpoint.web.page.self.component.ChangePasswordPanel;
 import com.evolveum.midpoint.web.security.SecurityUtils;
 import com.evolveum.midpoint.web.util.WebMiscUtil;
+import com.evolveum.midpoint.web.util.WebModelUtils;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 import org.apache.wicket.Component;
@@ -35,7 +38,9 @@
 import org.apache.wicket.extensions.markup.html.tabs.AbstractTab;
 import org.apache.wicket.extensions.markup.html.tabs.ITab;
 import org.apache.wicket.markup.html.WebMarkupContainer;
+import org.apache.wicket.markup.html.form.CheckBox;
 import org.apache.wicket.markup.html.form.Form;
+import org.apache.wicket.model.IModel;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -63,8 +68,11 @@ public class PageSelfCredentials extends PageSelf {
     private static final String OPERATION_LOAD_USER = DOT_CLASS + "loadUser";
     private static final String OPERATION_LOAD_ACCOUNT = DOT_CLASS + "loadAccount";
     private static final String OPERATION_SAVE_PASSWORD = DOT_CLASS + "savePassword";
+    private static final String OPERATION_LOAD_SHADOW = DOT_CLASS + "loadShadow";
+
 
     private LoadableModel<MyPasswordsDto> model;
+    private PrismObject<UserType> user;
 
     public PageSelfCredentials() {
         model = new LoadableModel<MyPasswordsDto>(false) {
@@ -92,14 +100,13 @@ protected MyPasswordsDto load() {
 
     private MyPasswordsDto loadPageModel() {
 //        LOGGER.debug("Loading user and accounts.");
-
         MyPasswordsDto dto = new MyPasswordsDto();
         OperationResult result = new OperationResult(OPERATION_LOAD_USER_WITH_ACCOUNTS);
         try {
             String userOid = SecurityUtils.getPrincipalUser().getOid();
             Task task = createSimpleTask(OPERATION_LOAD_USER);
             OperationResult subResult = result.createSubresult(OPERATION_LOAD_USER);
-            PrismObject<UserType> user = getModelService().getObject(UserType.class, userOid, null, task, subResult);
+            user = getModelService().getObject(UserType.class, userOid, null, task, subResult);
             subResult.recordSuccessIfUnknown();
 
             dto.getAccounts().add(createDefaultPasswordAccountDto(user));
@@ -130,6 +137,10 @@ private MyPasswordsDto loadPageModel() {
                     subResult.recordFatalError("Couldn't load account.", ex);
                 }
             }
+
+            List<ShadowType> shadowTypeList = loadShadowTypeList();
+
+
             result.recordSuccessIfUnknown();
         } catch (Exception ex) {
 //            LoggingUtils.logException(LOGGER, "Couldn't load accounts", ex);
@@ -232,7 +243,7 @@ private PasswordAccountDto createPasswordAccountDto(PrismObject<ShadowType> acco
         PrismReference resourceRef = account.findReference(ShadowType.F_RESOURCE_REF);
         String resourceName;
         if (resourceRef == null || resourceRef.getValue() == null || resourceRef.getValue().getObject() == null) {
-            resourceName = getString("PageMyPasswords.couldntResolve");
+            resourceName = getString("PageSelfCredentials.couldntResolve");
         } else {
             resourceName = WebMiscUtil.getName(resourceRef.getValue().getObject());
         }
@@ -268,6 +279,8 @@ private void onSavePerformed(AjaxRequestTarget target) {
                         registry.findObjectDefinitionByCompileTimeClass(UserType.class) :
                         registry.findObjectDefinitionByCompileTimeClass(ShadowType.class);
 
+//                UserType.F_LINK_REF
+//                        ShadowType.REF
                 PropertyDelta delta = PropertyDelta.createModificationReplaceProperty(valuePath, objDef, password,password);
 
                 Class<? extends ObjectType> type = accDto.isMidpoint() ? UserType.class : ShadowType.class;
@@ -298,4 +311,29 @@ private void onCancelPerformed(AjaxRequestTarget target) {
         setResponsePage(PageDashboard.class);
     }
 
+    private List<ShadowType> loadShadowTypeList(){
+        List<ObjectReferenceType> references = user.asObjectable().getLinkRef();
+        Task task = createSimpleTask(OPERATION_LOAD_SHADOW);
+        List<ShadowType> shadowTypeList = new ArrayList<>();
+
+        for (ObjectReferenceType reference : references) {
+            OperationResult subResult = new OperationResult(OPERATION_LOAD_SHADOW);
+            try {
+                Collection<SelectorOptions<GetOperationOptions>> options = SelectorOptions.createCollection(ShadowType.F_RESOURCE,
+                        GetOperationOptions.createResolve());
+
+                if (reference.getOid() == null) {
+                    continue;
+                }
+                PrismObject<ShadowType> shadow = WebModelUtils.loadObject(ShadowType.class, reference.getOid(), options, this, task, subResult);
+                shadowTypeList.add(shadow.asObjectable());
+            } catch (Exception ex) {
+                subResult.recordFatalError("Couldn't load account." + ex.getMessage(), ex);
+            } finally {
+                subResult.computeStatus();
+            }
+        }
+        return shadowTypeList;
+
+    }
 }
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.html b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.html
index 065267d466e..e1d5699b51a 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.html
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.html
@@ -25,14 +25,6 @@
             <div wicket:id="passwordPanel"/>
         </div>
     </div>
-    <div class="row">
-        <div class="checkbox col-md-3">
-            <label wicket:message="title:PageMyPasswords.importantNote">
-                <input type="checkbox" wicket:id="changeAllPasswords">
-                <wicket:message key="ChangePasswordPanel.label.changeAllPasswords"/>
-            </label>
-        </div>
-    </div>
     <div class="row">
         <div class="col-md-7">
             <div class="box box-default collapsed-box">
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
index 5d28cb51a74..bd56644b189 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/component/ChangePasswordPanel.java
@@ -1,46 +1,40 @@
 package com.evolveum.midpoint.web.page.self.component;
 
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.PrismReference;
-import com.evolveum.midpoint.prism.PrismReferenceValue;
-import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
-import com.evolveum.midpoint.schema.GetOperationOptions;
-import com.evolveum.midpoint.schema.SelectorOptions;
-import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.component.data.TablePanel;
 import com.evolveum.midpoint.web.component.data.column.CheckBoxColumn;
 import com.evolveum.midpoint.web.component.data.column.CheckBoxHeaderColumn;
+import com.evolveum.midpoint.web.component.data.column.IconColumn;
+import com.evolveum.midpoint.web.component.data.column.LinkColumn;
 import com.evolveum.midpoint.web.component.input.PasswordPanel;
 import com.evolveum.midpoint.web.component.util.ListDataProvider;
 import com.evolveum.midpoint.web.component.util.LoadableModel;
 import com.evolveum.midpoint.web.component.util.SimplePanel;
-import com.evolveum.midpoint.web.page.PageBase;
+import com.evolveum.midpoint.web.page.admin.certification.PageCertCampaign;
+import com.evolveum.midpoint.web.page.admin.certification.dto.CertDecisionDto;
+import com.evolveum.midpoint.web.page.admin.home.dto.AssignmentItemDto;
 import com.evolveum.midpoint.web.page.admin.home.dto.MyPasswordsDto;
 import com.evolveum.midpoint.web.page.admin.home.dto.PasswordAccountDto;
-import com.evolveum.midpoint.web.page.admin.home.dto.PersonalInfoDto;
-import com.evolveum.midpoint.web.page.admin.users.component.ExecuteChangeOptionsDto;
-import com.evolveum.midpoint.web.page.admin.workflow.dto.ProcessInstanceDto;
-import com.evolveum.midpoint.web.security.SecurityUtils;
-import com.evolveum.midpoint.web.util.WebMiscUtil;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.web.util.OnePageParameterEncoder;
+import com.evolveum.midpoint.web.util.TooltipBehavior;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationCampaignType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationCaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
-import org.apache.wicket.MarkupContainer;
+import org.apache.wicket.AttributeModifier;
+import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.extensions.markup.html.repeater.data.grid.ICellPopulator;
 import org.apache.wicket.extensions.markup.html.repeater.data.table.AbstractColumn;
 import org.apache.wicket.extensions.markup.html.repeater.data.table.IColumn;
 import org.apache.wicket.extensions.markup.html.repeater.data.table.PropertyColumn;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.form.CheckBox;
-import org.apache.wicket.markup.html.link.Link;
 import org.apache.wicket.markup.repeater.Item;
 import org.apache.wicket.model.AbstractReadOnlyModel;
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
 import org.apache.wicket.model.PropertyModel;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
 
 import java.util.*;
 
@@ -60,6 +54,7 @@ public class ChangePasswordPanel extends SimplePanel<MyPasswordsDto> {
     private static final String OPERATION_LOAD_USER = DOT_CLASS + "loadUser";
     private static final String OPERATION_LOAD_ACCOUNT = DOT_CLASS + "loadAccount";
 
+    private PasswordAccountDto midpointAccountDto;
     private LoadableModel<MyPasswordsDto> model;
     MyPasswordsDto myPasswordsDto = new MyPasswordsDto();
     public ChangePasswordPanel(String id) {
@@ -71,22 +66,19 @@ public ChangePasswordPanel(String id, LoadableModel<MyPasswordsDto> model,MyPass
 
     @Override
     protected void initLayout() {
+        model = (LoadableModel) getModel();
+        MyPasswordsDto dto = model.getObject();
+
         Label passwordLabel = new Label(ID_PASSWORD_LABEL, createStringResource("PageSelfCredentials.passwordLabel1"));
         add(passwordLabel);
 
         Label confirmPasswordLabel = new Label(ID_CONFIRM_PASSWORD_LABEL, createStringResource("PageSelfCredentials.passwordLabel2"));
         add(confirmPasswordLabel);
 
-        PasswordPanel passwordPanel = new PasswordPanel(ID_PASSWORD_PANEL, new Model<String>());
+        PasswordPanel passwordPanel = new PasswordPanel(ID_PASSWORD_PANEL, new PropertyModel<String>(model, MyPasswordsDto.F_PASSWORD));
         add(passwordPanel);
 
-        CheckBox changeAllPasswords = new CheckBox(ID_CHANGE_ALL_PASSWORDS,
-                new PropertyModel<Boolean>(model, ExecuteChangeOptionsDto.F_EXECUTE_AFTER_ALL_APPROVALS));
-        add(changeAllPasswords);
-
-
         List<IColumn<PasswordAccountDto, String>> columns = initColumns();
-        model = (LoadableModel) getModel();
         ListDataProvider<PasswordAccountDto> provider = new ListDataProvider<PasswordAccountDto>(this,
                 new PropertyModel<List<PasswordAccountDto>>(model, MyPasswordsDto.F_ACCOUNTS));
         TablePanel accounts = new TablePanel(ID_ACCOUNTS_TABLE, provider, columns);
@@ -97,7 +89,33 @@ protected void initLayout() {
     private List<IColumn<PasswordAccountDto, String>> initColumns() {
         List<IColumn<PasswordAccountDto, String>> columns = new ArrayList<IColumn<PasswordAccountDto, String>>();
 
-        IColumn column = new CheckBoxHeaderColumn<UserType>();
+        IColumn column = new CheckBoxHeaderColumn<PasswordAccountDto>();
+        column = new IconColumn<PasswordAccountDto>(createStringResource("PageCertDecisions.table.campaignName")) {
+            @Override
+            protected IModel<String> createIconModel(final IModel<PasswordAccountDto> rowModel) {
+                return new AbstractReadOnlyModel<String>() {
+
+                    @Override
+                    public String getObject() {
+                        PasswordAccountDto item = rowModel.getObject();
+//                        if (item.getType() == null) {
+                            return "silk-error";
+//                        }
+
+//                        switch (item.getType()) {
+//                            case ACCOUNT_CONSTRUCTION:
+//                                return "silk-drive";
+//                            case ORG_UNIT:
+//                                return "silk-building";
+//                            case ROLE:
+//                                return "silk-user_suit";
+//                            default:
+//                                return "silk-error";
+//                        }
+                    }
+                };
+            }
+        };
         columns.add(column);
 
         columns.add(new AbstractColumn<PasswordAccountDto, String>(createStringResource("PageMyPasswords.name")) {
@@ -130,23 +148,4 @@ public Object getObject() {
 
         return columns;
     }
-
-    private PasswordAccountDto createDefaultPasswordAccountDto(PrismObject<UserType> user) {
-        return new PasswordAccountDto(user.getOid(), getString("PageMyPasswords.accountMidpoint"),
-                getString("PageMyPasswords.resourceMidpoint"), WebMiscUtil.isActivationEnabled(user), true);
-    }
-
-    private PasswordAccountDto createPasswordAccountDto(PrismObject<ShadowType> account) {
-        PrismReference resourceRef = account.findReference(ShadowType.F_RESOURCE_REF);
-        String resourceName;
-        if (resourceRef == null || resourceRef.getValue() == null || resourceRef.getValue().getObject() == null) {
-            resourceName = getString("PageMyPasswords.couldntResolve");
-        } else {
-            resourceName = WebMiscUtil.getName(resourceRef.getValue().getObject());
-        }
-
-        return new PasswordAccountDto(account.getOid(), WebMiscUtil.getName(account),
-                resourceName, WebMiscUtil.isActivationEnabled(account));
-    }
-
 }
diff --git a/gui/admin-gui/src/main/resources/localization/Midpoint.properties b/gui/admin-gui/src/main/resources/localization/Midpoint.properties
index 5c93df6abee..e61b170a0bd 100644
--- a/gui/admin-gui/src/main/resources/localization/Midpoint.properties
+++ b/gui/admin-gui/src/main/resources/localization/Midpoint.properties
@@ -1556,7 +1556,7 @@ PageMyPasswords.button.back=Back
 PageMyPasswords.button.save=Save
 PageMyPasswords.couldntResolve=Couldn't resolve resource.
 PageMyPasswords.enabled=Enabled
-PageMyPasswords.importantNote=Important note. When "MidPoint" account is checked, user password is changed. Besides that, all account credentials are updated based on policies defined in resources definitions.
+PageMyPasswords.importantNote=If selected, user password and all accounts' credentials will be updated based on policies defined in resources definitions.
 PageMyPasswords.name=Name
 PageMyPasswords.noAccountSelected=Password not changed. No account was selected.
 PageMyPasswords.password=Password
@@ -2753,5 +2753,6 @@ PageSelfCredentials.tabs.password=Password
 PageSelfCredentials.title=Credentials
 PageSelfCredentials.passwordLabel1=Password
 PageSelfCredentials.passwordLabel2=Confirm password
-ChangePasswordPanel.accountsTable.header=Accounts
+ChangePasswordPanel.accountsTable.header=Password propagation
 ChangePasswordPanel.label.changeAllPasswords=Keep all passwords the same
+PageSelfCredentials.couldntResolve=Couldn't resolve resource.