Installation of CzechIdM - Final steps

We presume that CzechIdM is already installed as described in Installation of CzechIdM - Linux - CentOS8 or Installation of CzechIdM - Windows.

This tutorial contains some recommended steps to review and finalize the configuration for the production-ready version of CzechIdM.

First of all, activate the module acc in Settings → Modules by clicking on the button Activate.

If you want to try CzechIdM account management without directly connecting some system, you could start with the Virtual systems. To use this, activate the module vs in Settings → Modules by clicking on the button Activate.

Sending of e-mails is turned off by default; the e-mails are only logged in the Notifications → E-mails history. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following:

Go to Settings → Password policies and set the password policy according to your security standards.

It's recommended to set temporary blocking login after unsuccessful login attempts.

If you want to use Maximum password age, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks PasswordExpirationWarningTaskExecutor (notify users before the password expiration) and PasswordExpiredTaskExecutor (notify users when their password expired).

FIXME: For version 10.5+, userRole is created by default by Init application and data. Change this section accordingly.

In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM.

Typically, you want to enable the users to see their profile, request roles or change their password. This is done by a special role called userRole. Create the role and add Permissions to it. The recommended settings are described in the example permissions for userRole.

Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP (Authentication against end system). Or you may configure SSO.

Manual role assignment is always done by role requests. In the fresh installation, the requests will be automatically approved, because no approvers are set yet.

If you want to enable users to request a role change, you should also set some approval processes for their requests. The configuration options are described here.

Managers and guarantees of the contracts can be included in the approval process, or they can manage their subordinates (if you enable it in the userRole). If you use these features, make sure that CzechIdM uses the correct algorithm for evaluating the manager/subordinate relationship.

The default algorithm evaluates the managers/subordinates by their position in the organizational structure and also includes directly set guarantees. This is set by DefaultManagersFilter and DefaultSubordinatesFilter.

Example:

## identity filters
## subordinates by standard tree structure (manager will be found by contract on parent node)
idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter

If you don't want to use the organizational structure for evaluating managers (typically when it is a structure of departments and the managers and subordinates are at the same level in the structure), rather use GuaranteeManagersFilter and GuaranteeSubordinatesFilter.

Example:

## identity filters
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter

Sometimes, we provision some details about the manager to the identity accounts, e.g. the attribute "manager" in Active Directory is the link to the user's manager. To keep this link up to date, IdM runs provisioning for the new and the original subordinates of the manager every time the manager's contract changes.

If you don't need this functionality, which can be time-consuming, switch it off like this:

idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false
idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false
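The filter pair and the two includeSubordinates properties above are easy to get half-edited. The following added script (not part of CzechIdM) parses a properties fragment and reports a mismatched managers/subordinates filter pair or processors that disagree on includeSubordinates; it assumes the defaults are the default filters and includeSubordinates=true, as this page describes.

```python
# Assumption: managersFor/subordinatesFor should use the same family, as both
# examples on this page do (both default or both guarantee).
FILTER_PAIRS = {
    "defaultManagersFilter": "defaultSubordinatesFilter",
    "guaranteeManagersFilter": "guaranteeSubordinatesFilter",
}
MANAGERS_KEY = "idm.sec.core.filter.IdmIdentity.managersFor.impl"
SUBORDINATES_KEY = "idm.sec.core.filter.IdmIdentity.subordinatesFor.impl"
INCLUDE_SUB_KEYS = (
    "idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates",
    "idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates",
)

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            sep = min(seps)
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props

def check_config(props):
    """Return findings for the keys above; an empty list means they are consistent."""
    findings = []
    managers = props.get(MANAGERS_KEY, "defaultManagersFilter")
    subordinates = props.get(SUBORDINATES_KEY, "defaultSubordinatesFilter")
    if managers not in FILTER_PAIRS:
        findings.append(f"unknown managers filter {managers!r}")
    elif FILTER_PAIRS[managers] != subordinates:
        findings.append(f"mismatched pair: {managers} with {subordinates}")
    # Assumption: includeSubordinates defaults to true (provisioning is on by default).
    values = {props.get(k, "true").lower() for k in INCLUDE_SUB_KEYS}
    if len(values) > 1:
        findings.append("includeSubordinates differs between the two contract processors")
    return findings

# Constructed fragment: guarantee filters, with provisioning of subordinates
# switched off as recommended above.
SAMPLE = """## identity filters
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter
idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false
idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false
"""
```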

Check in your project whether you want the password to be reset on all connected systems, including CzechIdM, after a user's state changes from disabled to enabled. This change is processed by the processor IdentitySetPasswordProcessor (acc-identity-set-password-processor). You can disable it either by a configuration property or in the GUI agenda of processors (the two are equivalent).

Review the scheduled tasks in Settings → Task scheduler.

There are multiple tasks that are connected to personnel processes. The default settings work fine if there is no regular synchronization from a source (HR) system. However, a typical IdM solution requires regular source system synchronization, and you typically want to use validity of the contracts and the standard HR processes. The best practice for scheduling HR synchronization and the other tasks is the following "train":

  • Synchronization of organization structure from HR
    • Add a new scheduled task Run synchronization (SynchronizationSchedulableTaskExecutor), select the source system for HR organization structure. Fill in the description, e.g. "COMP0100-01 Synchronization HR organization structure"
    • Save the event and click Add under Scheduled starts. To run the event periodically, set Repeated start or a CRON trigger.
    • Schedule it after midnight, e.g. at 01:00. Also take into account, when the data is populated to the source system.
  • Synchronization of identities from HR
    • Add a new scheduled task Run synchronization, select the source system for HR identities. Fill in the description, e.g. "COMP0100-02 Synchronization HR identities"
    • Save the event and click Add under Scheduled starts. Choose Other task and select the previous task for synchronization of HR organization.
  • Synchronization of contracts from HR
    • Add a new scheduled task Run synchronization, select the source system for HR contracts. Fill in the description, e.g. "COMP0100-03 Synchronization HR contracts"
    • Save the event and click Add under Scheduled starts. Choose Other task and select the previous task for synchronization of HR identities.
  • HR process - enable contract (HrEnableContractProcess)
    • Find the scheduled task with this name. Update its description, e.g. "COMP0100-04 HR: Start of contracts validity"
    • Remove the default scheduled start (only the scheduled start, don't remove the whole task!). Instead, add a new Scheduled start of the type Other task and select the previous task for synchronization of HR contracts.
  • HR process - end of contract (HrEndContractProcess)
    • Find the task and update its description, e.g. "COMP0100-05 HR: End of contracts validity"
    • Remove the default scheduled start, add a new one of the type Other task and select the previous task for HR enable contract.
  • HR process - contract exclusion (HrContractExclusionProcess)
    • Find the task and update its description, e.g. "COMP0100-06 HR: Exclude contract"
    • Remove the default scheduled start, add a new one of the type Other task and select the previous task for HR end contract.
  • Recalculate all automatic roles by attribute (ProcessAllAutomaticRoleByAttributeTaskExecutor)
    • Add this as a new scheduled task (be careful when selecting the exact name). Set description, e.g. "COMP0100-07 Recalculate all automatic roles by attribute"
    • Add a new scheduled start of the type Other task, select the previous task for HR contract exclusion
  • Recalculate skipped automatic role by tree structure for contracts and other positions (ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor)
    • Add this as a new scheduled task (be careful when selecting the exact name). Set description, e.g. "COMP0100-08 Recalculate skipped automatic role by tree structure for contracts"
    • Add a new scheduled start of the type Other task, select the previous task for all automatic roles recalculation
  • Contracts expiration (IdentityContractExpirationTaskExecutor)
    • Find the task and update its description, e.g. "COMP0100-09 Remove roles by expired identity contracts"
    • Remove the default scheduled start, add a new one of the type Other task and select the previous task for recalculation of skipped automatic roles.
  • Assigned roles - start of validity (IdentityRoleValidRequestTaskExecutor)
    • Find the task and update its description, e.g. "COMP0100-10 Start of assigned role validity"
    • Remove the default scheduled start, add a new one of the type Other task and select the previous task for contracts expiration.
  • Assigned roles - expiration (IdentityRoleExpirationTaskExecutor)
    • Find the task and update its description, e.g. "COMP0100-11 Remove expired roles"
    • Remove the default scheduled start, add a new one of the type Other task and select the previous task for start of role validity.

In this setup, make sure to correctly configure the synchronization of identities and contracts (the tab Specific settings). Uncheck the options "After end, start the HR processes" and "After end, start the automatic role recalculation". Those two options start some of the tasks mentioned above. Those tasks should run just once per train to avoid data collisions, and we prefer to schedule them separately (easier problem solving). However, if you decide to use those options instead of the "train of tasks", make sure to start the 3 Hr…Process tasks at least once manually, otherwise they won't be started after the end of synchronization.
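The train only works as intended when exactly one task has a CRON or repeated start, every other task is chained by an Other task trigger, and no task is started twice (a leftover default start next to an Other task trigger is the usual mistake). The following added checker (not part of CzechIdM, and working on a constructed model of the task list rather than the live scheduler) validates such a train and reports those problems; it keys the tasks by the executor names used above, with a suffix to tell the three synchronizations apart.

```python
# Checks a 'train' of CzechIdM scheduled tasks: exactly one task starts from a
# CRON/repeated start, every other task is started by an 'Other task' trigger,
# and each task is started exactly once per run of the train.

def train(chain, cron="0 0 1 * * ?"):
    """Build the linear train from this page: first task on CRON, rest 'Other task'."""
    tasks = {chain[0]: {"cron": cron, "after": None}}
    for prev, name in zip(chain, chain[1:]):
        tasks[name] = {"cron": None, "after": prev}
    return tasks

def validate_train(tasks):
    """Return (start order from the CRON root, findings); empty findings = OK."""
    findings = []
    roots = [n for n, t in tasks.items() if t["cron"]]
    for name, t in tasks.items():
        if t["cron"] and t["after"]:
            findings.append(f"{name}: CRON and 'Other task' triggers both set, runs twice")
        if not t["cron"] and not t["after"]:
            findings.append(f"{name}: no scheduled start, will never run")
        if t["after"] and t["after"] not in tasks:
            findings.append(f"{name}: initiator {t['after']!r} is not scheduled")
    if len(roots) != 1:
        findings.append(f"expected one CRON-triggered root, found {len(roots)}")
    order = []
    frontier = list(roots)
    while frontier:
        name = frontier.pop(0)
        if name in order:
            findings.append(f"{name}: started more than once in one run")
            continue
        order.append(name)
        frontier += [n for n, t in tasks.items() if t["after"] == name]
    findings += [f"{n}: not reachable from the CRON root" for n in tasks if n not in order]
    return order, findings

# Constructed: the eleven-step train described above, keyed by executor name
# (the three synchronizations are distinguished by a suffix).
PAGE_TRAIN = train([
    "SynchronizationSchedulableTaskExecutor:organization",
    "SynchronizationSchedulableTaskExecutor:identities",
    "SynchronizationSchedulableTaskExecutor:contracts",
    "HrEnableContractProcess", "HrEndContractProcess", "HrContractExclusionProcess",
    "ProcessAllAutomaticRoleByAttributeTaskExecutor",
    "ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor",
    "IdentityContractExpirationTaskExecutor",
    "IdentityRoleValidRequestTaskExecutor", "IdentityRoleExpirationTaskExecutor",
])
```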

Other:

You can unschedule the task Recalculate currently used contract time slices (SelectCurrentContractSliceTaskExecutor) if you don't use Time slices of contractual relationships. On the other hand, if you want to use time slices, schedule this task into the train of processes and also make sure to schedule Process contract slices marked as invalid (dirty flag) (ClearDirtyStateForContractSliceTaskExecutor).

You can change the scheduled start of the task Retry provisioning periodically (RetryProvisioningTaskExecutor) so this task runs less often. In some environments, it is enough to retry the failed provisioning operations e.g. once an hour instead of every 5 minutes.

If you want to use the Account protection system for some connected system, the task AccountProtectionExpirationTaskExecutor must start once every day.

If you want to use Maximum password age, schedule the tasks mentioned in Password policy section to run once every day.

If you don't want to automatically delete old records in the provisioning archive, remove the scheduled start from the task DeleteProvisioningArchiveTaskExecutor.

The IdStory product allows you to configure a Service Desk link in the application footer for a specific project.

The configuration is done using the following configuration option:

idm.pub.app.show.footer.serviceDesk.link=

Provide the full URL of your Service Desk in this configuration property, for example: https://redmine.bcvsolutions.eu/. Since IdStory versions 14.16.2 and 15.7.1, the default value of this property is empty, and therefore the Service Desk link is not displayed in the application footer by default.

  • by apeterova