Differences

devel:documentation:application_configuration:dev:backend [2023/02/24 12:05] – [Security] add proxy recaptcha kopro
devel:documentation:application_configuration:dev:backend [2025/12/11 14:56] (current) cem
Line 94: Line 94:
 # - disabled # - disabled
 # - description # - description
-idm.pub.app.show.role.table.columns=name, baseCode, environment, disabled, description+idm.pub.app.show.role.table.columns=name, baseCode, zone, tier, environment, disabled, description 
 +# List of bulk actions that will not be available in the table in role detail - users with role 
 +# Actions listed here will disappear completely from the table (they won't just be greyed out) 
 +idm.pub.app.show.role.identity.prohibited=identity-enable-bulk-action,identity-disable-bulk-action,identity-remove-role-bulk-action,identity-add-role-bulk-action,identity-change-contract-tree-node-and-validity-bulk-action 
 +# If set to false, the link to profile detail (looking glass icon) will not appear in 
 +idm.pub.app.show.role.identity.detail=false
 # Show role catalogue item code in role catalogue tree # Show role catalogue item code in role catalogue tree
 idm.pub.app.show.roleCatalogue.tree.code=false idm.pub.app.show.roleCatalogue.tree.code=false
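Review bot: the comment added above `idm.pub.app.show.role.identity.detail` stops mid-sentence ("will not appear in"); finish it with where the link is hidden, presumably the users-with-role table in role detail that the preceding `idm.pub.app.show.role.identity.prohibited` comment describes, so readers know what `false` actually removes.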
Line 129: Line 134:
 # - passwordexpiration - information about identity password epiration # - passwordexpiration - information about identity password epiration
 # - description # - description
 +# - pam - Flag indicating whether this identity is managed under Privileged Access Management (PAM) (since 15.6.0)
 # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE). # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE).
 # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail),
 # you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend # you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend
 idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description
-idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, identityContract, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority+# Rendered columns in user roles agenda (Directly assigned roles). Comma is used as separator. Order of rendered columns is preserved as configured. 
 +idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, owner, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority 
 +# Rendered columns in role requests in the table for assigned roles. Comma is used as separator. Order of rendered columns is preserved as configured. 
 +idm.pub.app.show.role.request.table.columns=name, description, roleAttributes, contractPosition, validFrom, validTill, directRole, automaticRole, action, priority 
 +# if is true, only direct roles are displayed in role request table (@since 13.0.21, 14.0.4) 
 +idm.pub.app.show.role.request.table.directOnly=false
 # If is true, then role-request description will be show on the detail. # If is true, then role-request description will be show on the detail.
 # Description will hidden if this property will be false and role request # Description will hidden if this property will be false and role request
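Review bot: the `identityContract` column in `idm.pub.app.show.identityRole.table.columns` is replaced by `owner` in the new default value without saying since which version the old column name stops being recognised or whether existing configurations that list `identityContract` must be updated; the neighbouring additions carry version markers (`(@since 13.0.21, 14.0.4)`, `(since 15.6.0)`), so add one here together with a short migration remark.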
Line 155: Line 166:
 # Footer service desk link url. # Footer service desk link url.
 # @since 12.0.0 # @since 12.0.0
-idm.pub.app.show.footer.serviceDesk.link=https://redmine.czechidm.com/projects/czechidmng+# @since 14.16.2 and 15.7.1 is value set as empty by default and ServiceDesk is hidden. 
 +idm.pub.app.show.footer.serviceDesk.link=
 # #
 # Private properties - used on backend only. # Private properties - used on backend only.
Line 166: Line 178:
 # Set property to false to disable init data creation and updates. # Set property to false to disable init data creation and updates.
 idm.sec.core.init.data.enabled=true idm.sec.core.init.data.enabled=true
 +
 +# Rendered columns in account agenda
 +idm.pub.app.show.account.table.columns=accountType, entityType, uid, system, zone, tier, inProtection, endOfProtection, systemEntity, targetEntity
 +
 +# Default implementer if not sett admin will be chosen (value is UUID of identity)
 +idm.sec.core.roleRequest.systemUser=
 +
  
 </code> </code>
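Review bot: `idm.pub.app.show.account.table.columns` is a public (`idm.pub.`) frontend property, yet it is inserted into the block that the context line above labels `# Private properties - used on backend only.`, right after `idm.sec.core.init.data.enabled`; move it next to the other `idm.pub.app.show.*.table.columns` entries. The comment on `idm.sec.core.roleRequest.systemUser` ("Default implementer if not sett admin will be chosen") also needs rewording: fix "sett" and spell out what the configured identity is the default implementer of and that admin is the fallback when the value is left empty.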
Line 184: Line 203:
   * ''SCHEDULER_UPDATE''  - scheduled tasks and created (~ not processed) asynchronous long running tasks will be changed.   * ''SCHEDULER_UPDATE''  - scheduled tasks and created (~ not processed) asynchronous long running tasks will be changed.
   * ''ENTITYEVENT_UPDATE''  - created (~ not processed) asynchronous events will be changed.   * ''ENTITYEVENT_UPDATE''  - created (~ not processed) asynchronous events will be changed.
 +=== Filters and columns to users table and subordinates table ===
 +
 +@since 14.1.0
 +
 +A new variable has been added that makes the contract end date column visible and provides a filter to select by "Valid till" date. If a user has multiple contracts, all end dates will be visible. Filtering by contract end date includes the boundary for the entered day. If you want to filter, for example, all subordinates for a specific day, fill both date boxes with that day. If one of these dates is not set, the boundary will be ignored.
 +
 +You can add the configuration variable ''idm.pub.app.show.identity.table.columns''  with the value ''contractenddates''  it will make contract column visible and add two filter boxes above table.
 +
 +The configuration variable ''idm.pub.app.show.identity-subordinates.table.columns''  is not set by default. If you add the ''contractenddates''  variable, it will show only the username and contract end date. To display additional columns like name, last name, etc., include them in the frontend configuration for the identity table. For example: ''idm.pub.app.show.identity-subordinates.table.columns=username, lastName, firstName, externalCode, email, state, description, contractenddates''. After setting these configuration values in red boxes, the new values for version 14.1.0 will be:
 +
 +{{.:subordinates-contract-end-date-filter.png?600}}
 +
 +=== Update contract end date pre-fill date ===
 +
 +@since 14.1.0
 +
 +If you add the following configuration variable, it will pre-fill the **Valid till**  date for contracts. The pre-filled date will be today's date + x days based on the configuration value.
 +
 +For example: ''idm.sec.core.bulk.action.identity-change-contract-tree-node-and-validity.extension-period-days=365''
 +
 +Date will be pre-filed with today date + 365 days.
 +
 ==== Jpa ==== ==== Jpa ====
  
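Review bot: the sentence "You can add the configuration variable ''idm.pub.app.show.identity.table.columns'' with the value ''contractenddates''" reads as if the property should be set to that single value, but the property already carries the column list shown earlier on this page (username, lastName, firstName, ...), and the subordinates example that follows appends `contractenddates` to such a list; say explicitly that the column is appended to the existing list, not substituted for it. In the last paragraph "pre-filed" should be "pre-filled".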
Line 220: Line 261:
 # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes.
 spring.datasource.maximumPoolSize=50 spring.datasource.maximumPoolSize=50
 +
  
 </code> </code>
Line 233: Line 275:
 There are by default two datasources configured There are by default two datasources configured
  
-      * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories) +  * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories) 
-      * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance+  * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance
   *   *
  
 Configuration properties, that have changed with introduction of additional datasources: Configuration properties, that have changed with introduction of additional datasources:
  
-      * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' // +  * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' // 
-      * spring.datasource.hikari.* → spring.datasource.*+  * spring.datasource.hikari.* → spring.datasource.*
   *   *
  
 Both datasources are required for the app to start. Both datasources are required for the app to start.
  
-      * By default, both datasources are configured for H2 in-memory database +  * By default, both datasources are configured for H2 in-memory database 
-      * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties +  * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties 
-      * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties+  * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties
  
 ===== Datasource configuration properties ===== Datasource configuration properties
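Review bot: the re-indented lists still end with an empty bullet (the bare `*` item after the `loggingDatasource` entry and again after `spring.datasource.hikari.* → spring.datasource.*`), which renders as an empty list entry; drop those lines while the indentation is being touched. The typo "databes appender" in the `loggingDatasource` item could be fixed in the same pass.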
Line 254: Line 296:
  
 ===== Developer ===== ===== Developer =====
-      * If you are using ''EntityManager''  in your code, you will run into the issue with autowiring. In order to fix it, you need to explicitly specify, which ''EntityManager''  bean you want spring to autowire. You can use + 
-        * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this +  * If you are using ''EntityManager''  in your code, you will run into the issue with autowiring. In order to fix it, you need to explicitly specify, which ''EntityManager''  bean you want spring to autowire. You can use 
-        * @Qualifier("coreEntityManager") annotation, if you want to autowire main application datasource and do not want to explicitly define dependency on core-api module+      * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this 
 +      * @Qualifier("coreEntityManager") annotation, if you want to autowire main application datasource and do not want to explicitly define dependency on core-api module
  
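Review bot: the re-indented sub-items keep a stray backtick and an unclosed parenthesis in "@CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this"; wrap both annotations in the page's `''...''` code markup (`''@CoreEntityManager''`, `''@Qualifier("coreEntityManager")''`) and close the parenthesis.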
 === JNDI datasource === === JNDI datasource ===
Line 275: Line 318:
             maxIdle="4"/>             maxIdle="4"/>
 </Context> </Context>
 +
  
 </code> </code>
Line 283: Line 327:
 # JNDI location of the datasource. Class, url, username & password are ignored when set. # JNDI location of the datasource. Class, url, username & password are ignored when set.
 spring.datasource.jndi-name=PostgresDS spring.datasource.jndi-name=PostgresDS
 +
  
 </code> </code>
Line 299: Line 344:
 </appender> </appender>
 ... ...
 +
  
 </code> </code>
Line 327: Line 373:
 # add ssl usage flag, see https://jdbc.postgresql.org/documentation/head/connect.html # add ssl usage flag, see https://jdbc.postgresql.org/documentation/head/connect.html
 spring.datasource.url=jdbc:postgresql://localhost:5432/bcv_idm_storage?ssl=true spring.datasource.url=jdbc:postgresql://localhost:5432/bcv_idm_storage?ssl=true
 +
  
 </code> </code>
Line 347: Line 394:
 # Size in MB # Size in MB
 idm.sec.cache.terracota.resource.pool.size=32 idm.sec.cache.terracota.resource.pool.size=32
 +
  
 </code> </code>
Line 384: Line 432:
 # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends).
 idm.sec.core.attachment.tempTtl=1209600000 idm.sec.core.attachment.tempTtl=1209600000
 +
  
 </code> </code>
Line 405: Line 454:
 # definitions name pattern - subfolders can be used # definitions name pattern - subfolders can be used
 spring.activiti.processDefinitionLocationSuffixes=**/**.bpmn20.xml spring.activiti.processDefinitionLocationSuffixes=**/**.bpmn20.xml
 +
 +# Configuration option that enables or disables the legacy approval mechanism based on Activity.
 +# When set to false, only the new approval process will be used
 +# @since 15.0.0
 +idm.pub.core.workflows.legacy.enabled=true
 +
 +
 +</code>
 +
 +==== New workflow engine ====
 +
 +<code properties>
 +# Configuration option that enables or disables the new approval mechanism based on our workflow engine.
 +# When set to false, only the old approval process will be used
 +# @since 15.0.0
 +idm.pub.core.workflows.wfengine.enabled=true
 +
  
 </code> </code>
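Review bot: "the legacy approval mechanism based on Activity" should read Activiti, the engine the surrounding `spring.activiti.*` properties refer to. More importantly, the two new flags `idm.pub.core.workflows.legacy.enabled` and `idm.pub.core.workflows.wfengine.enabled` both default to `true` and each comment only describes its own `false` case; document which engine handles an approval when both are enabled, and what happens when both are disabled, since the comments leave those combinations undefined.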
Line 428: Line 494:
 # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
 idm.sec.security.recaptcha.secretKey=xxx idm.sec.security.recaptcha.secretKey=xxx
-# Proxy configuration for reCAPTCHA+# Proxy configuration for reCAPTCHA (since version 12.2.5)
 idm.sec.security.recaptcha.proxy=12.34.56.78:1234 idm.sec.security.recaptcha.proxy=12.34.56.78:1234
 +
  
 </code> </code>
Line 443: Line 510:
 # @see https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:databazove_scripty # @see https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:databazove_scripty
 flyway.enabled=false flyway.enabled=false
 +
  
 </code> </code>
Line 467: Line 535:
 # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used. # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used.
 flyway.core.locations=classpath:eu/bcvsolutions/idm/core/sql/${dbName} flyway.core.locations=classpath:eu/bcvsolutions/idm/core/sql/${dbName}
 +
  
 </code> </code>
Line 490: Line 559:
 module.<module>.build.name=@project.name@ module.<module>.build.name=@project.name@
 module.<module>.build.description=@project.description@ module.<module>.build.description=@project.description@
 +
  
 </code> </code>
Line 508: Line 578:
 springfox.documentation.swagger.outputDir=@swagger.output.dir@ springfox.documentation.swagger.outputDir=@swagger.output.dir@
 springfox.documentation.swagger.outputFilename=@swagger.output.filename@ springfox.documentation.swagger.outputFilename=@swagger.output.filename@
 +
  
 </code> </code>
Line 526: Line 597:
 # The FROM email address. # The FROM email address.
 idm.sec.core.emailer.from=idm@bcvsolutions.eu idm.sec.core.emailer.from=idm@bcvsolutions.eu
 +
  
 </code> </code>
Line 540: Line 612:
 idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/template/ idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/template/
 idm.sec.core.notification.template.fileSuffix=**/**.xml # template suffix idm.sec.core.notification.template.fileSuffix=**/**.xml # template suffix
 +
  
 </code> </code>
Line 554: Line 627:
 idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/ idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/
 idm.sec.core.script.fileSuffix=**/**.xml idm.sec.core.script.fileSuffix=**/**.xml
 +
  
 </code> </code>
Line 599: Line 673:
 # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5).
 scheduler.event.executor.threadPriority=6 scheduler.event.executor.threadPriority=6
 +
  
 </code> </code>
Line 627: Line 702:
 # Needed on FE (=> public) # Needed on FE (=> public)
 idm.pub.core.identity.passwordChange.public.idm.enabled=true idm.pub.core.identity.passwordChange.public.idm.enabled=true
 +#
 +# Configure initial state of account selection for password change (since version 13.0.16 and pwdreset 3.0.8)
 +# true - whether all of the accounts will be selected initially
 +# false - non of the accounts will be selected initially
 +idm.pub.core.identity.passwordChange.preselectSystems=true
 # #
 # Skip identity dashboard content - show full detail directly (link from table or from info component) # Skip identity dashboard content - show full detail directly (link from table or from info component)
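Review bot: the value descriptions for `idm.pub.core.identity.passwordChange.preselectSystems` are worded awkwardly ("true - whether all of the accounts will be selected initially", "false - non of the accounts will be selected initially"); rephrase as "true - all accounts are preselected" and "false - no account is preselected" ("non" should be "none").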
Line 637: Line 717:
 # Creates default identity's contract with configured position name. # Creates default identity's contract with configured position name.
 idm.sec.core.identity.create.defaultContract.position=Default idm.sec.core.identity.create.defaultContract.position=Default
 +# This conf. property will pre-filled to the position name in the projection form when creating a new user. If the configuration value is not provided, the position name defaults to "Default".
 +idm.pub.core.identity.create.defaultContract.position=Contract name
 # Creates default identity's contract with configured state. Valid contract will be crated by default, other possible values: # Creates default identity's contract with configured state. Valid contract will be crated by default, other possible values:
 # EXCLUDED - Excluded from evidence - remains valid, but roles assigned for this contract are not added for logged identity. # EXCLUDED - Excluded from evidence - remains valid, but roles assigned for this contract are not added for logged identity.
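Review bot: the comment on the new `idm.pub.core.identity.create.defaultContract.position` is ungrammatical ("will pre-filled to the position name") and leaves its relationship to the existing `idm.sec.core.identity.create.defaultContract.position` directly above it unexplained: both configure a contract position name and both fall back to "Default", so state that the `pub` property only pre-fills the projection form and which of the two applies when they differ.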
Line 647: Line 729:
 # Profile image max file size in readable string format (e.g. 200KB). # Profile image max file size in readable string format (e.g. 200KB).
 idm.sec.core.identity.profile.image.max-file-size=512KB idm.sec.core.identity.profile.image.max-file-size=512KB
 +#
 +# Validation all password to banned strings. Banned string are comparison for similarity to first name last name, usernames, account name, ...
 +# Configuration is global for all users, accounts and all policies
 +idm.sec.core.identity.passwordChange.validateBannedStrings=false
  
  
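Review bot: the comment for `idm.sec.core.identity.passwordChange.validateBannedStrings` does not tell the reader what the check does: reword "Validation all password to banned strings. Banned string are comparison for similarity to first name last name, usernames, account name, ..." to something like "When true, every new password is checked for similarity to the identity's first name, last name, username and account names (banned strings)", and make clear that the default `false` means no such check is performed for any user, account or policy. The property also belongs with the other `idm.sec.core.identity.passwordChange.*` settings rather than under the profile-image size limit.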
Line 661: Line 747:
 # termination of the contract from the currently valid slice. # termination of the contract from the currently valid slice.
 idm.sec.core.contract-slice.protection-interval=0 idm.sec.core.contract-slice.protection-interval=0
 +
  
 </code> </code>
Line 705: Line 792:
 # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script).
 idm.sec.core.role.codeEnvironmentSeperator=| idm.sec.core.role.codeEnvironmentSeperator=|
 +
  
 </code> </code>
Line 719: Line 807:
 # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc. # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc.
 idm.sec.core.tree.defaultNode= idm.sec.core.tree.defaultNode=
 +
  
 </code> </code>
Line 729: Line 818:
 # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted. # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted.
 idm.sec.core.treeType.<tree-code>.rebuild=false idm.sec.core.treeType.<tree-code>.rebuild=false
 +
  
 </code> </code>
Line 749: Line 839:
 # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher 'scheduler.event.queue.process' property). # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher 'scheduler.event.queue.process' property).
 idm.sec.core.event.asynchronous.batchSize=15 idm.sec.core.event.asynchronous.batchSize=15
 +
  
 </code> </code>
Line 761: Line 852:
 # override event types for given processor # override event types for given processor
 idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE
 +
  
 </code> </code>
Line 782: Line 874:
 # disable / enable bulk action # disable / enable bulk action
 idm.sec.<module>.bulk-action.<name>.enabled=true idm.sec.<module>.bulk-action.<name>.enabled=true
 +
  
 </code> </code>
Line 826: Line 919:
 # Default main WF for approve all roles. # Default main WF for approve all roles.
 idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions
 +
  
 </code> </code>
Line 838: Line 932:
 # If returns null, then all guarantees will be used for approving (no limitations). # If returns null, then all guarantees will be used for approving (no limitations).
 idm.sec.core.request.idm-role.approval.guarantee-type= idm.sec.core.request.idm-role.approval.guarantee-type=
 +
  
 </code> </code>
Line 850: Line 945:
 ## Enable sending notification of changing roles to user, who made request ## Enable sending notification of changing roles to user, who made request
 idm.sec.core.wf.notification.implementer.enabled=true idm.sec.core.wf.notification.implementer.enabled=true
 +
  
 </code> </code>
Line 864: Line 960:
 # or secretKey defined in the external file - secret.keyPath # or secretKey defined in the external file - secret.keyPath
 # cipher.crypt.secret.keyPath=/path/to/key # cipher.crypt.secret.keyPath=/path/to/key
 +
  
 </code> </code>
Line 879: Line 976:
 # Throws exception, when size is exceeded. Set to {@code -1} to disable this check. # Throws exception, when size is exceeded. Set to {@code -1} to disable this check.
 idm.sec.core.filter.check.size.maximum=500 idm.sec.core.filter.check.size.maximum=500
 +
  
 </code> </code>
Line 889: Line 987:
 # filter implementation # filter implementation
 idm.sec.<module>.filter.<entity>.<name>.impl=<beanName> idm.sec.<module>.filter.<entity>.<name>.impl=<beanName>
 +
  
 </code> </code>
Line 911: Line 1010:
 # sender implementation # sender implementation
 idm.sec.<module>.notification-sender.<notificationType>.impl=<beanName> idm.sec.<module>.notification-sender.<notificationType>.impl=<beanName>
 +
  
 </code> </code>
Line 930: Line 1030:
 # ID system against which to authenticate # ID system against which to authenticate
 idm.sec.security.auth.system= idm.sec.security.auth.system=
 +
  
 </code> </code>
Line 938: Line 1039:
 idm.sec.acc.security.auth.order1.system= idm.sec.acc.security.auth.order1.system=
 idm.sec.acc.security.auth.order2.system= idm.sec.acc.security.auth.order2.system=
 +
  
 </code> </code>
Line 945: Line 1047:
 <code properties> <code properties>
 idm.sec.acc.security.auth.maximumSystemCount=50 idm.sec.acc.security.auth.maximumSystemCount=50
 +
  
 </code> </code>
Line 957: Line 1060:
 # enable/ disable filter - enabled by default or by filter implementation. # enable/ disable filter - enabled by default or by filter implementation.
 idm.sec.<module>.authentication-filter.<name>.enabled=true idm.sec.<module>.authentication-filter.<name>.enabled=true
 +
  
 </code> </code>
Line 980: Line 1084:
 # The uids that can't be authenticated by SSO # The uids that can't be authenticated by SSO
 idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=
 +
  
 </code> </code>
Line 994: Line 1099:
 # The uids that can't be authenticated by SSO # The uids that can't be authenticated by SSO
 idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids=
 +
  
 </code> </code>
Line 1038: Line 1144:
 # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default. # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default.
 idm.sec.core.cas.header-prefix= idm.sec.core.cas.header-prefix=
 +
 +
 +</code>
 +
 +=== OIDC authentication ===
 +
 +@since 13.1.0 [[this>wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/devel/documentation/security/dev/security#oidc_authentication|OIDC authentication]] can be configured with following properties:
 +
 +<code properties>
 +# Enable authentication via OIDC when false IDM will return 503 SERVICE_UNAVAILABLE on enpoints used for OICD auth, and ignore any Bearer token. Default: false
 +idm.pub.core.oidc.enabled=false
 +# REQIRED configuration
 +# client-id confugured in CAS Service
 +idm.sec.core.oidc.client-id=
 +# client-secret confugured in CAS Service
 +idm.sec.core.oidc.client-secret=
 +# Base URL where OICD provider is accessible. Syntax of this field is https://hostname-of-OICD/URI.
 +idm.sec.core.oidc.url=
 +
 +# OPTIONAL configuration
 +idm.sec.core.oidc.login-path=/authorize
 +idm.sec.core.oidc.logout-path=/logout
 +idm.sec.core.oidc.token-path=/token
 +
 +​​​​​# Configuration for spring.security most is gotten from auto-discover endpoint (${idm.sec.core.oidc.url}/.well-known/openid-configuration) but can be overwritten here
 +spring.security.oauth2.client.registration.cas.client-id=${idm.sec.core.oidc.client-id}
 +spring.security.oauth2.client.registration.cas.client-secret=${idm.sec.core.oidc.client-secret}
 +spring.security.oauth2.client.registration.cas.scope=openid
 +spring.security.oauth2.client.registration.cas.redirect-uri={baseUrl}/api/v1/authentication/oidc-login-response/{registrationId}
 +#spring.security.oauth2.client.registration.cas.authorization-grant-type=authorization_code
 +#spring.security.oauth2.resource.jwk.key-set-uri=${idm.sec.core.oidc.url}/jwks
 +
 +spring.security.oauth2.client.provider.cas.issuer-uri=${idm.sec.core.oidc.url}
 +#spring.security.oauth2.client.provider.cas.token-uri=${idm.sec.core.oidc.token-path}
 +#spring.security.oauth2.client.provider.cas.authorization-uri=${idm.sec.core.oidc.login-path}
 +
  
 </code> </code>
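Review bot: the wiki link in "@since 13.1.0 [[this>wiki.czechidm.com/wiki.czechidm.com/...]]" repeats the host five times and will not resolve; it should carry the single path `devel/documentation/security/dev/security#oidc_authentication`. In the property block, the commented `spring.security.oauth2.client.provider.cas.token-uri=${idm.sec.core.oidc.token-path}` and `...provider.cas.authorization-uri=${idm.sec.core.oidc.login-path}` would expand to the bare paths `/token` and `/authorize`, while the provider `*-uri` settings expect absolute URLs; prefix them with `${idm.sec.core.oidc.url}`. Also fix the typos `REQIRED`, `confugured`, `enpoints` and the `OICD`/`OIDC` inconsistency, and strip the invisible characters at the start of the `# Configuration for spring.security ...` comment line, which would otherwise be copied into a properties file.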
Line 1049: Line 1191:
 # Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default. # Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default.
 idm.sec.core.backups.default.folder.path=/tmp/backup idm.sec.core.backups.default.folder.path=/tmp/backup
 +
  
 </code> </code>
Line 1054: Line 1197:
 ==== Http proxy ==== ==== Http proxy ====
  
-For outgoing http communication, you can set a proxy (currently used only by ReCaptcha).+For outgoing http communication, you can set a proxy.
  
 **Server restart**  is needed to apply this configuration change. **Server restart**  is needed to apply this configuration change.
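Review bot: dropping "(currently used only by ReCaptcha)" leaves the sentence without saying which outgoing HTTP calls honour `idm.sec.core.http.proxy`; list the components that use it now, otherwise operators cannot tell whether, for example, calls to the OIDC provider configured elsewhere on this page go through the proxy.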
Line 1061: Line 1204:
 # Proxy for HTTP requests # Proxy for HTTP requests
 idm.sec.core.http.proxy=12.34.56.78:1234 idm.sec.core.http.proxy=12.34.56.78:1234
 +
 +# For reCAPTCHA is used since version 12.2.5 new configuration. Backward compatibility with original configuration still exists.
 +# Proxy configuration for reCAPTCHA
 +idm.sec.security.recaptcha.proxy=12.34.56.78:1234
 +
  
 </code> </code>
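Review bot: `idm.sec.security.recaptcha.proxy` is now documented twice on the page, here and in the Security block (where this revision also adds "(since version 12.2.5)" to its comment); keep one definition and cross-reference it. The comment "For reCAPTCHA is used since version 12.2.5 new configuration. Backward compatibility with original configuration still exists." should also name the original property it is compatible with (presumably `idm.sec.core.http.proxy` on the line above) and say which one wins when both are set.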
Line 1071: Line 1219:
 # use cglib for proxies by default # use cglib for proxies by default
 spring.aop.proxy-target-class=true spring.aop.proxy-target-class=true
 +
  
 </code> </code>
Line 1081: Line 1230:
 # If you do not define default role, then will be used **superAdminRole** as default! # If you do not define default role, then will be used **superAdminRole** as default!
 idm.sec.vs.role.default=<some-code-of-role> idm.sec.vs.role.default=<some-code-of-role>
 +
  
 </code> </code>
Line 1089: Line 1239:
 # Long polling # Long polling
 idm.pub.app.long-polling.enabled=true idm.pub.app.long-polling.enabled=true
 +
 +
 +</code>
 +
 +You can disable long polling for all types of entites with use value `false`.
 +
 +==== Identity contract slice ====
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +# The protected interval can be set using the property idm.sec.core.contract-slice.protection-interval, where the value is the number of days.
 +# If the number of days between the termination of the contract and its renewal in the following time slice is less than or equal to the number
 +# of days set in the protection interval, then the date of the contract validity from the following slice will be used instead of the date of
 +# termination of the contract from the currently valid slice.
 +idm.sec.core.contract-slice.protection-interval=0
 +
 +
 +</code>
 +
 +==== Role ====
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +#
 +# Default user role will be added automatically, after an identity is logged in
 +# could contains default authorities and authority policies configuration
 +# for adding autocomplete or all record read permission etc.
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.default=userRole
 +#
 +# Admin user role
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.admin=superAdminRole
 +#
 +# Helpdesk user role
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.helpdesk=helpdeskRole
 +#
 +# User manager role
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.userManager=userManagerRole
 +#
 +# Role manager role - role guarantee
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.core.role.roleManager=roleManagerRole
 +#
 +# Virtual system implementer  role - product provided role for implementers (approve vs request etc.).
 +# Role full code should be given (should contain environment, if it is used).
 +# Role authorities are updated automatically, when new IdM version is installed.
 +idm.sec.vs.role.implementer=virtualSystemImplementerRole
 +#
 +# Separator for the suffix with environment used in role code.
 +# Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script).
 +idm.sec.core.role.codeEnvironmentSeperator=|
 +
 +
 +</code>
 +
 +==== Tree ====
 +
 +Tree structures configuration properties.
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +# Default tree type (uuid or code). More in Default organizational structure doc.
 +idm.sec.core.tree.defaultType=
 +# Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc.
 +idm.sec.core.tree.defaultNode=
 +
 +
 +</code>
 +
 +Internal properties used for tree indexing (forest index) - holds index state:
 +
 +<code properties>
 +# forest index is valid. Is set to false, when index exception occurs and tree index has to be rebuild
 +idm.sec.core.treeType.<tree-code>.valid=true
 +# rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted.
 +idm.sec.core.treeType.<tree-code>.rebuild=false
 +
 +
 +</code>
 +
 +==== Entity events ====
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +# disable / enable asynchronous event processing. Events will be executed synchronously, if it's disabled. Enabled by default.
 +idm.sec.core.event.asynchronous.enabled=true
 +# Asynchronous event processing is stopped.
 +# Event processing is stopped, when instance for processing is switched => prevent to process instances in the meantime.
 +# Asynchronous event processing can be disabled for testing or debugging purposes.
 +# Events are still created in queue, but they are not processed.
 +idm.sec.core.event.asynchronous.stopProcessing=false
 +# Asynchronous events will be executed on server instance with id. Default is the same as {@link ConfigurationService#getInstanceId()} (current server instance).
 +idm.sec.core.event.asynchronous.instanceId=
 +# Asynchronous events will be executed in batch - batch will be split for event with HIGH / NORMAL priority in 70% HIGH / 30% NORMAL.
 +# If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher 'scheduler.event.queue.process' property).
 +idm.sec.core.event.asynchronous.batchSize=15
 +
 +
 +</code>
 +
 +=== Entity event processors ===
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Every processor could have his own configuration properties under prefix:
 +
 +<code properties>
 +# disable / enable event procesor
 +idm.sec.<module>.processor.<name>.enabled=true
 +# override event types for given processor
 +idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE
 +
 +
 +</code>
 +
 +Where ''<module>''  is processor's module and ''<name>''  is processor's name (see overridable processor's methods). Filled configuration properties will be shown on [[..:..:architecture:dev:events#implemented_processors|processor's content]].
 +
 +Common configuration properties for all processors:
 +
 +  * ''enabled''  - on / off
 +  * ''eventTypes''  - list of event types (separated by comma) to which given processor reacts
 +  * ''order''  - comming soon
 +Exists processors configuration: [[..:..:architecture:dev:events#implemented_processors|implemented proccessors]].
 +
 +==== Bulk actions ====
 +
 +@since 10.6.0
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Every bulk action could have his own configuration properties under prefix:
 +
 +<code properties>
 +# disable / enable bulk action
 +idm.sec.<module>.bulk-action.<name>.enabled=true
 +
 +
 +</code>
 +
 +Where ''<module>''  is bulk action module and ''<name>''  is bulk action name.
 +
 +Common configuration properties for all bulk actions:
 +
 +  * ''enabled''  - **true**  / false.
 +  * ''order''  - bulk action order (for FE only). Action provided default order in implementation.
 +  * ''icon''  - Icon on frontend (for FE only). Icon libraries can be used: ''component:'', ''fa:'', ''glyph:''. Icon is loaded from FE locale by default.
 +  * ''level''  - bulk action level ~ button and icon color (for FE only). Available options: ''success''  (default value), ''info'', ''warning'', ''error''.
 +  * ''deleteAction''  - true / **false**  - Action deletes records (for FE only). Action will be in bottom menu section, is action is included in menu.
 +  * ''quickButton''  - true / **false**  - Render action as quick button (for FE only). The first available actions are rendered as buttons, if icon is defined. This configuration enforces rendering action as quick button (order is ignored).
 +  * ''quickButtonable''  - **true**  / false - Action can be included in quick buttons on FE. Set to **false**, when button should be not rendered ⇒ action will be rendendered in drop down menu only.
 +==== Workflow settings for approval of change user roles ====
 +
 +<code properties>
 +## WF
 +# Approve by manager
 +idm.sec.core.wf.approval.manager.enabled=false
 +# Approve by security department
 +idm.sec.core.wf.approval.security.enabled=false
 +idm.sec.core.wf.approval.security.role=Security
 +# Approve by helpdesk department
 +idm.sec.core.wf.approval.helpdesk.enabled=false
 +idm.sec.core.wf.approval.helpdesk.role=Helpdesk
 +# Approve by usermanager department
 +idm.sec.core.wf.approval.usermanager.enabled=false
 +idm.sec.core.wf.approval.usermanager.role=Usermanager
 +# Approve a role incompatibilities - If some incompatibilities are found in request, then this approving will be executed.
 +idm.sec.core.wf.approval.incompatibility.enabled=true
 +idm.sec.core.wf.approval.incompatibility.role=Incompatibility
 +# Approval wf by role priority
 +idm.sec.core.wf.role.approval.1=approve-role-by-manager
 +idm.sec.core.wf.role.approval.2=approve-role-by-guarantee
 +idm.sec.core.wf.role.approval.3=approve-role-by-guarantee-security
 +# Approval wf for unassign role (one remove WF for whole application)
 +idm.sec.core.wf.role.approval.remove=approve-remove-role-by-manager
 +# Approve a change on the role - Is uses in the request of changing a role.
 +# In the request to create new role is also used.
 +idm.sec.core.wf.approval.role-change.role=
 +#
 +# Default main WF for approve all roles.
 +idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions
 +
 +
 +</code>
 +
 +==== Universal requests ====
 +
 +<code properties>
 +## Universal requests
 +# Role
 +idm.pub.core.request.idm-role.enabled=false
 +# Defines type of guarantee. Requests will be approving only by guarantee with this type.
 +# If returns null, then all guarantees will be used for approving (no limitations).
 +idm.sec.core.request.idm-role.approval.guarantee-type=
 +
 +
 +</code>
 +
 +==== Notification from Workflow ====
 +
 +<code properties>
 +## Global property that allow disable or enable sending notification from WF
 +idm.sec.core.wf.notification.send=false
 +## Enable sending notification of changing roles to user, whose account will be modified
 +idm.sec.core.wf.notification.applicant.enabled=false
 +## Enable sending notification of changing roles to user, who made request
 +idm.sec.core.wf.notification.implementer.enabled=true
 +
 +
 +</code>
 +
 +==== Confidential storage ====
 +
 +Properties **is not**  overloadable via ''ConfigurationService''. For more info [[..:..:security:dev:confidential-storage|see]]
 +
 +<code properties>
 +# Cipher secret key for crypt values in confidential storage
 +# for crypt values is used secretKey - secret.key
 +# Can be empty => confidential storage will not be crypted, application cannot be used in production (dev, test only).
 +cipher.crypt.secret.key=
 +# or secretKey defined in the external file - secret.keyPath
 +# cipher.crypt.secret.keyPath=/path/to/key
 +
 +
 +</code>
 +
 +==== Entity filters ====
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +# Enable / disable check filter is properly registered, when filter is used (by entity and property name).
 +# Throws exception, when unrecognized filter is used.
 +idm.sec.core.filter.check.supported.enabled=true
 +# Check count of values exceeded given maximum.
 +# Related to database count of query parameters (e.g. Oracle = {@code 1000}, MSSql = {@code 2100}).
 +# Throws exception, when size is exceeded. Set to {@code -1} to disable this check.
 +idm.sec.core.filter.check.size.maximum=500
 +
 +
 +</code>
 +
 +Every registered filter could have his own configuration properties under prefix:
 +
 +<code properties>
 +# enable / disable filter - enabled by default. When filter is disabled and property is filled in filter, then ''disjunction'' criteria is added => no data will be returned
 +idm.sec.<module>.filter.<entity>.<name>.enabled=true
 +# filter implementation
 +idm.sec.<module>.filter.<entity>.<name>.impl=<beanName>
 +
 +
 +</code>
 +
 +Where:
 +
 +  * ''<module>''  is filter's module - overriden module has to be used (e.g. default filter is in core module, then ''core''  module identifier has to be used)
 +  * ''<entity>''  is entity class simple name - filter will be applied to this domain type (e.g. ''IdmIdentity'')
 +  * ''<name>''  the name of the property name during which the filter is actively evaluated, if it is stated in the filtering criteria (⇒ ''get''  parameter)
 +  * ''<beanName>''  is filter's bean name - see [[..:..:architecture:dev:filters#implemented_filters|implemented filters]]
 +Common configuration properties for all filters:
 +
 +  * ''enabled''  - on / off
 +  * ''impl''  - contains implementation (Spring bean name) of given filter. When property of given ''<name>''  will be set for filter, then this implementation will be used for filtering. New module could register new filter for defined entity and name - by this configuration one of provided implementation will be selected and used.
 +Exists filters configuration: [[..:..:architecture:dev:filters#implemented_filters|implemented filters]].
 +
 +==== Notification senders ====
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Senders could have his own configuration properties under prefix:
 +
 +<code properties>
 +# sender implementation
 +idm.sec.<module>.notification-sender.<notificationType>.impl=<beanName>
 +
 +
 +</code>
 +
 +Where:
 +
 +  * ''<module>''  is senders's module - overriden module has to be used (e.g. default sender is in core module, then ''core''  module identifier has to be used)
 +  * ''<notificationType>''  is notification type, which has to be supported by configured sender by ''<<beanName>>''
 +Common configuration properties for all senders:
 +
 +  * ''impl''  - contains implementation (Spring bean name) of given sender. This sender implementation will be used for sending notifications with ''<notificationType>''. New module could register new sender implementation for notification types (even new notification type can be created) - by this configuration one of provided implementation will be selected and used.
 +Read more about [[..:..:notifications:dev:notification_manager|notification manager]].
 +
 +==== Authentication ====
 +
 +UUID of system, against which to user will be authenticated. This authentication is from version 10.4.0 deprecated.
 +
 +<code properties>
 +# ID system against which to authenticate
 +idm.sec.security.auth.system=
 +
 +
 +</code>
 +
 +Authentication against multiple system wich to user will be authenticated (since 10.4.0) - ID or Code can be used:
 +
 +<code properties>
 +idm.sec.acc.security.auth.order1.system=
 +idm.sec.acc.security.auth.order2.system=
 +
 +
 +</code>
 +
 +Maximum system for authentication can be set with the property:
 +
 +<code properties>
 +idm.sec.acc.security.auth.maximumSystemCount=50
 +
 +
 +</code>
 +
 +More about authenticator can be found [[..:..:security:dev:authentication|there]].
 +
 +=== Authentication filters ===
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Authentication filter could have his own configuration properties under prefix:
 +
 +<code properties>
 +# enable/ disable filter - enabled by default or by filter implementation.
 +idm.sec.<module>.authentication-filter.<name>.enabled=true
 +
 +
 +</code>
 +
 +Where:
 +
 +  * ''<module>''  is filter's module - overriden module has to be used (e.g. default filter is in core module, then ''core''  module identifier has to be used)
 +  * ''<name>''  is filter's name - see overridable filter's ''#getName()''  method. Filter name could be the same as bean name in context.
 +Common configuration properties for all filters:
 +
 +  * ''enabled''  - on / off
 +=== SSO authentication filter ===
 +
 +[[..:..:security:dev:security#sso|Single-Sign-On mechanism]] can be configured with following properties:
 +
 +<code properties>
 +# Allow SSO authentication
 +idm.sec.core.authentication-filter.core-sso-authentication-filter.enabled=false
 +# The name of the header which contains the login of the authenticated user
 +idm.sec.core.authentication-filter.core-sso-authentication-filter.header-name=REMOTE_USER
 +# The suffixes to remove from the login - usually domains
 +idm.sec.core.authentication-filter.core-sso-authentication-filter.uid-suffixes=
 +# The uids that can't be authenticated by SSO
 +idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=
 +
 +
 +</code>
 +
 +=== Remote user authentication filter ===
 +
 +Login into IdM by preset request remote user by servlet container can be configured with following properties:
 +
 +<code properties>
 +# Allow remote user authentication
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.enabled=false
 +# The suffixes to remove from the login - usually domains
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.uid-suffixes=
 +# The uids that can't be authenticated by SSO
 +idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids=
 +
 +
 +</code>
 +
 +This authentication filter reuses SSO authentication filter behavior above (''uid-suffixes'', ''forbidden-uids''), but application administrator can be logged by this filter (identity with ''APP_ADMIN''  authority).
 +
 +=== Two-factor authentication ===
 +
 +[[..:..:security:dev:security#two-factor_authentication|Two-factor authentication]] can be configured in the application profile (application.properties) with following properties:
 +
 +<code properties>
 +# Verification secret length
 +totp.secret.length=32
 +# Time Period ~ period to generate new authentication code
 +totp.time.period=30
 +# Time Discrepancy - number of past (but still valid) authentication codes (e.g. when code is sent by notification, then user could need more time to fill it into CzechIdM)
 +totp.time.discrepancy=1
 +
 +
 +</code>
 +
 +=== CAS authentication filter ===
 +
 +@since 12.0.0 [[..:..:security:dev:security#cas_authentication|CAS authentication]] can be configured with following properties:
 +
 +<code properties>
 +# Enable authentication via CAS. If enabled, "idm.sec.core.cas.url" become mandatory and must be set for SSO authentication via CAS to work. Default: false
 +idm.pub.core.cas.enabled=false
 +# Other properties
 +# Base URL where CAS is accessible. Syntax of this field is https://hostname-of-CAS/URI.
 +idm.sec.core.cas.url=
 +# IdM service name configured as service on CAS server.
 +# When service is configured, then login and logout redirect urls, should be defined directly in CAS service configuration.
 +# Default: service name for login / logout is created dynamically by BE server url (recommended).
 +idm.sec.core.cas.service=
 +# Suffix which is, in effect, appended to idm.sec.core.cas.url. Resulting URL is used for login operation in CAS. It must start with slash (eg. /login).
 +idm.sec.core.cas.login-path=/login
 +# Suffix which is appended to idm.sec.core.cas.url. Resulting URL is used for single sign-out operation. It must start with slash (eg. /logout).
 +idm.sec.core.cas.logout-path=/logout
 +# Ticket can be given as request parameter (recommended, configured by default).
 +idm.sec.core.cas.parameter-name=ticket
 +# Header name in which CAS sends the ticket value. Ticket can be given as request header. Not configured by default.
 +idm.sec.core.cas.header-name=
 +# Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default.
 +idm.sec.core.cas.header-prefix=
 +
 +
 +</code>
 +
 +=== OIDC authentication ===
 +
 +@since 13.1.0 [[this>wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/devel/documentation/security/dev/security#oidc_authentication|OIDC authentication]] can be configured with following properties:
 +
 +<code properties>
 +# Enable authentication via OIDC when false IDM will return 503 SERVICE_UNAVAILABLE on enpoints used for OICD auth, and ignore any Bearer token. Default: false
 +idm.pub.core.oidc.enabled=false
 +# REQIRED configuration
 +# client-id confugured in CAS Service
 +idm.sec.core.oidc.client-id=
 +# client-secret confugured in CAS Service
 +idm.sec.core.oidc.client-secret=
 +# Base URL where OICD provider is accessible. Syntax of this field is https://hostname-of-OICD/URI.
 +idm.sec.core.oidc.url=
 +
 +# OPTIONAL configuration
 +idm.sec.core.oidc.login-path=/authorize
 +idm.sec.core.oidc.logout-path=/logout
 +idm.sec.core.oidc.token-path=/token
 +
 +​​​​​# Configuration for spring.security most is gotten from auto-discover endpoint (${idm.sec.core.oidc.url}/.well-known/openid-configuration) but can be overwritten here
 +spring.security.oauth2.client.registration.cas.client-id=${idm.sec.core.oidc.client-id}
 +spring.security.oauth2.client.registration.cas.client-secret=${idm.sec.core.oidc.client-secret}
 +spring.security.oauth2.client.registration.cas.scope=openid
 +spring.security.oauth2.client.registration.cas.redirect-uri={baseUrl}/api/v1/authentication/oidc-login-response/{registrationId}
 +#spring.security.oauth2.client.registration.cas.authorization-grant-type=authorization_code
 +#spring.security.oauth2.resource.jwk.key-set-uri=${idm.sec.core.oidc.url}/jwks
 +
 +spring.security.oauth2.client.provider.cas.issuer-uri=${idm.sec.core.oidc.url}
 +#spring.security.oauth2.client.provider.cas.token-uri=${idm.sec.core.oidc.token-path}
 +#spring.security.oauth2.client.provider.cas.authorization-uri=${idm.sec.core.oidc.login-path}
 +
 +
 +</code>
 +
 +==== Backup ====
 +
 +If you want to use redeploy and backup for example in agenda (notification templates, scripts), you must define default backup folder. When redploy is used, then actual templates (or scripsts) are loaded from classpath by configuration (for templates or scripts) and deployed into application. Previous templates (or scripts) are backup too.
 +
 +<code properties>
 +# Configuration property for backup files.
 +# Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default.
 +idm.sec.core.backups.default.folder.path=/tmp/backup
 +
 +
 +</code>
 +
 +==== Http proxy ====
 +
 +For outgoing http communication, you can set a proxy.
 +
 +**Server restart**  is needed to apply this configuration change.
 +
 +<code properties>
 +# Proxy for HTTP requests
 +idm.sec.core.http.proxy=12.34.56.78:1234
 +
 +# For reCAPTCHA is used since version 12.2.5 new configuration. Backward compatibility with original configuration still exists.
 +# Proxy configuration for reCAPTCHA
 +idm.sec.security.recaptcha.proxy=12.34.56.78:1234
 +
 +
 +</code>
 +
 +==== CGLIB ====
 +
 +CGLIB for creating proxies has to be enforced. Is possible to use annotations on methods, which is not defined in service interface. Prevent to use some logic in service constructors (will be called twice) and always define annotations in implementation class, [[https://www.credera.com/blog/technology-insights/open-source-technology-insights/aspect-oriented-programming-in-spring-boot-part-2-spring-jdk-proxies-vs-cglib-vs-aspectj/|read more]].
 +
 +<code properties>
 +# use cglib for proxies by default
 +spring.aop.proxy-target-class=true
 +
 +
 +</code>
 +
 +==== Virtual system ====
 +
 +VS configurations allows define implementers via assigned IdM role or directly by selected identities. If you do not define none directly implementers and none role in VS configuration, then will be used implementers from default role. Default role can be defined in configuration:
 +
 +<code properties>
 +# If you do not define default role, then will be used **superAdminRole** as default!
 +idm.sec.vs.role.default=<some-code-of-role>
 +
 +
 +</code>
 +
 +==== Long polling ====
 +
 +<code properties>
 +# Long polling
 +idm.pub.app.long-polling.enabled=true
 +
  
 </code> </code>
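Review bot: in the OIDC block, the line `# Configuration for spring.security most is gotten from auto-discover endpoint (${idm.sec.core.oidc.url}/.well-known/openid-configuration) but can be overwritten here` is preceded by invisible zero-width space characters, so `#` is not the first character of the line; anyone pasting this block into application.properties gets a junk key/value pair instead of a comment. Strip those characters. Two smaller points in the same region: the OIDC heading link `[[this>wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/devel/documentation/security/dev/security#oidc_authentication|OIDC authentication]]` repeats the host five times and will not resolve (the CAS link just above uses the relative form `[[..:..:security:dev:security#cas_authentication|...]]`, which should be used here too), and the SSO filter comment "The name of the header which contains the login of the authenticated user" should also state that the filter must only be enabled when a trusted front component (reverse proxy or servlet container) sets `REMOTE_USER` and discards any copy of that header arriving from the client, because the filter accepts the header value as an already-authenticated login. The comment spellings REQIRED, confugured, OICD and enpoints should be corrected to REQUIRED, configured, OIDC and endpoints.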
Line 1114: Line 1773:
 # Timeout has to be configured>= 1000, otherwise default will be returned. # Timeout has to be configured>= 1000, otherwise default will be returned.
 idm.sec.acc.provisioning.timeout=180000 idm.sec.acc.provisioning.timeout=180000
 +
 +# Warning: this is a new configuration option in Beta mode. Use with extreme caution.
 +# This configuration option will be removed after the account management for additional personal accounts is updated.
 +# The behavior will be replaced by the correct product functionality.
 +# If enabled, provisioning for secondary accounts will only use contract roles
 +# that are marked as "create account by default".
 +# This prevents standard contract-based roles (used for primary employment accounts)
 +# from propagating their permissions to secondary/admin accounts, which are supposed
 +# to have their own dedicated role assignments.
 +idm.sec.acc.provisioning.personalOtherAccounts.onlyRolesCreatingAccount=false
  
 </code> </code>
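Review bot: the comment block for `idm.sec.acc.provisioning.personalOtherAccounts.onlyRolesCreatingAccount` says "Use with extreme caution" but never says what the caution is about, and unlike the other new options on this page it carries no version marker (compare the `@since 10.6.0` / "(since 15.6.0)" style used elsewhere). Add the version in which the option appeared and state what happens to already provisioned secondary accounts when the value is switched to true, i.e. whether permissions previously propagated from contract-based roles are removed on the next provisioning run, since that is the effect an administrator needs to anticipate before enabling it.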
Line 1175: Line 1844:
 # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',') # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 idm.sec.acc.provisioning.break.delete.roleRecipients idm.sec.acc.provisioning.break.delete.roleRecipients
 +
  
 </code> </code>
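Review bot: this hunk, and the six single-line hunks that follow it, add nothing but an extra empty line before `</code>`, giving each properties sample a second trailing blank line. Whitespace-only edits inside code blocks are noise in the revision history and make it harder to spot the real changes in this revision; drop them unless a rendering problem motivates them, in which case say so in the revision summary.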
Line 1187: Line 1857:
 # disable / enable report # disable / enable report
 idm.sec.<module>.report-executor.<name>.enabled=true idm.sec.<module>.report-executor.<name>.enabled=true
 +
  
 </code> </code>
Line 1202: Line 1873:
 # disable / enable renderer # disable / enable renderer
 idm.sec.<module>.report-renderer.<name>.enabled=true idm.sec.<module>.report-renderer.<name>.enabled=true
 +
  
 </code> </code>
Line 1219: Line 1891:
 logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 +
  
 </code> </code>
Line 1228: Line 1901:
 <code properties> <code properties>
 idm.sec.core.logger.<packageName>=<level> idm.sec.core.logger.<packageName>=<level>
 +
  
 </code> </code>
Line 1237: Line 1911:
 <code properties> <code properties>
 idm.sec.core.logger.eu.bcvsolutions=DEBUG idm.sec.core.logger.eu.bcvsolutions=DEBUG
 +
  
 </code> </code>
Line 1249: Line 1924:
 # disable / enable monitoring evaluator # disable / enable monitoring evaluator
 idm.sec.<module>.monitoring-evaluator.<name>.enabled=true idm.sec.<module>.monitoring-evaluator.<name>.enabled=true
 +
  
 </code> </code>
Line 1257: Line 1933:
  
   * ''enabled''  - true / false   * ''enabled''  - true / false
 +==== Subordinates ====
 +
 +=== Left subordinates visibility (from 13.0.19) ===
 +
 +By default, manager doesn't see subordinates that left (their contract end date is in past). To allow manager to see left subordinates, set this configuration item:
 +
 +<code properties>
 +idm.sec.filter.IdmIdentity.managerLeftSubordinateAccess.enabled=true
 +
 +
 +</code>
 +
 +==== Contract column in tables ====
 +
 +=== Left subordinates visibility (from 13.0.19) ===
 +
 +By default, manager doesn't see subordinates that left (their contract end date is in past). To allow manager to see left subordinates, set this configuration item:
 +
 +<code properties>
 +idm.sec.filter.IdmIdentity.managerLeftSubordinateAccess.enabled=true
 +
 +
 +</code>
 +
 +==== Provisioning global break ====
 +
 +<note tip>For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be activated.</note>
 +
 +<code properties>
 +# Global break for update disabled/enabled (values: true/false)
 +idm.sec.acc.provisioning.break.update.disabled
 +# Global break for update checked period (integer values)
 +idm.sec.acc.provisioning.break.update.period
 +# Global break for update disable limit (integer values)
 +idm.sec.acc.provisioning.break.update.disableLimit
 +# Global break for update disabled template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.update.templateDisable
 +# Global break for update warning limit (integer values)
 +idm.sec.acc.provisioning.break.update.warningLimit
 +# Global break for update warning template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.update.templateWarning
 +# Global break for update. Existing identity recipients (identity username or id, split by ',')
 +idm.sec.acc.provisioning.break.update.identityRecipients
 +# Global break for update. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 +idm.sec.acc.provisioning.break.update.roleRecipients
 +#
 +#
 +# Global break for create disabled/enabled (values: true/false)
 +idm.sec.acc.provisioning.break.create.disabled
 +# Global break for create checked period (integer values)
 +idm.sec.acc.provisioning.break.create.period
 +# Global break for create disable limit (integer values)
 +idm.sec.acc.provisioning.break.create.disableLimit
 +# Global break for create disabled template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.create.templateDisable
 +# Global break for create warning limit (integer values)
 +idm.sec.acc.provisioning.break.create.warningLimit
 +# Global break for create warning template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.create.templateWarning
 +# Global break for create. Existing identity recipients (identity username or id, split by ',')
 +idm.sec.acc.provisioning.break.create.identityRecipients
 +# Global break for create. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 +idm.sec.acc.provisioning.break.create.roleRecipients
 +#
 +#
 +#
 +# Global break for delete disabled/enabled (values: true/false)
 +idm.sec.acc.provisioning.break.delete.disabled
 +# Global break for delete checked period (integer values)
 +idm.sec.acc.provisioning.break.delete.period
 +# Global break for delete disable limit (integer values)
 +idm.sec.acc.provisioning.break.delete.disableLimit
 +# Global break for delete disabled template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.delete.templateDisable
 +# Global break for delete warning limit (integer values)
 +idm.sec.acc.provisioning.break.delete.warningLimit
 +# Global break for delete warning template (ID of template, if will by null default template will be used)
 +idm.sec.acc.provisioning.break.delete.templateWarning
 +# Global break for delete. Existing identity recipients (identity username or id, split by ',')
 +idm.sec.acc.provisioning.break.delete.identityRecipients
 +# Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 +idm.sec.acc.provisioning.break.delete.roleRecipients
 +
 +
 +</code>
 +
 +==== Reports ====
 +
 +=== Report executor ===
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Every report executor (~report) could have his own configuration properties under prefix:
 +
 +<code properties>
 +# disable / enable report
 +idm.sec.<module>.report-executor.<name>.enabled=true
 +
 +
 +</code>
 +
 +Where ''<module>''  is report's module a ''<name>''  is report's name.
 +
 +Common configuration properties for all reports:
 +
 +  * ''enabled''  - on / off
 +=== Report renderer ===
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''. Every report renderer could have his own configuration properties under prefix:
 +
 +<code properties>
 +# disable / enable renderer
 +idm.sec.<module>.report-renderer.<name>.enabled=true
 +
 +
 +</code>
 +
 +Where ''<module>''  is renderer's module a ''<name>''  is renderer's name.
 +
 +Common configuration properties for all renderers:
 +
 +  * ''enabled''  - on / off
 +==== Logger ====
 +
 +In the application profile (''application.properties''):
 +
 +<code properties>
 +# Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise)
 +# Two appenders 'console' and 'file' are provided by product. Same configuration is needed for your custom appenders (added in logback.xml).
 +logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 +logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 +
 +
 +</code>
 +
 +Logger levels can be configured programmatically (override ''logback.xml''  file with default logger levels configuration).
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService'':
 +
 +<code properties>
 +idm.sec.core.logger.<packageName>=<level>
 +
 +
 +</code>
 +
 +Where ''<packageName>''  is package name to set logger ''<level>''.
 +
 +Example:
 +
 +<code properties>
 +idm.sec.core.logger.eu.bcvsolutions=DEBUG
 +
 +
 +</code>
 +
 +==== Monitoring ====
 +
 +=== Monitoring evaluator ===
 +
 +In the application profile (''application.properties'') - overloadable via ''ConfigurationService''.
 +
 +<code properties>
 +# disable / enable monitoring evaluator
 +idm.sec.<module>.monitoring-evaluator.<name>.enabled=true
 +
 +
 +</code>
 +
 +Where ''<module>''  is monitoring's module a ''<name>''  is monitoring's name.
 +
 +Common configuration properties for all monitorings:
 +
 +  * ''enabled''  - true / false
 +==== Subordinates ====
 +
 +=== Left subordinates visibility (from 13.0.19) ===
 +
 +By default, manager doesn't see subordinates that left (their contract end date is in past). To allow manager to see left subordinates, set this configuration item:
 +
 +<code properties>
 +idm.sec.filter.IdmIdentity.managerLeftSubordinateAccess.enabled=true
 +
 +
 +</code>
 +
 +==== Contract column in tables ====
 +
 +=== Left subordinates visibility (from 13.0.19) ===
 +
 +By default, manager doesn't see subordinates that left (their contract end date is in past). To allow manager to see left subordinates, set this configuration item:
 +
 +<code properties>
 +idm.sec.filter.IdmIdentity.managerLeftSubordinateAccess.enabled=true
 +
 +
 +</code>
 +
 +==== Account attributes in technical account entity report (from idm-tech version 2.1.0) ====
 +
 +<code properties>
 +# list of attributes from account connector object added to technical account entity report
 +idm.sec.tech.account.report.connector.object.attributes=
 +
 +
 +</code>
 +
 +The property ''idm.sec.tech.account.report.connector.object.attributes''  defines attributes of the account on the system that will be added to the technical account entity report. If you want to define multiple attributes, separate them with a comma.
 +
 +<note important> If properties of the account on the system are defined and the system is unavailable during report generation, the attempt to retrieve attributes for each account will wait for the internal IdM timeout. </note>
 +
 +==== Role requests ====
 +
 +=== Configurable extensive role requests with NORMAL priority (from 14.11.0, 15.3.0) ===
 +
 +<code properties>
 +# Minimal total count of roles in role request (business subrole tree included) to be run with NORMAL priority
 +# -1 means "don't use this feature"
 +idm.sec.core.roleRequest.normalPriority.roleCountThreshold=-1
 +
 +
 +</code>
 +
 +By default, role requests initiated from the frontend (whether individually via "Submit a request" or through bulk actions) are executed with HIGH priority. This configuration item, if it has a value other than the default -1 (in which case nothing happens), specifies that if a role request contains at least this number of roles (summed across all concepts and complete business role trees), the role request will be launched with NORMAL priority.
 +
 +This is useful in cases where extensive role requests are blocking regular operations.
  
  
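Review bot: most of this hunk re-adds sections that already exist on the page: Provisioning global break, Report executor, Report renderer, Logger and Monitoring evaluator are inserted again word for word although their originals are visible as context in the hunks above (e.g. `idm.sec.acc.provisioning.break.delete.roleRecipients`, `idm.sec.<module>.report-executor.<name>.enabled=true`, `idm.sec.core.logger.eu.bcvsolutions=DEBUG`), and the Subordinates and "Contract column in tables" sections each appear twice within the hunk itself. "Contract column in tables" also carries the Subordinates text and property rather than anything about a contract column, which looks like a copy-paste left unfinished. Keep the genuinely new material (one copy of Subordinates, "Account attributes in technical account entity report" and "Role requests"), remove the duplicated sections, and either give "Contract column in tables" its real content or drop the heading. While at it, "if will by null" in the template comments should read "if null".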
  • by kopro