Installation of CzechIdM - Final steps

We presume that CzechIdM is already installed as described in Installation of CzechIdM - Linux - CentOS8 or Installation of CzechIdM - Windows.

This tutorial contains some recommended steps to review and finalize the configuration for the production-ready version of CzechIdM.

First of all, activate the module acc in SettingsModules by clicking on the button Activate.

If you want to try CzechIdM account management without directly connecting some system, you could start with the Virtual systems. To use this, activate the module vs at SettingsModules by clicking on the button Activate.

Sending of e-mails is turned off by default; the e-mails are only logged in the NotificationsE-mails history. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following:

Go to Settings → Password policies and set the password policy according to your security standards.

It's recommended to set temporary blocking login after unsuccessful login attempts.

If you want to use Maximum password age, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks PasswordExpirationWarningTaskExecutor (notify users before the password expiration) and PasswordExpiredTaskExecutor (notify users when their password expired).

FIXME For 10.5+, userRole is created by default - Init application and data. Change this section accordingly.

In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM.

Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called userRole. Create the role and add Permissions to it. Recommended settings is written in the example permissions for userRole.

Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP (Authentication against end system). Or you may configure SSO.

Manual role assignment is always done by role requests. In the fresh installation, the requests will be automatically approved, because no approvers are set yet.

If you want to enable users to request a role change, you should also set some approval processes for their requests. The configuration options are described here.

Managers and guarantees of the contracts can be included in the approval process or they could manage their subordinates (if you set it in the userRole). If you use these features, make sure that CzechIdM uses a correct algorithm for evaluating managers and subordinates relationship.

The default algorithm evaluates the managers/subordinates by their position in the organizational structure and also includes directly set guarantees. This is set by DefaultManagersFilter and DefaultSubordinatesFilter.


## identity filters
## subordinates by standard tree structure (manager will be found by contract on parent node)

If you don't want to use organizational structure for evaluating the managers - typically if it's the structure of departments and the managers and subordinates are at the same level in the structure - use rather GuaranteeManagersFilter and GuaranteeSubordinatesFilter.


## identity filters

Sometimes, we provision some details about the manager to the identity accounts. E.g. the attribute "manager" in Active Directory is the link to the user's manager. To make this link up-to-date, IdM does provisioning for new and original subordinates of the manager every time, when the manager's contract changes.

If you don't need this functionality, which can be time consuming, switch it off like this:


Please try check you project if you want reset password to all connected systems including CzechIdM after user's state will be evaluated from disable state to enabled state. This change is processed by processor IdentitySetPasswordProcessor (acc-identity-set-password-processor). You can disable it by configuration property or GUI agenda of processors (it is equivalent).

Review the scheduled tasks in SettingsTask scheduler.

By default, connected system's synchronization is not scheduled. To do so, you have to add it. Add a new scheduled task SynchronizationSchedulableTaskExecutor, fill in the Synchronization uuid which you can find by opening a synchronization of your system in the URL of the page following synchronization-configs. So, if you have a URL "http://localhost:8080/idm/#/system/f5h4bd76-9218-5fz8-7e5u-0ds772ag968u/synchronization-configs/94b6thj6-2nb1-84g2-sfd2-dgd4f99adsf24/detail?_k=uct1ra", the UID is "94b6thj6-2nb1-84g2-sfd2-dgd4f99adsf24". Save the event and click Add under Scheduled starts. To run the event periodically, set a CRON trigger.

If you don't want to automatically delete old records in the provisioning archive, remove scheduled run from the DeleteProvisioningArchiveTaskExecutor.

If you want to use validity of the contracts and standard HR processes in CzechIdM, make sure that HR processes will be started every day. There are 2 options:

  • Schedule the Hr…Process tasks.
  • Ensure that synchronization of contracts from some resource will run every day and the "After end, start the HR processes" option is ticked in the configuration of this synchronization.
Start the 3 Hr…Processs tasks at least once manually, otherwise they won't be started after end of synchronization.

If you want to use the Account protection system for some connected system, you must schedule the AccountProtectionExpirationTaskExecutor to start once every day.

If you want to use Maximum password age, schedule the tasks mentioned in Password policy section to run once every day.

  • by apeterova