Revisions compared: tutorial:adm:czechidm_installation_finalize [2018/10/12 10:50] klementm [Configure managers]
and tutorial:adm:czechidm_installation_finalize [2022/12/21 09:56] apeterova [Schedule the tasks]
====== Installation of CzechIdM - Final steps ======

{{tag>

We presume that CzechIdM is already installed as described in [[.:

This tutorial contains some recommended steps to review and finalize the configuration for the production-ready version of CzechIdM.

===== Systems & Virtual systems =====

First of all, activate the module **acc** in **Settings** → **Modules** by clicking on the button **Activate**.

If you want to try CzechIdM account management without directly connecting some system, you could start with the [[:

===== Notifications & e-mails =====

Sending of e-mails is turned off by default; the e-mails are only logged in **Notifications** → **E-mails history**. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following:

  * Emailer - add the configuration properties for [[:
  * Review and adjust the [[.:

===== Password policy =====

Go to Settings → Password policies and set the [[:

It's recommended to set [[.:

If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[:

===== Allow users into CzechIdM =====

FIXME For 10.5+, userRole is created by default - [[:

In the fresh installation,

Typically, you want to enable the users to see their profile, request roles or change their password. This is done by a special role called **userRole**. [[.:

Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[:

===== Configure the approval process =====

Manual role assignment is always done by [[:

If you want to enable users to request a role change, you should also set up some approval processes for their requests. The configuration options are described [[.:

===== Configure managers =====

Managers and guarantees of the contracts can be included in the approval process, or they can manage their subordinates (if you set it in the [[:

The default algorithm evaluates the managers/

**Example:

<code properties>
## identity filters
## subordinates by standard tree structure (manager will be found by contract on parent node)
idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter

</code>

If you don't want to use the organizational structure for evaluating the managers - typically if it's a structure of departments and the managers and subordinates are at the same level in the structure - rather use [[:

**Example:

<code properties>
## identity filters
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter

</code>

==== Configure subordinates provisioning ====

Sometimes, we provision some details about the manager to the identity accounts. E.g. the attribute "

If you don't need this functionality,

<code properties>
idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false
idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false

</code>
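The manager filters above come in pairs (the managersFor and subordinatesFor filters must use the same strategy, otherwise managers and their subordinates are evaluated by different rules), and the two includeSubordinates switches are usually meant to be set together. The following script is an added example, not CzechIdM project code: it parses a Java .properties text with a minimal parser and reports inconsistencies in exactly these settings. The property keys and filter names are the ones quoted in this tutorial; the sample configurations are constructed, and the expectation that an absent includeSubordinates key counts as "not explicitly disabled" is an assumption of the check, not a statement about the product default.

```python
"""Consistency check for the CzechIdM manager/subordinate settings discussed in this tutorial.

Added example, not code from the CzechIdM project. It parses a Java .properties
text and reports mismatched manager/subordinate filter pairs and provisioning flags
that were not explicitly disabled.
"""
from typing import Dict, List

# Property keys as quoted in the tutorial above.
MANAGERS_KEY = "idm.sec.core.filter.IdmIdentity.managersFor.impl"
SUBORDINATES_KEY = "idm.sec.core.filter.IdmIdentity.subordinatesFor.impl"
INCLUDE_SUBORDINATES_KEYS = (
    "idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates",
    "idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates",
)

# Each managersFor filter named on the page belongs with one subordinatesFor filter.
FILTER_PAIRS = {
    "defaultManagersFilter": "defaultSubordinatesFilter",
    "guaranteeManagersFilter": "guaranteeSubordinatesFilter",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: '#'/'!' comment lines, '=' or ':' as the
    key/value separator, backslash line continuations; later keys override earlier ones."""
    props: Dict[str, str] = {}
    logical_lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:  # continuation of the previous physical line
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical_lines.append(line)
    if pending:
        logical_lines.append(pending)
    for line in logical_lines:
        # Split on whichever separator ('=' or ':') appears first.
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_manager_config(props: Dict[str, str],
                         expect_subordinate_provisioning: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    managers = props.get(MANAGERS_KEY)
    subordinates = props.get(SUBORDINATES_KEY)
    if managers is None and subordinates is None:
        pass  # nothing overridden, the built-in defaults apply to both
    elif managers is None:
        findings.append(f"{SUBORDINATES_KEY} is set but {MANAGERS_KEY} is not")
    elif managers not in FILTER_PAIRS:
        findings.append(f"unknown managersFor filter: {managers!r}")
    elif subordinates != FILTER_PAIRS[managers]:
        findings.append(f"{managers} must be paired with {FILTER_PAIRS[managers]}, "
                        f"found {subordinates!r}")
    if not expect_subordinate_provisioning:
        # Assumption of this check: a key that is not explicitly 'false' is reported.
        for key in INCLUDE_SUBORDINATES_KEYS:
            if props.get(key, "").lower() != "false":
                findings.append(f"{key} is not explicitly set to false")
    return findings


# Constructed samples (not real deployments).
SAMPLE_OK = """
## identity filters
idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter
idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false
idm.sec.acc.processor.identity-contract-before-save-processor.\\
    includeSubordinates=false
"""

SAMPLE_MISMATCHED = """
## guarantee managers paired with the tree-based subordinates filter, one flag missing
idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter
idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("mismatched", SAMPLE_MISMATCHED)):
        print(name, check_manager_config(parse_properties(sample)))
```

Run it against the application.properties of a deployment (read the file and pass its contents to parse_properties) before going live; when subordinate provisioning is intended, call check_manager_config with expect_subordinate_provisioning=True so that only the filter pairing is checked.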

==== Configure password reset for all systems including IdM ====

Check in your project whether you want to reset the password on all connected systems, including CzechIdM, after a user's state changes from disabled to enabled. This change is processed by the processor **IdentitySetPasswordProcessor (acc-identity-set-password-processor)**. You can disable it either by a configuration property or in the GUI agenda of processors (the two are equivalent).

===== Schedule the tasks =====

FIXME This section is obsolete; the most important tasks are scheduled by default in newer versions of CzechIdM.

Review the [[:

By default, connected system'

If you don't want to automatically delete old records in the provisioning archive, remove the scheduled run from the [[:

If you want to use validity of the [[:

  * [[.:
  * Ensure that [[:

<note warning>

If you want to use the [[:

If you want to use **Maximum password age**, schedule the tasks mentioned in [[.:
