| Both sides previous revision
Previous revision
Next revision
|
Previous revision
Next revision
Both sides next revision
|
tutorial:adm:czechidm_installation_finalize [2019/08/05 15:23]
apeterova provisioning of subordinates |
tutorial:adm:czechidm_installation_finalize [2020/03/02 09:26]
apeterova password and auth |
| ===== Password policy ===== | ===== Password policy ===== |
| |
| Go to Settings -> Password policies and set the [[devel:documentation:adm:pwd|password policy]] according to your security standards. | Go to Settings -> Password policies and set the [[devel:documentation:password_policies|password policy]] according to your security standards. |
| | |
| | It's recommended to set [[tutorial:adm:block_user_unsuccessful_login_attemps|temporary blocking login after unsuccessful login attempts]]. |
| |
| If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). | If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). |
| Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]. | Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]. |
| |
| | Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[devel:documentation:security:dev:authentication#defaultaccauthenticator|Authentication against end system]]). Or you may configure [[tutorial:adm:sso_ad_domain|SSO]]. |
| |
| ===== Configure the approval process ===== | ===== Configure the approval process ===== |
| idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false | idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false |
| </code> | </code> |
| | |
| | ==== Configure password reset for all systems including IdM ==== |
| | Please try check you project if you want reset password to all connected systems including CzechIdM after user's state will be evaluated from disable state to enabled state. This change is processed by processor **IdentitySetPasswordProcessor (acc-identity-set-password-processor)**. You can disable it by configuration property or GUI agenda of processors (it is equivalent). |
| ===== Schedule the tasks ===== | ===== Schedule the tasks ===== |
| |
| If you want to use validity of the [[devel:documentation:identities#contracts|contracts]] and standard [[devel:documentation:hr_processes|HR processes]] in CzechIdM, make sure that HR processes will be started every day. There are 2 options: | If you want to use validity of the [[devel:documentation:identities#contracts|contracts]] and standard [[devel:documentation:hr_processes|HR processes]] in CzechIdM, make sure that HR processes will be started every day. There are 2 options: |
| * [[tutorial:adm:create_and_configure_trigger|Schedule]] the Hr...Process tasks. | * [[tutorial:adm:create_and_configure_trigger|Schedule]] the Hr...Process tasks. |
| * Ensure that [[devel:documentation:synchronization:dev:relation-sync|synchronization of contracts]] from some resource will run every day and the "After end, start the HR processes" option is ticked in the configuration of this synchronization. Also, start the 3 Hr...Processs tasks at least once **manually**, otherwise they won't be started after end of synchronization. | * Ensure that [[devel:documentation:synchronization:dev:relation-sync|synchronization of contracts]] from some resource will run every day and the "After end, start the HR processes" option is ticked in the configuration of this synchronization. |
| | <note warning>Start the 3 Hr...Processs tasks at least once **manually**, otherwise they won't be started after end of synchronization.</note> |
| |
| If you want to use the [[devel:documentation:accounts:dev:protection-system|Account protection system]] for some connected system, you must schedule the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]] to start once every day. | If you want to use the [[devel:documentation:accounts:dev:protection-system|Account protection system]] for some connected system, you must schedule the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]] to start once every day. |
| |
| If you want to use **Maximum password age**, schedule the tasks mentioned in [[...:czechidm_installation_finalize#password_policy|Password policy section]] to run once every day. | If you want to use **Maximum password age**, schedule the tasks mentioned in [[...:czechidm_installation_finalize#password_policy|Password policy section]] to run once every day. |