Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation_finalize [2019/10/31 14:19]
kopro add information about password reset
tutorial:adm:czechidm_installation_finalize [2020/08/24 14:29]
apeterova init data - note
Line 21: Line 21:
 ===== Password policy ===== ===== Password policy =====
  
-Go to Settings -> Password policies and set the [[devel:documentation:adm:pwd|password policy]] according to your security standards.+Go to Settings -> Password policies and set the [[devel:documentation:password_policies|password policy]] according to your security standards
 + 
 +It's recommended to set [[tutorial:adm:block_user_unsuccessful_login_attemps|temporary blocking login after unsuccessful login attempts]].
  
 If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired).
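Review bot: the new link target in the added recommendation is spelled `block_user_unsuccessful_login_attemps` ("attemps"), so confirm that this matches the actual page id, otherwise the link to the login-blocking tutorial will be dead. The rewritten first sentence also lost its closing period after "security standards". "Temporary blocking login after unsuccessful login attempts" would read better as "temporary blocking of login after unsuccessful login attempts".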
Line 27: Line 29:
  
 ===== Allow users into CzechIdM ===== ===== Allow users into CzechIdM =====
 +
 +FIXME For 10.5+, userRole is created by default - [[devel:documentation:architecture:dev:events:init-data|]]. Change this section accordingly.
  
 In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM. In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM.
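Review bot: the FIXME is added above text that still tells the reader to create userRole by hand, so on 10.5+ the section now contradicts its own note. Rather than leaving a FIXME in an installation tutorial, split the instructions by version: on 10.5+ review the permissions of the default userRole, on older versions create it. The link `[[devel:documentation:architecture:dev:events:init-data|]]` also has an empty label; give it a readable title such as "init data".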
Line 32: Line 36:
 Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]. Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]].
  
 +Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[devel:documentation:security:dev:authentication#defaultaccauthenticator|Authentication against end system]]). Or you may configure [[tutorial:adm:sso_ad_domain|SSO]].
  
 ===== Configure the approval process ===== ===== Configure the approval process =====
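Review bot: the added authentication paragraph lists local password, authentication against a connected system, and SSO, but does not say whether these are alternatives or can be active together. For example, it does not say whether the local CzechIdM password still works once authentication against AD or LDAP is configured. An administrator finalizing the installation needs that to know which credentials can actually log in. The paragraph also sits under "Allow users into CzechIdM", which is about permissions; a short heading of its own or a move next to the password policy section would make it easier to find. "Or you may configure SSO." is a fragment and can be joined to the previous sentence.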
  • by apeterova