Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:czechidm_installation_finalize [2019/10/31 14:19] – add information about password reset kopro
+++ tutorial:adm:czechidm_installation_finalize [2026/01/07 09:49] (current) – [Schedule the tasks] apeterova
@@ Line 1: / Line 1: @@
-====== Installation of CzechIdM - Final steps  ======
+====== Installation of CzechIdM - Final steps ======
 {{tag>installation quickstart configuration userRole email}}
-We presume that CzechIdM is already installed as described in [[tutorial:adm:czechidm_installation|]] or [[tutorial:adm:czechidm_installation_win|]].
+We presume that CzechIdM is already installed as described in [[.:czechidm_installation|]] or [[.:czechidm_installation_win|]].
 This tutorial contains some recommended steps to review and finalize the configuration for the production-ready version of CzechIdM.
@@ Line 9: / Line 9: @@
 ===== Systems & Virtual systems =====
-First of all, activate the module **acc** in **Settings** -> **Modules** by clicking on the button **Activate**.
+First of all, activate the module **acc** in **Settings** → **Modules** by clicking on the button **Activate**.
-If you want to try CzechIdM account management without directly connecting some system, you could start with the [[devel:documentation:modules_vs|Virtual systems]]. To use this, activate the module **vs** at **Settings** -> **Modules** by clicking on the button **Activate**.
+If you want to try CzechIdM account management without directly connecting some system, you could start with the [[:devel:documentation:modules_vs|Virtual systems]]. To use this, activate the module **vs** at **Settings** → **Modules** by clicking on the button **Activate**.
 ===== Notifications & e-mails =====
-Sending of e-mails is turned off by default; the e-mails are only logged in the **Notifications** -> **E-mails history**. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following:
+Sending of e-mails is turned off by default; the e-mails are only logged in the **Notifications** → **E-mails history**. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following:
-  * Emailer - add the configuration properties for [[devel:documentation:application_configuration:dev:backend#emailer|SMTP server and e-mail sending mode]] in the **Settings** -> **Configuration**
-  * Review and adjust the [[tutorial:adm:notifications_standard|standard notifications]] sent by CzechIdM according to your needs. **This is important so IdM behaves as you expect!**
+   * Emailer - add the configuration properties for [[:devel:documentation:application_configuration:dev:backend#emailer|SMTP server and e-mail sending mode]] in the **Settings**  → **Configuration**
+  * Review and adjust the [[.:notifications_standard|standard notifications]] sent by CzechIdM according to your needs. **This is important so IdM behaves as you expect!**
 ===== Password policy =====
-Go to Settings -> Password policies and set the [[devel:documentation:adm:pwd|password policy]] according to your security standards.
+Go to Settings → Password policies and set the [[:devel:documentation:password_policies|password policy]] according to your security standards.
-If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired).
+It's recommended to set [[.:block_user_unsuccessful_login_attemps|temporary blocking login after unsuccessful login attempts]].
+If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired).
 ===== Allow users into CzechIdM =====
+FIXME For 10.5+, userRole is created by default - [[:devel:documentation:architecture:dev:events:init-data|]]. Change this section accordingly.
 In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM.
-Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]].
+Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[.:new_role|Create the role]] and [[.:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[:devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]].
+Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[:devel:documentation:security:dev:authentication#defaultaccauthenticator|Authentication against end system]]). Or you may configure [[.:sso_ad_domain|SSO]].
 ===== Configure the approval process =====
-Manual role assignment is always done by [[devel:documentation:role_change|role requests]]. In the fresh installation, the requests will be automatically approved, because no approvers are set yet.
+Manual role assignment is always done by [[:devel:documentation:role_change|role requests]]. In the fresh installation, the requests will be automatically approved, because no approvers are set yet.
-If you want to enable users to request a role change, you should also set some approval processes for their requests. The configuration options are described [[tutorial:adm:role_change_configuration|here]].
+If you want to enable users to request a role change, you should also set some approval processes for their requests. The configuration options are described [[.:role_change_configuration|here]].
 ===== Configure managers =====
-Managers and guarantees of the contracts can be included in the approval process or they could manage their subordinates (if you set it in the [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]). If you use these features, make sure that CzechIdM uses a correct algorithm for evaluating managers and subordinates relationship.
+Managers and guarantees of the contracts can be included in the approval process or they could manage their subordinates (if you set it in the [[:devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]). If you use these features, make sure that CzechIdM uses a correct algorithm for evaluating managers and subordinates relationship.
-The default algorithm evaluates the managers/subordinates by their position in the organizational structure and also includes directly set guarantees. This is set by [[devel:documentation:architecture:dev:filters#defaultmanagersfilter|DefaultManagersFilter]] and [[devel:documentation:architecture:dev:filters#defaultsubordinatesfilter|DefaultSubordinatesFilter]].
+The default algorithm evaluates the managers/subordinates by their position in the organizational structure and also includes directly set guarantees. This is set by [[:devel:documentation:architecture:dev:filters#defaultmanagersfilter|DefaultManagersFilter]] and [[:devel:documentation:architecture:dev:filters#defaultsubordinatesfilter|DefaultSubordinatesFilter]].
 **Example:**
 <code properties>
@@ Line 53: / Line 56: @@
 idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter
 idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter
 </code>
-If you don't want to use organizational structure for evaluating the managers - typically if it's the structure of departments and the managers and subordinates are at the same level in the structure - use rather [[devel:documentation:architecture:dev:filters#guaranteemanagersfilter|GuaranteeManagersFilter]] and [[devel:documentation:architecture:dev:filters#guaranteesubordinatesfilter|GuaranteeSubordinatesFilter]].
+If you don't want to use organizational structure for evaluating the managers - typically if it's the structure of departments and the managers and subordinates are at the same level in the structure - use rather [[:devel:documentation:architecture:dev:filters#guaranteemanagersfilter|GuaranteeManagersFilter]] and [[:devel:documentation:architecture:dev:filters#guaranteesubordinatesfilter|GuaranteeSubordinatesFilter]].
 **Example:**
 <code properties>
@@ Line 63: / Line 67: @@
 idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter
 idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter
 </code>
 ==== Configure subordinates provisioning ====
@@ Line 74: / Line 79: @@
 idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false
 idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false
 </code>
 ==== Configure password reset for all systems including IdM ====
 Please try check you project if you want reset password to all connected systems including CzechIdM after user's state will be evaluated from disable state to enabled state. This change is processed by processor **IdentitySetPasswordProcessor (acc-identity-set-password-processor)**. You can disable it by configuration property or GUI agenda of processors (it is equivalent).
 ===== Schedule the tasks =====
-Review the [[devel:documentation:scheduled_task|scheduled tasks]] in **Settings** -> **Task scheduler**.
+Review the [[:devel:documentation:scheduled_task|scheduled tasks]] in **Settings** → **Task scheduler**.
-By default, connected system's synchronization is not scheduled. To do so, you have to add it. Add a new scheduled task SynchronizationSchedulableTaskExecutor, fill in the Synchronization uuid which you can find by opening a synchronization of your system in the URL of the page following synchronization-configs. So, if you have a URL "http://localhost:8080/idm/#/system/f5h4bd76-9218-5fz8-7e5u-0ds772ag968u/synchronization-configs/94b6thj6-2nb1-84g2-sfd2-dgd4f99adsf24/detail?_k=uct1ra", the UID is "94b6thj6-2nb1-84g2-sfd2-dgd4f99adsf24". Save the event and click Add under Scheduled starts. To run the event periodically, set a [[tutorial:adm:create_and_configure_trigger|CRON trigger]].
+There are multiple tasks that are connected to personal processes. Default settings work fine, if there is no regular source (HR) system synchronization. However, typical IdM solution requires regular source system synchronization and you typically want to use validity of the [[:devel:documentation:identities#contracts|contracts]] and standard [[:devel:documentation:hr_processes|HR processes]]. The best practise to schedule HR synchronization and other tasks is the following "train":
-If you don't want to automatically delete old records in the provisioning archive, remove scheduled run from the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#deleteprovisioningarchivetaskexecutor|DeleteProvisioningArchiveTaskExecutor]].
+  * Synchronization of organization structure from HR
+      * Add a new scheduled task **Run synchronization **  (SynchronizationSchedulableTaskExecutor), select the source system for HR organization structure. Fill in the description, e.g. "COMP0100-01 Synchronization HR organization structure"
+      * Save the event and click **Add**  under **Scheduled starts**. To run the event periodically, set **Repeated start**  or a [[.:create_and_configure_trigger|CRON trigger]].
+      * Schedule it after midnight, e.g. at 01:00. Also take into account, when the data is populated to the source system.
+  * Synchronization of identities from HR
+      * Add a new scheduled task **Run synchronization**, select the source system for HR identities. Fill in the description, e.g. "COMP0100-02 Synchronization HR identities"
+      * Save the event and click **Add**  under **Scheduled starts**. Choose **Other task**  and select the previous task for synchronization of HR organization.
+  * Synchronization of contracts from HR
+      * Add a new scheduled task **Run synchronization**, select the source system for HR contracts. Fill in the description, e.g. "COMP0100-03 Synchronization HR contracts"
+      * Save the event and click **Add**  under **Scheduled starts**. Choose **Other task**  and select the previous task for synchronization of HR identities.
+  * **HR process - enable contract**  (HrEnableContractProcess)
+      * Find the scheduled task with this name. Update its description, e.g. "COMP0100-04 HR: Start of contracts validity"
+      * Remove the default scheduled start (only the scheduled start, don't remove the whole task!). Instead, Add a new Scheduled start of the type Other task, select the previous task for synchronization of HR contracts
+  * **HR process - end of contract ** (HrEndContractProcess)
+      * Find the task and update its description, e.g. "COMP0100-05 HR: End of contracts validity"
+      * Remove the default scheduled start, add a new of the type Other task, select the previous task for HR enable contract.
+  * **HR process - contract exclusion**  (HrContractExclusionProcess)
+      * Find the task and update its description, e.g. "COMP0100-06 HR: Exclude contract"
+      * Remove the default scheduled start, add a new of the type Other task, select the previous task for HR end contract
+  * **Recalculate all automatic roles by attribute**  (ProcessAllAutomaticRoleByAttributeTaskExecutor)
+      * Add this as a new scheduled task (be careful when selecting the exact name). Set description, e.g. "COMP0100-07 Recalculate all automatic roles by attribute"
+      * Add a new scheduled start of the type Other task, select the previous task for HR contract exclusion
+  * **Recalculate skipped automatic role by tree structure for contracts and other positions ** (ProcessSkippedAutomaticRoleByTreeForContractTaskExecutor)
+      * Add this as a new scheduled task (be careful when selecting the exact name). Set description, e.g. "COMP0100-08 Recalculate skipped automatic role by tree structure for contracts"
+      * Add a new scheduled start of the type Other task, select the previous task for all automatic roles recalculation
+  * **Contracts expiration**  (IdentityContractExpirationTaskExecutor)
+      * Find the task and update its description, e.g. "COMP0100-09 Remove roles by expired identity contracts"
+      * Remove the default scheduled start, add a new of the type Other task, select the previous task for recalculation of skipped automatic roles
+  * **Assigned roles - start of validity**  (IdentityRoleValidRequestTaskExecutor)
+      * Find the task and update its description, e.g. "COMP0100-10 Start of assigned role validity"
+      * Remove the default scheduled start, add a new of the type Other task, select the previous task for contracts expiration
+  * **Assigned roles - expiration**  (IdentityRoleExpirationTaskExecutor)
+      * Find the task and update its description, e.g. "COMP0100-11 Remove expired roles"
+      * Remove the default scheduled start, add a new of the type Other task, select the previous task for start of role validity
+In this setup, make sure to correctly configure synchronization of identities and contract - the tab **Specific settings**. Uncheck the options "After end, start the HR processes" and "After end, start the automatic role recalculation". Those two options start some of the tasks mentioned above. Those tasks should run just once to avoid data collisions and we prefer to schedule the tasks separately (easier problem solving). However, if you decide to use those options instead of the "train of tasks", make sure to start the 3 Hr…Process tasks at least once **manually**, otherwise they won't be started after end of synchronization.
+**Other:**
+You can unschedule the task Recalculate currently used contract time slices (SelectCurrentContractSliceTaskExecutor) if you don't use [[:devel:documentation:identities:dev:contractual-relationship-slice|]]. On the other hand, if you want to use time slices, schedule this task to the train of processes and also make sure to schedule Process contract slices marked as invalid (dirty flag) (ClearDirtyStateForContractSliceTaskExecutor).
+You can change the scheduled start of the task **Retry provisioning periodically**  (RetryProvisioningTaskExecutor) so this task runs less often. In some environments, it is enough to retry the failed provisioning operations e.g. once an hour instead of every 5 minutes.
+If you want to use the [[:devel:documentation:accounts:dev:protection-system|]] for some connected system, tha task [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]] must start once every day.
+If you want to use **Maximum password age**, schedule the tasks mentioned in [[.:czechidm_installation_finalize#password_policy|Password policy section]] to run once every day.
+If you don't want to automatically delete old records in the provisioning archive, remove scheduled run from the [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#deleteprovisioningarchivetaskexecutor|DeleteProvisioningArchiveTaskExecutor]].
+===== Service Desk Link Configuration =====
+The IdStory product allows you to configure a Service Desk link in the application footer for a specific project.
+{{:tutorial:adm:pasted:20260105-094907.png}}
+The configuration is done using the following configuration option:
+<code bash>
+idm.pub.app.show.footer.serviceDesk.link=
+</code>
-If you want to use validity of the [[devel:documentation:identities#contracts|contracts]] and standard [[devel:documentation:hr_processes|HR processes]] in CzechIdM, make sure that HR processes will be started every day. There are 2 options:
+Please provide the full URL of your Service Desk in this configuration property, for example:
-  * [[tutorial:adm:create_and_configure_trigger|Schedule]] the Hr...Process tasks.
+//https://redmine.bcvsolutions.eu///
-  * Ensure that [[devel:documentation:synchronization:dev:relation-sync|synchronization of contracts]] from some resource will run every day and the "After end, start the HR processes" option is ticked in the configuration of this synchronization.
-<note warning>Start the 3 Hr...Processs tasks at least once **manually**, otherwise they won't be started after end of synchronization.</note>
-If you want to use the [[devel:documentation:accounts:dev:protection-system|Account protection system]] for some connected system, you must schedule the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]] to start once every day.
+Since IdStory versions **14.16.2** and **15.7.1**, the default value of this property **is empty**, and therefore the Service Desk link is not displayed in the application footer by default.
-If you want to use **Maximum password age**, schedule the tasks mentioned in [[...:czechidm_installation_finalize#password_policy|Password policy section]] to run once every day.