| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
tutorial:adm:czechidm_installation_finalize [2019/10/31 14:19]
kopro add information about password reset |
tutorial:adm:czechidm_installation_finalize [2022/12/21 09:56] (current)
apeterova [Schedule the tasks] |
| ====== Installation of CzechIdM - Final steps ====== | ====== Installation of CzechIdM - Final steps ====== |
| |
| {{tag>installation quickstart configuration userRole email}} | {{tag>installation quickstart configuration userRole email}} |
| |
| We presume that CzechIdM is already installed as described in [[tutorial:adm:czechidm_installation|]] or [[tutorial:adm:czechidm_installation_win|]]. | We presume that CzechIdM is already installed as described in [[.:czechidm_installation|]] or [[.:czechidm_installation_win|]]. |
| |
| This tutorial contains some recommended steps to review and finalize the configuration for the production-ready version of CzechIdM. | This tutorial contains some recommended steps to review and finalize the configuration for the production-ready version of CzechIdM. |
| ===== Systems & Virtual systems ===== | ===== Systems & Virtual systems ===== |
| |
| First of all, activate the module **acc** in **Settings** -> **Modules** by clicking on the button **Activate**. | First of all, activate the module **acc** in **Settings** → **Modules** by clicking on the button **Activate**. |
| | |
| If you want to try CzechIdM account management without directly connecting some system, you could start with the [[devel:documentation:modules_vs|Virtual systems]]. To use this, activate the module **vs** at **Settings** -> **Modules** by clicking on the button **Activate**. | |
| |
| | If you want to try CzechIdM account management without directly connecting some system, you could start with the [[:devel:documentation:modules_vs|Virtual systems]]. To use this, activate the module **vs** at **Settings** → **Modules** by clicking on the button **Activate**. |
| ===== Notifications & e-mails ===== | ===== Notifications & e-mails ===== |
| |
| Sending of e-mails is turned off by default; the e-mails are only logged in the **Notifications** -> **E-mails history**. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following: | Sending of e-mails is turned off by default; the e-mails are only logged in the **Notifications** → **E-mails history**. However, when you start to use CzechIdM, some processes should be able to notify the users. Configure the following: |
| * Emailer - add the configuration properties for [[devel:documentation:application_configuration:dev:backend#emailer|SMTP server and e-mail sending mode]] in the **Settings** -> **Configuration** | |
| * Review and adjust the [[tutorial:adm:notifications_standard|standard notifications]] sent by CzechIdM according to your needs. **This is important so IdM behaves as you expect!** | * Emailer - add the configuration properties for [[:devel:documentation:application_configuration:dev:backend#emailer|SMTP server and e-mail sending mode]] in the **Settings** → **Configuration** |
| | * Review and adjust the [[.:notifications_standard|standard notifications]] sent by CzechIdM according to your needs. **This is important so IdM behaves as you expect!** |
| |
| ===== Password policy ===== | ===== Password policy ===== |
| |
| Go to Settings -> Password policies and set the [[devel:documentation:adm:pwd|password policy]] according to your security standards. | Go to Settings → Password policies and set the [[:devel:documentation:password_policies|password policy]] according to your security standards. |
| |
| If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). | It's recommended to set [[.:block_user_unsuccessful_login_attemps|temporary blocking login after unsuccessful login attempts]]. |
| |
| | If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). |
| |
| ===== Allow users into CzechIdM ===== | ===== Allow users into CzechIdM ===== |
| | |
| | FIXME For 10.5+, userRole is created by default - [[:devel:documentation:architecture:dev:events:init-data|]]. Change this section accordingly. |
| |
| In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM. | In the fresh installation, users without any assigned role can do nothing after logging into CzechIdM. |
| |
| Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]. | Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[.:new_role|Create the role]] and [[.:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[:devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]. |
| |
| | Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[:devel:documentation:security:dev:authentication#defaultaccauthenticator|Authentication against end system]]). Or you may configure [[.:sso_ad_domain|SSO]]. |
| |
| ===== Configure the approval process ===== | ===== Configure the approval process ===== |
| |
| Manual role assignment is always done by [[devel:documentation:role_change|role requests]]. In the fresh installation, the requests will be automatically approved, because no approvers are set yet. | Manual role assignment is always done by [[:devel:documentation:role_change|role requests]]. In the fresh installation, the requests will be automatically approved, because no approvers are set yet. |
| | |
| If you want to enable users to request a role change, you should also set some approval processes for their requests. The configuration options are described [[tutorial:adm:role_change_configuration|here]]. | |
| |
| | If you want to enable users to request a role change, you should also set some approval processes for their requests. The configuration options are described [[.:role_change_configuration|here]]. |
| |
| ===== Configure managers ===== | ===== Configure managers ===== |
| |
| Managers and guarantees of the contracts can be included in the approval process or they could manage their subordinates (if you set it in the [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]). If you use these features, make sure that CzechIdM uses a correct algorithm for evaluating managers and subordinates relationship. | Managers and guarantees of the contracts can be included in the approval process or they could manage their subordinates (if you set it in the [[:devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]). If you use these features, make sure that CzechIdM uses a correct algorithm for evaluating managers and subordinates relationship. |
| |
| The default algorithm evaluates the managers/subordinates by their position in the organizational structure and also includes directly set guarantees. This is set by [[devel:documentation:architecture:dev:filters#defaultmanagersfilter|DefaultManagersFilter]] and [[devel:documentation:architecture:dev:filters#defaultsubordinatesfilter|DefaultSubordinatesFilter]]. | The default algorithm evaluates the managers/subordinates by their position in the organizational structure and also includes directly set guarantees. This is set by [[:devel:documentation:architecture:dev:filters#defaultmanagersfilter|DefaultManagersFilter]] and [[:devel:documentation:architecture:dev:filters#defaultsubordinatesfilter|DefaultSubordinatesFilter]]. |
| |
| **Example:** | **Example:** |
| |
| <code properties> | <code properties> |
| idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter | idm.sec.core.filter.IdmIdentity.managersFor.impl=defaultManagersFilter |
| idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter | idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=defaultSubordinatesFilter |
| | |
| </code> | </code> |
| |
| If you don't want to use organizational structure for evaluating the managers - typically if it's the structure of departments and the managers and subordinates are at the same level in the structure - use rather [[devel:documentation:architecture:dev:filters#guaranteemanagersfilter|GuaranteeManagersFilter]] and [[devel:documentation:architecture:dev:filters#guaranteesubordinatesfilter|GuaranteeSubordinatesFilter]]. | If you don't want to use organizational structure for evaluating the managers - typically if it's the structure of departments and the managers and subordinates are at the same level in the structure - use rather [[:devel:documentation:architecture:dev:filters#guaranteemanagersfilter|GuaranteeManagersFilter]] and [[:devel:documentation:architecture:dev:filters#guaranteesubordinatesfilter|GuaranteeSubordinatesFilter]]. |
| |
| **Example:** | **Example:** |
| |
| <code properties> | <code properties> |
| idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter | idm.sec.core.filter.IdmIdentity.managersFor.impl=guaranteeManagersFilter |
| idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter | idm.sec.core.filter.IdmIdentity.subordinatesFor.impl=guaranteeSubordinatesFilter |
| | |
| </code> | </code> |
| | |
| ==== Configure subordinates provisioning ==== | ==== Configure subordinates provisioning ==== |
| |
| idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false | idm.sec.acc.processor.identity-contract-provisioning-processor.includeSubordinates=false |
| idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false | idm.sec.acc.processor.identity-contract-before-save-processor.includeSubordinates=false |
| | |
| </code> | </code> |
| | |
| ==== Configure password reset for all systems including IdM ==== | ==== Configure password reset for all systems including IdM ==== |
| | |
| Please try check you project if you want reset password to all connected systems including CzechIdM after user's state will be evaluated from disable state to enabled state. This change is processed by processor **IdentitySetPasswordProcessor (acc-identity-set-password-processor)**. You can disable it by configuration property or GUI agenda of processors (it is equivalent). | Please try check you project if you want reset password to all connected systems including CzechIdM after user's state will be evaluated from disable state to enabled state. This change is processed by processor **IdentitySetPasswordProcessor (acc-identity-set-password-processor)**. You can disable it by configuration property or GUI agenda of processors (it is equivalent). |
| |
| ===== Schedule the tasks ===== | ===== Schedule the tasks ===== |
| |
| Review the [[devel:documentation:scheduled_task|scheduled tasks]] in **Settings** -> **Task scheduler**. | FIXME This section is obsolete, most important tasks are scheduled by default in newer versions of CzechIdM |
| | |
| | Review the [[:devel:documentation:scheduled_task|scheduled tasks]] in **Settings** → **Task scheduler**. |
| | |
| | By default, connected system's synchronization is not scheduled. To do so, you have to add it. Add a new scheduled task SynchronizationSchedulableTaskExecutor, fill in the Synchronization Save the event and click Add under Scheduled starts. To run the event periodically, set a [[.:create_and_configure_trigger|CRON trigger]]. |
| | |
| | If you don't want to automatically delete old records in the provisioning archive, remove scheduled run from the [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#deleteprovisioningarchivetaskexecutor|DeleteProvisioningArchiveTaskExecutor]]. |
| | |
| | If you want to use validity of the [[:devel:documentation:identities#contracts|contracts]] and standard [[:devel:documentation:hr_processes|HR processes]] in CzechIdM, make sure that HR processes will be started every day. There are 2 options: |
| | |
| | * [[.:create_and_configure_trigger|Schedule]] the Hr…Process tasks. |
| | * Ensure that [[:devel:documentation:synchronization:dev:relation-sync|synchronization of contracts]] from some resource will run every day and the "After end, start the HR processes" option is ticked in the configuration of this synchronization. |
| |
| By default, connected system's synchronization is not scheduled. To do so, you have to add it. Add a new scheduled task SynchronizationSchedulableTaskExecutor, fill in the Synchronization uuid which you can find by opening a synchronization of your system in the URL of the page following synchronization-configs. So, if you have a URL "http://localhost:8080/idm/#/system/f5h4bd76-9218-5fz8-7e5u-0ds772ag968u/synchronization-configs/94b6thj6-2nb1-84g2-sfd2-dgd4f99adsf24/detail?_k=uct1ra", the UID is "94b6thj6-2nb1-84g2-sfd2-dgd4f99adsf24". Save the event and click Add under Scheduled starts. To run the event periodically, set a [[tutorial:adm:create_and_configure_trigger|CRON trigger]]. | <note warning>Start the 3 Hr…Processs tasks at least once **manually**, otherwise they won't be started after end of synchronization.</note> |
| |
| If you don't want to automatically delete old records in the provisioning archive, remove scheduled run from the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#deleteprovisioningarchivetaskexecutor|DeleteProvisioningArchiveTaskExecutor]]. | If you want to use the [[:devel:documentation:accounts:dev:protection-system|]] for some connected system, you must schedule the [[:devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]] to start once every day. |
| |
| If you want to use validity of the [[devel:documentation:identities#contracts|contracts]] and standard [[devel:documentation:hr_processes|HR processes]] in CzechIdM, make sure that HR processes will be started every day. There are 2 options: | If you want to use **Maximum password age**, schedule the tasks mentioned in [[.:czechidm_installation_finalize#password_policy|Password policy section]] to run once every day. |
| * [[tutorial:adm:create_and_configure_trigger|Schedule]] the Hr...Process tasks. | |
| * Ensure that [[devel:documentation:synchronization:dev:relation-sync|synchronization of contracts]] from some resource will run every day and the "After end, start the HR processes" option is ticked in the configuration of this synchronization. | |
| <note warning>Start the 3 Hr...Processs tasks at least once **manually**, otherwise they won't be started after end of synchronization.</note> | |
| |
| If you want to use the [[devel:documentation:accounts:dev:protection-system|Account protection system]] for some connected system, you must schedule the [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#accountprotectionexpirationtaskexecutor|AccountProtectionExpirationTaskExecutor]] to start once every day. | |
| |
| If you want to use **Maximum password age**, schedule the tasks mentioned in [[...:czechidm_installation_finalize#password_policy|Password policy section]] to run once every day. | |