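#
# -------------------------------------------
# Axon.ivy Security System Configuration
# -------------------------------------------
#
# This file shows all configuration of the Security Systems of the Axon.ivy engine applications.
# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/index.html#users
#
# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
#
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources.
# * environment variables: of the operating system can set app config entries.
#   Their key must be prefixed with 'IVY_'.
#   https://developer.axonivy.com/doc/8.0/engine-guide/configuration/advanced-configuration.html#overriding-configuration
#
# NOTE(review): the indentation of this copy was lost; the nesting below (Connection, Binding and
# UserSynch under the security system; Retry and Environment under Connection; UserAttribute,
# Membership and Import under Binding) is reconstructed -- verify it against the engine's reference file.
#


# == Security Systems ==
#
# List of Security Systems.
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system then all users that are no longer defined by the changed security system will be deleted.
# !! SecuritySystem changes are immediately reloaded and a user synchronization is executed. Wrong or incomplete configurations may lead to accidentally removing users!
# !! Switching from Microsoft Active Directory or Novell eDirectory to Axon.ivy Security System keeps all synchronized users, but requires setting new passwords for them.
# !! Tasks assigned to the deleted users are moved to the UNASSIGNED state and have to be manually reassigned later to a new user or role.
#
SecuritySystems:

  # Example security system with name mySecuritySystem
  mySecuritySystem:
    # The Security System manages the users and roles in the system database.
    # If it's ivy Security System, no additional configuration is needed.
    # If it's Microsoft Active Directory or Novell eDirectory, the security system uses LDAP to import users and role relations from the directory into the system database.
    # [Format:ENUMERATION][Values:ivy Security System, Microsoft Active Directory, Novell eDirectory]
    Provider: "ivy Security System"

    Connection:
      # Url to the naming and directory service
      # - LDAP: ldap://<hostname>:<port> - port can be omitted if it is default port 389
      # - LDAPS: ldaps://<hostname>:<port> - port can be omitted if it is default port 636
      # NOTE: security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
      Url: ldap://localhost:389

      # How to authenticate to the naming and directory service
      # none = no authentication (default if UserName/Password NOT configured)
      # simple = user name and password is used (default if UserName/Password is configured)
      # NOTE: a simple bind transmits the password without encryption at the LDAP layer, so on an
      # untrusted network combine it with an ldaps:// Url and the "ssl" security protocol (see Environment below).
      # [Format:ENUMERATION][Values:none, simple]
      AuthenticationKind: simple

      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Valid formats are...
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      UserName: ""

      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      # Prefer supplying this value through the 'IVY_'-prefixed environment variable override (see OVERRIDING above)
      # instead of storing it as plain text in a configuration file that is kept under version control.
      # [Format:PASSWORD]
      Password: ""

      # Use a connection pool to store established LDAP connections.
      # [Format:BOOLEAN]
      UseLdapConnectionPool: false

      # Flag indicating if insecure SSL connections are allowed (no server certificate verification).
      # NOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.
      # Whenever possible the LDAP server certificate (or its root certificate)
      # should be added to the Ivy Engine trust store.
      # See SSL.Client.TrustStore in the https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
      # on how to configure the engine truststore.
      # [Format:BOOLEAN]
      EnableInsecureSSL: false

      Retry:
        # Number of times a call should be retried after a failure.
        # [Format:NUMBER]
        Count: 3

        # Delay in milliseconds before the next retry call, after a failure.
        # With each retry the delay time doubles.
        # [Format:NUMBER]
        Delay: 500

      # Here you can configure additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        # [Format:ENUMERATION][Values:always, never, finding, searching]
        "java.naming.ldap.derefAliases": always

        # Specifying the security protocol.
        # If this property is unspecified, the behaviour is determined by the service provider.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        # [Format:ENUMERATION][Values:, ssl]
        "java.naming.security.protocol": ""

        # Specifying how referrals encountered by the service provider are to be processed.
        # 'follow' lets the client connect to whichever server a referral points to; use 'ignore' or 'throw'
        # if connections should stay restricted to the server configured in Url.
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        # [Format:ENUMERATION][Values:follow, ignore, throw]
        "java.naming.referral": follow

    Binding:
      # Default Context to import from.
      # The security system only sees and can import objects below the default context.
      # Normally you want to see and import all users of a security system, so set the default context to the root object/domain.
      # If you want to import only users from a certain department or location, then you can set the default context to the appropriate organization unit or location.
      # See also ImportUsersOfGroup and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext: ou=ivyteam,dc=axonivy,dc=com

      # If configured, then the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      ImportUsersOfGroup: ""

      # The security system only imports users that match the given filter.
      # See also DefaultContext and ImportUsersOfGroup to control/filter the users that are imported.
      # Format = LDAP Search Filter (RFC 4515)
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"

      UserAttribute:
        # The LDAP attribute that stores the name of a user
        # [AD:sAMAccountName][ND:uid]
        Name: "sAMAccountName"

        # The LDAP attribute that stores the full name of a user
        # [AD:displayName][ND:fullName]
        FullName: "displayName"

        # The LDAP attribute that stores the mail address of a user
        EMail: "mail"

        # The LDAP attribute that stores the language of a user
        Language: ""

        # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
        # With no entries below, this key carries no value (YAML null), which means no additional attributes are imported.
        Properties:
          # Maps a user property to an LDAP attribute
          # In the example below 'phoneNumber' is the name of the user property.
          # The value of the property is imported from the LDAP attribute 'phone' of the user.
          # phoneNumber: phone

      Membership:
        # The LDAP attribute that stores the user groups a user is member of
        # [AD:memberOf][ND:groupMembership]
        UserMemberOfAttribute: "memberOf"

        # Should the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
        # Sometimes this LDAP attribute is not available because of security concerns.
        # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
        # [Format:BOOLEAN]
        # [AD:true][ND:false]
        UseUserMemberOfForUserRoleMembership: true

        # The LDAP attribute that stores the user groups a user group is member of
        # [AD:memberOf][ND:groupMembership]
        UserGroupMemberOfAttribute: memberOf

        # The LDAP attribute that stores the members (users, user groups) of a user group
        # [AD:member][ND:uniqueMember]
        UserGroupMembersAttribute: member

        # Does the security system have to traverse nested groups (groups that are members of a group) to find all users that are members of a user group?
        # Some external security systems provide all users on the member attribute of a user group, even those that are members of nested groups.
        # [Format:BOOLEAN]
        # [AD:true][ND:false]
        TraverseNestedGroups: true

      Import:
        # Should users be imported on demand or by the synchronizing job.
        # If OnDemand is set to:
        # true: then users are not imported by the synchronization job. Instead, a user is imported the first time she logs in.
        # false: then users are imported by the user synchronizing job. If a user was not yet imported by the user synchronization job she is also imported the first time she logs in.
        # [Format:BOOLEAN]
        OnDemand: false

        # The number of objects the security system can read in one LDAP request
        # [Format:NUMBER]
        PageSize: 500

        # Flag to indicate if the daily security system synchronization should run (true) or not (false).
        # When the synchronization runs is defined by UpdateTime.
        # [Format:BOOLEAN]
        UpdateEnabled: true

        # Time of day when the security system will synchronize the users.
        # Daily security system synchronization can be switched on or off by setting UpdateEnabled.
        # Format is hh:mm, e.g. "02:00" or "14:15". Keep the value quoted: an unquoted hh:mm is read as a number by YAML 1.1 parsers.
        # [Format:DAYTIME]
        UpdateTime: "00:00"

    UserSynch:
      # Whether the user should be synchronized with the external security system at login or not.
      # If the user does not exist yet, it will be synchronized anyway. In case of slow external
      # security system connections it can make sense to deactivate this setting.
      # [Format:BOOLEAN]
      OnLogin: true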