ivy.securitysystem.yamlΒΆ

[engineDir]/configuration/reference/ivy.securitysystem.yaml

  1#
  2# -------------------------------------------
  3# Axon.ivy Security System Configuration
  4# -------------------------------------------
  5#
  6# This file shows all configuration of the Security Systems of the Axon.ivy engine applications.
  7# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/index.html#users
  8# 
  9# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
 10# https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
 11# 
 12# OVERRIDING:
 13# Any configuration value of this file can be set in alternative sources. 
 14# * environment variables: of the operating system can set app config entries. 
 15#    Their key must be prefixed with 'IVY_'. 
 16#    https://developer.axonivy.com/doc/8.0/engine-guide/configuration/advanced-configuration.html#overriding-configuration
 17# 
 18
 19
 20
 21# == Security Systems ==
 22# 
 23# List of Security Systems. 
 24# A security system defines how users and roles are managed.
 25# Security systems that are configured here can be used by applications.
 26# !! If you change a security system then all users that are no longer defined by the changed security system will be deleted.
 27# !! SecuritySystem changes are immediately reloaded and a user synchronization is executed. Wrong or incomplete configurations may lead to accidentally removing users!
 28# !! Switching from Microsoft Active Directory or Novell eDirectory to Axon.ivy Security System keeps all synchronized users, but requires to set new passwords for them.
 29# !! Tasks assigned to the deleted users are moved to the UNASSIGNED state and has to be manually reassigned later to a new user or role. 
 30#    
 31SecuritySystems:
 32
 33  # Example security system with name myIvySecuritySystem
 34  mySecuritySystem:
 35    # The Security System manages the user and roles in the system database. 
 36    # If it's ivy Security System, no additional configuration is needed. 
 37    # If it's Microsoft Active Directory or Novell eDirectory the secuity system uses LDAP to import users and role relations from AD to system database.
 38    # [Format:ENUMERATION][Values:ivy Security System, Microsoft Active Directory, Novell eDirectory]
 39    Provider: "ivy Security System"
 40
 41    Connection:
 42      # Url to the naming and directory service
 43      # - LDAP:  ldap://<hostname>:<port>   - port can be omitted if it is default port 389
 44      # - LDAPS: ldaps://<hostname>:<port>  - port can be omitted if it is default port 636
 45      # NOTE: security protocol needs to be set to "ssl" for LDAPS (Environment.java.naming.security.protocol, see below).
 46      Url: ldap://localhost:389
 47        
 48      # How to authenticate to the naming and directory service
 49      # none = no authentication (default if UserName/Password NOT configured)
 50      # simple = user name and password is used (default if UserName/Password is configured)
 51      # [Format:ENUMERATION][Values:none, simple]
 52      AuthenticationKind: simple
 53        
 54      # User name to authenticate to the naming and directory service (java.naming.security.principal).
 55      # Valid formats are... 
 56      # - LDAP Distingushed Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
 57      # - Active Directory user name like Administrator@axonivy.com
 58      UserName: ""
 59        
 60      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
 61      # [Format:PASSWORD]
 62      Password: ""
 63        
 64      # Use a connection pool to store established LDAP connections.
 65      # [Format:BOOLEAN]
 66      UseLdapConnectionPool: false
 67      
 68      # Flag indicating if an insecure SSL connections is allowed (no server certificate verification).
 69      # NOTE: Setting EnableInsecureSSL to true will turn off server certificate verification.
 70      #       Whenever possible the LDAP server certificate (or its root certificate)
 71      #       should be added to the Ivy Engine trust store.
 72      #       See SSL.Client.TrustStore in the https://developer.axonivy.com/doc/8.0/engine-guide/configuration/files/ivy-yaml.html
 73      #       on how to configure the engine truststore.
 74      # [Format:BOOLEAN]
 75      EnableInsecureSSL: false
 76
 77      Retry:
 78        # Number of times a call should be retried after a failure.
 79        # [Format:NUMBER]
 80        Count: 3
 81
 82        # Delay in milliseconds before the next retry call, after a failure.
 83        # With each retry the delay time doubles.
 84        # [Format:NUMBER]
 85        Delay: 500
 86
 87      # Here you can configure additional environment properties for the LDAP context.
 88      Environment:
 89        # How to handle LDAP aliases. 
 90        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
 91        # [Format:ENUMERATION][Values:always, never, finding, searching]
 92        "java.naming.ldap.derefAliases": always
 93         
 94        # Specifying the security protocol. 
 95        # If this property is unspecified, the behaviour is determined by the service provider. 
 96        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
 97        # [Format:ENUMERATION][Values:, ssl]
 98        "java.naming.security.protocol": ""
 99         
100        # Specifying how referrals encountered by the service provider are to be processed. 
101        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
102        # [Format:ENUMERATION][Values:follow, ignore, throw]
103        "java.naming.referral": follow
104
105    Binding:
106      # Default Context to import from. 
107      # The security system only sees and can import objects below the default context. 
108      # Normally, you want to see and import all users of a security system then set the default context to the root object/domain.
109      # If you want to import only users from a certain department or location, then you can set the default context to the appropriate organization unit or location.
110      # See also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.
111      # Format = LDAP Distingushed Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
112      DefaultContext: ou=ivyteam,dc=axonivy,dc=com
113        
114      # If configured, then the security system imports only the users that are members of this user group.
115      # See also DefaultContext and UserFilter to control/filter the users that are imported.
116      # Format = LDAP Distingushed Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
117      ImportUsersOfGroup: ""
118        
119      # The security system only imports users that match the given filter.
120      # See also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.
121      # Format = LDAP Search Filter (RFC 4515)
122      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"
123
124    UserAttribute:
125      # The LDAP attribute that stores the name of a user
126      # [AD:sAMAccountName][ND:uid]
127      Name: "sAMAccountName"
128        
129      # The LDAP attribute that stores the full name of a user
130      # [AD:displayName][ND:fullName]
131      FullName: "displayName"
132        
133      # The LDAP attribute that stores the mail address of a user
134      EMail: "mail"
135        
136      # The LDAP attribute that stores the langauge of a user
137      Language: ""
138      
139      # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
140      Properties:
141        # Maps a user property to an LDAP attribute
142        # In the example below 'phoneNumber' is the name of the user property. 
143        # The value of the property is imported from the LDAP attribute 'phone' of the user.
144        #phoneNumber: phone
145
146    Membership:
147      # The LDAP attribute that stores the user groups a user is member of
148      # [AD:memberOf][ND:groupMembership]
149      UserMemberOfAttribute: "memberOf"
150      
151      # Should the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
152      # Sometimes this LDAP attribute is not available because of security concerns. 
153      # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
154      # [Format:BOOLEAN]
155      # [AD:true][ND:false]
156      UseUserMemberOfForUserRoleMembership: true
157      
158      # The LDAP attribute that stores the user groups a user group is member of
159      # [AD:memberOf][ND:groupMembership]
160      UserGroupMemberOfAttribute: memberOf
161      
162      # The LDAP attribute that stores the members (user, user groups) of a user group
163      # [AD:member][ND:uniqueMember]
164      UserGroupMembersAttribute: member
165      
166      # Does the security system has to traverse nested groups (groups that are members of a group) to find all users that are member of a user group?
167      # Some external security systems provide all users on the member attribute of a user group even those that are members of nested groups.
168      # [Format:BOOLEAN]
169      # [AD:true][ND:false]
170      TraverseNestedGroups: true
171      
172    Import:
173      # Should users be imported on demand or by the synchronizing job.
174      # If OnDemand is set to: 
175      # true: then users are not imported by the synchronization job. Instead, a user is imported the first time she logs in. 
176      # false: then users are imported by the user synchronizing job. If a user was not yet imported by the user synchronization job she is also imported the first time she logs in.
177      # [Format:BOOLEAN]
178      OnDemand: false
179
180    # The number of objects the security system can read in one LDAP request
181    # [Format:NUMBER]
182    PageSize: 500
183
184    # Flag to indicate if the daily security system synchronization should run (true) or not (false).
185    # When the synchronization runs is defined by UpdateTime.
186    # [Format:BOOLEAN]
187    UpdateEnabled: true
188      
189    # Time of day when the security system will synchronize the users.
190    # Daily security system synchronization can be switched on or off by setting UpdateEnabled.
191    # Format is hh:mm. e.g. "02:00" or "14:15"
192    # [Format:DAYTIME]
193    UpdateTime: "00:00"