ivy.securitysystem.yamlΒΆ

[engineDir]/configuration/reference/ivy.securitysystem.yaml

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
#
# -------------------------------------------
# Axon.ivy Security System Configuration
# -------------------------------------------
#
# This file shows all configuration of the Security Systems of the Axon.ivy engine applications.
# https://developer.axonivy.com/doc/9.1/engine-guide/configuration/index.html#users
# 
# Copy contents of this reference file to 'configuration/ivy.yaml' before adjusting them to your needs.
# https://developer.axonivy.com/doc/9.1/engine-guide/configuration/files/ivy-yaml.html
# 
# OVERRIDING:
# Any configuration value of this file can be set in alternative sources. 
# * environment variables: of the operating system can set app config entries. 
#    Their key must be prefixed with 'IVY_'. 
#    https://developer.axonivy.com/doc/9.1/engine-guide/configuration/advanced-configuration.html#overriding-configuration
# 



# == Security Systems ==
#
# List of Security Systems. 
# A security system defines how users and roles are managed.
# Security systems that are configured here can be used by applications.
# !! If you change a security system then all users that are no longer defined by the changed security system will be disabled.
# !! SecuritySystem changes are immediately reloaded and a user synchronization is executed.
# !! Switching from Microsoft Active Directory or Novell eDirectory to Axon.ivy Security System keeps all synchronized users, but requires to set new passwords for them.
#
SecuritySystems:

  # Example security system with name myIvySecuritySystem
  mySecuritySystem:
    # The Security System manages the user and roles in the system database. 
    # If it's ivy Security System, no additional configuration is needed. 
    # If it's Microsoft Active Directory or Novell eDirectory the security system uses LDAP to import users and role relations from AD to system database.
    # [Format:ENUMERATION][Values:ivy Security System, Microsoft Active Directory, Novell eDirectory]
    Provider: "ivy Security System"

    Connection:
      # Url to the naming and directory service
      Url: ldap://localhost:389
        
      # How to authenticate to the naming and directory service
      # none = no authentication (default if UserName/Password NOT configured)
      # simple = user name and password is used (default if UserName/Password is configured)
      # [Format:ENUMERATION][Values:none, simple]
      AuthenticationKind: simple
        
      # User name to authenticate to the naming and directory service (java.naming.security.principal).
      # Valid formats are... 
      # - LDAP Distinguished Name (RFC 4514) like cn=Administrator,dc=axonivy,dc=com
      # - Active Directory user name like Administrator@axonivy.com
      UserName: ""
        
      # Password to authenticate to the naming and directory service (java.naming.security.credentials).
      # [Format:PASSWORD]
      Password: ""
        
      # Use a connection pool to store established LDAP connections.
      # [Format:BOOLEAN]
      UseLdapConnectionPool: false

      Retry:
        # Number of times a call should be retried after a failure.
        # [Format:NUMBER]
        Count: 3

        # Delay in milliseconds before the next retry call, after a failure.
        # With each retry the delay time doubles.
        # [Format:NUMBER]
        Delay: 500

      # Here you can configure additional environment properties for the LDAP context.
      Environment:
        # How to handle LDAP aliases. 
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
        # [Format:ENUMERATION][Values:always, never, finding, searching]
        "java.naming.ldap.derefAliases": always
         
        # Specifying the security protocol. 
        # If this property is unspecified, the behavior is determined by the service provider. 
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html
        # [Format:ENUMERATION][Values:, ssl]
        "java.naming.security.protocol": ""
         
        # Specifying how referrals encountered by the service provider are to be processed. 
        # https://docs.oracle.com/javase/jndi/tutorial/ldap/referral/index.html
        # [Format:ENUMERATION][Values:follow, ignore, throw]
        "java.naming.referral": follow

    Binding:
      # Default Context to import from. 
      # The security system only sees and can import objects below the default context. 
      # Normally, you want to see and import all users of a security system then set the default context to the root object/domain.
      # If you want to import only users from a certain department or location, then you can set the default context to the appropriate organization unit or location.
      # See also EverybodyUserGroupName and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) like dc=axonivy,dc=com or ou=ivyteam,dc=axonivy,dc=com
      DefaultContext: ""
        
      # If configured, then the security system imports only the users that are members of this user group.
      # See also DefaultContext and UserFilter to control/filter the users that are imported.
      # Format = LDAP Distinguished Name (RFC 4514) of a user group like cn=AxonIvyUser,ou=ivyteam,dc=axonivy,dc=com
      # Tip for eDirectory: To improve synch performance you have to add an index on the groupMembership attribute.
      ImportUsersOfGroup: ""
        
      # The security system only imports users that match the given filter.
      # See also DefaultContext and EverybodyUserGroupName to control/filter the users that are imported.
      # Format = LDAP Search Filter (RFC 4515)
      UserFilter: "(&(objectClass=user)(!(objectClass=computer)))"

    UserAttribute:
      # The LDAP attribute that stores the unique identifier of a user
      # This identifier is used during synchronization to identify a renamed user 
      # [AD:objectGUID][ND:GUID]
      Id: objectGUID

      # The LDAP attribute that stores the name of a user
      # [AD:sAMAccountName][ND:uid]
      Name: sAMAccountName
        
      # The LDAP attribute that stores the full name of a user
      # [AD:displayName][ND:fullName]
      FullName: displayName
        
      # The LDAP attribute that stores the mail address of a user
      EMail: email
        
      # The LDAP attribute that stores the language of a user
      Language: ""
      
      # Here you can specify a list of additional LDAP attributes that are imported and available as user properties (IUser.getProperty)
      Properties:
        # Maps a user property to an LDAP attribute
        # In the example below 'phoneNumber' is the name of the user property. 
        # The value of the property is imported from the LDAP attribute 'phone' of the user.
        #phoneNumber: phone

    Membership:
      # The LDAP attribute that stores the user groups a user is member of
      # [AD:memberOf][ND:groupMembership]
      UserMemberOfAttribute: memberOf
      
      # Can the security system use the LDAP attribute configured in UserMemberOfAttribute (memberOf, groupMembership) to import user role membership.
      # Sometimes this LDAP attribute is not available because of security concerns. 
      # If you set this to false, then the security system will import the user role membership with an alternative but slower mechanism.
      # [Format:BOOLEAN]
      UserMemberOfLookupAllowed: true
      
      # The LDAP attribute that stores the user groups a user group is member of
      # [AD:memberOf][ND:groupMembership]
      UserGroupMemberOfAttribute: memberOf
      
      # The LDAP attribute that stores the members (user, user groups) of a user group
      # [AD:member][ND:uniqueMember]
      UserGroupMembersAttribute: member
      
      # This property defines how the synchronization find all users that are member of a user group.
      # Normally the default should be fine for you, only if you have some security settings on your directory it can be possible that you need switch to TRAVERSE.
      # The setting TRAVERSE may have a big inpact on your synchronization speed if you use an 'ImportUsersOfGroup'.
      # [Format:ENUMERATION][Values:MATCHING_RULE, DIRECT, TRAVERSE]
      # [AD:MATCHING_RULE][ND:DIRECT]
      NestedGroupsLookup: MATCHING_RULE
      
    Import:
      # Should users be imported on demand or by the synchronizing job.
      # If OnDemand is set to: 
      # true: then users are not imported by the synchronization job. Instead, a user is imported the first time she logs in. 
      # false: then users are imported by the user synchronizing job. If a user was not yet imported by the user synchronization job she is also imported the first time she logs in.
      # [Format:BOOLEAN]
      OnDemand: false

    # The number of objects the security system can read in one LDAP request
    # [Format:NUMBER]
    PageSize: 500
      
    # Time of day when the security system will synchronize the users.
    # The engine must be running at this time otherwise the synchronization will not be executed.
    # Format is hh:mm. e.g. "02:00" or "14:15"
    # [Format:DAYTIME]
    UpdateTime: "00:00"