Version: 8.2511.x.x RR

Client policy

Client policies can be understood as client-specific configurations. Only one client policy per client is allowed.

User validation

validation.user.name.mandatory

  • Data type: boolean
  • Default: true
  • Description: Defines whether the user's name is mandatory or optional.

validation.user.firstname.mandatory

  • Data type: boolean
  • Default: true
  • Description: Defines whether the user's first name is mandatory or optional.

validation.user.email.mandatory

  • Data type: boolean
  • Default: true
  • Description: Defines whether the user's e-mail address is mandatory or optional.

validation.user.mobile.mandatory

  • Data type: boolean
  • Default: false
  • Description: Defines whether the user's mobile number is mandatory or optional.

validation.user.mobile.unique

  • Data type: boolean
  • Default: false
  • Description: Defines whether the user's mobile phone number must be unique per client. Uniqueness is checked by plain string comparison; there is no semantic comparison that recognizes two differently written mobile numbers (spaces, country prefix, etc.) as the same number. Use validation.user.phone.regex to enforce a consistent format.

validation.user.phone.regex

  • Data type: String
  • Default: none (no validation check performed)
  • Description: Regular expression for input validation of telephone, telefax and mobile. Example: ^(\+|00)(\d ?(\d ?){0,14}|\d{2} ?(\d ?){0,13}|\d{3} ?(\d ?){0,12})$|^0(\d ?){0,13}$
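As an added illustration (written for this page, not part of the nevisIDM documentation or product), the following Python snippet applies the example regex above to constructed phone numbers and shows why the string-comparison uniqueness check of validation.user.mobile.unique still treats differently spaced spellings of one number as distinct: the regex permits optional single spaces, so "+41 79 123 45 67" and "+41791234567" both pass and are stored as two different strings. The normalize_mobile helper is a hypothetical pre-processing step, not a nevisIDM feature.

```python
import re

# validation.user.phone.regex example from the page, verbatim.
PHONE_REGEX = re.compile(
    r"^(\+|00)(\d ?(\d ?){0,14}|\d{2} ?(\d ?){0,13}|\d{3} ?(\d ?){0,12})$"
    r"|^0(\d ?){0,13}$"
)


def phone_is_valid(value: str) -> bool:
    """True if the value matches the configured regex (the pattern carries its own anchors)."""
    return PHONE_REGEX.match(value) is not None


def mobile_is_unique(candidate: str, existing_mobiles) -> bool:
    """validation.user.mobile.unique as the page describes it: a plain string comparison."""
    return candidate not in set(existing_mobiles)


def normalize_mobile(value: str) -> str:
    """Hypothetical canonical form (not a nevisIDM feature): drop spaces and write the
    international prefix as '+'. Apply it before storing if you need semantic uniqueness."""
    compact = value.replace(" ", "")
    if compact.startswith("00"):
        compact = "+" + compact[2:]
    return compact


def mobile_is_unique_normalized(candidate: str, existing_mobiles) -> bool:
    """Uniqueness after normalizing both sides, for comparison with the plain check."""
    existing = {normalize_mobile(m) for m in existing_mobiles}
    return normalize_mobile(candidate) not in existing


if __name__ == "__main__":
    # Constructed sample values; the last one shows that the regex tolerates a trailing space.
    samples = ["+41 79 123 45 67", "0041791234567", "079 123 45 67",
               "+41-79-123-45-67", "+41791234567890123456", "+41 "]
    for s in samples:
        print(f"{s!r:28} valid={phone_is_valid(s)}")
    stored = ["+41 79 123 45 67"]
    print("plain uniqueness     :", mobile_is_unique("+41791234567", stored))
    print("normalized uniqueness:", mobile_is_unique_normalized("+41791234567", stored))
```

Two caveats the run makes visible: the example regex accepts a trailing space (the optional space after each digit), so trim input before validating, and it does not reject a number written once with spaces and once without, so the uniqueness check alone will not catch such duplicates.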

validation.user.sex.mandatory

  • Data type: boolean
  • Default: false
  • Description: Defines whether the user's sex is mandatory or optional.

validation.user.country.mandatory

  • Data type: boolean
  • Default: false
  • Description: Defines whether the user's country is mandatory or optional.

validation.mobileSignature.msisdn.unique

  • Data type: boolean
  • Default: false
  • Description: Enable/disable uniqueness check of the MSISDN of mobile signature credentials. If the parameter is true, the MSISDN of mobile signature credentials must be unique per client. Otherwise, no uniqueness check is applied for MSISDNs.

User creation

create.user.country.default.id

  • Data type: int
  • Default: -1 (not set)
  • Description: Sets the default ID of the country drop-down menu on the user create page.

create.user.language.default.id

  • Data type: int
  • Default: -1 (not set)
  • Description: Sets the default ID of the language drop-down menu in the New user view. If the value is not set or invalid (e.g., not defined in the policy parameter allowed.user.languages), the system sets the language based on the request locale, if possible. Otherwise, the language is based on the nevisIDM default language.

create.user.loginid.uniquenesscheck.casesensitive

  • Data type: boolean
  • Default: false
  • Description: When creating a user, the uniqueness of the loginID is checked. If this parameter is true, the check is case-sensitive; if false, it is case-insensitive. Setting it to true might improve performance on certain databases, but then you must guarantee case-insensitive uniqueness of loginIDs by other means; otherwise you risk inconsistent loginIDs.

allowed.user.languages

  • Data type: String, comma-separated list surrounded by square brackets

  • Default: [de, en, fr, it]

  • Description: A comma-separated list of ISO-639-1 language codes. With this parameter set, the allowed languages for users of the given client can be defined. User creation, user modification on the GUI and over SOAP, and user import on the GUI can only be executed successfully if the given user's language is part of the specified languages. The language of existing users is not adjusted automatically, but the user is forced to choose an allowed language upon modification.

    Notes:

    • The parameter is optional; the default value will be used if the parameter is not set.
    • If set, it must contain at least one valid ISO-639-1 language code.
    • Use the language code iw for Hebrew, in for Indonesian, and ji for Yiddish.

    Examples:

    • allowed.user.languages=[de, en, fr, it] → OK
    • allowed.user.languages='' → Not OK (value cannot be empty)
    • allowed.user.languages=[] → Not OK (value cannot be empty)
    • allowed.user.languages=[de] → OK
    • allowed.user.languages=[rt] → Not OK (invalid language code)

Login ID generator

loginIdGenerator.enabled

  • Data type: boolean
  • Default: false
  • Description: Enables the login ID generator.

loginIdGenerator.minValue

  • Data type: int
  • Default: 100000
  • Description: Specifies the minimum value of the login ID generator.

loginIdGenerator.maxValue

  • Data type: int
  • Default: 999999
  • Description: Specifies the maximum value of the login ID generator.

loginIdGenerator.prefix

  • Data type: String
  • Default: empty
  • Description: Specifies a configurable string prefix. All generated login IDs will be prefixed with this string.

If the login ID generator for a client reaches the maximum value, it will start looking for non-used login IDs starting from the minimum value. If all login IDs in the range are used, you need to increase the maximum value. You must also update the table storing the current login ID value so that it points to the last configured maximum value.

For example, if the default client ID is "100" and the default maximum value is "999999", update the table as follows:

update tidma_login_id_generation set current_value=999999 where client_id=100;
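The wrap-around and exhaustion behaviour just described, modelled in Python as an added example (an illustration written for this page, not nevisIDM's generator). The current_value attribute stands in for the tidma_login_id_generation.current_value column, the set of used IDs is constructed in memory, and raise_max_value performs the manual recovery step: raising maxValue and pointing the stored value at the previous maximum.

```python
class LoginIdExhausted(RuntimeError):
    """Every login ID between minValue and maxValue is already taken."""


class LoginIdGenerator:
    """Model of the per-client login ID generator described above (illustration only)."""

    def __init__(self, min_value=100000, max_value=999999, prefix="", used=None):
        if min_value > max_value:
            raise ValueError("minValue must not exceed maxValue")
        self.min_value = min_value
        self.max_value = max_value
        self.prefix = prefix
        # Login IDs already assigned to users (prefix included), e.g. loaded from the user table.
        self.used = set(used or ())
        # Stands in for tidma_login_id_generation.current_value; nothing generated yet.
        self.current_value = min_value - 1

    def _format(self, number: int) -> str:
        return f"{self.prefix}{number}"

    def next_login_id(self) -> str:
        """Return the next unused login ID, wrapping around to minValue after maxValue.
        Raises LoginIdExhausted once every value in the range has been checked."""
        range_size = self.max_value - self.min_value + 1
        for _ in range(range_size):
            self.current_value += 1
            if self.current_value > self.max_value:
                self.current_value = self.min_value
            candidate = self._format(self.current_value)
            if candidate not in self.used:
                self.used.add(candidate)
                return candidate
        raise LoginIdExhausted(
            "all login IDs in range are used; raise maxValue and update current_value")

    def raise_max_value(self, new_max_value: int) -> None:
        """The manual recovery step from the page: raise maxValue and set the stored
        current value to the previous maximum, so generation continues from there."""
        if new_max_value <= self.max_value:
            raise ValueError("new maxValue must be larger than the current one")
        self.current_value = self.max_value
        self.max_value = new_max_value


if __name__ == "__main__":
    gen = LoginIdGenerator(min_value=10, max_value=12, prefix="u")  # tiny range for the demo
    print([gen.next_login_id() for _ in range(3)])  # ['u10', 'u11', 'u12']
    try:
        gen.next_login_id()
    except LoginIdExhausted as exc:
        print("exhausted:", exc)
    gen.raise_max_value(14)
    print(gen.next_login_id())  # u13
```

The exhaustion check is bounded by the range size, so a full range fails fast instead of spinning; on a real deployment the equivalent condition shows up as failing user creations, which is the moment to apply the UPDATE statement above.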

ExtId manual assignment

gui.create.user.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created users. If false, the extId is autogenerated.

gui.create.enterpriserole.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created enterprise roles. If false, the extId is autogenerated.

gui.create.profile.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created profiles. If false, the extId is autogenerated.

gui.create.unit.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created units. If false, the extId is autogenerated.

gui.create.credential.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created credentials. If false, the extId is autogenerated.

gui.create.application.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created applications. If false, the extId is autogenerated.

gui.create.role.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created roles. If false, the extId is autogenerated. If in this case the associated applications belong to multiple clients, nevisIDM takes the client policy of the first client (alphabetically). Therefore, we recommend enabling this parameter for all affected clients.

gui.create.policyconfig.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created policy configurations. If false, the extId is autogenerated.

gui.create.template.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created templates. If false, the extId is autogenerated.

gui.create.personalquestion.extid.setmanually

  • Data type: boolean
  • Default: false
  • Description: Allows you to manually set the extId of created personal questions. If false, the extId is autogenerated.

Credential types

availableCredentialTypes

  • Data type: int, comma-separated list surrounded by square brackets

  • Default: none (all credential types available)

  • Description: A comma-separated list of credential type IDs surrounded by square brackets, no spaces allowed. Only credentials of the enumerated types can be created in the client. The available credential types can be defined in the unit policy as well. In this case, all credential types defined in the unit policies must also be defined in the client policy.

    Possible values:

    Type ID   Credential type
    1         Password
    2         Certificate
    3         SecurID
    4         Ticket
    5         Safeword
    6         OTP
    8         Temporary strong password
    9         Generic credential
    10        Kerberos
    11        mTAN
    12        Vasco Digipass token
    13        PUK
    14        URL ticket
    15        Device password
    16        Mobile signature
    17        SAML federation
    18        Security question
    19        Context password
    20        OATH
    21        FIDO UAF
    22        Recovery code
    23        FIDO 2

    Examples:

    • availableCredentialTypes=[1,2] : only passwords and certificates available
    • availableCredentialTypes=[] : no credential types available
    • availableCredentialTypes= : all credential types available
    • availableCredentialTypes not defined: all credential types available

strongCredentialTypes

  • Data type: int, comma-separated list surrounded by square brackets

  • Default: [2,3,5,8,12] (Certificate, SecurID, Safeword, Temporary strong password, Vasco Digipass token)

  • Description: A comma-separated list of credential type IDs surrounded by square brackets, no spaces allowed. The credential types listed in this parameter are considered as strong credentials.

    The parameters weakCredentialTypes and strongCredentialTypes cannot contain the same credential ID.

    Examples:

    • strongCredentialTypes not in the policy → OK (use default values)
    • strongCredentialTypes='' → NOK (value cannot be empty)
    • strongCredentialTypes=[] → NOK (value cannot be empty)
    • strongCredentialTypes=[1,2,3] → OK
    • weakCredentialTypes=[1,2,3] and strongCredentialTypes=[3,5,6] → NOK (credential type 3 is defined in both)

weakCredentialTypes

  • Data type: int, comma-separated list surrounded by square brackets

  • Default: [1,4] (Password, Ticket)

  • Description: A comma-separated list of credential type IDs surrounded by square brackets, no spaces allowed. The credential types listed in this parameter are considered as weak credentials. If the deactivateWeakCredentialsOnStrongLogin parameter is true, the user's weak credentials will be disabled if the user logs in with a strong credential.

    The parameters weakCredentialTypes and strongCredentialTypes cannot contain the same credential ID.

deactivateWeakCredentialsOnStrongLogin

  • Data type: boolean
  • Default: false
  • Description: If this parameter is true, the user's weak credentials will be disabled if the user logs in with a strong credential. The list of weak and strong credential types can be defined by setting the weakCredentialTypes and strongCredentialTypes parameters.
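As an added example (written for this page, not nevisIDM code), the following Python checker validates the bracketed list parameters the way the examples under allowed.user.languages, availableCredentialTypes, strongCredentialTypes and weakCredentialTypes specify, and then applies the deactivateWeakCredentialsOnStrongLogin rule to a constructed set of user credentials. Assumptions: the ISO 639-1 table is reduced to a small subset, the overlap check between strong and weak types is applied to the effective values (page defaults substituted for an unset parameter), and the credential type IDs come from the table above.

```python
# Subset of ISO 639-1 codes for the example; a deployment would use the full table.
# Includes the legacy codes iw, in and ji named on the page.
ISO_639_1_SUBSET = {"de", "en", "fr", "it", "es", "pt", "nl", "rm", "iw", "in", "ji"}

# Credential type IDs from the page's table (there is no type 7).
CREDENTIAL_TYPES = {
    1: "Password", 2: "Certificate", 3: "SecurID", 4: "Ticket", 5: "Safeword",
    6: "OTP", 8: "Temporary strong password", 9: "Generic credential",
    10: "Kerberos", 11: "mTAN", 12: "Vasco Digipass token", 13: "PUK",
    14: "URL ticket", 15: "Device password", 16: "Mobile signature",
    17: "SAML federation", 18: "Security question", 19: "Context password",
    20: "OATH", 21: "FIDO UAF", 22: "Recovery code", 23: "FIDO 2",
}
DEFAULT_LANGUAGES = ["de", "en", "fr", "it"]
DEFAULT_STRONG = {2, 3, 5, 8, 12}
DEFAULT_WEAK = {1, 4}


class PolicyError(ValueError):
    """Raised for a parameter value the policy rules reject."""


def parse_bracket_list(raw: str, allow_spaces: bool) -> list:
    """Parse '[a,b,c]' into item strings. '' (no brackets) is rejected; '[]' yields []."""
    if not (raw.startswith("[") and raw.endswith("]")):
        raise PolicyError(f"expected a bracketed list, got {raw!r}")
    body = raw[1:-1]
    if not allow_spaces and " " in body:
        raise PolicyError("spaces are not allowed in this list")
    if body.strip() == "":
        return []
    return [item.strip() for item in body.split(",")]


def validate_allowed_user_languages(raw):
    """allowed.user.languages: optional; when set, at least one valid ISO 639-1 code."""
    if raw is None:
        return list(DEFAULT_LANGUAGES)
    codes = parse_bracket_list(raw, allow_spaces=True)
    if not codes:
        raise PolicyError("allowed.user.languages cannot be empty")
    bad = [c for c in codes if c not in ISO_639_1_SUBSET]
    if bad:
        raise PolicyError(f"invalid language code(s): {bad}")
    return codes


def _credential_ids(raw: str) -> set:
    """Parse a credential type ID list and check every ID against the table."""
    ids = set()
    for item in parse_bracket_list(raw, allow_spaces=False):
        if not item.isdigit() or int(item) not in CREDENTIAL_TYPES:
            raise PolicyError(f"unknown credential type id {item!r}")
        ids.add(int(item))
    return ids


def validate_available_credential_types(raw):
    """availableCredentialTypes: unset or empty value means every type; '[]' means none."""
    if raw is None or raw == "":
        return set(CREDENTIAL_TYPES)
    return _credential_ids(raw)


def validate_strong_and_weak(strong_raw, weak_raw):
    """strongCredentialTypes / weakCredentialTypes: unset falls back to the default,
    an empty value is rejected, and no ID may appear in both effective sets."""
    strong = set(DEFAULT_STRONG) if strong_raw is None else _credential_ids(strong_raw)
    weak = set(DEFAULT_WEAK) if weak_raw is None else _credential_ids(weak_raw)
    if not strong or not weak:
        raise PolicyError("strong/weak credential type lists cannot be empty")
    overlap = strong & weak
    if overlap:
        raise PolicyError(f"credential type(s) {sorted(overlap)} listed as both strong and weak")
    return strong, weak


def credentials_to_deactivate(login_type, user_credential_types, strong, weak, enabled):
    """deactivateWeakCredentialsOnStrongLogin: after a login with a strong credential type,
    return the user's credential types that are weak and therefore get disabled."""
    if not enabled or login_type not in strong:
        return set()
    return {t for t in user_credential_types if t in weak}


def raises_policy_error(fn, *args) -> bool:
    """Helper for checks: True if the call is rejected with PolicyError."""
    try:
        fn(*args)
    except PolicyError:
        return True
    return False
```

The three list parameters look alike but differ in what an empty value means (all types for availableCredentialTypes, an error for the strong and weak lists, and an error for allowed.user.languages), which is why each has its own validation function rather than one shared rule.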

Authentication

authentication.loginWithEmail.enabled

  • Data type: boolean
  • Default: false
  • Description: Determines whether users of the referred client are allowed to log in with their e-mail address. It replaces the deprecated global parameter of the same name in nevisidm-prod.properties. When the property is true, all user e-mail addresses must be unique within their client (the unique_email property on the user). Data consistency is checked for every client on container startup and during runtime. If this property is not set, the following fallback rules apply: an explicit value in nevisidm-prod.properties is used if present; otherwise the default applies.

Search and navigation

search.wildcard.enabled

  • Data type: boolean
  • Default: false
  • Description: Enables the automatic wildcard search, i.e., all search values are automatically pre- and postfixed with wildcards.

search.user.loginid.casesensitive

  • Data type: boolean
  • Default: false
  • Description: Determines whether user searches by loginId are case-sensitive. If true, searches must be submitted in the correct case. Consider setting this to true only if you are not using an Oracle database, since case-insensitive searches perform well on Oracle.

search.pager.mode

  • Data type: String
  • Values: simple, wide
  • Default: simple
  • Description: Sets the page switcher display.

search.profile.rowsperpage

  • Data type: int
  • Default: 10
  • Description: Sets the maximum number of entries per page on the profile detail view.

search.profile.unitdisplayname.show

  • Data type: boolean
  • Default: false
  • Description: Enables the optional column "unit displayname" in the result table of the profile search.

search.profile.unitabbrname.show

  • Data type: boolean
  • Default: false
  • Description: Enables the optional column "unit abbreviation name" in the result table of the profile search.

search.dataroomrestrictions.enabled

  • Data type: boolean
  • Default: false
  • Description: Users in the client will have their search results restricted according to their data room.

gui.usersearch.defaultMode

  • Data type: String
  • Values: simple, advanced
  • Default: simple
  • Description: Controls the default search mode for the Search user view for each Client entity.

gui.usersearch.userstate.default

  • Data type: String
  • Values: active, disabled, archived
  • Default: none
  • Description: Specifies the state that will be used as default in the status dropdown list of the user search mask. If not set (or set to an invalid value), "all" will be used as default.

gui.profilesearch.profilestate.default

  • Data type: String
  • Values: active, disabled, archived
  • Default: none
  • Description: Specifies the state that will be used as default in the status dropdown list of the profile search mask. If not set (or set to an invalid value), "all" will be used as default.

unitSearch.enableClassicMode

  • Data type: boolean
  • Default: false
  • Description: Enable the classic mode for unit searches in the GUI instead of the JavaScript-based unit tree.

gui.unitTree.unauthorizedParents.visible

  • Data type: boolean
  • Default: true
  • Description: Controls the visibility of parent units in the unit tree explorer. If set to true, the whole path which leads from the root to a unit to which the user is authorized is visible, but the unauthorized parents are not selectable. If set to false, the first authorized unit in the tree becomes root, so that only authorized nodes are visible.

Selfadmin GUI

gui.selfadmin.email.change.allowed

  • Data type: boolean
  • Default: true
  • Description: Enable/disable the e-mail change in selfAdmin GUI.

gui.selfadmin.email.change.doubleInput

  • Data type: boolean
  • Default: false
  • Description: When set to true, creates an additional e-mail confirmation field if gui.selfadmin.email.change.allowed is also true. The two e-mail fields should receive the same input value. Can be combined with gui.selfadmin.email.change.verify.

gui.selfadmin.email.change.verify

  • Data type: boolean

  • Default: false

  • Description: Switches a verification process on when gui.selfadmin.email.change.allowed is also true. The user receives an e-mail with a one-time verification code to the new e-mail address. The user should then type this code in the verification input field. Only a successful verification makes the changes persistent. Can be combined with gui.selfadmin.email.change.doubleInput. The communication event is "Selfadmin ticket notification". Define e-mail templates for this event to use the verification procedure.

    The verify code is technically implemented with a ticket credential created with the Default Ticket Policy. The ticket policy parameter ticketReuseEnabled is ignored here — the ticket can be used only once.

    This can be combined with gui.selfadmin.mobile.change.verify, but e-mail and mobile cannot be changed in a single step. Change them in two separate steps.

gui.selfadmin.mobile.change.allowed

  • Data type: boolean
  • Default: true
  • Description: Enable/disable the mobile change in selfAdmin GUI.

gui.selfadmin.mobile.change.doubleInput

  • Data type: boolean
  • Default: false
  • Description: When set to true, the selfadmin GUI shows an additional mobile confirmation field. Precondition is that gui.selfadmin.mobile.change.allowed is also true. The user must enter the same value in both mobile fields; otherwise a corresponding error message is displayed. Can be combined with gui.selfadmin.mobile.change.verify.

gui.selfadmin.mobile.change.verify

  • Data type: boolean

  • Default: false

  • Description: Switches a verification process on. Precondition is that gui.selfadmin.mobile.change.allowed is also true. The user receives an SMS message with a one-time verification code to the new mobile phone number. The user should then type this code in the verification input field. Only a successful confirmation makes the changes persistent. Can be combined with gui.selfadmin.mobile.change.doubleInput. The corresponding communication event is "Selfadmin mobile notification". Define SMS templates for this event to use the verification procedure.

    This can be combined with gui.selfadmin.email.change.verify, but e-mail and mobile cannot be changed in a single step.

gui.selfadmin.mobile.change.maxTrials

  • Data type: int
  • Default: 3
  • Description: Configures the maximum number of subsequent unsuccessful mobile change trials in combination with enabled SMS verification. This feature prevents a malicious or unintentional SMS flood to a user's mobile device. All successful and unsuccessful trials are audited.

gui.selfadmin.mobile.change.ticketPolicyExtId

  • Data type: String

  • Default: none

  • Description: The verify code is technically implemented with a ticket credential. These special purpose tickets refer to the policy which you define via this parameter. The provided ticket policy must define the following parameters:

    • SMS_SMTP.smtp.host
    • SMS_SMTP.smtp.port
    • SMS_SMTP.message.from
    • SMS_SMTP.message.to
    • SMS_SMTP.message.subject

    The ticket policy parameter ticketReuseEnabled is ignored here — the ticket can be used only once.

GUI appearance and behavior

gui.redirect.enabled

  • Data type: boolean
  • Default: true
  • Description: If the user has no session anymore or it has expired, nevisIDM will redirect the user to the entrance page. This behavior can be disabled by setting gui.redirect.enabled=false. In that case, the user will not be redirected. This is especially helpful for direct links into nevisIDM.

gui.deputy.enabled

  • Data type: boolean
  • Default: false
  • Description: Controls the visibility of the subuser infrastructure in the GUI (see the chapter "Subuser concept").

gui.profileAdmin.multiRoleUnassign.enabled

  • Data type: boolean
  • Default: true
  • Description: Enable/disable multiple role unassignments. If true, the Unassign roles view is accessible from the profile administration view, allowing unassigning multiple non-nevisIDM roles from a profile in one step.

gui.mandatoryEnumProperties.initiallyNotSet

  • Data type: boolean
  • Default: false
  • Description: Determines the initially preselected value for mandatory enum properties. If true, the preselected value will be <not set> instead of the first available value.

gui.help.link.en

  • Data type: String
  • Default: none
  • Description: Sets the link for the Help button in the header of the nevisIDM GUI when the selected display language is English. If the parameter is not set, the Help button is hidden.

gui.help.link.de

  • Data type: String
  • Default: none
  • Description: Sets the link for the Help button in the header of the nevisIDM GUI when the selected display language is German. If the parameter is not set, the Help button is hidden.

gui.help.link.it

  • Data type: String
  • Default: none
  • Description: Sets the link for the Help button in the header of the nevisIDM GUI when the selected display language is Italian. If the parameter is not set, the Help button is hidden.

gui.help.link.fr

  • Data type: String
  • Default: none
  • Description: Sets the link for the Help button in the header of the nevisIDM GUI when the selected display language is French. If the parameter is not set, the Help button is hidden.

facing.css

  • Data type: String
  • Default: css/facing.css
  • Description: Specifies the path to the core stylesheet for this client. The path is cached in the user's session (which requires at least a logout on change) and is relative to the directory defined with the parameter web.gui.facing.location in nevisidm-prod.properties. Note: Do not try to specify different directory structures for different brandings — simply have different versions of facing.css in the same directories, e.g., specify css/facing-brand1.css or css/facing-brandX.css.

unit.indicator

  • Data type: String
  • Values: short, hierarchical
  • Default: short
  • Description: Indicates how the unit is displayed.
    • short: a short displayname based on unit name, localized displayname, and abbreviation name is used (e.g., 11010 - unit u1a en - u1a en)
    • hierarchical: the localized hierarchical name is used (e.g., unit u en >> unit u1 en >> unit u1a en)

User import

userBulkImport.ignoreInvalidEntries

  • Data type: boolean
  • Default: false
  • Description: Defines whether it is allowed to upload Excel documents that contain invalid rows. If true, valid rows will be imported even if the file contains invalid rows. The invalid rows will be ignored. If false, no user will be imported if the file contains invalid rows.

userBulkImport.maxEntries

  • Data type: int
  • Default: 100
  • Description: Defines the maximum number of users to be created by the import. The maximum value is limited to 65000.

userBulkImport.templateMode

  • Data type: String
  • Values: GENERATED, CUSTOM
  • Default: GENERATED
  • Description: Defines whether a generic or a custom template is used for the import.

userBulkImport.templatePath

  • Data type: String
  • Default: empty
  • Description: If CUSTOM template mode is used, this parameter defines the path of the template file.

userBulkImport.templateVersion

  • Data type: double
  • Default: 1.0
  • Description: Defines which template version has to be used.

Web service behavior

webservice.selfadmin.deleteCaller

  • Data type: String
  • Values: archive, delete
  • Default: archive
  • Description: Determines whether the caller is deleted or archived by the deleteCaller web service. If the value is delete, the caller will be deleted. If the value is archive, the caller will be archived.

Data classification

data.classifications

  • Data type: List
  • Default: null
  • Description: Allows configuring classification levels for supported entities. For details, see the chapter "Information classification with the REST API".

Address extension

address.ech0010.enabled

  • Data type: boolean
  • Default: false
  • Description: Controls the availability of the optional user address extension according to eCH-0010. If set to true, the attributes of the optional user address extension are available on the Web GUI. If set to false, the attributes of the optional user address extension are not visible on the Web GUI. Up to WebService version 1.37, eCH-0010 address extensions are present in the SOAP response depending on this parameter. From WebService version 1.38 on, they are included in SOAP responses by default.

Other features

application.feature.othergender.enabled

  • Data type: boolean
  • Default: false
  • Description: Enables the third possible gender option "other" for users of the client. Disabling this policy does not affect the already stored gender data of a user and its presentation. Note: The "other" gender is not supported in the user import feature.

user.email.unicode.allowed

  • Data type: boolean
  • Default: false
  • Description: Allows having unicode characters in e-mail addresses. An e-mail address is valid if it has a valid top level domain (TLD) and exactly one @ sign. This client policy has precedence over the configuration parameter application.feature.email.validation.enabled.

Migration hints for the "login with e-mail" feature

With the Client policy parameter authentication.loginWithEmail.enabled you can enable the "login with e-mail" feature. Additionally, you need the derived, technical attribute unique_email of the user table TIDMA_USER. You have to migrate user information manually. For this purpose:

  • Connect to the database with a client (for example, a MariaDB client, Oracle Instant Client or pgAdmin for PostgreSQL), and

  • Submit a statement such as the one in the following sample:

    • Before enabling:

      1. Manually make all e-mail addresses of users in that client unique.
      2. Execute the following SQL statement to copy them to the unique_email column:

         UPDATE TIDMA_USER
         SET unique_email = email,
             ctl_mod_uid = 'migration',
             ctl_mod_dat = SYSDATE,
             ctl_tcn = ctl_tcn + 1
         WHERE email is not null;

    • Before disabling: Nothing to do.
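A pre-check for the "make all e-mail addresses unique" step, followed by the UPDATE above run against an in-memory SQLite database, as an added example written for this page (not a nevisIDM script). It assumes a client_id column on TIDMA_USER (the page does not name the column that ties a user to its client), replaces Oracle's SYSDATE with a timestamp parameter because SQLite has none, and restricts the UPDATE to one client so that a client whose addresses still collide is left untouched. Duplicate detection folds case, the safer reading when the collation used for unique_email is not known.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed TIDMA_USER rows: (id, client_id, email). client_id is an assumed column name.
SAMPLE_USERS = [
    (1, 100, "alice@example.com"),
    (2, 100, "Alice@example.com"),   # same address as user 1 apart from case
    (3, 100, "bob@example.com"),
    (4, 200, "alice@example.com"),   # same address in another client: allowed
    (5, 200, None),                  # no e-mail: left alone by the UPDATE
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for TIDMA_USER with the columns the page's UPDATE touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE TIDMA_USER (
            id           INTEGER PRIMARY KEY,
            client_id    INTEGER NOT NULL,
            email        TEXT,
            unique_email TEXT,
            ctl_mod_uid  TEXT,
            ctl_mod_dat  TEXT,
            ctl_tcn      INTEGER NOT NULL DEFAULT 0
        )""")
    conn.executemany(
        "INSERT INTO TIDMA_USER (id, client_id, email) VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_duplicate_emails(conn, client_id) -> dict:
    """E-mail addresses used by more than one user of the client, compared case-insensitively.
    Returns {lower-cased address: number of users}."""
    rows = conn.execute("""
        SELECT lower(email), COUNT(*) FROM TIDMA_USER
        WHERE client_id = ? AND email IS NOT NULL
        GROUP BY lower(email) HAVING COUNT(*) > 1""", (client_id,)).fetchall()
    return {email: count for email, count in rows}


def migrate_unique_email(conn, client_id) -> int:
    """Copy email into unique_email for one client (the page's UPDATE with SYSDATE replaced
    by a parameter). Refuses to run while duplicates remain; returns the rows updated."""
    duplicates = find_duplicate_emails(conn, client_id)
    if duplicates:
        raise ValueError(f"client {client_id} still has duplicate e-mails: {duplicates}")
    now = datetime.now(timezone.utc).isoformat()
    cur = conn.execute("""
        UPDATE TIDMA_USER
        SET unique_email = email,
            ctl_mod_uid = 'migration',
            ctl_mod_dat = ?,
            ctl_tcn = ctl_tcn + 1
        WHERE email IS NOT NULL AND client_id = ?""", (now, client_id))
    conn.commit()
    return cur.rowcount


def migration_state(conn, user_id):
    """(unique_email, ctl_mod_uid, ctl_tcn) of one user, for checking the result."""
    return conn.execute(
        "SELECT unique_email, ctl_mod_uid, ctl_tcn FROM TIDMA_USER WHERE id = ?",
        (user_id,)).fetchone()


def migration_blocked(conn, client_id) -> bool:
    """True if the migration refuses the client because of duplicate addresses."""
    try:
        migrate_unique_email(conn, client_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    print("duplicates in client 100:", find_duplicate_emails(db, 100))
    print("rows migrated for client 200:", migrate_unique_email(db, 200))
    print("user 4 after migration:", migration_state(db, 4))
```

Running the duplicate query first matters because the page states that consistency is checked on container startup once authentication.loginWithEmail.enabled is true; finding the collisions beforehand, per client, avoids discovering them as a startup failure.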