Client policy
Client policies can be understood as client-specific configurations. Only one client policy per client is allowed.
| Name | Data type | Default | Description |
|---|---|---|---|
| address.ech0010. enabled | boolean | false | This parameter controls the availability of the optional user address extension according to eCH-0010. If set to "true", the attributes of the optional user address extension are available on the Web GUI. If set to "false", the attributes of the optional user address extension are not visible on the Web GUI. Up to WebService version 1.37 eCH-0010 address extensions will be present in the SOAP response depending on this parameter. From WebService version 1.38 they will be included into SOAP responses by default. Modifying is allowed for all of the supported WebService versions. |
| allowed.user. languages | String, comma-separated list surrounded by square brackets | [de, en, fr, it] Use the language code iw for Hebrew, in for Indonesian, and ji for Yiddish. | A comma-separated list of ISO-639-1 language codes. With this parameter set, the allowed languages of the given client’s users can be defined. If this parameter is set, user creation, user modification on the GUI and over SOAP, and user import on the GUI can only be executed successfully, if the given user’s language was part of the specified languages. The language of existing users won’t be adjusted automatically but the user is forced to choose an allowed language upon modification of a user. Notes and requirements: The parameter is optional, the default value will be used if the parameter is not set. However, if it is set, it must contain at least one valid ISO-639-1 language code. Examples:
|
| authentication. loginWithEmail. enabled | boolean | false | This parameter determines whether users of the referred client are allowed to log in with their e-mails or not. It replaces the global parameter in nevisidm-prod.properties file with the same name, which is deprecated now. When the property is true, all user e-mails have to be unique within their clients (the unique_email property on the user). Data consistency is being checked for every client on container startup and during runtime. If this property is not set, then these fallback rules apply: first we check for an explicit value in nevisidm-prod.properties file, else apply the default. |
| available CredentialTypes | int, comma-separated list surrounded by square brackets | none | A comma-separated list of credential type IDs (for possible values see below) surrounded by square brackets, no spaces allowed. Only credentials of the enumerated types can be created in the client. The available credential types can be defined in the unit policy as well. In this case, all credential types defined in the unit policies have to be defined in the client policy as well. The "availableCredentialTypes" parameter has to contain all credential type IDs which are defined in the unit policies. Possible values:
|
| create.user. country.default.id | int | -1 (not set) | Sets the default id of the country drop-down menu on the user create page. |
| create.user. language.default.id | int | -1 (not set) | Sets the default ID of the language drop-down menu in the New user view. If the value is not set or invalid (e.g., not defined in the policy parameter allowed.user.languages), then the system sets the language in the drop-down menu based on the request locale, if possible. Otherwise, the language of the drop-down menu is based on the nevisIDM default language. |
| create.user.loginid. uniquenesscheck. casesensitive | boolean | false | When creating a user, uniqueness of the loginID is checked. If this parameter is true, this check is done case-sensitive. If this parameter is false, this check is done case-insensitive. Setting this parameter to true might improve performance in certain databases. If you enable this parameter you have to guarantee case-insensitive uniqueness of loginIDs by other means. Else you risk inconsistent loginIDs. This parameter has no effect on the constraint that loginIDs must be unique, ignoring case. If this parameter is true, the attempted creation of a user with a loginID that differs only in case from an already existing loginID will result in an Exception. E.g., when attempting to insert a user with loginID UserLoginId when USERLoginId already exists. |
| data.classifications | List | null | This parameter allows configuring classification levels for supported entities. For details, see the chapter "Information classification with the REST API". |
| deactivateWeak CredentialsOn StrongLogin | boolean | false | If this parameter is true, the user's weak credentials will be disabled if the user logs in with a strong credential. The list of weak and strong credential types can be defined by setting the weakCredentialTypes and strongCredentialTypes parameters. |
| facing.css | string | css/facing.css | Specifies the path to the core stylesheet for this client. The path is cached in the user’s session (which requires at least a logout on change) and relative to the directory defined with the parameter web.gui.facing.location in the configuration file nevisidm-prod.properties (see the chapter "nevisidm-prod.properties"). |
| gui.create.application. extid.setmanually | boolean | false | Allows you to manually set the extId of created applications. If false, the extId is autogenerated. |
| gui.create.credential. extid.setmanually | boolean | false | Allows you to manually set the extId of created credentials. If false, the extId is autogenerated. |
| gui.create.enterpriserole. extid.setmanually | boolean | false | Allows you to manually set the extId of created enterprise roles. If false, the extId is autogenerated. |
| gui.create.policyconfig. extid.setmanually | boolean | false | Allows you to manually set the extId of created policy configurations. If false, the extId is autogenerated. |
| gui.create.profile. extid.setmanually | boolean | false | Allows you to manually set the extId of created profiles. If false, the extId is autogenerated. |
| gui.create.template. extid.setmanually | boolean | false | Allows you to manually set the extId of created templates. If false, the extId is autogenerated. |
| gui.create.unit. extid.setmanually | boolean | false | Allows you to manually set the extId of created units. If false, the extId is autogenerated. |
| gui.create.user. extid.setmanually | boolean | false | Allows you to manually set the extId of created users. If false, the extId is autogenerated. |
| gui.create.role. extid.setmanually | boolean | false | This parameter allows manual setting of the extId of the created role. If set to false, nevisIDM autogenerates the extId. If in this case the associated applications belong to multiple clients, nevisIDM takes the client policy of the first client (that is, the client whose name comes first alphabetically). Therefore, we recommend enabling this parameter for all affected clients. |
| gui.deputy.enabled | boolean | false | This parameter controls the visibility of the subuser infrastructure in the GUI (see the chapter "Subuser concept"). |
| gui.help.link.en | string | none | This parameter sets the link for the Help button in the header of the nevisIDM GUI, if the selected display language is English. If the parameter is not set, the Help button is hidden. |
| gui.help.link.de | string | none | This parameter sets the link for the Help button in the header of the nevisIDM GUI, if the selected display language is German. If the parameter is not set, the Help button is hidden. |
| gui.help.link.it | string | none | This parameter sets the link for the Help button in the header of the nevisIDM GUI, if the selected display language is Italian. If the parameter is not set, the Help button is hidden. |
| gui.help.link.fr | string | none | This parameter sets the link for the Help button in the header of the nevisIDM GUI, if the selected display language is French. If the parameter is not set, the Help button is hidden. |
| gui.mandatoryEnum Properties.initiallyNotSet | boolean | false | This parameter determines the initially preselected value for mandatory enum properties. If the parameter is true, the preselected value will be <not set>, instead of the first available value. |
| gui.profileAdmin. multiRoleUnassign.enabled | boolean | true | Enable/disable multiple role unassignments. If the parameter is true, the Unassign roles view is accessible from the profile administration view. This view allows unassigning multiple non-nevisIDM roles from a profile in one step. |
| gui.profilesearch. profilestate.default | string | none | This parameter specifies the state that will be used as default in the status dropdown list of the profile search mask. It can be set to active, disabled, archived. If it is not set (or set to an invalid value), "all" will be used as default. |
| gui.redirect.enabled | boolean | true | If the user has no session anymore or it has expired, nevisIDM will redirect the user to the entrance page. This behavior can be disabled by setting gui.redirect.enabled=false in the client policy. In that case, the user will not be redirected. This is especially helpful for direct links into nevisIDM. |
| gui.selfadmin.email. change.allowed | boolean | true | Enable/disable the e-mail change in selfAdmin GUI. |
| gui.selfadmin.email. change.doubleInput | boolean | false | This parameter, when set to true, creates an additional e-mail confirmation field if gui.selfadmin.email.change.allowed is also true. The two e-mail fields should receive the same input value. Can be combined with gui.selfadmin.email.change.verify. |
| gui.selfadmin.email. change.verify | boolean | false | This parameter switches a verification process on, when gui.selfadmin.email.change.allowed is also true. The user receives an e-mail with a one-time verification code to the new e-mail address. The user should then type this code in the verification input field. Only a successful verification makes the changes persistent. Can be combined with gui.selfadmin.email.change.doubleInput. The communication event is then "Selfadmin ticket notification". Define e-mail templates for this event to use the verification procedure. This can also be combined with gui.selfadmin.mobile.change.verify, but it is not allowed to change e-mail and mobile in one stroke. Change e-mail and mobile in a two-step-process. The verify code is technically implemented with a ticket credential that will be created with the Default Ticket Policy. The ticket policy parameter ticketReuseEnable is ignored here, the ticket can be used only once. |
| gui.selfadmin.mobile. change.allowed | boolean | true | Enable/disable the mobile change in selfAdmin GUI. |
| gui.selfadmin.mobile. change.doubleInput | boolean | false | With this parameter set to true, the selfadmin GUI holds an additional mobile confirmation field. Precondition is that gui.selfadmin.mobile.change.allowed is also true. The user must enter the same value in both mobile fields, else a corresponding error message will be displayed. Can be combined with gui.selfadmin.mobile.change.verify. |
| gui.selfadmin.mobile. change.maxTrials | int | 3 | Configures the maximum number of subsequent unsuccessful mobile change trials in combination with enabled SMS verification. This feature prevents a malicious or unintentional SMS flood to some user’s mobile device. All the successful and unsuccessful trials are audited. |
| gui.selfadmin.mobile. change.ticketPolicyExtId | string | - | The verify code is technically implemented with a ticket credential. These special purpose tickets refer to the policy which you define via this parameter. The provided ticket policy must define the following parameters:SMS_SMTP.smtp.hostSMS_SMTP.smtp.portSMS_SMTP.message.fromSMS_SMTP.message.toSMS_SMTP.message.subject.The ticket policy parameter ticketReuseEnabled is ignored here, the ticket can be used only once. |
| gui.selfadmin.mobile. change.verify | boolean | false | This parameter switches a verification process on. Precondition is that gui.selfadmin.mobile.change.allowed is also true. The user receives an SMS message with a one-time verification code to the new mobile phone number. The user should then type this code in the verification input field. Only a successful confirmation makes the changes persistent. Can be combined with gui.selfadmin.mobile.change.doubleInput. The corresponding communication event is "Selfadmin mobile notification".Define SMS templates for this event to use the verification procedure. (Appendix B - Template Examples) This can be combined also with gui.selfadmin.email.change.verify, but it is not allowed to change e-mail and mobile in one stroke. Change e-mail and mobile in a two-step-process. |
| gui.unitTree. unauthorizedParents. visible | boolean | true | This controls the visibility of parent units in the unit tree explorer. If set to true, the whole path which leads from the root to a unit to which the user is authorized is visible, but the unauthorized parents are not selectable. If set to false, the first authorized unit in the tree becomes root, so that only authorized nodes are visible. |
| gui.usersearch. defaultMode | string | simple | This parameter controls the default search mode for the Search user view, for each Client entity. The default search mode is "simple". For the expanded search mode, set the attribute to "advanced". |
| gui.usersearch. userstate.default | string | none | This parameter specifies the state that will be used as default in the status dropdown list of the user search mask. It can be set to active, disabled, archived. If it is not set (or set to an invalid value), "all" will be used as default. |
| loginIdGenerator. enabled loginIdGenerator. minValue loginIdGenerator. maxValue loginIdGenerator. prefix | - | - | Settings of the login ID generator. The generator is disabled by default. The following settings are available:
For example, if the default client ID is "100", and the default maximum value is "999999", you need to update the table as follows: update tidma_login_id_generation set current_value=999999 where client_id=100; |
| search.dataroom restrictions.enabled | boolean | false | Users in the client will have their search result restricted according to their data room. |
| search.pager.mode | string | simple | Sets the page switcher display. Valid values are "simple" or "wide". |
| search.profile. rowsperpage | int | 10 | Sets the maximum number of entries per page on the profile detail view. |
| search.profile. unitabbrname.show | boolean | false | Enables the optional column "unit abbreviation name" in the result table of the profile search. |
| search.profile. unitdisplayname.show | boolean | false | Enables the optional column "unit displayname" in the result table of the profile search. |
| search.user. loginid.casesensitive | boolean | false | This parameter determines if user searches by loginId are case-sensitive. Setting the parameter true requires searches to be submitted in the correct case. This has to be made sure by the customer. Consider setting the parameter true only if using a MySQL database, since Oracle case-insensitive searches perform quite well. |
| search.wildcard. enabled | boolean | false | Enables the automatic wildcard search, i.e., all search values are automatically pre- and postfixed with wildcards. |
| strongCredentialTypes | int, comma-separated list surrounded by square brackets | 2 - Certificate 3 – SecurID 5 – Safeword 8 - Temp. strong password 12 - Vasco Digipass token | A comma-separated list of credential type IDs (for possible values see below) surrounded by square brackets, no spaces allowed. The credential types listed in this parameter are considered as strong credentials. Possible values:
weakCredentialTypes and strongCredentialTypes cannot contain the same credential id.Example:
|
| unit.indicator | string | short | This parameter indicates how the unit is displayed. short: a short displayname based on unit name, localized displayname and abbreviation name is used (e.g., 11010 - unit u1a en - u1a en) hierarchical: the localized hierarchical name ist used (e.g., unit u en >> unit u1 en >> unit u1a en) |
| unitSearch. enableClassicMode | boolean | false | Enable the classic mode for unit searches in the GUI instead of the JavaScript-based unit tree. |
| userBulkImport. ignoreInvalidEntries | boolean | false | This parameter is used for the user import feature. It defines whether it is allowed to upload not only flawless excel documents. If the parameter is true, the valid rows will be imported even if the excel file contains invalid rows as well. The invalid rows will be ignored. If the parameter is false, no user will be imported if the excel file contains invalid rows. |
| userBulkImport. maxEntries | int | 100 | This parameter is used for the user import feature. It defines the maximum number of users to be created by the import. The maximum value is limited to 65000. |
| userBulkImport. templateMode | string | GENERATED | This parameter is used for the user import feature. It defines whether a generic or a custom template is used for the import. Its value can be GENERATED or CUSTOM. |
| userBulkImport. templatePath | string | empty | This parameter is used for the user import feature. If custom template is used, this parameter defines the path of the template file. |
| userBulkImport. templateVersion | double | 1.0 | This parameter is used for the user import feature. It defines which template version has to be used. |
| validation. mobileSignature. msisdn.unique | boolean | false | Enable/disable uniqueness check of the MSISDN of mobile signature credentials. If the parameter is true, the MSISDN of the mobile signature credentials has to be unique per client. Otherwise, no uniqueness check is applied for MSISDNs. |
| validation.user. email.mandatory | boolean | true | Defines whether the user’s e-mail address is mandatory or optional. |
| validation.user. firstname.mandatory | boolean | true | Defines whether the user’s first name is mandatory or optional. |
| validation.user. mobile.mandatory | boolean | false | Defines whether the user’s mobile number is mandatory or optional. |
| validation.user. mobile.unique | boolean | false | Defines whether the user's mobile phone number must be unique per client. Uniqueness is checked by string comparison. There is no semantic comparison that checks whether two mobiles are logically identical (by handling spaces, country prefix, etc.). Use validation.user.phone.regex to enforce a specific format. |
| validation.user. name.mandatory | boolean | true | Defines whether the user’s name is mandatory or optional. |
| validation.user. sex.mandatory | boolean | false | Defines whether the user’s sex is mandatory or optional. |
| validation.user. country.mandatory | boolean | false | Defines whether the user’s country is mandatory or optional. |
| validation.user. phone.regex | string | none, i.e., no validation check performed | Regular expression for input validation of telephone, telefax and mobile. Example: `^(+ |
| weakCredentialTypes | int, comma-separated list surrounded by square brackets | 1 - Password 4 – Ticket | A comma-separated list of credential type IDs (for possible values see below) surrounded by square brackets, no spaces allowed. The credential types listed in this parameter are considered as weak credentials. If the deactivateWeakCredentialsOnStrongLogin parameter is true, the user's weak credentials will be disabled, if the user logs in with a strong credential.Possible values:
weakCredentialTypes and strongCredentialTypes cannot contain the same credential id.Example:
|
| webservice. selfadmin.deleteCaller | String, possible values: archive, delete | archive | This parameter determines whether the caller is deleted or archived by the deleteCaller web service. If the value of the parameter is "deleted", the caller will be deleted. If the value of the parameter is "archive", the caller will be archived. |
| application.feature. othergender.enabled | Boolean | false | This parameter enables the third possible gender option "other" for users of the client. Disabling this policy does not affect the already stored gender data of a user and its presentation. Note: The "other" gender is not supported on the user import feature. |
| user.email. unicode.allowed | boolean | false | This parameter allows having unicode characters in e-mail addresses. An e-mail address is valid if it has a valid top level domain (TLD) and exactly one @ sign. This client policy has precedence over the configuration parameter application.feature.email.validation.enabled. For more information on the parameter application.feature.email.validation.enabled, see Configuration files. |
Migration hints for the "login with e-mail" feature
With the Client policy parameter authentication.loginWithEmail.enabled you can enable the "login with e-mail" feature (for a description, see the previous table). Additionally, you need the derived, technical attribute unique_email of the user table TIDMA_USER. You have to migrate user information manually. For this purpose,
Connect to the database with a client (for example, a MariaDB client or Oracle Instant Client), and
Submit a statement such as you can see in the following samples:
Before enabling:
- Manually make all email addresses of users in that client unique.
- Execute the SQL statement to copy them to the unique_email column.
UPDATE TIDMA_USER
SET unique_email = email,
ctl_mod_uid = 'migration',
ctl_mod_dat = SYSDATE,
ctl_tcn = ctl_tcn + 1
WHERE email is not null;Before disabling: Nothing to do.