Users - Start-up guide
This guide must be followed before you can start to use the system.
This article describes the steps that must be completed for the Users package in Smart ID before you can start to use the system. The Users package includes many options; they have default settings that can be changed and are described in Users - Options. The other packages also have options.
Add users-beans.xml
To use the Users package, create a users-beans.xml file with the following content:
users-beans.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
  <description>
    Custom Spring configuration for distribution project -> PRIME Identity Management
  </description>

  <!-- START beginning patch get user data from logged in user (ussp) -->
  <bean id="UsersLoadLoggedInUserDataTask" class="de.vps.act.processexecution.delegation.ActionBasedJavaDelegate">
    <property name="action" ref="UsersLoadLoggedInUserDataAction"/>
  </bean>
  <bean id="UsersLoadLoggedInUserDataAction" class="de.vps.act.action.coreobjects.CoreObjectSearchManagerExecutingAction">
    <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
    <property name="coreTemplateName" value="UsersCt"/>
    <property name="filterProvider">
      <bean class="de.vps.act.kernel.datasource.filter.provider.SecurityIdentifierBasedFilterProvider">
        <property name="filterField" value="coreObject_id"/>
        <property name="securityIdentitiesExtractor" ref="securityIdentitiesExtractor"/>
      </bean>
    </property>
  </bean>
  <!-- END patch get user data from logged in user -->

  <!-- END non filtering filter to pass all data fields to ussp instead of data pool related fields not only necessary for stella (R&S) -->

  <!-- START USSP can't handle Juel Expression - Definition to clear Juel Expression -->
  <!-- The temporary pre-login user's password is stored here as a plain-text literal;
       protect this file accordingly -->
  <bean id="preLoginRequest" class="de.nexus.prime.auth.rest.model.PreLoginRequest">
    <property name="temporaryUser" value="preLoginProcessUSSPUser"/>
    <property name="password" value="1234"/>
  </bean>
  <bean id="UsersLoadPreLoggedInUserDataTask" class="de.vps.act.processexecution.delegation.ActionBasedJavaDelegate">
    <property name="action" ref="UsersLoadPreLoggedInUserDataAction"/>
  </bean>
  <bean id="UsersLoadPreLoggedInUserDataAction" class="de.vps.act.action.coreobjects.CoreObjectSearchManagerExecutingAction">
    <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
    <property name="coreTemplateName" value="UsersCt"/>
    <property name="filterProvider" ref="UsersLoadPreLoggedInUserDataProvider"/>
  </bean>
  <bean id="UsersLoadPreLoggedInUserDataProvider" class="de.vps.act.domain.searcharea.filterprovider.SearchFieldBasedFilterProvider">
    <property name="juelExpressionResolver" ref="juelExpressionResolver"/>
    <property name="searchFields">
      <util:list>
        <bean class="de.vps.act.domain.searcharea.SearchField"
              p:searchCondition="EQUALS"
              p:value="#{'$'}{UsersDp_Email}"
              p:dataType="STRING">
          <constructor-arg value="Email"/>
        </bean>
      </util:list>
    </property>
  </bean>
  <bean id="loginProcessUser" class="java.lang.String">
    <constructor-arg value="loginProcessUser"/>
  </bean>
  <!-- END USSP Pre-Loginprocess "Forget Password" -->
</beans>
Place the file in <path to operator>/spring.
If docker-compose is running, enter this command for the changes to apply:
docker-compose up -d --force-recreate
Change the batch synchronization role
For the batch synchronization functionality ("BatchSync") to work, you must set the role that is permitted to run it in the docker-compose.yml file.
Open docker-compose.yml for editing.
In the 'ENVIRONMENT > SYSTEM_PROPERTIES' section for IDM operator, make sure that the following parameter exists:
"batchSync.permissionRole": "Administrator"
Example: batchSync.permissionRole is added to docker-compose.yml
docker-compose.yml
....
environment:
  - 'SYSTEM_PROPERTIES={
        "batchSync.permissionRole": "Administrator",
        "zipPacker.signZip": true,
        "zipUnpacker.verifyZip": true
      }'
......
If docker-compose is running, enter this command for the changes to apply:
docker-compose up -d --force-recreate
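The following Python script is an added example, not code from Smart ID or its documentation. It checks the two files edited above before the containers are recreated: it parses users-beans.xml and reports ref attributes that point at bean ids defined neither in the file nor in the operator's base context, and lists beans that carry a literal password value; and it parses the SYSTEM_PROPERTIES string as strict JSON and checks that batchSync.permissionRole is present and non-empty, so a trailing comma or a typo in the property name is caught before docker-compose is run. Two things are assumptions, not stated on the page: that coreObjectSearchManager, securityIdentitiesExtractor and juelExpressionResolver are provided by the operator's own Spring context, and that the value of SYSTEM_PROPERTIES must be valid JSON. The sample inputs are constructed, trimmed-down versions of the two configurations, with one deliberately dangling ref.

```python
"""Pre-flight checks for the two files edited in this guide.

Added example; not part of the Smart ID product or its documentation.
Assumptions (the page does not say): the three EXTERNAL_BEANS below come
from the operator's base Spring context, and SYSTEM_PROPERTIES is parsed
as strict JSON.
"""
import json
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"

# Bean ids that users-beans.xml references but does not define.
# Assumption: they are supplied by the operator's own context, so not errors.
EXTERNAL_BEANS = {
    "coreObjectSearchManager",
    "securityIdentitiesExtractor",
    "juelExpressionResolver",
}

# Property that the "Change the batch synchronization role" step requires.
REQUIRED_PROPERTIES = ("batchSync.permissionRole",)


def check_bean_refs(xml_text, external=EXTERNAL_BEANS):
    """Return (unresolved_refs, beans_with_literal_password) for a Spring beans file.

    unresolved_refs: ref="..." targets that no bean in the file defines and that
        are not in `external`; a typo here only surfaces when the container starts.
    beans_with_literal_password: ids of beans whose <property name="password">
        has a plain value attribute, so the file must be protected like a secret.
    """
    root = ET.fromstring(xml_text)
    beans = list(root.iter(f"{{{BEANS_NS}}}bean"))   # includes nested beans
    defined = {b.get("id") for b in beans if b.get("id")}
    refs = {el.get("ref") for el in root.iter() if el.get("ref")}
    unresolved = sorted(r for r in refs if r not in defined and r not in external)
    with_password = sorted(
        b.get("id") or "(anonymous bean)"
        for b in beans
        for prop in b.findall(f"{{{BEANS_NS}}}property")
        if prop.get("name") == "password" and prop.get("value") is not None
    )
    return unresolved, with_password


def check_system_properties(value):
    """Validate the SYSTEM_PROPERTIES string from docker-compose.yml.

    Returns (ok, problems). Strict JSON is used, so a trailing comma before the
    closing brace, easy to leave behind when editing, is reported as an error.
    """
    try:
        props = json.loads(value)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(props, dict):
        return False, ["top-level value must be a JSON object"]
    problems = [f"missing {key}" for key in REQUIRED_PROPERTIES if key not in props]
    role = props.get("batchSync.permissionRole")
    if role is not None and (not isinstance(role, str) or not role.strip()):
        problems.append("batchSync.permissionRole must be a non-empty string")
    return not problems, problems


# Constructed, trimmed-down users-beans.xml for the demonstration. It keeps the
# bean ids from the guide and adds one deliberately dangling ref, "noSuchProvider".
SAMPLE_BEANS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="UsersLoadLoggedInUserDataTask"
        class="de.vps.act.processexecution.delegation.ActionBasedJavaDelegate">
    <property name="action" ref="UsersLoadLoggedInUserDataAction"/>
  </bean>
  <bean id="UsersLoadLoggedInUserDataAction"
        class="de.vps.act.action.coreobjects.CoreObjectSearchManagerExecutingAction">
    <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
    <property name="filterProvider" ref="noSuchProvider"/>
  </bean>
  <bean id="preLoginRequest" class="de.nexus.prime.auth.rest.model.PreLoginRequest">
    <property name="temporaryUser" value="preLoginProcessUSSPUser"/>
    <property name="password" value="1234"/>
  </bean>
</beans>
"""

# Constructed SYSTEM_PROPERTIES values: one with a trailing comma, one corrected.
SYSTEM_PROPERTIES_TRAILING_COMMA = (
    '{ "batchSync.permissionRole": "Administrator", '
    '"zipPacker.signZip": true, "zipUnpacker.verifyZip": true, }'
)
SYSTEM_PROPERTIES_FIXED = (
    '{ "batchSync.permissionRole": "Administrator", '
    '"zipPacker.signZip": true, "zipUnpacker.verifyZip": true }'
)

if __name__ == "__main__":
    unresolved, with_password = check_bean_refs(SAMPLE_BEANS_XML)
    print("unresolved refs:", unresolved)                  # ['noSuchProvider']
    print("beans with literal password:", with_password)  # ['preLoginRequest']
    for label, text in (("trailing comma", SYSTEM_PROPERTIES_TRAILING_COMMA),
                        ("fixed", SYSTEM_PROPERTIES_FIXED)):
        print(label, check_system_properties(text))
```

To use it on a real deployment, pass the contents of the users-beans.xml you placed under spring/ to check_bean_refs and the SYSTEM_PROPERTIES value from docker-compose.yml to check_system_properties. Treat any unresolved ref as an error unless you know the bean is defined in another context file; whether the product's own parser tolerates a trailing comma is not documented on this page, so strict JSON is the safe target.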
Step-by-step instruction for the administrator
Log in to Identity Manager Admin
Log in to Identity Manager Admin as administrator. The default login credentials are username admin, password admin.
Change the administrator password as part of the start-up; the default is publicly documented.
Upload the users package in Identity Manager Admin
In Identity Manager Admin, select the Configuration File tab.
Click Upload configuration.
Click Select file and search for the Users.zip file.
Click Upload.
For information about how to change default use case settings, see Users - Options.
Option: Change the default roles that shall be visible in Identity Manager Operator
The default roles that shall be visible in Identity Manager Operator are listed in a CSV file that is included in Users.zip.
By default, the following roles for Identity Manager Operator are set:
Approver
Self-Service user
Operator
To change the default roles that shall be visible in Identity Manager Operator, for example, add a role, you must first add it in the CSV file and then also add it in Identity Manager Admin:
1. Change or update the CSV file:
   a. Open the CSV file for editing.
   b. Add or change the text for the roles in the file. For example, add a role called "Helpdesk".
2. Update Identity Manager Admin:
   a. Go to Home > Roles.
   b. To add a role, click New. Add, for example, the role "Helpdesk", as you added in the CSV file in step 1b. Click Save and Edit.
   c. In the Permissions tab, select the permissions for the role.
   d. Click Save.
Identity Manager Admin can include more roles than in the CSV file, but those roles are only used in Identity Manager Admin. The permissions for those roles are set under "General Admin".
Set options
There are options that can be set for many of the use cases. These are described here: Users - Options.
Set the options that need to be changed from the default values.
Step-by-step instruction for the operator
Log in to Identity Manager Operator
Log in to Identity Manager Operator with your user account.
The first time you log in to Identity Manager Operator, use the default credentials: username operator, password operator.
Change the operator password as part of the start-up; the default is publicly documented.
Upload the default roles in Identity Manager Operator
In the Quick search drop-down list, select Default roles.
Click Upload default roles.
Search for the CSV file and upload it.
When you have uploaded the default roles, you can edit the roles for a user. See Edit roles.
You can also create default roles manually, see Create default role manually.
Create reasons
When you deactivate, activate, lock, or delete a user in Identity Manager Operator, you must enter a reason. The reasons must be created before you start to use the system.
For more information, see Create reason.
Create identifier
When you create a user in Identity Manager Operator, you must set an identifier that will be used for personal identification of the user. The identifier can be, for example, a passport, driver's license, national ID card, or health card. The identifier must be created before you start to use the system.
For more information, see Create identifier.