Users - Start-up guide

1. To use the Users package, create a users-beans.xml file with the following information:

   users-beans.xml

   CODE

   <?xml version="1.0" encoding="UTF-8"?>
   <beans xmlns="http://www.springframework.org/schema/beans"
              xmlns:util="http://www.springframework.org/schema/util"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:p="http://www.springframework.org/schema/p"
              xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
   
   
           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
   
           <description>
                   Custom Spring configuration for distribution project -> PRIME Identity Management
           </description>
   
           <!-- START beginning patch get user data from logged in user (ussp)-->
           <bean id="UsersLoadLoggedInUserDataTask" class="de.vps.act.processexecution.delegation.ActionBasedJavaDelegate">
                   <property name="action" ref="UsersLoadLoggedInUserDataAction"/>
           </bean>
   
           <bean id="UsersLoadLoggedInUserDataAction" class="de.vps.act.action.coreobjects.CoreObjectSearchManagerExecutingAction">
                   <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
                   <property name="coreTemplateName" value="UsersCt"/>
                   <property name="filterProvider">
                           <bean class="de.vps.act.kernel.datasource.filter.provider.SecurityIdentifierBasedFilterProvider">
                                   <property name="filterField" value="coreObject_id"/>
                                   <property name="securityIdentitiesExtractor" ref="securityIdentitiesExtractor"/>
                           </bean>
                   </property>
           </bean>
           <!-- END patch get user data from logged in user -->
   
   
           <!-- END non filtering filter to pass all data fields to ussp instead of data pool related fields not only necessary for stella (R&S) -->
   
           <!-- START USSP can't handle Juel Expression - Definiition to clear Juel Expression -->
           <bean id="preLoginRequest" class="de.nexus.prime.auth.rest.model.PreLoginRequest">
                   <property name="temporaryUser" value="preLoginProcessUSSPUser"/>
                   <property name="password" value="1234"/>
           </bean>
   
           <bean id="UsersLoadPreLoggedInUserDataTask" class="de.vps.act.processexecution.delegation.ActionBasedJavaDelegate">
                   <property name="action" ref="UsersLoadPreLoggedInUserDataAction"/>
           </bean>
   
           <bean id="UsersLoadPreLoggedInUserDataAction" class="de.vps.act.action.coreobjects.CoreObjectSearchManagerExecutingAction">
                   <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
           <property name="coreTemplateName" value="UsersCt"/>
           <property name="filterProvider" ref="UsersLoadPreLoggedInUserDataProvider" />
           </bean>
   
           <bean id="UsersLoadPreLoggedInUserDataProvider" class="de.vps.act.domain.searcharea.filterprovider.SearchFieldBasedFilterProvider">
           <property name="juelExpressionResolver" ref="juelExpressionResolver"/>
           <property name="searchFields">
               <util:list>
                   <bean class="de.vps.act.domain.searcharea.SearchField" p:searchCondition="EQUALS" p:value="#{'$'}{UsersDp_Email}" p:dataType="STRING">
                       <constructor-arg value="Email"/>
                   </bean>
               </util:list>
           </property>
           </bean>
   
           <bean id="loginProcessUser" class="java.lang.String">
                   <constructor-arg value="loginProcessUser"/>
           </bean>
   
           <!-- END USSP Pre-Loginprocess "Forget Password" -->
   
   </beans>

2. Place the file in <path to operator>/spring.

3. If docker-compose is running, enter this command for the changes to apply:

   CODE

   docker-compose up -d --force-recreate

For the synchronization functionality to work (that is, "BatchSync") you must define the new role in the docker-compose.yml file

1. Open docker-compose.yml for editing.
2. In the 'ENVIRONMENT > SYSTEM_PROPERTIES' section for IDM operator, make sure that the following parameter exists:

   1. "batchSync.permissionRole": "Administrator"
      
      Example: batchSync.permissionRole is added to docker-compose.yml

      docker-compose.yml

      CODE

      ....
          environment:
            - 'SYSTEM_PROPERTIES={
      		  "batchSync.permissionRole": "Administrator",
                "zipPacker.signZip": true,
                "zipUnpacker.verifyZip": true,
              }'
      ......

3.  If docker-compose is running, enter this command for the changes to apply:

   CODE

   docker-compose up -d --force-recreate

• Log in to Identity Manager Admin as administrator. Default login credentials are username: admin, password: admin.

  

  It is recommended to change the password for the administrator user.

1. In Identity Manager Admin, select the Configuration File tab.
2. Click Upload configuration. 
3. Click Select file and search for the Users.zip file.
4. Click Upload.

For information about how to change default use case settings, see Users - Options.

The default roles that shall be visible in Identity Manager Operator are listed in a CSV file that is included in the users.zip.

By default, the following roles for Identity Manager Operator are set:

• Approver
• Self-Service user
• Operator
  

To change the default roles that shall be visible in Identity Manager Operator, for example, add a role, you must first add it in the CSV file and then also add it in Identity Manager Admin:

1. Change or update the CSV file:
   1. Open the CSV file for editing.
   2. Add or change the text for the roles in the file. For example, add a role called "Helpdesk".
2. Update Identity Manager Admin:
   1. Go to Home > Roles.
   2. To add a role click New. Add, for example, the role "Helpdesk", as you added in the CSV file in step 1b. Click Save and Edit.
   3. In the Permissions tab, select the permissions for the role.
   4. Click Save.

Identity Manager Admin can include more roles than in the CSV file, but those roles are only used in Identity Manager Admin. The permissions for those roles are set under "General Admin".

There are options that can be set for many of the use cases. These are described here: Users - Options.

• Set the options that need to be changed from the default values.

• Log in to Identity Manager Operator with your user account.

  

  The first time you log in to Identity Manager Operator, use these credentials, username: operator, password: operator.

  It is recommended to change the password for the operator.

1. In the Quick search drop-down list, select Default roles.
   
2. Click Upload default roles.
3. Search for the CSV file and upload it.

When you have uploaded the default roles, you can edit the roles for a user. See Edit roles.

You can also create default roles manually, see Create default role manually.

When you deactivate, activate, lock, or delete a user in Identity Manager Operator, you must enter a reason. The reasons must be created before you start to use the system.

For more information, see Create reason.

When you create a user in Identity Manager Operator, you must set an identifier that will be used for personal identification of the user. The identifier can be, for example, passport, driver license, national ID card, or health card. The identifier must be created before you start to use the system.

For more information, see Create identifier.

• Users LDAP - Start-up guide
• Users CSV - Start-up guide
• Shared credentials - Start-up guide
• Cards - Start-up guide
• Temporary cards - Start-up guide
• Mobile ID - Start-up guide
• Virtual smart card - Start-up guide
• Users - Options