
Settings

Definition

The Settings are a key/value store of properties that are configured per tenant and on different services (Identity, Business, Synchronization and Audit).

Each service is managed in its own tab.

There are two types of Settings:

  • Built-in: these Settings are predefined and they can be updated but not deleted.

  • Configurable: these Settings are created by the administrator, they can be updated and deleted.

Configuration

You can access the Settings configuration:

  • by clicking on "System" → Settings

  • by clicking on "System" → "Configurations" → the service the element depends on, then performing an import/export.

Properties

Property name | Type | Mandatory | Description | Values (default value in bold) | Modifiable after creation
Identifier | String | YES | The id is the unique identifier of each Setting. By convention it begins with the service trigram, followed by a dot-separated sequence of key parts. Example: idm.search.max-size | - | NO
Type | String | YES | Defines the type of the value stored by the Setting. | Boolean, Byte, Byte Array, Character, Date, Date and Time, Double, Duration, Enum, Float, Integer, Json, Long, Object, Short, String, Secret, Credential. | NO
Multivalued | Boolean | NO | Indicates whether the Setting can have several values. | true, false | NO
Value | String | NO | Defines the value(s) of the Setting. | - | YES

The description of a custom Setting is edited manually through an I18N key.

Secret and Credential Settings

These types of Settings can only be managed by an administrator with the appropriate rights:

  • Settings management: sys.idm-setting-crud, sys.bum-setting-crud, sys.sync-setting-crud

  • Secret management: sys.idm-setting-secretmanager, sys.bum-setting-secretmanager, sys.sync-setting-secretmanager.

These secret Settings are always visible but cannot be edited if the administrator doesn't have the secret manager right.

It is possible to configure a Groovy script that uses the created Secret or Credential Settings to authenticate a call to an external web service by SOAP envelope.
The Groovy script can be configured on an Object Policy or an Object validation rule, for instance.
When the Groovy script runs (either by launching a scheduled job or by generating an event on an Object), the rule containing the Groovy script is executed.

A Secret Setting is a single secret. An Administrator can review Secret Settings: when opened, they are displayed obfuscated, and the Administrator must click a dedicated "View" button to see the value in clear text. When exporting configurations from the GUI, Secret Settings are not exported by default.

A Credential Setting is composed of a username and a secret. An Administrator can review Credential Settings under the same rules: when opened, they are displayed obfuscated, the Administrator must click the "View" button to see the value in clear text, and they are not exported by default when exporting configurations from the GUI.

Built-in Settings

A built-in Setting cannot be deleted.

The value of a built-in Setting can be updated.

The description is displayed:

  • by clicking on the tool tip button next to the Setting name

  • by clicking on the "edit" button.

Identity Service

Identity Service Built-in settings

Key | Description | Default value
groovy.client.rest.http.connectionPoolRequestTimeoutMs | Timeout used when requesting a connection from the pool. | 30000
groovy.client.rest.http.connectionPoolSize | Maximum total number of connections (0 for infinite). | 50
groovy.client.rest.http.connectionTimeToLiveSec | Maximum connection TTL duration (-1 for infinite). | 1800
groovy.client.rest.http.connectTimeoutMs | The connection timeout for the underlying HTTP client (0 for infinite timeout). | 10000
groovy.client.rest.http.keyStorePKCS12 | PKCS12 that contains the key and certificate used for X509 client authentication. | -
groovy.client.rest.http.maxConnectionsPerRoute | Maximum number of connections per route (0 for infinite). | 5
groovy.client.rest.http.readTimeoutMs | Socket read timeout for the underlying HTTP client (0 for infinite timeout). | 10000
groovy.client.rest.http.trustStorePEM | The representation of a PEM file containing all trusted certificates for the Groovy REST client. |
idm.app-logs.level.rule.level | Log levels are organized in the following ascending order: OFF ERROR WARN INFO DEBUG TRACE ALL. Log statements made in Rules at or below the selected level are reported and available in the log screen under "System > Logs". The OFF level disables log reporting from Rules. | OFF
idm.attributes.defaultMappings.email | The identifier of the attribute used to determine a user's email. | email
idm.attributes.defaultMappings.language | The identifier of the attribute used to determine a user's language. | preferredLanguage
idm.attributes.defaultMappings.mobile | The identifier of the attribute used to determine a user's mobile phone number. | mobile
idm.attributes.defaultMappings.name | The identifier of the attribute used to determine a user's name (for display). | commonName
idm.attribute.validation.failOnInvalidInternalId | Indicates whether an invalid internal identifier must make an Attribute Definition update fail, or be silently ignored. | false
idm.object.activation.modes | Set of modes that can be used when activating/deactivating an object (in addition to ADMIN and AUTO). These are typically used in scripts. | -
idm.object.activation.rule | Groovy Rule that determines whether an enable/disable requested in a patch is authorized, with regard to the current mode and the requested mode (e.g. AUTO enabling is not authorized on an ADMIN-disabled object). | -
idm.object.builtin.flags | List of authorized flags to be used on objects. Lets you reduce the list when only certain flags are used. | Values from F00 to F15.
idm.object.deduplication.failsafeComputeRules | Ignores computation rule failures during deduplication CREATE/PATCH simulation (temporary setting). | false
idm.role-assignments.cleanup.grace.period | Period after which soft-deleted Role Assignments are actually removed. | P6M
idm.securityQuestions.count | Number of security questions that will be asked to the users. | 3
idm.securityQuestions.keys | List of security question identifiers configured on the tenant (typically used for translations). Each security question is translated by the following i18n key: tenant.security-questions."question-key".label | Values from q01 to q22.
idm.securityQuestions.matching.limit | Matching value that determines whether an answer to a security question is correct. Depends on the matching strategy; only useful for the JARO_WINKLER and LEVENSHTEIN strategies. | 0
idm.securityQuestions.matching.strategy | Matching strategy for the answers to security questions: EXACT_NORMALIZED (exact value after normalization), LEVENSHTEIN (Levenshtein distance), JARO_WINKLER (Jaro-Winkler distance). | EXACT_NORMALIZED
idm.securityQuestions.minLength | Minimum number of characters required in a security question answer. | 2
idm.ssl.trust.trustStore | The representation of a PEM file containing all trusted certificates. | -
idm.system.user.email | Email to be used for the Identity Service system user (typically in notifications). | nomail@nomail.invalid
idm.system.user.language | Language to be used for the Identity Service system user (typically in notifications). |
idm.system.user.name | Name to be used for the Identity Service system user (typically in notifications). | System
idm.system.user.phone | Phone to be used for the Identity Service system user (typically in notifications). |
idm.system.user.systemPrefix | Prefix used to distinguish system users. Should not be changed from "system@@". | system@@
right.app.automatic | Indicates whether "access" rights must automatically be created for Applications created in the Identity Service repository. | true
right.app.typeBased | Indicates whether "access" rights must automatically be created for each Application Type (resource right), or for each Application (global right). | false
right.asset.automatic | Indicates whether "access" rights must automatically be created for Assets created in the Identity Service repository. | true
right.asset.typeBased | Indicates whether "access" rights must automatically be created for each Asset Type (resource right), or for each Asset (global right). | true
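The three security-question settings above (idm.securityQuestions.matching.strategy, idm.securityQuestions.matching.limit and idm.securityQuestions.minLength) interact: the strategy chooses how a submitted answer is compared with the stored one, the limit says how far apart they may be, and minLength rejects very short answers before any comparison. The following Python is an added illustration written for this page, not Memority code: its normalization rules (accent stripping, case folding, whitespace collapsing) and its reading of the limit as a maximum accepted distance for both fuzzy strategies (Jaro-Winkler distance = 1 - similarity) are assumptions, chosen so that the default limit 0 behaves like exact matching. It shows how much a non-zero limit widens the set of accepted answers, which is the trade-off an administrator makes when switching away from EXACT_NORMALIZED.

```python
import unicodedata


def normalize(answer: str) -> str:
    """Assumed normalization for EXACT_NORMALIZED: strip accents, case-fold,
    collapse whitespace. The product's exact rules are not documented here."""
    decomposed = unicodedata.normalize("NFKD", answer)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(without_accents.casefold().split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), single-row dynamic programming."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def jaro_winkler(a: str, b: str) -> float:
    """Jaro-Winkler similarity in [0, 1] (standard prefix scale 0.1, prefix up to 4)."""
    if a == b:
        return 1.0
    if not a or not b:
        return 0.0
    window = max(0, max(len(a), len(b)) // 2 - 1)
    a_matched = [False] * len(a)
    b_matched = [False] * len(b)
    matches = 0
    for i, ca in enumerate(a):
        for j in range(max(0, i - window), min(len(b), i + window + 1)):
            if not b_matched[j] and b[j] == ca:
                a_matched[i] = b_matched[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    a_seq = [c for c, m in zip(a, a_matched) if m]
    b_seq = [c for c, m in zip(b, b_matched) if m]
    transpositions = sum(x != y for x, y in zip(a_seq, b_seq)) // 2
    jaro = (matches / len(a) + matches / len(b) + (matches - transpositions) / matches) / 3
    prefix = 0
    for x, y in zip(a[:4], b[:4]):
        if x != y:
            break
        prefix += 1
    return jaro + prefix * 0.1 * (1 - jaro)


def answer_matches(stored: str, given: str, strategy: str = "EXACT_NORMALIZED",
                   limit: float = 0, min_length: int = 2) -> bool:
    """Decide whether a submitted answer matches the stored one.

    strategy, limit and min_length mirror idm.securityQuestions.matching.strategy,
    idm.securityQuestions.matching.limit and idm.securityQuestions.minLength.
    Assumption: `limit` is the maximum accepted distance for both fuzzy strategies,
    so the documented default 0 behaves like exact matching.
    """
    s, g = normalize(stored), normalize(given)
    if len(g) < min_length:  # too short to be accepted under any strategy
        return False
    if strategy == "EXACT_NORMALIZED":
        return s == g
    if strategy == "LEVENSHTEIN":
        return levenshtein(s, g) <= limit
    if strategy == "JARO_WINKLER":
        return (1.0 - jaro_winkler(s, g)) <= limit
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    # Constructed answers: the same typo is rejected or accepted depending on the limit.
    for strategy, limit in (("EXACT_NORMALIZED", 0), ("LEVENSHTEIN", 1), ("JARO_WINKLER", 0.05)):
        print(strategy, limit, answer_matches("Élodie", "elodi", strategy, limit))
```

With the assumed semantics, LEVENSHTEIN with limit 1 accepts one typo anywhere in the answer, while JARO_WINKLER with the same nominal tolerance weights a matching prefix heavily, so the two strategies accept different sets of near-misses for the same limit; review the limit together with minLength whenever the strategy is changed.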

Security Questions

Security Questions is a mechanism where users save a set of answers to common personal questions.
These answers are then used in certain scenarios to identify the user (especially when retrieving or resetting authentication information).

22 Security Questions are defined by default, but the Administrator can create other Security Questions by using the setting idm.securityQuestions.keys.

Default Values

Key | Question
q01 | What was your childhood nickname?
q02 | In what city did you meet your spouse/significant other?
q03 | What is the name of your favorite childhood friend?
q04 | What street did you live on in third grade?
q05 | What is your oldest sibling's birthday month and year? (e.g., January 1900)
q06 | What is the middle name of your youngest child?
q07 | What is your oldest sibling's middle name?
q08 | What school did you attend for sixth grade?
q09 | What was your childhood phone number including area code? (e.g., 000-000-0000)
q10 | What is your oldest cousin's first and last name?
q11 | What was the name of your first stuffed animal?
q12 | In which city or town did your mother and father meet?
q13 | Where were you when you had your first kiss?
q14 | What is the first name of the boy or girl that you first kissed?
q15 | What was the last name of your third grade teacher?
q16 | In which city does your nearest sibling live?
q17 | What is your youngest brother's birthday month and year? (e.g., January 1900)
q18 | What is your maternal grandmother's maiden name?
q19 | In what city or town was your first job?
q20 | What is the name of the place your wedding reception was held?
q21 | What is the name of the college you applied to but didn't attend?
q22 | Where were you when you first heard about 9/11?

Business Service

Business Service Built-in settings

Key | Description | Default value
authentication.levels.adm | The authentication level to use for access to the ADM portal (see authentication.levels.mappings). | default
authentication.levels.builtinFeatures | Authentication levels required to access built-in features, such as the audit feature. If empty, access is allowed. |
authentication.levels.mappings | Allows mapping a tenant-defined key to a SAML authentication context class reference used by OpenAM. Example: "level": "default", "classRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" |
authentication.levels.usr | The authentication level to use for access to the USR portal (see authentication.levels.mappings). |
bum.accessCode.cleanup.gracePeriod | Period duration (ISO 8601) corresponding to the grace period before access codes are considered outdated and must be purged by a job. |
bum.app-logs.level.rule.level | Log levels are organized in the following ascending order: OFF ERROR WARN INFO DEBUG TRACE ALL. Log statements made in Rules at or below the selected level are reported and available in the log screen under "System > Logs". The OFF level disables log reporting from Rules. | OFF
bum.feature.workflow.sequenceSimulationStrategy | Configures the sequence (SEQ) simulation behaviour in the context of a workflow execution. |
bum.oath.display.appStoreUrl | The URL to the recommended OTP application on the Apple store. |
bum.oath.display.brandImage | Base64-encoded image to display on the first wizard step (the Google Authenticator logo, for instance). |
bum.oath.display.brandImageType | The MIME type of the brand image. |
bum.oath.display.googleStoreUrl | The URL to the recommended OTP application on the Google store. | https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
bum.oath.otp.issuer | Indicates the issuer of the OTP generation (defaults to the tenant id if not specified). |
bum.oath.otp.label | The label of the OTP generation account as presented to the user (defaults to the user id if not specified). The value can hold placeholders that are replaced by attribute values (e.g. "This account is for {object.commonName}"). |
bum.objects.recertification.campaign-reporting-collections | The Reporting collections by object kind where ad hoc and scheduled recertification campaigns should be published. Leave empty to disable publication. | {"IDENTITY": "identityRecertificationCampaign", "ORGANIZATION": "organizationRecertificationCampaign", "RESOURCE": "resourceRecertificationCampaign", "ROLE": "roleRecertificationCampaign", "ROLE_PUBLICATION": "rolePublicationRecertificationCampaign"}
bum.objects.recertification.retention | Retention period of Objects Recertification metadata. | P3Y
bum.role-assignments.recertification.campaign-reporting-collection | The Reporting collection where ad hoc and scheduled recertification campaigns should be published. Leave empty to disable publication. | recertificationCampaign
bum.role-assignments.recertification.retention | Retention period of Role Assignments Recertification metadata. | P3Y
bum.ssl.trust.trustStore | The representation of a PEM file containing all trusted certificates. |
bum.system.user.email | Email to be used for the Business Service system user (typically in notifications). | nomail@nomail.invalid
bum.system.user.language | Language to be used for the Business Service system user (typically in notifications). |
bum.system.user.name | Name to be used for the Business Service system user (typically in notifications). | System
bum.system.user.phone | Phone to be used for the Business Service system user (typically in notifications). |
bum.system.user.systemPrefix | Prefix used to distinguish system users. Should not be changed from "system@@". | system@@
bum.user.mobile.applications.feature | The APP_PORTAL feature designated to be used in the Memority mobile application. |
citadel.bum.workflow.user.task.limit.number.admins | Maximum number of admins to provide for a User task. | 10
citadel.bum.workflow.user.task.limit.number.candidates | Maximum number of candidates to provide for a User task. |
citadel.bum.workflow.user.task.limit.number.commenters | Maximum number of commenters to provide for a User task. | 10
groovy.client.rest.http.connectionPoolRequestTimeoutMs | Timeout used when requesting a connection from the pool. | 30000
groovy.client.rest.http.connectionPoolSize | Maximum total number of connections (0 for infinite). | 50
groovy.client.rest.http.connectionTimeToLiveSec | Maximum connection TTL duration (-1 for infinite). | 1800
groovy.client.rest.http.connectTimeoutMs | The connection timeout for the underlying HTTP client (0 for infinite timeout). | 10000
groovy.client.rest.http.keyStorePKCS12 | PKCS12 that contains the key and certificate used for X509 client authentication. | -
groovy.client.rest.http.maxConnectionsPerRoute | Maximum number of connections per route (0 for infinite). | 5
groovy.client.rest.http.readTimeoutMs | Socket read timeout for the underlying HTTP client (0 for infinite timeout). | 10000
groovy.client.rest.http.trustStorePEM | The representation of a PEM file containing all trusted certificates for the Groovy REST client. |
portal.adm.loadingSubtitle | Text to display as sub-heading while the Administration Portal is loading. | Portal
portal.adm.loadingTitle | Text to display as heading while the Administration Portal is loading. | Memority
portal.adm.windowTitle | Page title of the Administration Portal, as shown in the browser title bar. | Memority Portal
portal.public-usr.features | List of Features accessible from the Public Portal. |
portal.usr.landing.feature | User Portal landing feature id after successful authentication. If not set, the user is redirected to the default home page. |
portal.usr.loadingSubtitle | Text to display as sub-heading while the User Portal is loading. | Portal
portal.usr.loadingTitle | Text to display as heading while the User Portal is loading. | Memority
portal.usr.windowTitle | Page title of the User Portal, as shown in the browser title bar. | Memority Portal
ui.adm.breadcrumbs.historyPages, ui.usr.breadcrumbs.historyPages | The maximum number of pages kept in history. | 10
ui.adm.toolbar.displayAboutMenu, ui.public-usr.toolbar.displayAboutMenu, ui.usr.toolbar.displayAboutMenu | Whether to display the "About" menu in the toolbar at the top. | true
ui.adm.toolbar.displaySearch, ui.public-usr.toolbar.displaySearch, ui.usr.toolbar.displaySearch | EXPERIMENTAL, leave false. Whether to display the search area in the toolbar at the top (not implemented yet). | false
ui.adm.toolbar.displayUserMenu, ui.public-usr.toolbar.displayUserMenu, ui.usr.toolbar.displayUserMenu | Whether to display the "User Profile" menu in the toolbar at the top. | true
ui.adm.toolbar.environment, ui.public-usr.toolbar.environment, ui.usr.toolbar.environment | Environment information which, if not empty, is displayed as a "warning" in the toolbar at the top. | -
ui.adm.toolbar.fixedToolbar, ui.public-usr.toolbar.fixedToolbar, ui.usr.toolbar.fixedToolbar | If true, the toolbar is pinned at the top and remains displayed even when the page is scrolled down. | false
ui.adm.toolbar.links, ui.public-usr.toolbar.links, ui.usr.toolbar.links | If not empty, displays the configured links in the toolbar at the top. | -
ui.adm.toolbar.primaryLogo, ui.public-usr.toolbar.primaryLogo, ui.usr.toolbar.primaryLogo | The logo displayed in the upper left corner. | -
ui.adm.toolbar.secondaryLogo, ui.public-usr.toolbar.secondaryLogo, ui.usr.toolbar.secondaryLogo | The logo displayed in the upper right corner. | -
ui.usr.home.tiles | Configures the first row of tiles displayed on the home page. | -
ui.usr.menu.entries | The configuration of the left menu entries. | -
ui.usr.timeZone.value | Timezone to use when a "date only" DateEditWidget is used for an attribute of type "Date & Time", and when formatting variables of type "date" in workflow notifications. |

Synchronization Service

Synchronization Service Built-in settings

Key | Description | Default value
domino.task.report.recipient | |
domino.task.report.replyto | |
domino.task.report.sender | |
groovy.client.rest.http.connectionPoolRequestTimeoutMs | Timeout used when requesting a connection from the pool. | 30000
groovy.client.rest.http.connectionPoolSize | Maximum total number of connections (0 for infinite). | 50
groovy.client.rest.http.connectionTimeToLiveSec | Maximum connection TTL duration (-1 for infinite). | 1800
groovy.client.rest.http.connectTimeoutMs | The connection timeout for the underlying HTTP client (0 for infinite timeout). | 10000
groovy.client.rest.http.keyStorePKCS12 | PKCS12 that contains the key and certificate used for X509 client authentication. | -
groovy.client.rest.http.maxConnectionsPerRoute | Maximum number of connections per route (0 for infinite). | 5
groovy.client.rest.http.readTimeoutMs | Socket read timeout for the underlying HTTP client (0 for infinite timeout). | 10000
groovy.client.rest.http.trustStorePEM | The representation of a PEM file containing all trusted certificates for the Groovy REST client. |
prov.task.accountInformation.reporting.id | | accountInformation
prov.task.audit.maxErrorNb | Maximum number of errors attached to an audit log for a Provisioning task. | 50
prov.task.execution.event.publish | | true
prov.task.operation.reporting.id | | provOperations
prov.task.report.maxErrorNb | Maximum number of errors reported in a Provisioning report. | 100
prov.task.taskReport.reporting.id | | provReports
sync.app-logs.level.rule.level | Log levels are organized in the following ascending order: OFF ERROR WARN INFO DEBUG TRACE ALL. Log statements made in Rules at or below the selected level are reported and available in the log screen under "System > Logs". The OFF level disables log reporting from Rules. | OFF
sync.ssl.trust.trustStore | The representation of a PEM file containing all trusted certificates. |
sync.system.user.email | Email to be used for the Synchronization Service system user (typically in notifications). | no-reply@memority.fr
sync.system.user.language | Language to be used for the Synchronization Service system user (typically in notifications). |
sync.system.user.name | Name to be used for the Synchronization Service system user (typically in notifications). |
sync.system.user.phone | Phone to be used for the Synchronization Service system user (typically in notifications). |
sync.system.user.systemPrefix | Prefix used to distinguish system users. Should not be changed from "system@@". | system@@
sync.task.audit.maxErrorNb | Maximum number of errors attached to an audit log for a Synchronization task. | 50
sync.task.execution.event.publish | | true
sync.task.import.maxFileSize | Maximum authorized file size for Synchronization file upload. | 10485760
sync.task.operation.reporting.id | | syncOperations
sync.task.report.maxErrorNb | Maximum number of errors reported in a Synchronization report. | 100
sync.task.taskReport.reporting.id | | syncReports

Audit Service

There is one built-in setting (audit.search.defaultFilter) on this service that is used to configure a search expression for audit events.

In this case, the event names that end with "execution" and "processing" will not be displayed in the audit report.

CODE
{
    "NOT": {
        "OR": [
            {
                "prop": "title",
                "op": "ENDS_WITH",
                "values": [
                    "_EXECUTION"
                ]
            },
            {
                "prop": "title",
                "op": "ENDS_WITH",
                "values": [
                    "_PROCESSING"
                ]
            }
        ]
    }
}
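The default filter above is a suffix deny-list: an audit event is shown unless its title ends with "_EXECUTION" or "_PROCESSING", so the noisy execution and processing events stay out of the default report while everything else remains visible. The Python below is an added illustration for this page, not Memority code: it evaluates the page's filter expression against a few constructed audit events. It deliberately supports only the constructs the page shows (NOT, OR and the ENDS_WITH operator) and raises on anything else, and it assumes the suffix comparison is case-sensitive.

```python
import json

# The page's default audit.search.defaultFilter, reproduced verbatim.
DEFAULT_FILTER = json.loads("""
{
    "NOT": {
        "OR": [
            {"prop": "title", "op": "ENDS_WITH", "values": ["_EXECUTION"]},
            {"prop": "title", "op": "ENDS_WITH", "values": ["_PROCESSING"]}
        ]
    }
}
""")


def evaluate(node: dict, event: dict) -> bool:
    """Evaluate one filter node against an audit event (a flat dict).

    Only the constructs visible on the page are supported: NOT, OR and the
    ENDS_WITH leaf operator. Anything else raises, so an unsupported filter
    fails loudly instead of silently hiding or showing events. Suffix
    matching is assumed to be case-sensitive.
    """
    if "NOT" in node:
        return not evaluate(node["NOT"], event)
    if "OR" in node:
        return any(evaluate(child, event) for child in node["OR"])
    if node.get("op") == "ENDS_WITH":
        value = event.get(node["prop"])
        if not isinstance(value, str):
            return False  # a missing or non-string property never matches a leaf
        return any(value.endswith(suffix) for suffix in node["values"])
    raise ValueError(f"unsupported filter node: {node!r}")


def displayed_titles(events, filt=DEFAULT_FILTER):
    """Titles of the events the filter keeps, in input order."""
    return [e["title"] for e in events if evaluate(filt, e)]


# Constructed sample events, not real Memority audit data.
SAMPLE_EVENTS = [
    {"title": "OBJECT_CREATION", "actor": "admin"},
    {"title": "JOB_EXECUTION", "actor": "system@@scheduler"},
    {"title": "EVENT_PROCESSING", "actor": "system@@sync"},
    {"title": "LOGIN_FAILURE", "actor": "jdoe"},
]

if __name__ == "__main__":
    print(displayed_titles(SAMPLE_EVENTS))  # ['OBJECT_CREATION', 'LOGIN_FAILURE']
```

Because the top-level node is a NOT, an event that lacks the filtered property altogether is displayed rather than hidden; when tightening the default filter, check that the events you rely on for investigations (authentication failures, rights changes) are never caught by a suffix you add.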

Notification Service

There is one built-in setting (audit.search.defaultFilter) on this service that is used to configure the Reporting collection where SMS Notification reports should be published.

If empty, publication is disabled.

Access Service

Access Service Built-in settings

Key | Description | Default value
amcp.am.available-authentication-levels | All authentication levels available for the tenant. | -
amcp.am.default-assertion-signature-certificates.saml | The default certificate used to sign SAML assertions. | -
amcp.am.default-assertion-signature-certificates.ws-fed | The default certificate used to sign WSFED assertions. | -
amcp.am.federation-mapping-reporting-collection | Identifier of the reporting configuration containing federation mappings. | federationMapping
amcp.am.federation-reporting-collection | Identifier of the reporting configuration containing federations. | federation
amcp.attribute.validation.failOnInvalidCustomAttributeIndex | | false
amcp.ssl.trust.trustStore | The representation of a PEM file containing all trusted certificates. | -

Tenant Configuration Service

There is one built-in setting (atlas.captcha.type) on this service that is used to configure the type of captcha used (in Public Access Tasks for example).
