16 Managing System Properties

The system configuration service enables you to manage system properties used by Oracle Identity Manager. This service allows you to create, modify, delete, or search existing system properties depending on their roles.

System properties define the characteristics that control the behavior of Oracle Identity Manager. You can define the functionality of consoles such as the Oracle Identity Administration and Oracle Identity Manager Self Service by using system properties. For example, you can define the number of consecutive attempts the user can make to login to Oracle Identity Manager unsuccessfully before Oracle Identity Manager locks the user account. In other words, a system property is an entity by which you can control the configuration of Oracle Identity Manager.

This chapter discusses the following topics:

16.1 System Properties in Oracle Identity Manager

Table 16-1 lists and describes the default system properties in Oracle Identity Manager.

Table 16-1 Default System Properties in Oracle Identity Manager

Each entry below gives the property name, its keyword, its default value, and a description.

Property Name: Access Policy Revoke If No Longer Applies Enhancement
Keyword: XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement
Default Value: FALSE
Description:

Determines if the Revoke if no longer applies flag in access policy is applicable.

If the value is true, then this flag applies to child table data (entitlements) as well as parent data. Based on this flag, the user can determine whether child data must be removed or retained when an access policy no longer applies to the user.

If the value is false, then child table data (entitlements) are always removed after the access policy no longer applies.

Note: This property is not used in Oracle Identity Manager Release 2 (11.1.2) or later.

Property Name: Allows access policy based provisioning of multiple instances of a resource
Keyword: XL.AllowAPBasedMultipleAccountProvisioning
Default Value: FALSE
Description:

Determines if multiple instances of a resource can be provisioned to multiple target resources.

When the value is false, provisioning multiple instances of resource object via access policy is not allowed.

When the value is true, provisioning multiple instances of resource object via access policy is allowed.

Property Name: Allows linking of access policies to reconciled and bulk loaded accounts
Keyword: XL.AllowAPHarvesting
Default Value: FALSE
Description:

Determines if access policy engine can link access policies to reconciled accounts and to accounts created by the Bulk Load Utility.

This property is used in the context of evaluating access policies for reconciled accounts and to accounts created by the Bulk Load Utility. For more information, see "Evaluating Policies for Reconciled and Bulk Load-Created Accounts".

Note: This property is used in Oracle Identity Manager 11g Release 2 (11.1.2.2.0) or later.

Property Name: Are challenge questions disabled in OIM
Keyword: OIM.DisableChallengeQuestions
Default Value: FALSE
Description:

Determines whether challenge questions are enabled or disabled when a user logs in to Oracle Identity Manager for the first time.

When the value is FALSE, challenge questions are enabled.

When the value is TRUE, challenge questions are disabled.

This property is primarily used in the context of Oracle Adaptive Access Manager (OAAM) configuration. When the value is TRUE, the challenge questions are handled by OAAM.

Property Name: Catalog Audit Data Collection
Keyword: XL.CatalogAuditDataCollection
Default Value: none
Description:

Determines whether catalog auditing is enabled or disabled. The default value is none, which specifies that catalog auditing is disabled. To enable catalog auditing, set the value of this property to catalog.

Property Name: Catalog search MAX result size. Default value is -1 which means return all
Keyword: XL.CatalogSearchResultCap
Default Value: -1
Description:

When the request catalog holds a large amount of data and catalog performance suffers, you can set this property to a reasonable limit, such as 500. Catalog searches then return no more than the specified number of results. If the value is -1, then no result size limit is applied to catalog search results.

Property Name: CommonName generation plugin
Keyword: XL.DefaultCommonNamePolicyImpl
Default Value: oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy
Description:

Determines the plugin used to generate the common name.

Property Name: Compiler Path for Connectors
Keyword: XL.CompilerPath
Default Value: (empty)
Description:

Specifies the Java home depending on the application server.

Note: If the path of the JDK directory is not included in the System Path variable, then you must set the path of the JDK directory in the XL.CompilerPath system property. If this is not done, then an error is encountered during the adapter compilation stage of the process performed when you import an XML file by using the Deployment Manager.

Property Name: Send create user email notification to both user and manager of user
Keyword: XL.NotifyUserCreateToOther
Default Value: TRUE
Description:

Copies both user and the user's manager in the email notification that is sent when a user is created.

Property Name: Data Collection Session ID
Keyword: XL.DataCollectionSessionID
Default Value: dummy
Description:

Specifies the session ID of the current Oracle Identity Analytics (OIA) Data collection session.

Property Name: Data Collection Status
Keyword: XL.DataCollectionStatus
Default Value: FINALIZED
Description:

Specifies the status of the current OIA data collection session.

Property Name: Default Date Format
Keyword: XL.DefaultDateFormat
Default Value: yyyy/mm/dd hh:mm:ss z
Description:

When reconciliation events are created by calling the APIs and no date format is passed as an argument to the API, Oracle Identity Manager assumes that all date field values are specified in this default date format.

Property Name: Default policy for username generation
Keyword: XL.DefaultUserNamePolicyImpl
Default Value: oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy
Description:

Determines the username policy to use when generating a username.

Property Name: Default user name domain
Keyword: XL.UserNameDomain
Default Value: oracle.com
Description:

This property is used by the DefaultComboPolicy to generate a user name in e-mail format.

Property Name: Direct Provisioning vs. Request for Access Policy Conflicts
Keyword: XL.DirectProvision
Default Value: TRUE
Description:

By default, the value of this property is TRUE. If a user has multiple access policies that provision a particular resource multiple times, and at least one of those policies specifies that the resource can be provisioned directly, then the resource is provisioned without creating a request.

Setting this property to FALSE specifies that such conflicts are resolved by creating a request for the resource instead of provisioning it directly. If there are no conflicts, then resources are provisioned as defined in the access policy.

Property Name: Display Certification or Attestation
Keyword: OIM.ShowCertificationOrAttestation
Default Value: attestation
Description:

This property is used to show or hide the certification and attestation features. Possible values are:

  • both: All attestation and identity certification navigation menus and pages are displayed in Oracle Identity Self Service and Oracle Identity System Administration.

  • attestation: This is the default value. Only the attestation feature can be used, and all identity certification navigation menus and pages are hidden in Oracle Identity Self Service and Oracle Identity System Administration.

  • certification: Only the identity certification feature can be used, and all attestation navigation menus and pages are hidden in Oracle Identity Self Service and Oracle Identity System Administration.

Note: After setting the value of this system property, you must restart Oracle Identity Manager.

Property Name: Does user have to provide challenge information during registration
Keyword: PCQ.PROVIDE_DURING_SELFREG
Default Value: TRUE
Description:

If the value is TRUE, then users will have to provide challenge information during registration.

Property Name: Duplicate challenge responses allowed
Keyword: XL.IsDupResponsesAllowed
Default Value: FALSE
Description:

This property is used to indicate whether or not duplicate challenge responses are allowed.

Property Name: Email Server
Keyword: XL.MailServer
Default Value: Email Server
Description:

Name of the e-mail server.

Note: After modifying the Email Server system property value, you must restart the server for the change to take effect.

Property Name: Email Validation Pattern
Keyword: XL.EmailValidationPattern
Default Value: [A-Za-z0-9\.\_\#\!\$\&\'\*\/\=\?\^\`\{\}\~\|\%\+\-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
Description:

This property contains the regular expression used to validate the email ID of a user.
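The following is an added example, not part of Oracle's documentation or product code: it runs the default XL.EmailValidationPattern over constructed sample addresses to show which edge cases the expression accepts and rejects. It assumes the pattern is applied as a full match, as Java's String.matches() does; the page does not state how Oracle Identity Manager applies it, and the prefix-only comparison at the end shows why anchoring matters.

```python
import re

# Default value of XL.EmailValidationPattern, copied from the table above.
DEFAULT_PATTERN = (
    r"[A-Za-z0-9\.\_\#\!\$\&\'\*\/\=\?\^\`\{\}\~\|\%\+\-]+"
    r"@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"
)


def is_valid_email(address, pattern=DEFAULT_PATTERN):
    """Full-match validation (assumption: mirrors Java String.matches())."""
    return re.fullmatch(pattern, address) is not None


def prefix_only_match(address, pattern=DEFAULT_PATTERN):
    """What a start-anchored-only check accepts: a valid address plus anything."""
    return re.match(pattern, address) is not None


def classify(addresses, pattern=DEFAULT_PATTERN):
    """Map each address to True/False under full-match validation."""
    return {a: is_valid_email(a, pattern) for a in addresses}


# Constructed sample input exercising the notable edges of the default pattern.
SAMPLES = [
    "alice@example.com",              # plain address
    "alice.o'brien+oim@example.com",  # quote and plus are in the local-part class
    "Alice@Sub.Example.CO.UK",        # mixed case, multi-label domain, 2-letter TLD
    "alice@example",                  # no top-level label at all
    "alice@example.c",                # TLD shorter than 2 letters
    "alice@example.museum",           # TLD longer than 4 letters is rejected
    "alice@@example.com",             # '@' is not in the domain class
    "",                               # empty value
]

if __name__ == "__main__":
    for addr, ok in classify(SAMPLES).items():
        print(f"{'valid  ' if ok else 'invalid'}  {addr!r}")
    compound = "alice@example.com;bob@example.com"
    print("prefix-only match accepts compound value:", prefix_only_match(compound))
    print("full match accepts compound value:       ", is_valid_email(compound))
```

Note that the default expression caps the top-level label at four letters, so addresses under longer top-level domains fail validation unless the property is adjusted.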

Property Name: Enable 9.x permission checking when searching organizations
Keyword: XL.EnableOrgPermissionCheck
Default Value: TRUE
Description:

This property controls the display of organizations in the organization search performed by the user. When XL.EnableOrgPermissionCheck = false, all the organizations are displayed when the user searches for organizations. When XL.EnableOrgPermissionCheck = true or the property is removed, only the organizations assigned to the user performing the search are displayed.

Property Name: Enable disabled resource instances when a user is enabled
Keyword: XL.EnableDisabledResources
Default Value: TRUE
Description:

If the value is TRUE, then the disabled resource instances are enabled when a user is enabled.

Property Name: Enable Exception Reports
Keyword: XL.EnableExceptionReports
Default Value: TRUE
Description:

This property is used to enable the exception reporting feature. Exception reporting is enabled only if the value is set to TRUE.

Property Name: Enables retrying failed callbacks feature
Keyword: OIM.RetryFailedCallbacks
Default Value: false
Description:

This property enables Oracle Identity Manager to retry failed callback notifications at regular intervals. All failed callback notifications are retried in their order of origin. The feature is disabled if the value is false. Setting the value to true enables the retry of failed callback notifications.

Note: If you change the value of this system property, then you must restart Oracle Identity Manager.

Property Name: Evaluate LDAP Container Rules for Entity Modification
Keyword: LDAPEvaluateContainerRulesForModify
Default Value: FALSE
Description:

If the property value is TRUE, then the LDAP container rules defined in LDAPContainerRules.xml are evaluated for entity modification. However, if none of the rules match, then the default container is not returned. The original parent container of the entity is returned, which means that there is no change in the entity DN. For more information, see "Configuring LDAP Container Rules" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

If the property value is FALSE, then the LDAP container rules defined in LDAPContainerRules.xml are not evaluated. The entity DN does not change.

Note: This property only applies to a modification scenario and not to the entity creation scenario.

Property Name: FA Administrators Role Name IN LDAP
Keyword: FA.AdministratorsRole
Default Value: Administrators
Description:

Name of this role, usually "Administrators", stored at the top of the user container in LDAP. This is the user who can log in and manage SOA task lists.

Note: This property is not used in Oracle Identity Manager.

Property Name: FA cookie-http-only flag turned on
Keyword: FA.CookieHTTPOnly
Default Value: false
Description:

This property is seeded using the RoleCategorySeedMXBeanImplMBean by FA provisioning system.

Property Name: Flag for new permissioning model
Keyword: XL.NewPermissionModel
Default Value: False
Description:

This system property determines the data object permission model for inserting, updating, and deleting records in the Oracle Identity Manager database. Before inserting, updating, or deleting records in a database table, Oracle Identity Manager checks the roles assigned to the user who wants to perform the operation. Each role has data objects assigned to it along with details of the permissions to insert, update, or delete a record.

When the value of this property is FALSE, the user must hold the permission on every role assigned to the user for that data object. If any one of those roles lacks the insert, update, or delete permission, then the user is not allowed to insert, update, or delete records in the table corresponding to the data object.

When the value is set to TRUE, the user needs the insert, update, or delete permission on any one of the roles assigned to the user for that data object. If the permission is available through any one role, then the user can insert, update, or delete records in the table corresponding to the data object.

Property Name: Force Password Change at First Login
Keyword: XL.ForcePasswordChangeAtFirstLogin
Default Value: TRUE or FALSE
Description:

The default value for this property is FALSE if the user is created by self registration and TRUE if the user is created by any other method.

This system property is no longer used in Oracle Identity Manager.

Property Name: Force to set questions at startup
Keyword: PCQ.FORCE_SET_QUES
Default Value: False
Description:

When the user logs into the Oracle Identity Self Service or Oracle Identity System Administration for the first time, the user must set the default questions for resetting the password.

Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.

Property Name: GTC Auto Import
Keyword: XL.GTCAutoImport
Default Value: true
Description:

Based on the value of this property, the DM XML that is generated during GTC creation can be saved to a directory.

The default value of this property is true.

When the value of this property is set to "False", then during GTC creation the DM XML (the XML that GTC creates and imports internally using Deployment Manager) created by the GTC framework is stored in the following directory:

OIM_HOME/GTC/XMLOutput

The naming convention followed for the DM XML is:

GTCNAME_TIMESTAMP.xml, where TIMESTAMP is the current date and time in the "yyyy-MM-dd-HH-mm-ss" format

For example:

TRUSTEDCSV_2009-02-05-22-41-11.xml

Property Name: Homepage for Self Service console
Keyword: OIM.IdentityHomepage
Default Value: none
Description:

This property is used to set the page to be displayed after a user logs in to Oracle Identity Manager Self Service.

You can set one of the following as the value of this property:

  • my_access: Displays the My Access page

  • my_info: Displays the My Information page

  • home: Displays the Home page

  • catalog_home: Displays the Catalog page

  • none: Displays no page

Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.

Property Name: Indicates if referential integrity is enabled in target LDAP directory
Keyword: XL.IsReferentialIntegrityEnabledInLDAP
Default Value: FALSE
Description:

The value of this property is TRUE if referential integrity in target LDAP directory is turned on.

The value of this property is FALSE if referential integrity in target LDAP directory is turned off.

Property Name: Is DataProvider LDAP/DB
Keyword: OIM.DataProvider
Default Value: DB
Description:

Specifies if the data provider is LDAP or Oracle Identity Manager database. The default value is DB, which indicates that the database is the data provider. Change the value to LDAP to specify LDAP as the data provider.

Property Name: Is disabled manager allowed
Keyword: AllowDisabledManagers
Default Value: FALSE
Description:

Specifies whether a user in the disabled state can be set as a manager for another user.

Property Name: Is OIM Notifications disabled (true/false)
Keyword: XL.DisableAllNotifications
Default Value: false
Description:

This property is used to enable or disable all notifications in Oracle Identity Manager. When the value of this property is set to false, notifications are enabled. When the value of this property is true, notifications are disabled.

Property Name: Is Self-Registration Allowed
Keyword: XL.SelfRegistrationAllowed
Default Value: TRUE
Description:

If the value is TRUE, then the users are allowed to self-register.

Property Name: LDAP Reservation Plugin
Keyword: XL.LDAPReservationPluginImpl
Default Value: oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID
Description:

This property determines the LDAP reservation plugin implementation to be picked up for reservation of user attributes.

Property Name: Level of Role Auditing
Keyword: XL.RoleAuditLevel
Default Value: None
Description:

This property controls the amount of audit data collected when an operation, such as creation or modification, is performed on a role. The supported levels are:

  • None: No audit data is collected.

  • Role: Creation, modification, and deletion of roles are audited.

  • Role Hierarchy: Changes made to the role inheritance are audited.

Property Name: Maximum Number of Login Attempts
Keyword: XL.MaxLoginAttempts
Default Value: 10
Description:

Determines how many consecutive times the user can attempt to log in to Oracle Identity Manager unsuccessfully before Oracle Identity Manager locks the user account.

Note: If the user account is locked, then it can be unlocked by any one of the following ways:

  • Resetting the password by using Forgot Password

  • Unlocking the user by the delegated administrator

  • Automatic unlocking after the expiry of the lock period, which is done using the Automatically Unlock User scheduled task that runs daily

Property Name: Maximum Number of Password Reset Attempts
Keyword: XL.MaxPasswordResetAttempts
Default Value: 3
Description:

Determines how many consecutive times the user can attempt to reset the password unsuccessfully before Oracle Identity Manager locks the user account.

Important: When the user account is locked, the user cannot unlock it. If this occurs, then contact the system administrator.

Property Name: Minimum length of challenge response
Keyword: XL.ResponseMinLength
Default Value: 0
Description:

This property is used to set the minimum length of answers to challenge questions.

Property Name: Notify manager with the user password reset email
Keyword: XL.NotifyPasswordGenerationToOther
Default Value: TRUE
Description:

When the value of this property is TRUE, the email notification for reset password is sent to the manager.

Property Name: Number of Correct Answers
Keyword: PCQ.NO_OF_CORRECT_ANSWERS
Default Value: 3
Description:

This value represents how many questions the user must answer correctly to reset the user's password.

Property Name: Number of Questions
Keyword: PCQ.NO_OF_QUES
Default Value: 3
Description:

Sets the number of questions that must be completed by a user who is using the Web Application to reset the user's password.

Note: The value set for PCQ.NO_OF_QUES must not be less than the value set for PCQ.NO_OF_CORRECT_ANSWERS.

Property Name: Number of records to be executed in a batch during Catalog Enrichment
Keyword: XL.CatalogEnrichmentBatchSize
Default Value: 500
Description:

This property determines how many records must be processed in a batch by the catalog job during catalog enrichment.

Property Name: OIA integration status
Keyword: OIM.IsOIAIntegrationEnabled
Default Value: FALSE
Description:

Specifies whether OIA is integrated with Oracle Identity Manager.

Set the value of this property to TRUE before you add role memberships in Oracle Identity Manager.

If the value of this property is FALSE, then incremental import of role memberships into OIA does not work.

Note: You must do a full import of role memberships at least once after this property is enabled.

Property Name: Old Password Validator
Keyword: OIM.OldPasswordValidator
Default Value: oracle.iam.identity.usermgmt.impl.ContainerLoginPasswordVerifier
Description:

The property specifies the name of the plugin class to be used for verifying old passwords.

Property Name: Organization Delete/Disable Action
Keyword: ORG.DisableDeleteActionEnabled
Default Value: FALSE
Description:

If this property is set to TRUE, then users can disable/delete the organization even if the organization contains users and suborganizations.

If this property is FALSE, then users cannot disable/delete the organization if the organization contains users and suborganizations.

The default value is FALSE.

Property Name: Organization Process Inheritance
Keyword: XL.OrganizationProcessInherit
Default Value: TRUE
Description:

If a resource is added to an organization as permitted resource, then by setting this property to TRUE, the same resource is automatically added as the permitted resource for suborganizations.

Property Name: Organization Process Restriction
Keyword: XL.OrganizationProcessRestrict
Default Value: FALSE
Description:

This property is for internal use by Oracle Identity Manager. You must not use this property.

Property Name: Organization Self-Serviceable
Keyword: ORG.SELF_SERVICEABLE_DEFAULT
Default Value: FALSE
Description:

Determines whether the default value for a process is self-serviceable and whether it is set or not.

This is used to determine which resources can be self-requested. This is the same as selecting the option from Oracle Identity Manager Design Console. The only difference is that by using this system property, it is allowed for a particular organization.

Property Name: Pending Cancelled Tasks
Keyword: XL.PendingCancelled
Default Value: true
Description:

If this property is set to TRUE and tasks are configured to allow cancellation while they are pending, then these tasks are moved to the Pending Cancelled (PX) status if the corresponding process instance is cancelled. If the property is set to FALSE, then tasks are moved to the Cancelled (X) status when the corresponding process instance is cancelled. Note that process instances are cancelled by Oracle Identity Manager when the corresponding resource instances are revoked.

Property Name: Period to Delay User Delete
Keyword: XL.UserDeleteDelayPeriod
Default Value: 0
Description:

This property is used to specify the time period before deleting a user. When this property is set and a user is deleted, the user's state is changed to disabled and "automatically delete on date" is set to current date plus the delay period.

If this property is not set, then the user is automatically deleted at the expiration of the end date by the Disable/Delete User After End Date scheduled job.

Property Name: Property dictates whether database name will be displayed
Keyword: XL.TOOLBAR_DBNAME_DISPLAY
Default Value: TRUE
Description:

If the value is TRUE, then the database name is displayed on the Design Console.

Property Name: Property to indicate whether the auditing engine should send a JMS message
Keyword: XL.SendAuditJMSMessage
Default Value: false
Description:

When the value of this property is set to True and the XL.UserProfileAuditDataCollection property is set to an audit data collection level, then the account reconciliation performs the matching in the database layer at a batch-level and performs the event action by using the provisioning APIs. This in turn triggers the audit event handlers for account reconciliation.

Note: This property is for internal use by Oracle Identity Manager. You must not use this property.

Property Name: Proxy User Email Notification
Keyword: XL.ProxyNotificationTemplate
Default Value: Notify Proxy User
Description:

The corresponding PTY_VALUE is the e-mail definition name that is sent when a proxy user is created. User gets a notification e-mail when the user is made the proxy for some other user.

Property Name: Recon Batch Size
Keyword: OIM.ReconBatchSize
Default Value: 500
Description:

This property is used to specify the batch size for reconciliation. You can specify 0 as the value for this to indicate that the reconciliation will not be performed in batches.

Note: When using trusted source reconciliation from Oracle Directory Server Enterprise Edition (ODSEE), the value of this property must not be 0. When the value is 0, users are not created in Oracle Identity Manager.

Note: You must restart Oracle Identity Manager server after setting this property.

Property Name: Record Read Limit
Keyword: XL.READ_LIMIT
Default Value: 500
Description:

Sets the maximum number of records that can be displayed in a query result set in the Oracle Identity System Administration.

Property Name: Request Notification Level
Keyword: RequestNotificationLevel
Default Value: 0
Description:

This property indicates whether or not notification is sent to the requester and beneficiary when a request is created or the request status is changed. This property can have the following values:

  • 0: The notification feature is disabled.

  • 1: Notifications are sent for every change in request status.

  • 2: Notifications are sent for request creation and change of status to any of the Request End statuses. Request End statuses include Request Failed and other failure related statuses, Request Completed, Request Withdrawn, and Request Closed.

  • 3: Email notifications are sent only on request completion.


Property Name: Reset with generated password
Keyword: XL.ResetWithGeneratedPwd
Default Value: TRUE
Description:

If a user's password is to be reset, then this property determines how the password is to be reset by the delegated administrator.

If this property is set to true, then the password is always automatically generated. If set to false, then an additional option of setting the password manually is provided.

Note: This property is not used in Oracle Identity Manager Release 2 (11.1.2) or later.

Property Name: Retry Count for recon event
Keyword: Recon.RetryCount
Default Value: 5
Description:

This property determines the reconciliation retry count. The retry count value is picked up from the value of this property.

If you specify a value that is greater than 0, then auto retry is configured. If you specify 0 as the value of this property, then auto retry is not configured.

Property Name: Role SoD Check Topology Name
Keyword: RoleSoDCheckTopologyName
Default Value: (empty)
Description:

This property is used to define the topology name which informs SIL (SoD Invocation Library) the SoD Engine to be used for performing SoD checks. The topology name is defined in the SILConfig.xml file and is a combination of an identity management system, target system and an SoD Engine.

Role SoD Check based on SIL is supported only if you are using OIA as the SoD engine. The default topology name set in the SILConfig.xml file if you are using OIA is sodoia.

If you set the value of this property to sodoia, then any request raised for roles will go through SoD Check with OIA. An SoD Check is performed only when a request for roles is raised and not in case of direct assignment.

If you want to use a topology name other than the default, then it must be defined in the SILConfig.xml file and registered with SIL. For details on registering new topology name with SIL, see "Using Segregation of Duties (SoD)" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Note: This property is used only for non-FA role SoD check.

Property Name: Search Stop Count
Keyword: XL.IDADMIN_STOP_COUNT
Default Value: 300
Description:

This property determines the maximum number of records that are displayed in the advanced search result. If the specified search criteria return more records than the value of this property, then the number of records displayed is limited to this value. In addition, a warning is displayed stating that the results exceed the maximum count and that you must refine your search with additional attributes.

Property Name: Segregation of Duties (SOD) Check Required
Keyword: XL.SoDCheckRequired
Default Value: FALSE
Description:

This property indicates whether or not Segregation of Duties (SoD) check is required.

Property Name: Send email notification based on user locale
Keyword: XL.SendEmailNotificationBasedOnUserLocale
Default Value: false
Description:

This property determines whether an email notification is sent based on the receiver's (user/manager/assignee/requestor) locale when the value is set to true. If the value is set to false, then the notification is in English irrespective of the receiver's locale.

Property Name: Should send notifications in recon or not
Keyword: Recon.SEND_NOTIFICATION
Default Value: true
Description:

Determines whether a notification is sent to the user when the user login and password are generated in the postprocess event handler for user creation via trusted source reconciliation.

If the value is set to true, then the notification is sent when the user login and password are generated in this way.

If the value is set to false, then the notification is not sent.

Property Name: Show left navigation taskflow panel in Self Service console?
Keyword: OIM.IdentityShowLeftNav
Default Value: true
Description:

This property is used to specify whether the left pane, which is the primary navigation tool, must be displayed when a user is logged in to Oracle Identity Manager Self Service.

Set the value of this property to true to display the left pane. Otherwise, set the value of the property to false.

Note:

  • If you set the value of this property to false, then you must set the value of the Show toolbar navigation in Self Service console? property to true.

  • After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.

Property Name: Shows tasks assigned to group users with highest priority or least load only
Keyword: XL.ShowTaskAssignedToGroupUserOnly
Default Value: FALSE
Description:

If the value is TRUE, then the tasks are assigned to group users with highest priority or least load only when the assignment type is Group User With Least Load.

Property Name: Show toolbar navigation in Self Service console?
Keyword: OIM.IdentityShowToolbar
Default Value: false
Description:

This property is used to specify whether the links (in the upper-right-hand corner of the page) such as Accessibility, Help, and so on must be displayed to a user logged in to Oracle Identity Self Service.

Set the value of this property to true to display the links. Otherwise, set the value of the property to false.

Note:

  • If you set the value of this property to false, then you must set the value of the Show left navigation taskflow panel in Self Service console? property to true.

  • After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.

Property Name: Skin Family for OIM UI
Keyword: OIM.SkinFamily
Default Value: DEFAULT
Description:

The ADF skin family for Oracle Identity Manager UI that the application uses at runtime. The default skin is 'skyros'. The default skin used in the UI in a fresh installation as well in an upgraded version is provided by DEFAULT, which is the default value of this property. You can change the value to:

  • fusionFX: Specifies the 'fusion' skin family.

  • CUSTOM_SKIN: Specifies that you are using custom skin for the UI. You can use any name for the custom skin, such as 'earth'.

Note: The value of this property is case-sensitive.

Property Name: Skin Version for OIM UI
Keyword: OIM.SkinVersion
Default Value: DEFAULT
Description:

The skin version, if any, for the skin family being used for Oracle Identity Manager UI.

If the skin has a version, then set trinidad-config.xml SKIN-VERSION to be the skin version of your skin. Otherwise, set the default value for this property if you want to select the skin marked to be the default for that skin family.

The default value of this property is DEFAULT, which specifies that the default skin version is being used, which is v1 of the skyros skin.

Property Name: Specifies the LDAP container mapper plug-in to be used
Keyword: LDAPContainerMapperPlugin
Default Value: oracle.iam.ldapsync.impl.DefaultLDAPContainerMapper
Description:

When Oracle Identity Manager is installed with LDAP synchronization enabled, this plug-in determines in which container users and roles are to be created. Value of this system property indicates the default Oracle Identity Manager plug-in name used for computing the container values. If the default plug-in does not meet the requirement, then you can define your own plug-in to determine the container and specify the name of the plug-in in this system property.

Note: For information about this plug-in, see "Developing LDAP Container Rules" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Property Name: Unlock Account Automatically After Time Period
Keyword: XL.UnlockAfter
Default Value: 0 days
Description:

This property is used to automatically unlock user accounts after the specified time period.

The default value is zero days, which means that users are not automatically unlocked. To unlock users based on this system property, specify the value as a non-zero positive integer.

Property Name: URL for challenge questions modification
Keyword: OIM.ChallengeQuestionsModificationURL
Default Value: NONE
Description:

When a user is locked, an automatic unlock occurs after a prescribed time period. This property defines that time period in seconds. Therefore, for example, if a user account is locked and the value of this property is 86400 seconds (one day), then the account is automatically unlocked after one day.

The value of this property is the URL within OAAM that handles the challenge questions. For example:

http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=registerQuestions

Property Name: URL for change password
Keyword: OIM.ChangePasswordURL
Default Value: NONE
Description:

This property is used in combination with the property OIM.DisableChallengeQuestions. The value of this property is the URL within OAAM that handles the change password functionality. For example:

http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=changePassword

Property Name: Use of Default Questions
Keyword: PCQ.USE_DEF_QUES
Default Value: TRUE
Description:

For customers who have customized their UI to allow end-users to set their own challenge questions, this property determines whether the user must select challenge questions from a predefined list in the Web Application, or if users are required to provide their own questions.

Note: Functionality that allows end-users to set their own challenge questions is not supported in the standard out-of-the-box user interface.

Property Name: Use Row Restriction
Keyword: XL.UseRowRestriction
Default Value: FALSE
Description:

Note: This property is for internal use by Oracle Identity Manager. You must not use this property.

Use semicolon as delimiter in API parameters

XL.UseSemiColonAsDelimiter

FALSE

This property specifies whether a semicolon is used as the delimiter for API input parameter values. Some APIs accept string input values that are separated by a semicolon. This has been changed to use a vertical bar "|" instead. To keep backward compatibility, this property can be used to go back to using semicolons. The default value is FALSE, signifying the use of "|". When set to TRUE, the input for those APIs is accepted with the semicolon as separator.

User Attribute Reservation Enabled

XL.IsUsrAttribReservEnabled

TRUE

This property is used to enable user attribute reservation.

User Id reuse property. Requires dropping the index present on USR_LOGIN column

XL.UserIDReuse

FALSE

Determines whether a deleted user account can be reused. To reuse a deleted user account, assign this property a value of TRUE and drop the unique index for the USR_LOGIN column in the USR table and create a nonunique index. To prevent a user account from being reused, assign this property a value of FALSE.

Note: It is imperative to de-provision all accounts associated with a deleted user. If you create a new user with the same user name as that of the deleted user by setting the XL.UserIDReuse property to TRUE, then the new user might get access to offline accounts of the deleted user that were not deleted as part of the de-provisioning process.

User Language

user.language

en

The user.language value is configured during installation for Locale handling at server side.

User profile audit data collection level

XL.UserProfileAuditDataCollection

Resource Form

This property controls the user profile data that is collected for audit purpose when an operation is performed on the user, such as creation, modification, or deletion of a user, role grants or revokes, and resource provisioning or deprovisioning. Depending upon the property value, such as Resource Form or None, the data is populated in the UPA table.

The audit levels are specified as values of this property. The supported levels are:

  • Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.

  • Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.

  • Resource: Audits the user record, role membership, and resource provisioning.

  • Membership: Only audits the user record and role membership.

  • Core: Only audits the user record.

  • None: No audit is stored.

User Region

user.region

US

The user.region value is configured during installation for Locale handling at server side.

User Variant

user.variant

 

The user.variant value is configured during installation for locale handling at server side.

Xellerate User resource provision mode

XLUserResource.ProvisionMode

DB

This property determines whether provisioning of the Xellerate User resource to the user's organization occurs in the database layer through stored procedure, or in the Java layer via Event Handlers.

Note: See Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about Event Handlers.

This property has the following allowed values:

  • DB: Provisioning of the Xellerate User resource to the user's organization occurs in the database layer through a stored procedure. This in turn does not trigger any further process. Therefore, custom tasks associated with the Xellerate User provisioning process, which is associated with the Xellerate User resource, do not take place.

  • Java: Provisioning of the Xellerate User resource to the user's organization occurs in the Java layer via Event Handlers. Custom tasks associated with the Xellerate User provisioning process, which is associated with the Xellerate User resource, take place. This applies to the upgrade scenario, where you have your own tasks associated with provisioning processes in earlier releases of Oracle Identity Manager and want them to run even after the 11g upgrade. In such a scenario, set the value of this property to JAVA.

Whether or not email should be validated for uniqueness

OIM.EmailUniqueCheck

TRUE

This property is available in an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) deployment that has been upgraded from an earlier release of Oracle Identity Manager.

If the value of this property is FALSE, then Email Uniqueness check is not performed by Oracle Identity Manager.

If the value is TRUE, then the Email Uniqueness check is performed by Oracle Identity Manager.

Note: If this property is not present, then Email Uniqueness check is performed by Oracle Identity Manager.


Oracle Identity Manager provides a set of system properties that are not present in the PTY table by default. You can add these system properties to the PTY table by using the Oracle Identity System Administration, and then use the properties to change some of the default settings in Oracle Identity Manager. For example, if you want to configure the number of times Oracle Identity Manager retries to get a connection when the JDBC connection fails, then you can configure the JDBC Connection Retry Attempts system property.

Table 16-2 lists the system properties you can add to the PTY table:

Table 16-2 Nondefault System Properties

Property Name Description Keyword Sample Value

OIM Database Query Retry Attempts

Number of times SQL queries are retried to handle Oracle RAC failures.

In the absence of this property in the PTY table, SQL queries for handling Oracle RAC failures are retried three times by default.

OIM.DBQueryRetryAttempts

5

OIM Database Query Retry Interval

Time in seconds after which each SQL retry takes place for Oracle RAC failures.

In the absence of this property in the PTY table, each SQL query retry occurs after 7 seconds by default.

OIM.DBQueryRetryInterval

10 seconds

JDBC Connection Retry Attempts

Number of times Oracle Identity Manager retries to get a connection when the JDBC connection fails.

In the absence of this property in the PTY table, the JDBC connection is retried three times by default.

OIM.JDBCConnectionRetryAttempts

5

When the value is 0, it means no retry.

JDBC Connection Retry Interval

Time in seconds between each JDBC connection retry.

In the absence of this property in the PTY table, each JDBC connection retry occurs at an interval of 7 seconds.

OIM.JDBCConnectionRetryInterval

10 seconds

Default Tenant GUID

In non-MT mode of Oracle Identity Manager, this property is to be set with a value that works as a tenant GUID for applications that expect a value for the tenant GUID.

In MT mode, this property is not required. This is because the tenant GUID is part of the user attributes.

OIM.DefaultTenantGUID

201

Allowed Back URLs

This property is required if you want to set up any non-OIM/OAM URLs as valid backURLs on the Track Self Registration Request page. Oracle Identity Manager validates the back URLs and redirect URLs against the list of URLs provided by this system property. The value of this property is a comma-separated list of URLs to which Oracle Identity Manager allows redirection.

XL.AllowedBackURLs

http://OIM_HOST:OIM_PORT/
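As an added example (not Oracle documentation or product code), the following Python functions parse a value in the comma-separated XL.AllowedBackURLs format and check a candidate back URL against it on parsed scheme, host, effective port and normalized path, rather than on a raw string prefix; the hostnames, ports and property value are constructed placeholders.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample value in the comma-separated format of XL.AllowedBackURLs.
# The hostnames and ports are placeholders for this example, not real deployment values.
ALLOWED_BACK_URLS = "http://oim.example.com:14000/, https://portal.example.com/apps/"


def _normalize_path(path):
    """Collapse '.' and '..' segments so /apps/../admin is compared as /admin."""
    norm = posixpath.normpath(path or "/")
    return norm if norm.startswith("/") else "/" + norm


def parse_allowed_back_urls(value):
    """Turn the property value into (scheme, host, port, path) tuples, one per entry."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"allowlist entry must be an absolute http(s) URL: {raw!r}")
        entries.append((parts.scheme, parts.hostname.lower(), parts.port,
                        _normalize_path(parts.path)))
    return entries


def is_allowed_back_url(candidate, allowed):
    """Return True only if the candidate lies under one of the allowlisted URLs.

    The comparison uses parsed components: a plain string-prefix test would
    accept look-alike hosts, while this rejects anything whose scheme, host,
    effective port or normalized path differs from every entry.
    """
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # relative, scheme-less or non-http(s) values are never accepted
    try:
        port = parts.port
    except ValueError:
        return False  # malformed port component
    host = parts.hostname.lower()
    path = _normalize_path(parts.path)
    for scheme, a_host, a_port, a_path in allowed:
        default_port = 443 if scheme == "https" else 80
        if scheme != parts.scheme or host != a_host:
            continue
        if (port or default_port) != (a_port or default_port):
            continue
        if a_path == "/" or path == a_path or path.startswith(a_path + "/"):
            return True
    return False
```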


16.2 Creating and Managing System Properties

This section discusses the following topics:

16.2.1 Creating System Properties

Oracle Identity Manager provides you with the capability of creating your own system properties. You can create system properties according to your requirements if you choose not to use any of the predefined system properties listed in "System Properties in Oracle Identity Manager".

You can create a system property by using the Create System Property page in Oracle Identity Manager Administration. You can open this page only if you are authorized to create system properties.

While creating a system property, you specify values for the Property Name, Keyword, and Value fields. These values are saved in the PTY table of the Oracle Identity Manager database.

To create a system property:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Management, click System Configuration. The Advanced Administration is displayed with the System Configuration section of the System Management tab active.

  3. On the left pane, from the Actions menu, select Create. Alternatively, you can click the create icon on the toolbar. The Create System Property page is displayed, as shown in Figure 16-1:

    Figure 16-1 Create System Property Page


  4. On the Create System Property form, enter details of the system property. Table 16-3 describes the fields of this form.

    Table 16-3 Fields of the Create System Property Form

    Field Description

    Property Name

    Enter a name of the system property.

    Keyword

    Enter a unique ID for the system property. You can enter the keyword in any format.

    Note: The property name can be translated to various locales, but the keyword cannot be translated.

    Value

    Enter a value for the system property, for example, 4.


  5. Click Perform to create the system property. A message confirming that the system property has been created is displayed. For the new system property that is created, by default, the data level is set to 2 and login_required is set to true.

    After the system property is created, you can use SQL to set the values for the following system property fields that are automatically added to the system property recorded in the PTY table of the database:

    • Data Level: Every system property has a data level associated with it. The data level determines the operations that can be performed on the system property. For example, a data level value of 1 indicates that the system property can neither be modified nor deleted. The default value of this field is 2.

      The data level field cannot be modified by using the UI. It can only be modified by using a SQL script. Table 16-4 lists and describes the various data levels associated with a system property.

      Table 16-4 Data Levels Associated with a System Property

      Data Level Description

      0

      Indicates that the system property can be modified or deleted

      1

      Indicates that the system property cannot be modified or deleted

      2

      Indicates that the system property can only be modified

      3

      Indicates that a system property can only be deleted


    • Log In Required: This field specifies whether or not a login is required to access the system property. The default value of this field is 1, which means that a login is required to access the system property. You can change the value of this field to 0 by using a SQL script.

    • LKU_KEY: This field determines the set of values that can be specified in the Value field of a system property. The default value of this field for a newly created system property is null.

      Oracle Identity Manager represents sets using two tables, the LKU and LKV tables. The LKU table holds keys that identify each set. The LKV table defines the members of each set: each row in the LKV table uses one column to identify the set (an LKU_KEY column matching the LKU table), and another column to declare a value that is a member of that set.

      LKU_KEY is a column in the LKU table of the Oracle Identity Manager database. For a system property with a non-null value in the LKU_KEY column, the values you can insert in the Value field come from the predefined set of values in the LKV table. This is done by using a SQL script to set any valid LKU_KEY column value from the LKU table, which associates multiple values with the system property. See Step 8 for more details.

  6. If you want to modify the data level of the system property, then run the following SQL statement:

    UPDATE PTY SET PTY_DATA_LEVEL=DATA_LEVEL_VALUE WHERE PTY_KEYWORD = SYSTEM_PROPERTY_KEYWORD;

    In this SQL statement:

    • DATA_LEVEL_VALUE is any value listed in the Data level column of Table 16-4.

    • SYSTEM_PROPERTY_KEYWORD is the unique ID for the system property that you entered in the Keyword field in Step 4.

    Note:

    A special character such as the period (.) is not allowed at the beginning or end of the Keyword field while creating or updating a system property. In the Value field, special characters are allowed at the beginning or end.
  7. If you want to modify the value of the Log In Required field, then run the following command:

    UPDATE PTY SET PTY_LOGINREQUIRED=LOGIN_REQUIRED_VALUE WHERE PTY_KEYWORD = SYSTEM_PROPERTY_KEYWORD;

    In this command:

    • LOGIN_REQUIRED_VALUE can take a value of either 0 or 1.

      If a login is required for accessing the system property, then enter 1. Otherwise, enter 0.

    • SYSTEM_PROPERTY_KEYWORD is the unique ID for the system property that you entered in the Keyword field in Step 4.

  8. If you want to define the set of values that can be specified in the Value field of a system property, then run the following commands:

    1. Run the following command to insert a row into the LKU table:

      INSERT INTO LKU (LKU_KEY, LKU_LOOKUP_KEY, LKU_TYPE, LKU_GROUP, LKU_REQUIRED, LKU_TYPE_STRING_KEY, LKU_FIELD, LKU_DATA_LEVEL, LKU_CREATE, LKU_CREATEBY, LKU_UPDATE, LKU_UPDATEBY, LKU_NOTE, LKU_ROWVER) VALUES (LKU_KEY_VALUE, LKU_LOOKUP_KEY_VALUE,...);
      

      For example, if you want to update a set of values for the Title field, then run the following INSERT statement:

      INSERT INTO LKU (LKU_KEY, LKU_LOOKUP_KEY, LKU_TYPE, LKU_GROUP, LKU_REQUIRED, LKU_TYPE_STRING_KEY, LKU_FIELD, LKU_DATA_LEVEL, LKU_CREATE, LKU_CREATEBY, LKU_UPDATE, LKU_UPDATEBY, LKU_NOTE, LKU_ROWVER) VALUES (201, 'Title', ...);
      

      Here, LKU_KEY_VALUE is 201, which uniquely identifies the record in the LKU table, and LKU_LOOKUP_KEY_VALUE is Title.

      Note:

      You must insert a record in the LKU table before inserting any record in the LKV table because the value of LKU_KEY is used in the LKV insert statement.
    2. Run the following command to insert a row into the LKV table:

      INSERT INTO LKV (LKV_KEY, LKU_KEY, LKV_ENCODED, LKV_DECODED, LKV_LANGUAGE, LKV_COUNTRY, LKV_VARIANT, LKV_DISABLED, LKV_DATA_LEVEL, LKV_CREATE, LKV_CREATEBY, LKV_UPDATE, LKV_UPDATEBY, LKV_NOTE, LKV_ROWVER) VALUES (LKV_KEY_VALUE, LKU_KEY_VALUE, LKV_ENCODED_VALUE, LKV_DECODED_VALUE, ...);
      

      For example, to define the set of values for the Title field as Mr, Ms, and Dr, run the following INSERT statements:

      INSERT INTO LKV (LKV_KEY, LKU_KEY, LKV_ENCODED, LKV_DECODED, LKV_LANGUAGE, LKV_COUNTRY, LKV_VARIANT, LKV_DISABLED, LKV_DATA_LEVEL, LKV_CREATE, LKV_CREATEBY, LKV_UPDATE, LKV_UPDATEBY, LKV_NOTE, LKV_ROWVER) VALUES (1001, 201, 'Ms', 'Miss', ...);
      
      INSERT INTO LKV (LKV_KEY, LKU_KEY, LKV_ENCODED, LKV_DECODED, LKV_LANGUAGE, LKV_COUNTRY, LKV_VARIANT, LKV_DISABLED, LKV_DATA_LEVEL, LKV_CREATE, LKV_CREATEBY, LKV_UPDATE, LKV_UPDATEBY, LKV_NOTE, LKV_ROWVER) VALUES (1002, 201, 'Mr', 'Mister', ...);
      
      INSERT INTO LKV (LKV_KEY, LKU_KEY, LKV_ENCODED, LKV_DECODED, LKV_LANGUAGE, LKV_COUNTRY, LKV_VARIANT, LKV_DISABLED, LKV_DATA_LEVEL, LKV_CREATE, LKV_CREATEBY, LKV_UPDATE, LKV_UPDATEBY, LKV_NOTE, LKV_ROWVER) VALUES (1003, 201, 'Dr', 'Doctor', ...);
      

      In this example:

      • LKV_KEY_VALUE is 1001, 1002, and 1003 respectively, which uniquely identify the records in the LKV table

      • LKV_ENCODED_VALUE is Ms, Mr, and Dr respectively

      • LKV_DECODED_VALUE is Miss, Mister, and Doctor respectively

      See Also:

      "Configuring Custom Attributes" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the LKU and LKV tables
    3. Run the following command to update the value of the LKU_KEY column in the PTY table:

      UPDATE PTY SET LKU_KEY=LKU_KEY_COLUMN_IN_THE_LKV_TABLE WHERE PTY_KEYWORD = SYSTEM_PROPERTY_KEYWORD;

      In this command:

      • LKU_KEY_COLUMN_IN_THE_LKV_TABLE is the value of the LKU_KEY column in the LKV table.

      • SYSTEM_PROPERTY_KEYWORD is the unique ID for the system property that you entered in the Keyword field in Step 4.

        Note:

        If you want to view the changes in Oracle Identity Manager Advanced Administration, then you must run purge cache immediately after modifying a system property by using Microsoft SQL.
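The following added Python example (not Oracle code) replays the SQL side of Steps 5 to 8 against an in-memory SQLite copy of a reduced PTY, LKU and LKV schema, and applies the Table 16-4 data-level rules together with the allowed-value check and the deletion rule described under "Modifying System Properties" and "Deleting System Properties". The reduced schema, the column names PTY_NAME and PTY_VALUE, and the keyword XL.ExampleDefaultTitle are assumptions made for the example.

```python
import sqlite3

# Reduced schema, constructed for this example: only the columns the procedure names are
# modelled, plus the assumed column names PTY_NAME and PTY_VALUE for the Property Name
# and Value fields.
SCHEMA = """
CREATE TABLE PTY (PTY_NAME TEXT, PTY_KEYWORD TEXT PRIMARY KEY, PTY_VALUE TEXT,
                  PTY_DATA_LEVEL INTEGER NOT NULL DEFAULT 2,
                  PTY_LOGINREQUIRED INTEGER NOT NULL DEFAULT 1, LKU_KEY INTEGER);
CREATE TABLE LKU (LKU_KEY INTEGER PRIMARY KEY, LKU_LOOKUP_KEY TEXT NOT NULL);
CREATE TABLE LKV (LKV_KEY INTEGER PRIMARY KEY, LKU_KEY INTEGER NOT NULL,
                  LKV_ENCODED TEXT NOT NULL, LKV_DECODED TEXT NOT NULL,
                  LKV_DISABLED INTEGER NOT NULL DEFAULT 0);
"""
# Table 16-4, as data level -> (may be modified, may be deleted)
DATA_LEVELS = {0: (True, True), 1: (False, False), 2: (True, False), 3: (False, True)}
CANNOT_DELETE_MSG = "The security level for this data item indicates that it cannot be deleted."
KEYWORD = "XL.ExampleDefaultTitle"  # constructed keyword, not a real OIM property


def setup_example():
    """Create the tables and replay the SQL side of Steps 5 to 8 for one property."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Step 5: a newly created property defaults to data level 2 and login_required 1.
    conn.execute("INSERT INTO PTY (PTY_NAME, PTY_KEYWORD, PTY_VALUE) VALUES (?, ?, ?)",
                 ("Default Title", KEYWORD, "Mr"))
    # Steps 8.1 and 8.2: the Title set (LKU_KEY 201) and its three members from the page.
    conn.execute("INSERT INTO LKU (LKU_KEY, LKU_LOOKUP_KEY) VALUES (201, 'Title')")
    conn.executemany(
        "INSERT INTO LKV (LKV_KEY, LKU_KEY, LKV_ENCODED, LKV_DECODED) VALUES (?, 201, ?, ?)",
        [(1001, "Ms", "Miss"), (1002, "Mr", "Mister"), (1003, "Dr", "Doctor")])
    # Step 8.3: point the property at the set.
    conn.execute("UPDATE PTY SET LKU_KEY = 201 WHERE PTY_KEYWORD = ?", (KEYWORD,))
    conn.commit()
    return conn

def property_row(conn, keyword):
    row = conn.execute("SELECT PTY_VALUE, PTY_DATA_LEVEL, PTY_LOGINREQUIRED, LKU_KEY "
                       "FROM PTY WHERE PTY_KEYWORD = ?", (keyword,)).fetchone()
    if row is None:
        raise KeyError(keyword)
    return {"value": row[0], "data_level": row[1], "login_required": row[2], "lku_key": row[3]}

def allowed_values(conn, keyword):
    """Encoded members of the property's LKV set, or None when LKU_KEY is null (any value)."""
    lku_key = property_row(conn, keyword)["lku_key"]
    if lku_key is None:
        return None
    rows = conn.execute("SELECT LKV_ENCODED FROM LKV WHERE LKU_KEY = ? AND LKV_DISABLED = 0 "
                        "ORDER BY LKV_KEY", (lku_key,)).fetchall()
    return [r[0] for r in rows]

def set_value(conn, keyword, value):
    """Modify the Value field, enforcing the data level and the allowed-value set."""
    row = property_row(conn, keyword)
    if not DATA_LEVELS[row["data_level"]][0]:
        raise PermissionError(f"data level {row['data_level']} forbids modifying {keyword}")
    allowed = allowed_values(conn, keyword)
    if allowed is not None and value not in allowed:
        raise ValueError(f"{value!r} is not one of the allowed values {allowed}")
    conn.execute("UPDATE PTY SET PTY_VALUE = ? WHERE PTY_KEYWORD = ?", (value, keyword))
    conn.commit()

def set_data_level(conn, keyword, level):
    """Step 6: the data level can only be changed with SQL, never through the UI."""
    if level not in DATA_LEVELS:
        raise ValueError("data level must be 0, 1, 2 or 3")
    conn.execute("UPDATE PTY SET PTY_DATA_LEVEL = ? WHERE PTY_KEYWORD = ?", (level, keyword))
    conn.commit()

def delete_property(conn, keyword):
    """Delete the property; only data levels 0 and 3 permit it."""
    if not DATA_LEVELS[property_row(conn, keyword)["data_level"]][1]:
        raise PermissionError(CANNOT_DELETE_MSG)
    conn.execute("DELETE FROM PTY WHERE PTY_KEYWORD = ?", (keyword,))
    conn.commit()
```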

16.2.2 Purging Cache

Whenever you make any change to a system property by using any method other than the Advanced Administration, you must run purge cache to get the changes reflected in Oracle Identity Manager.

To clear the server cache:

  1. Depending on the operating system being used, navigate to the following directory:

    • For Microsoft Windows:

      OIM_HOME\server\bin\

    • For UNIX:

      OIM_HOME/server/bin/

  2. Run one of the following commands:

    • For Microsoft Windows:

      PurgeCache.bat CATEGORY_NAME
      
    • For UNIX:

      sh PurgeCache.sh CATEGORY_NAME
      

    The CATEGORY_NAME argument represents the Oracle Identity Manager category name that is to be purged, for example, FormDefinition.

    To purge all the categories, pass a value of "All" to the PurgeCache utility. It is recommended to clear all the categories.

    sh PurgeCache.sh All
    

16.2.3 Searching for System Properties

Oracle Identity Manager Advanced Administration allows you to perform the following types of search operations for system properties:

16.2.3.1 Performing a Simple Search

To perform a simple search for system properties:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Management, click System Configuration. Alternatively, you can click the System Management tab, and then click System Configuration in Advanced Administration.

  3. In the left pane, enter a search criterion in the Search field for the system property that you want to search. You can include wildcard characters (*) in your search criterion.

    If you search without any value or with the wildcard character * in the Search field, then all the system properties are displayed. You can filter your search by combining characters with the wildcard character. For example, to search for all system properties starting with p, enter p* in the Search field.

  4. Click the icon next to the Search field. A list of all system properties that meet the search criterion is displayed, as shown in Figure 16-2.

    Figure 16-2 List of System Properties


    The search results table displays the system property names and keywords. You can click a property name to open the details for the system property.

16.2.3.2 Performing an Advanced Search

To perform an advanced search for system properties:

  1. In the left pane of the System Configuration section, click Advanced Search. The Properties: Advanced Search page is displayed.

  2. In the list adjacent to the Property Name field, select a search condition.

  3. In the Property Name field, enter a search criterion for the system property that you want to search. You can include wildcard characters (*) in your search criterion. Select the search conditions in the list adjacent to the fields. The search conditions include Begins with, Contains, Does not begin with, Does not contain, Does not end with, Does not equal, Ends with, Equals, Is not present, and Is present.

  4. Click Search. The system properties that match the search criterion are displayed in the search results table, as shown in Figure 16-3:

    Figure 16-3 Advanced Search Result


    The search result displays key, property name, keyword, value, allowed value, and data level for each system property.

16.2.4 Modifying System Properties

A modify operation lets you modify an existing system property by using the System Property Detail page. If any system property is tagged with a set of allowed values, then you must specify a value from that set only.

Note:

While modifying a system property that has multiple values attached to it, a message is displayed if the modified value is not part of the values defined in the LKU and LKV tables. For information about associating multiple values with a system property, see Step 8 of "Creating System Properties".

You cannot modify the Property Name and Keyword fields of a system property created in a non-English locale. As a workaround, delete the existing system property and create a new one with the desired values.

In an English locale, non-ASCII characters are allowed in a system property name. When you modify the name of a system property to include non-ASCII characters, you must ensure the following if you want the changes to be translated into other languages:

As the translation bundles (.properties file) are not automatically updated, you must update the .properties file corresponding to the language into which you want the name to be translated. The value of the Property Name field of a system property is the translation key for all translation bundles. If the system property name contains a space, then you must replace the space with the tilde (~) character. This is illustrated by the following example:

Suppose you change the name of a system property to "Direct Provisioning vs Request for Access Policy Conflicts" in an English locale. Now suppose you want this to be translated to Italian. The given key and translation value in the translation bundle for Italian are as follows:

Direct~Provisioning~vs~Request~for~Access~Policy~Conflicts = Provisioning diretto rispetto a richiesta di conflitti dei criteri di accesso

Change the above entry to:

Konflikt~zwischen~direktem~Provisioning~und~Anforderung~von~Zugriffs-Policy~XL = Provisioning diretto rispetto a richiesta di conflitti dei criteri di accesso

To modify a system property:

  1. Search for the system property that you want to modify.

  2. In the Property Name column of the search results table, click the system property that you want to modify.

    The System Property Details page is displayed, as shown in Figure 16-4.

    Figure 16-4 System Property Detail Page


  3. If you want to modify the Property Name, Keyword, and Value fields, then perform Step 4 of "Creating System Properties".

  4. If you want to modify the Log In Required field, then perform Step 7 of "Creating System Properties".

  5. If you want to modify the Allowed Values column, then perform Step 8 of "Creating System Properties".

  6. If you want to modify the data level associated with a system property, then perform Step 6 of "Creating System Properties".

  7. Click Save to save the changes made.

    A message confirming that the system property has been modified is displayed.

16.2.5 Deleting System Properties

To delete a system property:

Note:

You can delete a system property only if the data level of that system property is set to either 0 or 3. While deleting a system property, the following message is displayed if the data level associated with the system property does not permit deletion:
The security level for this data item indicates that it cannot be deleted.

For a description of the data levels, see Table 16-4, "Data Levels Associated with a System Property".

  1. In the Advanced Administration, click the System Management tab and then click System Configuration.

  2. On the left pane, search for the system property that you want to delete.

  3. In the Property Name column of the search results table, select the system property that you want to delete.

  4. From the Actions menu, select Delete. A message is displayed asking for confirmation. Click OK.

  5. A message is displayed confirming that the system property has been deleted. Click OK.