Configuring Oracle Identity Governance

18 Configuring Oracle Identity Governance

You can control the behavior of various Oracle Identity Governance components by using system properties. Managing system properties involve understanding the predefined and configurable system properties, searching and modifying the system properties, and configuring various components and the identity provider by using the system properties.

This content applies only to OIG Bundle Patch 12.2.1.4.220703 and releases earlier to July 22 Bundle Patch.

This chapter describes how to configure Oracle Identity Governance deployment by using system configuration properties. It contains the following sections:

18.1 About System Properties

System Properties are entities that lets you control the configuration of Oracle Identity Manager.

System properties define the characteristics that control the behavior of Oracle Identity Manager. You can define the functionality of user interfaces, such as the Oracle Identity Manager Self Service and Oracle Identity Administration, by using system properties. For example, you can define the number of consecutive attempts the user can make to login to Oracle Identity Manager unsuccessfully before Oracle Identity Manager locks the user account. In other words, a system property is an entity by which you can control the configuration of Oracle Identity Manager.

18.2 Types of System Properties

Various system properties are predefined in the PTY table of the database. In addition, you can add some system properties to the PTY table.

This section describes the different types of system properties in the following topics:

18.2.1 Default System Properties in Oracle Identity Governance

Default system properties are predefined in the PTY table. Each system property has a keyword and default value.

Table 18-1 describes default system properties in Oracle Identity Governance.

Table 18-1 Default System Properties in Oracle Identity Governance

Property Name	Keyword	Default Value	Description
Access Policy Revoke If No Longer Applies Enhancement	XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement	FALSE	Determines if the Revoke if no longer applies flag in access policy is applicable. If the value is true, then this flag is applicable to child table data (entitlements) along with parent data. The user can determine if child data must be removed or retained when access policy no longer applies to user based on this flag. If the value if false, then child table data (entitlements) are always removed after access policy is no longer applied. Note: This property is not used in Oracle Identity Manager Release 2 (11.1.2) or later.
Allows access policy based provisioning of multiple instances of a resource	XL.AllowAPBasedMultipleAccountProvisioning	FALSE	Determines if multiple instances of a resource can be provisioned to multiple target resources. When the value is false, provisioning multiple instances of resource object via access policy is not allowed. When the value is true, provisioning multiple instances of resource object via access policy is allowed.
Allows control over role hierarchical access policy evaluation	XL.AllowRoleHierarchicalPolicyEval	FALSE	This property is used to control allowing role hierarchical access policy evaluation. When this system property is set to TRUE, access from inherited access policies is given to the user. If set to FALSE, access from access policies attached to inherited roles is not given to the user.
Allows linking of access policies to reconciled and bulk loaded accounts	XL.AllowAPHarvesting	FALSE	Determines if access policy engine can link access policies to reconciled accounts and to accounts created by the Bulk Load Utility. This property is used in the context of evaluating access policies for reconciled accounts and to accounts created by the Bulk Load Utility. Note: This property is used in Oracle Identity Manager 11g Release 2 (11.1.2.2.0) or later.
Allows linking of access policies to Direct Provisioned accounts	XL.APHarvestDirectProvisionAccount	FALSE	This property is used to link access policies to accounts that are provisioned through Direct Provisioning. When this system property is set to True, the account which is provisioned through Direct Provisioning is linked to the Access Policy based provisioned account. If set to FALSE, then the account which is provisioned through Direct Provisioning is not linked to the Access Policy based provisioned account.
Allows linking of access policies to request based accounts	XL.APHarvestRequestAccount	FALSE	This property is used to link access policies to accounts that are provisioned through Request Provisioning. When this system property is set to True, the account which is provisioned through Request Provisioning is linked to the Access Policy based provisioned account. If set to FALSE, then the account which is provisioned through Request Provisioning is not linked to the Access Policy based provisioned account.
XL.APHarvesting.AllowAccountDataUpdate	XL.APHarvesting.AllowAccountDataUpdate	FALSE	This property is used to update the account data with the policy defaults for the accounts linked to the access policies. When this system property is set to True, the account data is updated with the policy defaults for the accounts linked to access policy. If set to False or if the system property does not exist, the account data is not updated. Note: This system property is available only after you apply Oracle Identity Governance Bundle Patch 12.2.1.4.201011.
Do not evaluate Access policy for disabled user	XL.DoNotEvaluateAPForDisableUsers	FALSE	If the value is set to TRUE, then disabled users are not evaluated for Evaluate User Policies by Access Policy. If the value is set to FALSE, then disabled users are evaluated by Evaluate User Policies Scheduler Job. Note: This system property is available only after you apply Oracle Identity Governance Bundle Patch 12.2.1.4.211010.
Are challenge questions disabled in OIM	OIM.DisableChallengeQuestions	FALSE	Determines if challenge questions are enabled or disabled when a user logs in to Oracle Identity Manager for the first time. When value is False, challenge questions are enabled. When value is True, challenge questions are disabled. This property is primarily used in the context of Oracle Adaptive Access Manager (OAAM) configuration. When the value is TRUE, the challenge questions are handled by OAAM. When the value is FALSE, then PWR.PWR_CHA_POLICY_ENABLED is honored to determine if challenge policy is enabled or not.
Catalog Additional Application Details Task Flow	CatalogAdditionalApplicationDetailsTaskFlow	/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tf	A custom task flow is to be displayed when an application is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Additional Entitlement Details Task Flow	CatalogAdditionalEntitlementDetailsTaskFlow	/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tf	A custom task flow is to be displayed when an entitlement is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Additional Role Details Task Flow	CatalogAdditionalRoleDetailsTaskFlow	/WEB-INF/oracle/iam/ui/common/tfs/empty-tf.xml#empty-tfs	A custom task flow is to be displayed when a role item is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
Catalog Advanced Search Maximum Applications	CatalogAdvancedSearchMaxApps	15	In the default form for catalog advanced search, you can search for entitlements by specifying the list of applications to search from. This system property controls the maximum number of applications that can be selected for entitlement search.
Catalog Advanced Search Taskflow	CatalogAdvancedSearchTaskflow	/WEB-INF/oracle/iam/ui/catalog/tfs/catalog-advanced-search-tf.xml#catalog-advanced-search-tf	Determines the taskflow used for catalog search. If you create custom taskflow for catalog search, then change the value of this property to the complete path of the custom taskflow.
Catalog Attributes for Sorting Search Results	CatalogSortAttributes	ENTITY_DISPLAY_NAME; ENTITY_TYPE	This property determines the attributes that will be displayed in the Sort By drop down in the catalog results tab.
Catalog Audit Data Collection	XL.CatalogAuditDataCollection	none	Determines if catalog auditing is enabled or disabled. The default value is `none`, which specifies that catalog auditing in disabled. To enable catalog auditing, set the value of this property to `catalog`.
Category count option can be 0, 1 or 2	CATALOG.CATEGORY_COUNT_OPTION	2	Determines what is displayed in the Category count block. If the value is 0, then Category Count block is deactivated. If the value is 1, then distinct categories across the system are displayed without respective category count. If the value is 2, then Categories with count are displayed. Note: It is recommended that the values be modified in cases they are observing poor Catalog Search performance.
Catalog Regex for special characters	Catalog.SpecialCharacterRegex	[^\w]	Enables text parsing and escaping of special characters when performing a catalog search by using some special characters. If you do not want any text parsing and escaping of special characters, then change the value of this property to `[^\w^\W]`.
Catalog search MAX result size. Default value is -1 which means return all	XL.CatalogSearchResultCap	-1	When the data is huge in the request catalog and you encounter any issue with the performance of the catalog, you can change the value of this system property and provide some reasonable values, such as 500. As a result, catalog search will not return more than the specified value. If the value is -1, then no result size limit is applied on the catalog search result.
Catalog Searchable UDF In Tags	CATALOG.SearchableUdfInTags	FALSE	If want to use searchable UDF in TAGS, then you can set the value of this property to TRUE. Then, you can run the scheduled task in recalculate tags mode and searchable UDF values will be part of the TAGS column. The same value can be used in keyword search.
Catalog Table Rows To Display Size	CatalogTableRowsToDisplaySize	10	This property is used to control the number of rows displayed in all tables found in all catalog-related pages. Note: The value of this system property must be less than or equal to 50.
CommonName generation plugin	XL.DefaultCommonNamePolicyImpl	oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy	Determines the common name generation plugin to generate common name.
Compiler Path for Connectors	XL.CompilerPath	JAVA_HOME	Specifies the Java home depending on the application server. Note: If the path of the JDK directory is not included in the System Path variable, then you must set the path of the JDK directory in the XL.CompilerPath system property. If this is not done, then an error is encountered during the adapter compilation stage of the process performed when you import an XML file by using the Deployment Manager.
Compute and Persist Min Age On Password Change	ComputePersistMinAgeOnPasswordChange	proactive	Password minimum age calculation has two modes, proactive and reactive mode. In proactive, where minimum age date is calculated at password change time, any subsequent change to the user's applicable password policy's minimum age property will not be honored until the next password change, where as with the reactive approach, policy changes will be applied immediately. To enable proactive or reactive approach, system property Compute Persist Min Age On Password Change is introduced.
Control allowing Request Data to Prepopulate Adapters	XL.AllowRequestDataToPrepopAdapter	FALSE	This property is used to control the order of preference for populating the process form data during provisioning. If this property is set to TRUE, pre-populate adapters data will take precedence over access policy or request data. That is access policy or request data will be overridden with pre-populate adapters data. If the property is set to FALSE, access policy or request data will have precedence over pre-populate adapters data.
Copy manager of user also for create user email notification	XL.NotifyUserCreateToOther	TRUE	Copies the user's manager in the email notification that is sent when a user is created.
Data Collection Session ID	XL.DataCollectionSessionID	dummy	Specifies the session ID of the current Oracle Identity Analytics (OIA) Data collection session.
Data Collection Status	XL.DataCollectionStatus	FINALIZED	Specifies the status of the current OIA data collection session.
DB Diagnostic Level for Data Truncate	OIM.DBDiagnosticLevelDataTrunc	NONE	This property controls the amount of diagnostic logging for Complete Nuke Cleanup operation. The values can be: NONE: No information is collected to debug the complete nuke cleanup operation. This is the default value. FINEST: Fine-grained information is collected to debug the complete nuke cleanup operation.
DB Diagnostic Level for Offline Data Purges	OIM.DBDiagnosticLevelOffPurge	NONE	This property controls the amount of diagnostic logging for Offline Data Purge operation. The values can be: NONE: No information is collected to debug the offline data purge operation. This is the default value. FINEST: Fine-grained information is collected to debug the offline data purge operation.
DB Diagnostic Level for OIM GDPR support	OIM.DBDiagnosticLevelGdprSupp	NONE	This property is used to enable or disable detailed logging in database. The values can be: NONE: Logging is disabled. This is the default value. FINEST: Logging is enabled.
DB Diagnostic Level for OIM Mview Legacy Data Migration	OIM.DBDiagnosticLevelMviewMig	NONE	This property defines the DB diagnostic level for OIG materialized view legacy data migration. The values can be: NONE: Logging is disabled. This is the default value. FINEST: Logging is enabled.
DB Diagnostic Level for MView creation for BIP report	OIM.DBDiagnosticLevelMviewBIP	NONE	This property defines the DB diagnostic level for Mview creation for BIP reports. The values can be: NONE: Logging is disabled. This is the default value. FINEST: Logging is enabled.
DB Diagnostic Level for Online Data Purge	OIM.DBDiagnosticLevelDataPurge	NONE	This property controls the amount of diagnostic logging and debugging required in PL/SQL layer during OIM Data Purge scheduled task operation. The values can be: NONE: No information is collected to debug the online data purge operation in PL/SQL layer. This is the default value. FINEST: Fine-grained information is collected to debug the online data purge operation in PL/SQL layer.
DB Diagnostic Level for Recon	OIM.DBDiagnosticLevelRecon	INFO	This property controls the amount of diagnostic logging and debugging required in PL/SQL layer during reconciliation operations. The values can be: INFO: Coarse-grained level information is collected to debug the reconciliation operation in PL/SQL layer. This is the default value. FINE: Fine-grained information is collected to debug the reconciliation operation in PL/SQL layer. FINEST: Fine-grained information along with data for collection variables used as input to Stored Program Units is collected to debug the reconciliation operation in PL/SQL layer. NONE: No information is collected to debug the reconciliation operation in PL/SQL layer.
DB Diagnostic Level for Online Recon Exceptions Purge	OIM.DBDiagnosticLevelRecx	NONE	This property controls the amount of diagnostic logging and debugging required in PL/SQL layer during Recon Exceptions Purge operation. The values can be: INFO: Coarse-grained level information is collected to debug the Recon Exceptions Purge operation in PL/SQL layer. FINE: Fine-grained information is collected to debug the Recon Exceptions Purge operation in PL/SQL layer. FINEST: Fine-grained information along with data for collection variables used as input to Stored Program Units is collected to debug the Recon Exceptions Purge operation in PL/SQL layer. NONE: No information is collected to debug the Recon Exceptions Purge operation in PL/SQL layer. This is the default value.
Default Date Format	XL.DefaultDateFormat	yyyy/mm/dd hh:mm:ss z	When creating reconciliation events by calling the APIs and date format is not passed as one of the arguments to the API, Oracle Identity Manager assumes that all the date field values are specified in Default Date Format.
Default policy for username generation	XL.DefaultUserNamePolicyImpl	oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy	Determines the username policy to use when generating a username.
Default user name domain	XL.UserNameDomain	oracle.com	This property is used by the DefaultComboPolicy to generate a user name in e-mail format.
Disable Catalog Blank Search	CATALOG.DISABLE_BLANK_SEARCH	True	This property is used to enable or disable blank text search in Catalog. If the value is True, then blank text search is disabled. If the value is False, then blank text search is enabled. Note: Catalog search functionality can run slow depending upon the volume of data in the system. It is recommended to disable blank search functionality to improve search performance.
Disabling Default Search of UI pages	OIG.DisableDefaultTableSearches	FALSE	This property is used to enable or disable blank text search in the Users, Roles, Organizations, and Administration Roles page. If the value is TRUE, then blank text search is enabled. If the value is FALSE, then blank text search is disabled.
Display Certification or Attestation	OIM.ShowCertificationOrAttestation	attestation	This property has been superseded by the `Identity Auditor Features Enabled` system property, and attestation is no longer supported. Note: In this release, this property is not used as Attestation is not supported. This property is superceded by the `Identity Auditor Features Enabled` system property.
DM Global Search Result Size	DMGlobalSearchResultSize	100	This system property controls the number of records displayed for deployment manager global search result. If incorrect or non-numeric value is set, then default value is considered. Note: It is recommended that the value of this system property is less than 1000.
Does user have to provide challenge information during registration	PCQ.PROVIDE_DURING_SELFREG	TRUE	If the value is TRUE, then users will have to provide challenge information during registration.
Email Server	XL.MailServer	Email Server	Name of the e-mail server. Note: After modifying the Email Server system property value, you must restart the server for the change to take effect.
Email URL token expiration time (in days)	OIM_EMAIL_URL_EXPIRE_TIME	1	This system property determines the time until when the forgot password Email link is valid.
Email Validation Pattern	XL.EmailValidationPattern	[A-Za-z0-9\.\_\#\!\$\&\'\*\/\=\?\^\`\{\}\~\\|\%\+\-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}	This property contains the regular expression used to validate the email ID of a user.
Enable disabled resource instances when a user is enabled	XL.EnableDisabledResources	TRUE	If the value is TRUE, then the disabled resource instances are enabled when a user is enabled.
Enable email notification based password reset	OIM_ENABLE_EMAIL_SEC_FEAT	True	This property is used to enable Email notification for forgot password. If this property is set to False, then the feature is disabled.
Enable Exception Reports	XL.EnableExceptionReports	TRUE	This property is used to enable the exception reporting feature. Exception reporting is enabled only if the value is set to TRUE.
Enable User Login Validation	XL.ValidateWhiteSpace	FALSE	This property enforces the validation of the user login for special characters.
Evaluate LDAP Container Rules for Entity Modification	LDAPEvaluateContainerRulesForModify	FALSE	If the property value is TRUE, then the LDAP container rules defined in LDAPContainerRules.xml are evaluated for entity modification. However, if none of the rules match, then the default container is not returned. The original parent container of the entity is returned, which means that there is no change in the entity DN. If the property value is FALSE, then the LDAP container rules defined in LDAPContainerRules.xml are not evaluated. The entity DN does not change. Note: This property only applies to a modification scenario and not to the entity creation scenario.
ExecuteDymanicRoleMembershipOrchUsingAsync	XL.ExecuteDymanicRoleMembershipOrchUsingAsync	false	If the value of this property is set to true, then the role grant/revoke takes place asynchronously.
Force to set questions at startup	PCQ.FORCE_SET_QUES	False	When the user logs into the Oracle Identity Self Service or Oracle Identity System Administration for the first time, the user must set the default questions for resetting the password. Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
GTC Auto Import	XL.GTCAutoImport	true	Based on the value of this property, the DM xml that is generated while Generic Technology Connector (GTC) creation can be saved to a directory. The default value of this property is true. When the value of this property is set to "False", then while creating GTC, the DM xml (the xml that GTC creates and imports using Deployment Manager internally while GTC creation) created by the GTC framework is stored in the following directory: OIM_HOME/GTC/XMLOutput The naming convention followed for the DM xml is: GTCNAME_CURRENTDATE_ TIMESTAMP created using date format "yyyy-MM-dd-HH-mm-ss".xml For example: TRUSTEDCSV_2009-02-05-22-41-11.xml
IDMDF: Attachment FilePath	IDM.Diagnostics.IDMDFClient.Notifier.Attachment.File	/scratch/IDMDFAttachment	This property determines the path to store the attachment files.
IDMDF: Buffer size to hold context sensitive logs	IDM.Diagnostics.EventProcessing.ContextSensitiveLogsBufferSize	10000	This property determines the size of the buffer that holds detailed logs of the product.
IDMDF: Buffer size to hold failed records	IDM.Diagnostics.EventProcessing.FailedRecordBufferSize	1000	This property determines the size of the buffer that holds failed (functional/SLA) events.
IDMDF: Debug mode (true/false)	IDM.Diagnostics.Debug	False	This property determines if logs of IDMDF framework in a log file is saved. When set to TRUE, debug mode is enabled. When set to False, debug mode is disabled.
IDMDF: Default SLA	IDM.Diagnostics.DefaultSLA	300000	This property determines the size of the default SLA for events.
IDMDF: E-mail notification to	IDM.Diagnostics.Notification.Email.To	dummy.dummy@dummy.com	This property determines the email address to which notification is sent.
IDMDF: E-mail notification from	IDM.Diagnostics.Notification.Email.From	dummy.dummy@dummy.com	This property determines the email address from which notification is sent.
IDMDF: Email Message Template Path	IDM.Diagnostics.IDMDFClient.Notifier.Email.MessageTemplatePath		This property determines the path of the email message template.
IDMDF: Enabled/Disabled By Sysadmin	IDM.Diagnostics.Enabled	false	This property is used by the system administrator to enable or disable IDMDF.
IDMDF: Flood Control Duration(In Days)	IDM.Diagnostics.EmailFloodControl.DurationInDays	1	This property indicates the retention period in days for Flood Control Max email. After the defined number of days, the Flood Control Max email counter is reset.
IDMDF: Flood Control Max Email	IDM.Diagnostics.EmailFloodControl.MaxEmail	2	This property determines the maximum number of notifications allowed per use case.
IDMDF: In-Memory Logging	IDM.Diagnostics.IDMDFClient.InMemoryLogging	false	This property determines if logs are stored in the memory.
IDMDF: Max failed event to execute concurrently	IDM.Diagnostics.EventProcessing.MaxConcurrent.FailedEvent	2	This property determines the number of threads to execute events concurrently and put it in the database.
IDMDF: Notification provider	IDM.Diagnostics.NotificationProvider	oracle.idm.diagnostics.notification.service.impl.IdmdfNotifier	This property determines the service used for sending notifications.
IDMDF : Notification template file name	IDM.Diagnostics.IDMDFClient.Notifier.Email.MessageTemplateName		This property determines the notification template file name.
IDMDF: IDMDF Rest service end-point	IDM.Diagnostics.IDMDFServiceEndPoint	http://localhost:14000/idmeventrecording	This property determines the URL where IDMDF services are deployed. Note: If the REST service is not working as expected, then check and if required update the local host name and port number configured in `IDMDF: IDMDF Rest service` end point. On a clustered environment, the `IDMDF: IDMDF Rest service` end point should be updated with host name and port number where OHS is running. In a single node configuration, this end point should be updated with host name and port number where OIG is running.
IDMDF: SMTP Server Name	IDM.Diagnostics.Email.Server.Host	localhost	This property represents the server responsible for sending email notification.
IDMDF: SLA template file	IDM.Diagnostics.IDMDFClient.Notifier.Sla.File	None	This property determines the file that contains the list of SLAs for defined use cases.
Identity Auditor Feature Set Availability	OIG.IsIdentityAuditorEnabled	FALSE	When the value of this property is TRUE, role lifecycle management, Segregation of Duties (SoD), and identity certification are enabled. Note: After modifying the value of this system property, you must restart Oracle Identity Governance server for the changes to take effect.
Inbox Task Tabs (none/all)	UI.INBOX.VIEW.TaskTabs	none	This property determines whether or not to show additional links, such as Initiated tasks, Reportees and Administrative tasks, in the Inbox. When set to all, the following links are displaied in the Inbox: My tasks,Initiated tasks, Reportees, Administrative tasks. When set to none, only the My tasks link is displayed in the Inbox.
Indicates if referential integrity is enabled in target LDAP directory	XL.IsReferentialIntegrityEnabledInLDAP	FALSE	The value of this property is TRUE if referential integrity in target LDAP directory is turned on. The value of this property is FALSE if referential integrity in target LDAP directory is turned off. To be able to modify an entity stored in LDAP, this prop must be set to TRUE.
Is DataProvider LDAP/DB	OIM.DataProvider	DB	Specifies the data provider, which is Oracle Identity Manager database. The default value is DB, which indicates that the database is the data provider.
Is disabled manager allowed	AllowDisabledManagers	FALSE	Specifies whether a user in the disabled state can be set as a manager for another user.
Is OIM Notifications disabled (true/false)	XL.DisableAllNotifications	false	This property is used to enable or disable all notifications in Oracle Identity Manager. When the value of this property is set to false, notifications are enabled. When the value of this property is true, notifications are disabled.
Is Self-Registration Allowed	XL.SelfRegistrationAllowed	TRUE	If the value is TRUE, then the users are allowed to self-register.
LDAP Reservation Plugin	XL.LDAPReservationPluginImpl	oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID	This property determines the LDAP reservation plugin implementation to be picked up for reservation of user attributes.
Level of Role Auditing	XL.RoleAuditLevel	None	This property controls the amount of audit data collected when an operation is performed on a role, such as creation or modification. The supported levels are: None: No audit data is collected. Role: Creation, modification, and deletion of role is audited. Role Hierarchy: Changes made to the role inheritance is audited.
Login Validation Pattern	XL.LoginPattern	(^[A-z0-9@._-]{2,256}$)	This property contains the regular expression used to validate the login of a user when XL.ValidateWhiteSpace is set to true. If XL.LoginPattern is empty, then user login is validated against the default pattern. Note: It is recommended that the regular expression is developed and tested fully for specific validation requirements before using this system property.
Locale for dependent request justification created by server of a bulk request.	OIM.RequestJustificationLocale	en_US	The value of the property is a locale, the same locale will be used to translate request justification text for bulk requests. The format of locale is languageCode_CountryCode such as en_US, fr_FR. For details, refer Preparing to Install and Configure PRODUCT.
Notify other recipients with the password reset email if email of user is null	XL.NotifyPasswordGenerationToOther	TRUE	When the value of this property is TRUE, the email notification for reset password is sent to other recipients if the email ID of the user is not specified.
Number of records to be executed in a batch during Catalog Enrichment	XL.CatalogEnrichmentBatchSize	500	This property determines how many records must be processed in a batch by the catalog job during catalog enrichment.
Maximum number of records to be fetched from Catalog	Catalog.SearchResultCap	-1	This property determines how many records must be fetched from catalog when a search is performed. If the value is -1, then all records are fetched from catalog table. If the value is 10000, then only 10000 records are fetched from catalog. Note: It is recommended that you set the value to 10000 only if poor catalog search performance is experienced.
Max Result size for lookups	LOOKUP_MAX_RESULTSIZE	1000	This property determines how many records must be fetched from the lookup table when a search is performed. For example, if the value is set to 500, then only 500 records are fetched from the lookup table. If the value is set to 0, then there is no restriction on the number of records fetched from the lookup table.
Midtier compression for Audit(UPA) data	OIM.AuditCompression	0	This property is used to configure user profile audit data compression. It can have the following values: 0: This is the default value. It determines that none of the columns in the UPA table are compressed. 1: This value determines that the SNAPSHOT column in the UPA table is compressed. 3: This value determines that the SNAPSHOT and DELTAS columns in the UPA table are compressed.
Midtier compression for Audit(UPA) data algo	OIM.AuditCompressionAlgo	GZIP	This property determines that GZIP is used as the compression algorithm. Only GZIP is supported in this release.
OIA integration status	OIM.IsOIAIntegrationEnabled	FALSE	Specifies whether OIA is integrated with Oracle Identity Manager. Set the value of this property to `TRUE` before you add role memberships in Oracle Identity Manager. If you set the value of this property to `FALSE,` incremental role memberships into OIA will not work. Note: You must do a full import of role memberships at least once after this property is enabled.
OIM Complex Password Policy compatible with Active Directory	OIM.ADPasswordPolicyCompatibilityEnabled	FALSE	On setting the value of this property to TRUE, the last rule (inclusion of user ID, first name, or last name in password) of the OIG complex password policy is replaced with the Active Directory (AD) password policy (inclusion of Display Name and User Login in password). This property is applicable to all complex password policies. Note: This system property is available only after you apply Oracle Identity Governance Bundle Patch 12.2.1.4.200624.
OIM No Password Propagation Support	NO_PASSWORD_PROPAGATION_SUPPORT	FALSE	This property determines if the No Password Propagation Support is enabled in Oracle Identity Governance. If this property is set to true, then the access policy based password provisioning is disabled. It is recommended not to change this property value directly as it changes the Oracle Identity Governance login behavior.
Old Password Validator	OIM.OldPasswordValidator	oracle.iam.identity.usermgmt.impl.ContainerLoginPasswordVerifier	The property specifies the name of the plugin class to be used for verifying old passwords.
OMSS Enabled	OMSS Enabled	false	When the value of this property is true, OMSS integration is enabled, and the OMSS links and tabs are displayed in Oracle Identity Self Service. Note: After modifying the value of this system property, you must restart Oracle Identity Manager server for the changes to take effect.
Period to Delay User Delete	XL.UserDeleteDelayPeriod	0	This property is used to specify the time period before deleting a user. When this property is set and a user is deleted, the user's state is changed to disabled and "automatically delete on date" is set to current date plus the delay period. If this property is not set, then the user is automatically deleted at the expiration of the end date by the Disable/Delete User After End Date scheduled job.
Proxy User Email Notification	XL.ProxyNotificationTemplate	Notify Proxy User	The corresponding PTY_VALUE is the e-mail definition name that is sent when a proxy user is created. User gets a notification e-mail when the user is made the proxy for some other user.
Recon Batch Size	OIM.ReconBatchSize	500	This property is used to specify the batch size for reconciliation. You can specify 0 as the value for this to indicate that the reconciliation will not be performed in batches. Note: You must restart Oracle Identity Manager server after setting this property.
Request Notification Level	RequestNotificationLevel	0	This property indicates whether or not notification is sent to the requester and beneficiary when a request is created or the request status is changed. This property can have the following values: 0: The notification feature is disabled. 1: Notifications are sent for every change in request status. 2: Notifications are sent for request creation and change of status to any of the Request End statuses. Request End statuses include Request Failed and other failure related statuses, Request Completed, Request Withdrawn, and Request Closed. 3: Email notifications are sent only on request completion. For request notification level 2, notifications are sent for request creation and change of status to any of the Request End statuses. Request End statuses include Request Failed and other failure related statuses, Request Completed, Request Withdrawn, and Request Closed.
Retry Count for recon event	Recon.RetryCount	5	This property determines the reconciliation retry count. The retry count value is picked up from the value of this property. If you specify a value that is greater than 0, then auto retry is configured. If you specify 0 as the value of this property, then auto retry is not configured.
Reset Password	SSO.RESETPASSWORDONTARGETBYPASSINGCONNECTOR	False	Set this value to true and import the Active Directory (AD) certificate into Oracle Identity Governance (OIG) to improve the performance of Reset Password in AD integration. This system property is available only after you apply Oracle Identity Governance Bundle Patch 12.2.1.4.210708. Note: For details, see Improving Reset Password Performance on AD Integration in Integration Guide for Oracle Identity Management Suite.
Search Stop Count	XL.IDADMIN_STOP_COUNT	300	This property determines the maximum number of records that are displayed in the advanced search result. If the search criteria specified returns more number of records than that value of this property, then the number of records displayed is limited to this value. In addition, a warning is displayed stating that the results exceed maximum counts and you must refine your search with additional attributes.
Segregation of Duties (SOD) Check Required	XL.SoDCheckRequired	FALSE	This property indicates whether or not Segregation of Duties (SoD) check is required.
Send email notification based on user locale	XL.SendEmailNotificationBasedOnUserLocale	false	This property determines whether an email notification is sent based on the receiver's (user/manager/assignee/requestor) locale when the value is set to true. If the value is set to false, then notification is sent in the server locale. Note: This system property has been deprecated in this release of Oracle Identity Manager.
Should send notifications in recon or not	Recon.SEND_NOTIFICATION	true	Determines if notification is sent to the user when the user login and password are generated in postprocess event handler for user creation via trusted source reconciliation. If the value is set to true, then notification is sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation. If the value is set to false, then notification is not sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.
Shows tasks assigned to group users with highest priority or least load only	XL.ShowTaskAssignedToGroupUserOnly	FALSE	If the value is TRUE, then the tasks are assigned to group users with highest priority or least load only when the assignment type is Group User With Least Load.
Specifies the LDAP container mapper plug-in to be used	LDAPContainerMapperPlugin	oracle.iam.ldapsync.impl.DefaultLDAPContainerMapper	When Oracle Identity Manager is installed with LDAP synchronization enabled, this plug-in determines in which container users and roles are to be created. Value of this system property indicates the default Oracle Identity Manager plug-in name used for computing the container values. If the default plug-in does not meet the requirement, then you can define your own plug-in to determine the container and specify the name of the plug-in in this system property.
URL for challenge questions modification	OIM.ChallengeQuestionsModificationURL	NONE	When a user is locked, an automatic unlock occurs after a prescribed time period. This property defines that time period in seconds. Therefore, for example, if a user account is locked and the value of this property is 86400 seconds (one day), then the account is automatically unlocked after one day. The value of this property is the URL within OAAM that handles the challenge questions. For example: http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=registerQuestions
URL for change password	OIM.ChangePasswordURL	NONE	This property is used in combination with the property OIM.DisableChallengeQuestions. The value of this property is the URL within OAAM that handles the change password functionality. For example: http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=changePassword
User Attribute Reservation Enabled	XL.IsUsrAttribReservEnabled	TRUE	This property is used to enable user attribute reservation.
User Id reuse property.Requires dropping the index present on USR_LOGIN column	XL.UserIDReuse	FALSE	Determines whether a deleted user account can be reused. To reuse a deleted user account, assign this property a value of TRUE and drop the unique index for the USR_LOGIN column in the USR table and create a nonunique index. To prevent a user account from being reused, assign this property a value of FALSE. Note: It is imperative to de-provision all accounts associated with a deleted user, because if you create a new user with the same user name as that of the deleted user by setting the `XL.UserIDReuse` property to `true,` then the new user might get access to offline accounts of the deleted user that was not deleted as part of the de-provisioning process.
User Language	user.language	en	The user.language value is configured during installation for Locale handling at server side.
User profile audit data collection level	XL.UserProfileAuditDataCollection	Resource Form	This property controls the user profile data that is collected for audit purpose when an operation is performed on the user, such as creation, modification, or deletion of a user, role grants or revokes, and resource provisioning or deprovisioning. Depending upon the property value, such as Resource Form or None, the data is populated in the UPA table. The audit levels are specified as values of this property. The supported levels are: Process Task: Audits the entire user profile snapshot together with the resource lifecycle process. Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource. Resource: Audits the user record, role membership, and resource provisioning. Membership: Only audits the user record and role membership. Core: Only audits the user record. None: No audit is stored.
User Region	user.region	US	The user.region value is configured during installation for Locale handling at server side.
Whether or not email should be validated for uniqueness	OIM.EmailUniqueCheck	TRUE	This property is available in a deployment that has been upgraded from an earlier release of Oracle Identity Manager. If the value of this property is FALSE, then Email Uniqueness check is not performed by Oracle Identity Manager. If the value if TRUE, then Email Uniqueness check is performed by Oracle Identity Manager. Note: If this property is not present, then Email Uniqueness check is performed by Oracle Identity Manager.
Width of JGRAPH CELL	XL.GTCNexawebUIColumnWidth	155	This property controls the field length of GTC mapping attributes. Default value is 155, Maximum value is upto 255.
Workflows Enabled	Workflows Enabled	TRUE	This property determines whether SOA server is turned on or turned off. If the value of this property is TRUE, then SOA sever is turned on. If the value of this property is FALSE, then SOA server is turned off. Note: After setting the value of this system property, you must restart Oracle Identity Manager. Note: Toggling between enabling and disabling workflows is not supported.
Workflow Policies Enabled	Workflow Policies Enabled	TRUE	This property determines whether approval workflows is enabled or disabled in Oracle Identity Manager. Approval workflows is used to determine if operation requires approval or not, and if approval is required, then which workflow is to be invoked. If the value of this property is TRUE, then approval workflow is enabled. If the value of this property is FALSE, then approval workflow is disabled. For detailed information about approval workflow, see Managing Workflows.
XL.AlternativeReviewerIDForManager	XL.AlternativeReviewerIDForManager	xelsysadm	This property provides an alternative certification reviewer for users who do not have a manager or whose manager is disabled. If this property is set to NULL, or if the specified alternative reviewer is disabled or does not exist, then a warning message is logged and these users are omitted from user certifications-by-manager.
OIG.DefaultTaskReassignee	OIG.DefaultTaskReassignee	SYSTEM ADMINISTRATORS	This property defines the default task reassignee to reassign tasks to other assignees when the current assignee is disabled or deleted. By default, the value of the OIG.DefaultTaskReassignee system property is the SYSTEM ADMINISTRATORS role so that pending tasks can be reassigned to the SYSTEM ADMINISTRATORS role when a user is disabled or deleted. When the value of the OIG.DefaultTaskReassignee system property is a manager, Oracle Identity Governance finds the closest active manager from the hierarchy if the current target assignee is disabled. When the value of the OIG.DefaultTaskReassignee system property is a user, Oracle Identity Governance reassigns the task to the user. When the value of the OIG.DefaultTaskReassignee system property is a role, Oracle Identity Governance reassigns the task to the role. Here, the role name as the value of the OIG.DefaultTaskReassignee system property is case-sensitive. If Oracle Identity Governance cannot find any valid assignee, then the tasks are reassigned to the System Administrator. It is important to set the value of this property with an active user or role. For example: OIG.DefaultTaskReassignee=Manager OIG.DefaultTaskReassignee=User:user1 OIG.DefaultTaskReassignee=Role:role1
OIG.BeneficiaryManagerApprovalWorkflows	OIG.BeneficiaryManagerApprovalWorkflows	default/BeneficiaryManagerApproval!4.0	When the initial target assignee is disabled, Oracle Identity Governance looks for the closest manager of the beneficiary of the request with the approval workflow specified in this system property. You can specify multiple composites with the comma separator.
OIG.RequesterManagerApprovalWorkflows	OIG.RequesterManagerApprovalWorkflows	default/RequesterManagerApproval!4.0	When the initial target assignee is disabled, Oracle Identity Governance looks for the closest manager of the requester of the request with the approval workflow specified in this system property. You can specify multiple composites with the comma separator.

18.2.2 Non-Default System Properties in Oracle Identity Governance

Oracle Identity Manager provides a set of system properties that are not present in the PTY table by default.

You can add these non-default system properties to the PTY table by using the Identity System Administration, and then use the properties to change some of the default settings in Oracle Identity Manager. For example, if you want to configure the number of times Oracle Identity Manager retries to get a connection when the JDBC connection fails, then you can configure the JDBC Connection Retry Attempts system property.

Table 18-2 lists and describes Non-Default system properties which you can add to the PTY table

Table 18-2 Non-Default System Properties

Property Name	Description	Keyword	Sample Value
OIM Database Query Retry Attempts	Number of times SQL queries to be retried for handling Oracle RAC failures. In the absence of this property in the PTY table, SQL queries for handling Oracle RAC failures are retried three times by default.	OIM.DBQueryRetryAttempts	5
OIM Database Query Retry Interval	Time in seconds after which each SQL retry takes place for Oracle RAC failures. In the absence of the property in the PTY table, SQL query occurs after every 7 seconds by default.	OIM.DBQueryRetryInterval	10 seconds
OIM Paging Limit	Default paging limit for search operations on user entity.	OIM.PagingLimit	300
JDBC Connection Retry Attempts	Number of times Oracle Identity Manager retries to get a connection when the JDBC connection fails. In the absence of this property in the PTY table, the JDBC connection is retried three times by default.	OIM.JDBCConnectionRetryAttempts	5 When the value is 0, it means no retry.
JDBC Connection Retry Interval	Time in seconds between each JDBC connection retry. In the absence of this property in the PTY table, each JDBC connection retry occurs at an interval of 7 seconds.	OIM.JDBCConnectionRetryInterval	10 seconds
Allowed Back URLs	This property is required if you want to setup any non-OIM/OAM URLs to be a valid backURL on the Track Self Registration Request page. Oracle Identity Manager validates the back URLs and redirect URLs against a list of URLs provided by this system property. The value of this property is a comma-separated list of URLs that Oracle Identity Manager allows for redirection.	XL.AllowedBackURLs	http://OIM_HOST:OIM_PORT/
Allowed Back URLs Mode	This system property determines the mode in which the XL.AllowedBackURLs system property works. It has the following possible values: Enforce: Ensure that the current URL is present in the white list specified as the value of XL.AllowedBackURLs. If not present, then change the back URL to the default URL, which is the sign-in page. Disable: Log all the white list validations. The default value is `Enforce`.	XL.AllowedBackURLsMode	Enforce
XL.AllowedOrigins	Allows users to set the whitelist for the CORS filter.	XL.AllowedOrigins	Apply the following guidelines for specifying the value: The URLs can be comma separated, for example http://www.example.com:14001 and https://www.test.com:14003. The URL can contain simple wildcard matching (for example http://.example.com:14000, http://.com:14001) with only a single '' character. '.example..com' will not work correctly. The pattern matching is very simple and only pertains to the domain part of the URL. No matching on scheme or port is supported (://example.com:14001 or http://example.com:). Only http and https schemes are supported. The matching goes from right to left. The '' will only match the text of domain after the period and before the next period. Patterns such as 'ampl.com' and '.partial.c' are not supported. A single '' will match anything and should be used for test/development only.
Service Account Encrypted Parameter Value	This system property is used to control the functionality of the following API: `tcITResourceInstanceOperationsBean.getITResourceInstanceParameters(long plITResourceInstanceKey)` By default, this API masks the value of encrypted fields. This makes your deployment more secure. Oracle recommends creating this property only if a legacy connector or an old custom code requires the legacy behavior of the above API. When the value is set to `False`, the encrypted parameter values are masked. When the value is set to `True`, the encrypted parameter values are returned by the above API.	ServiceAccount.API.EncryptedParamsValue	True/False
Service Account Parameters Value Store	This property is used to manage the storage of the parameter values of the IT resource parameters. When the property value is set to `False`, the parameter values are stored in the credential store. When the property value is set to `True`, the parameter values are stored in the database. The default and recommended value of this property is `False`, which makes the product more secure. This property will exist in an upgraded environment. Perform the steps related to IT resource security post upgrade. See 'Upgrade Service Account parameter security' in the Oracle Fusion Middleware Upgrading Oracle Identity and Access Management for more information..	ServiceAccount.ParamsValue.DBStore	True/False

18.3 Managing System Properties

Managing system properties involve searching and modifying system properties by using Identity System Administration, and purging the cache.

This section contains the following topics:

18.3.1 Searching for System Properties

Use the Configuration Properties section of the Identity System Administration to perform simple and advanced search for system properties..

Note:

The search is applicable to OIG Bundle Patch 12.2.1.4.220703 and releases earlier to July 22 Bundle Patch.

18.3.1.1 Performing a Simple Search for System Properties

To perform a simple search for system properties:

Login to Oracle Identity System Administration.
In the left pane, under System Configuration, click Configuration Properties.
In the left pane, enter a search criterion in the Search field for the system property that you want to search. You can include wildcard characters (*) in your search criterion.

If you search without any value or with wild card character * in the Search field, then all the system properties are displayed. You can filter your search by combining characters with the wildcard characters. For example, to search all system properties starting with p, you can enter p* in the Search field.
Click the icon next to the Search field. A list of all system properties that meet the search criterion is displayed.

The search results table displays the system property names and keywords. You can click a property name to open the details for the system property.

18.3.1.2 Performing an Advanced Search for System Properties

To perform an advanced search for system properties:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
In the left pane of the System Configuration section, click Advanced Search. The Properties: Advanced Search page is displayed.
In the list adjacent to the Property Name field, select a search condition.
In the Property Name field, enter a search criterion for the system property that you want to search. You can include wildcard characters (*) in your search criterion. Select the search conditions in the list adjacent to the fields. The search conditions include Begins with, Contains, Does not begin with, Does not contain, Does not end with, Does not equal, Ends with, Equals, Is not present, and Is present.
Click Search. The system properties that match the search criterion are displayed in the search results table.

The search result displays key, property name, keyword, value, allowed value, and date level for each system property.

18.3.2 Adding System Properties

To add a system property, perform the following steps:

Note:

This content applies only to OIG Bundle Patch 12.2.1.4.220703 and releases earlier to July 22 Bundle Patch.

Login to Oracle Identity System Administration.
Click Configuration Properties.
In the left pane of the System Configuration section, from the Actions menu, select Create. Alternatively, you can click the create icon on the toolbar.
The Create System Property page appears.
Provide values in the Name, Keyword, and Value fields.
Click Save.

18.3.3 Editing System Properties

The Edit option allows you to modify an existing system property by using the System Property Details page. If any system property is tagged with a set of allowed values, then you must specify a value from that set only.

You cannot modify the Property Name and Keyword fields of a system property created in a non-English locale. As a workaround, delete the existing system property and create a new one with the desired values.

In an English locale, non-ASCII characters are allowed in a system property name. When you modify the name of a system property to include non-ASCII characters, you must ensure the following if you want the changes to be translated into other languages:

To edit a System Property:

Note:

This content applies only to OIG Bundle Patch 12.2.1.4.220703 and releases earlier to July 22 Bundle Patch.

Search for the system property that you want to modify.
In the Property Name column of the search results table, click the system property that you want to modify. T
he System Property Details page is displayed.
Modify the values in the fields. Generally, you need to modify the Value field to change the functionality that the system property provides.
Click Save to save the changes made.

A message confirming that the system property has been modified is displayed.

18.3.4 Purging Cache

Whenever you make any change to a system property by using any method other than from the Identity System Administration, you must run purge cache utility to fetch the changes that are reflected in Oracle Identity Manager.

To clear the server cache:

Depending on the operating system being used, navigate to the following directory:
- For Microsoft Windows:
  
  OIM_HOME\server\bin\
- For UNIX:
  
  OIM_HOME/server/bin/
Run one of the following commands:
- For Microsoft Windows:
```
PurgeCache.bat CATEGORY_NAME
```
- For UNIX:
```
sh PurgeCache.sh CATEGORY_NAME
```
The CATEGORY_NAME name argument represents the Oracle Identity Manager category name that is to be purged, for example, FormDefinition.

To purge all the categories, pass a value of "All" to the PurgeCache utility. It is recommended to clear all the categories.
```
sh PurgeCache.sh All
```
Note:
- If Oracle Identity Governance is installed on IPv6 Linux host computer, then pass ipv6 as the last input argument to the PurgeCache.sh script, as shown:
```
sh PurgeCache.sh All ipv6
```
  On Windows environment, do not pass any parameter for IPv6 while running PurgeCache.bat.
- When you run the PurgeCache.sh utility in an IPv6 enabled setup, the following error is encountered:
```
Exception in thread "main" javax.security.auth.login.LoginException:
java.net.UnknownHostException: exampledomain.com: Name or service not known
```
  To workaround this issue:
  1. Open the PurgeCache.sh script in a text editor.
  2. Modify the following line:
    
    bash oimClientWrapper.sh $CLIENT_CLASS $1
    
    To:
    
    bash oimClientWrapper.sh $CLIENT_CLASS $*
  3. Save the file.

18.4 Configuring Oracle Identity Governance Components

You can configure various Oracle Identity Manager components, such as product options, URLs for challenge questions and change password, username generation, user ID reuse, and delayed delete interval, by setting the values of system properties.

This section describes how to configure the following functionalities in Oracle Identity Manager:

18.4.1 Configuring Product Options

Use the OIG.IsIdentityAuditorEnabled system property to enable or disable role lifecycle management, SoD, and identity certification.

You can configure the availability of some of the features in Oracle Identity Manager with the help of system properties. To do so:

Login to Oracle Identity System Administration.
In the left pane, under System Configuration, click Configuration Properties.
Enable role lifecycle management, Segregation of Duties (SoD), and identity certification. To do so:
1. Search for the Identity Auditor Feature Set Availability system property with keyword OIG.IsIdentityAuditorEnabled.
  
  The default value of this property is FALSE, which means that role lifecycle management, Segregation of Duties (SoD), and identity certification are disabled by default.
2. Modify the value of the property to TRUE.
3. Click Save.
Enable the integration with Oracle Identity Analytics (OIA). To do so:
1. Search for the OIA Integration Status system property with keyword OIM.IsOIAIntegrationEnabled.
  
  The default value of this property is FALSE, which means that integration with OIA is disabled by default.
2. Modify the value of the property to TRUE.
3. Click Save.
Restart Oracle Identity Manager.

You must restart Oracle Identity Manager after modifying the values of each of the Identity Auditor Feature Set Availability, OIA Integration Status, and OIA Integration Status system properties.

18.4.2 Configuring the URL for Challenge Questions

Use the OIM.ChallengeQuestionsModificationURL system property to configure the URL for challenge questions.

To configure the URL within Oracle Adaptive Access Manager (OAAM) that handles challenge questions:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search for the URL for challenge questions modification system property with keyword OIM.ChallengeQuestionsModificationURL.

The default value of this property is NONE.
Modify the value of the property to specify the URL within OAAM that handles the challenge questions. For example:
```
http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=registerQuestions
```
Click Save.

18.4.3 Configuring the URL for Change Password

Use the OIM.ChangePasswordURL system property to configure the URL for change password.

To configure the URL within OAAM that handles change password:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search for the URL for change password system property with keyword OIM.ChangePasswordURL.

The default value of this property is NONE.
Modify the value of the property to specify the URL within OAAM that handles the change password functionality. For example:
```
http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=changePassword
```
Click Save.

18.4.4 Enabling Challenge Questions

Use the OIM.DisableChallengeQuestions, PCQ.FORCE_SET_QUES, and PCQ.PROVIDE_DURING_SELFREG system properties to enable challenge questions.

To enable challenge questions in Oracle Identity Manager:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Challenge questions in Oracle Identity Manager are controlled by a combination of three system properties. Search and specify values for the following system properties:
- Are challenge questions disabled in OIM: Determines whether challenge questions are enabled or disabled when a user logs in to Oracle Identity Manager for the first time. When value is False, challenge questions are enabled. When value is True, challenge questions are disabled.
  
  This property is primarily used in the context of OAAM configuration. When the value is TRUE, the challenge questions are handled by OAAM.
- Force to set questions at startup: Determines whether or not the user must set the default questions for resetting the password when the user logs into the Oracle Identity Self Service or Oracle Identity System Administration for the first time. When the value is FALSE, the user is not forced to set the default questions for resetting the password on first login. When the value is TRUE, the user must set the default questions for resetting the password on first login.
  
  After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
- Does user have to provide challenge information during registration: Determines whether or not users must provide challenge information during registration. When the value is TRUE, user must provide challenge information during registration.
Save the system property values.

18.4.5 Configuring Username Generation

Use the XL.DefaultUserNamePolicyImpl, XL.UserNameDomain, and XL.DefaultCommonNamePolicyImpl system properties to configure username generation.

To configure username generation:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Username generation in Oracle Identity Manager is controlled by a combination of three system properties. Search and specify values for the following system properties:
- Default policy for username generation: Determines the username policy to use when generating a username. The default value is oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy.
- Default user name domain: This property is used by the DefaultComboPolicy to generate a user name in e-mail format. The default value is oracle.com.
- CommonName generation plugin: Determines the common name generation plugin to generate common name. The default value is oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy.
Save the system property values.

18.4.6 Configuring User ID Reuse

Use the XL.UserIDReuse system property to configure the recycle of existing User IDs that are no longer being used.

To configure user ID reuse:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search for the User Id reuse property.Requires dropping the index present on USR_LOGIN column system property with keyword XL.UserIDReuse.

This property determines whether or not a deleted user account can be reused.
To reuse a deleted user account, modify the value of this property to TRUE, and drop the unique index for the USR_LOGIN column in the USR table and create a non unique index. To prevent a user account from being reused, assign this property a value of FALSE.

Note:

It is imperative to de-provision all accounts associated with a deleted user, because if you create a new user with the same user name as that of the deleted user by setting the XL.UserIDReuse property to TRUE, then the new user might get access to offline accounts of the deleted user that was not deleted as part of the de-provisioning process.
In addition to creating a non-unique index, create a unique functional index similar to the following:
```
DROP INDEX UDX_USR_LOGIN;
CREATE INDEX UDX_USR_LOGIN ON USR (USR_LOGIN);
```
This index prevents the existence of multiple active users with the same login name, while permitting the existence of multiple deleted users with that login name. Without this unique index, it is possible in race conditions to create two active users with the same login name, if they are both created at the same time.
Click Save.

18.4.7 Configuring Delayed Delete Interval

Use the XL.UserDeleteDelayPeriod system property to configure delayed delete interval.

To configure the delayed delete interval:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search for the Period to Delay User Delete system property with keyword XL.UserDeleteDelayPeriod.

This property is used to specify the time period before deleting a user.
If you set a value of this property and a user is deleted, then the user's state is changed to disabled and "automatically delete on date" is set to current date plus the delay period.
If you do not set a value of this property, then the user is automatically deleted at the expiration of the end date by the Disable/Delete User After End Date scheduled job.
Save the system property value.

18.5 Configuring the Access Request Catalog

Configuring the access request catalog includes configuring additional information of entities, search results, sort by attributes, and custom search.

This section describes about configuring access catalog in the following topics:

18.5.1 Configuring Additional Information

Use the CatalogAdditionalApplicationDetailsTaskFlow, CatalogAdditionalEntitlementDetailsTaskFlow, and CatalogAdditionalRoleDetailsTaskFlow system properties to configure the display of additional information of entities in the access request catalog.

To configure additional information displayed in the access catalog:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search one or more of the following system properties depending on the entity for which you want to display additional information, and specify values.
- Catalog Additional Application Details Task Flow: A custom task flow is to be displayed when an application is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
  
  Replace the default value with the path to your custom task flow.
- Catalog Additional Entitlement Details Task Flow: A custom task flow is to be displayed when an entitlement is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
  
  Replace the default value with the path to your custom task flow.
- Catalog Additional Role Details Task Flow: A custom task flow is to be displayed when a role item is selected from the catalog checkout page. The task flow page will display as a tab in the cart details section.
  
  Replace the default value with the path to your custom task flow.
Save the system properties.

18.5.2 Configuring Search Results

Use the CatalogTableRowsToDisplaySize, CATALOG.SearchableUdfInTags, and CatalogAdvancedSearchMaxApps system properties to configure search results in the access request catalog.

To configure the display of search results in the access request catalog:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
To change the number of rows displayed in the tables in the access catalog, search for the Catalog Table Rows To Display Size system property, and specify the number of rows as the value.
If want to use searchable UDF in TAGS, then search for the Catalog Searchable UDF In Tags system property, and set the value to TRUE. Then, you can run the scheduled task in recalculate tags mode and searchable UDF values will be part of the TAGS column. The same value can be used in keyword search.
To control the maximum number of applications that can be selected for entitlement search, search for the Catalog Advanced Search Maximum Applications system property, and specify the number of applications.
Save the system properties.

18.5.3 Configuring the Sort By Attributes

Use the CatalogSortAttributes system property to configure the attributes that you can use to sort the catalog search results.

To configure the attributes that you can use to sort the catalog search results:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search for the Catalog Attributes for Sorting Search Results system property.
Specify the attributes that you want to be displayed in the Sort By drop down in the catalog results as the value of this property in the following format:
```
ENTITY_DISPLAY_NAME; ENTITY_TYPE
```
Save the system property.

18.5.4 Configuring Custom Search

Use the CatalogAdvancedSearchTaskflow system property to customize catalog search.

To customize catalog search, for example add search fields and search operators:

In the left pane of Oracle Identity System Administration, under System Configuration, click Configuration Properties.
Search for the Catalog Advanced Search Taskflow system property.
Replace the value of this system property with the complete path to the custom taskflow that you created. See Customizing Catalog Search in Developing and Customizing Applications for Oracle Identity Governance for information about creating the custom taskflow.
Save the system property.

18.6 Configuring the Identity Provider

Configuring the Identity Provider includes configuring attribute reservation, common name generation, LDAP reservation, and referential integrity.

This section describes how to configure identity provider in the following topics:

18.6.1 Configuring Attribute Reservation

Use the XL.IsUsrAttribReservEnabled system property to configure attribute reservation.

To configure attribute reservation in Oracle Identity Manager:

Login to Oracle Identity System Administration.
In the left pane, under System Configuration, click Configuration Properties.
Search for the User Attribute Reservation Enabled system property with keyword XL.IsUsrAttribReservEnabled.

The default value of this TRUE, which means that user attribute reservation is enabled by default.
To disable user attribute reservation, modify the value of this property to FALSE.
Click Save.

18.6.2 Configuring Common Name Generation

Use the XL.DefaultCommonNamePolicyImpl system property to configure attribute reservation.

To configure attribute reservation in Oracle Identity Manager:

Login to Oracle Identity System Administration
In the left pane, under System Configuration, click Configuration Properties.
Search for the CommonName generation plugin system property with keyword XL.DefaultCommonNamePolicyImpl.

This property determines the common name generation plugin to generate common name. The default value is oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy.
Modify the value of this property to specify a different common name generation plugin.
Click Save.

18.6.3 Configuring LDAP Reservation

Use the XL.LDAPReservationPluginImpl system property to configure LDAP reservation.

To configure LDAP reservation in Oracle Identity Manager:

Login to Oracle Identity System Administration
In the left pane, under System Configuration, click Configuration Properties.
Search for the LDAP Reservation Plugin system property with keyword XL.LDAPReservationPluginImpl.

This property determines the LDAP reservation plugin implementation to be picked up for reservation of user attributes.
Modify the value of this property to specify a different LDAP reservation plugin implementation for reservation of user attributes.
Click Save.

18.6.4 Configuring Referential Integrity

Use the XL.IsReferentialIntegrityEnabledInLDAP system property to configure referential integrity.

To configure referential integrity in Oracle Identity Manager:

Login to Oracle Identity System Administration.
In the left pane, under System Configuration, click Configuration Properties.
Search for the Indicates if referential integrity is enabled in target LDAP directory system property with keyword XL.IsReferentialIntegrityEnabledInLDAP.

The default value of this property is FALSE, which means that referential integrity in the target LDAP directory is disabled.
To enable referential integrity in target the LDAP directory, modify the value of this property to TRUE.
Click Save.