Security configuration parameters

Field / Property | Type | Description
user.admin String

Sets the default superuser ID. By default, the superuser ID is okmAdmin.

okmAdmin

default.user.role String

Sets the default general connection role.

To log in successfully, a user must have default.user.role or default.admin.role; otherwise the user gets a 403 error.

ROLE_USER

default.admin.role String

Sets the default administration connection role. This role gives users access to the Administration tools.

To log in successfully, a user must have default.user.role or default.admin.role; otherwise the user gets a 403 error.

ROLE_ADMIN

user.assign.document.creation Boolean

By default, when a user creates a node, that user is added to the node with full permissions. You can disable this behavior by setting this parameter to false. By default the parameter is set to true.

true

user.password.expiration Integer

Indicates the number of days after which users are forced to change their password. A value of 0 indicates the feature is disabled.

0

user.password.reset Boolean

Sometimes a user loses or forgets their password. When this option is enabled, users on the landing page have the option to reset their password and be sent a new one by mail. By default this option is set to false.

false

system.antivir

String

Path to antivirus.

An antivirus can decrease performance, taking several seconds to analyze each document and consuming a lot of CPU resources.

security.access.manager

String

Sets the security access manager, which determines how security is evaluated. The default value is "simple".

Values:

  • simple
  • recursive
  • read_recursive

simple

 Take a look at Security configuration

security.search.evaluation

String

Sets the security search manager, which determines how security is evaluated by the search engine.

Values:

  • lucene
  • am_more, am_window or am_limited

 Take a look at Security configuration

security.extended.mask

Integer

Security evaluation can be extended to downloading files, starting workflows, adding, removing or modifying property groups (metadata), and compacting history. The default value is empty.

Values:

  • DOWNLOAD = 1024;
  • START_WORKFLOW = 2048;
  • COMPACT_HISTORY = 4096;
  • PROPERTY_GROUP = 8192;

For example, to enable download and property groups, set the mask to 9216 (1024 + 8192).

9216

 Take a look at Security configuration

security.live.change.node.limit

Integer

When a security change affects more nodes than the value set in this property, the change is applied as a background task.

100

 Take a look at Security configuration

system.login.lowercase

Boolean

Empty by default. When connecting to AD (Microsoft Active Directory), it must be set to "true", which forces all users to log in with a lowercase user ID. The reason is that OpenKM is case sensitive and Microsoft Active Directory is not.

principal.adapter

String

OpenKM can handle user access using the Spring Security framework. OpenKM needs an available method for reading users and roles, so when users are stored in a database (as is the default), the class DatabasePrincipalAdapter does this job.

com.openkm.core.DatabasePrincipalAdapter

If you configure OpenKM to authenticate against an LDAP server, you need to configure another principal adapter, such as LdapPrincipalAdapter.

principal.identifier.validation

String

Sets a regular expression used to validate user names and role names when they are created.

^[a-zA-Z0-9_]+$

This parameter can only be used in combination with the "principal.adapter" parameter value "com.openkm.core.DatabasePrincipalAdapter".

browser.password.autocompletion

Boolean

By default it is true (autocompletion allowed). This parameter allows you to disable autocompletion of the password in the login frame. This is a security measure for untrusted clients.

user.password.remember

Boolean

By default it is false. When it is enabled, a checkbox appears in the login form where you can decide whether you want to be remembered. This means that you won't be asked for your user and password the next time you access OpenKM, unless you log out from File > Logout.

This configuration does not work with LDAP integration. If your OpenKM is configured with LDAP integration, take a look at LDAP troubleshooting, which contains information about solving this incompatibility.

default.security.recursive.role

String

Sets the role used to identify which users are able to set recursive security.

ROLE_SECURITY_RECURSIVE

default.task.manager.admin.role

String

Sets the role used to identify which users are able to manage all OpenKM tasks.

ROLE_TASK_MANAGER_ADMIN
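
The following Python code is an added example, not part of the OpenKM documentation or code base. It decodes a security.extended.mask value and checks the parameter interactions described in the table above (principal.identifier.validation and user.password.remember against principal.adapter). The function names, the settings dictionary and the LDAP adapter's package name in the sample are assumptions made for illustration.

```python
# Added example; names, defaults and bit values are from the table above.
EXTENDED_BITS = {"DOWNLOAD": 1024, "START_WORKFLOW": 2048,
                 "COMPACT_HISTORY": 4096, "PROPERTY_GROUP": 8192}
KNOWN_BITS = sum(EXTENDED_BITS.values())
DB_ADAPTER = "com.openkm.core.DatabasePrincipalAdapter"
DEFAULTS = {"user.password.expiration": "0", "user.password.remember": "false",
            "browser.password.autocompletion": "true",
            "security.extended.mask": "", "principal.adapter": DB_ADAPTER}


def decode_mask(value):
    """List the extended permissions a security.extended.mask value enables."""
    text = str(value).strip()
    if not text:                      # empty is the documented default
        return []
    mask = int(text)                  # ValueError on non-numeric input
    if mask < 0 or mask & ~KNOWN_BITS:
        raise ValueError(f"mask {mask} sets bits outside the documented values")
    return [name for name, bit in EXTENDED_BITS.items() if mask & bit]


def review(settings):
    """Return review notes for a dict of property name -> string value."""
    cfg = {k: str(v).strip() for k, v in {**DEFAULTS, **settings}.items()}
    notes = []
    try:
        enabled = decode_mask(cfg["security.extended.mask"])
        skipped = [n for n in EXTENDED_BITS if n not in enabled]
        if skipped:
            notes.append("security not extended to: " + ", ".join(skipped))
    except ValueError as exc:
        notes.append(f"security.extended.mask invalid: {exc}")
    if cfg["user.password.expiration"] == "0":
        notes.append("user.password.expiration=0: expiration disabled")
    if cfg["browser.password.autocompletion"].lower() == "true":
        notes.append("browser.password.autocompletion=true: autocompletion allowed")
    adapter = cfg["principal.adapter"]
    if adapter != DB_ADAPTER and "principal.identifier.validation" in settings:
        notes.append("principal.identifier.validation needs DatabasePrincipalAdapter")
    if adapter.endswith("LdapPrincipalAdapter") and cfg["user.password.remember"].lower() == "true":
        notes.append("user.password.remember=true does not work with LDAP")
    return notes


# Constructed sample: LDAP-backed install with a mask typo (9217, not 9216).
# The adapter's package name is a placeholder, not taken from the page.
SAMPLE = {"principal.adapter": "placeholder.pkg.LdapPrincipalAdapter",
          "security.extended.mask": "9217", "user.password.remember": "true",
          "user.password.expiration": "90",
          "principal.identifier.validation": "^[a-zA-Z0-9_]+$"}
```

Calling review(SAMPLE) returns four notes: the invalid mask, the autocompletion default, and the two settings that conflict with a non-database principal adapter.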