Security configuration parameters

Field / Property | Type | Description
user.admin String

Sets the default superuser ID. By default the superuser ID is okmAdmin.

okmAdmin

default.user.role String

Sets the default general connection role.

Any user who wants to successfully log in to the screen needs to have default.user.role or default.admin.role; otherwise they will get a 403 error.

ROLE_USER

default.admin.role String

Sets the default administration connection role. This role will grant users access to administration tools.

Any user who wants to successfully log in to the screen needs to have default.user.role or default.admin.role; otherwise they will get a 403 error.

ROLE_ADMIN

user.assign.document.creation Boolean

By default when a user creates a node, they are added to the node with full permissions. You can disable this behavior by setting this parameter to false. By default the parameter is set to true.

true

user.password.expiration Integer

Number of days after which users are forced to change their password; a value of 0 indicates the feature is disabled.

0

user.password.reset Boolean

Sometimes the user loses or forgets their password. When this option is enabled, users on the landing page have the option to reset their password and be notified with a new one by mail. By default this option is set to false.

false

system.antivir

String

Path to antivirus.

An antivirus can decrease performance, taking several seconds to analyze each document and consuming a lot of CPU resources.

security.access.manager

String

Sets the security access manager that determines how security is evaluated. The default value is "simple".

Values:

  • simple.
  • recursive.
  • read_recursive.

simple

 Take a look at Security configuration

security.search.evaluation

String

Sets the security search manager and determines how security is evaluated by the search engine.

Values:

  • lucene.
  • am_more, am_window or am_limited.

 Take a look at Security configuration

security.extended.mask

Integer

Security evaluation can be extended to downloaded files, starting workflows, adding, removing, or modifying property groups (metadata), or compacting history. Default value is empty.

Values:

  • DOWNLOAD = 1024;
  • START_WORKFLOW = 2048;
  • COMPACT_HISTORY = 4096;
  • PROPERTY_GROUP = 8192;

For example, to enable download and property groups, you should put the mask 9216 (1024+8192).

9216

 Take a look at Security configuration

security.live.change.node.limit

Integer

When security changes affect more nodes than the value set in this property, the security changes are applied as a background task.

100

 Take a look at Security configuration

system.login.lowercase

Boolean

By default it is empty. When connecting to AD (Microsoft Active Directory) it must be set to "true", which forces all users to log in with lowercase user IDs. The reason is that OpenKM is case-sensitive and Microsoft Active Directory is not.

principal.adapter

String

You must restart the OpenKM service after you change this parameter.

OpenKM can handle user access using the Spring Security framework. OpenKM needs an available method for reading users and roles, so when users are stored in a database (as is the default), the class DatabasePrincipalAdapter does this job.

com.openkm.plugin.principal.DatabasePrincipalAdapter

If you configure OpenKM to authenticate against an LDAP server, you need to configure another principal adapter like LdapPrincipalAdapter.

principal.identifier.validation

String

Sets a regular expression to validate the creation of user names and role names.

^[a-zA-Z0-9_]+$

Regular expression sample for Arabic:

^[\u0600-\u06FF]+$

This parameter can only be used in combination with the "principal.adapter" parameter value "com.openkm.plugin.principal.DatabasePrincipalAdapter".

browser.password.autocompletion

Boolean

By default it is true (autocompletion allowed). This parameter allows disabling password autocompletion in the login frame. This is a security measure on untrusted clients.

user.password.remember

Boolean

By default it is false. When it is enabled, a checkbox appears in the login form where you can decide whether you want to be remembered or not. This means that you won't be asked for a username and password the next time you access OpenKM, unless you log out from File > Logout.

This configuration does not work with LDAP integration. However, if your OpenKM is configured with LDAP integration, take a look at LDAP troubleshooting which contains information about resolving this incompatibility.

default.security.recursive.role

String

Sets the role that is used to identify which users are able to set recursive security.

ROLE_SECURITY_RECURSIVE

secure.file.delete

Boolean

Enables safe file deletion from the file system. The process ensures the document can be recovered later from the file system.

false

security.login.failed.attempts

Integer

Number of failed login attempts before the user is locked. A value of 0 indicates unlimited failed attempts, and the user will never be locked.

0

default.task.manager.admin.role

String

Sets the role that is used to identify which users are able to manage all OpenKM tasks.

ROLE_TASK_MANAGER_ADMIN
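
The following is an added example, not code from OpenKM: it reviews a set of parameter values against the meanings and defaults documented in the table above, decoding security.extended.mask and checking the documented dependency between principal.identifier.validation and principal.adapter. The "key = value" input format, the adapter name com.example.HypotheticalLdapAdapter and the choice of which settings to report are assumptions of this example.

```python
# Added example: review constructed OpenKM security parameters (see table above).
EXTENDED_MASK_BITS = {"DOWNLOAD": 1024, "START_WORKFLOW": 2048,
                      "COMPACT_HISTORY": 4096, "PROPERTY_GROUP": 8192}
DB_ADAPTER = "com.openkm.plugin.principal.DatabasePrincipalAdapter"

def decode_extended_mask(value):
    """Names of the operations a security.extended.mask value enables."""
    if value is None or str(value).strip() == "":
        return []  # documented default: empty
    mask = int(value)
    if mask < 0 or mask & ~sum(EXTENDED_MASK_BITS.values()):
        raise ValueError(f"mask {mask} sets bits outside the documented values")
    return [name for name, bit in EXTENDED_MASK_BITS.items() if mask & bit]

def parse_config(text):
    """Parse 'key = value' lines (assumed export format, not OpenKM's own)."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def review(cfg):
    """Return review findings; which settings count is this example's policy."""
    out = []
    if int(cfg.get("security.login.failed.attempts", "0")) == 0:
        out.append("lockout disabled: unlimited failed login attempts")
    if cfg.get("browser.password.autocompletion", "true").lower() == "true":
        out.append("password autocompletion allowed in the login frame")
    if cfg.get("user.password.remember", "false").lower() == "true":
        out.append("remember-me checkbox enabled on the login form")
    adapter = cfg.get("principal.adapter", DB_ADAPTER)
    if "principal.identifier.validation" in cfg and adapter != DB_ADAPTER:
        out.append("principal.identifier.validation needs DatabasePrincipalAdapter")
    enabled = decode_extended_mask(cfg.get("security.extended.mask"))
    missing = sorted(set(EXTENDED_MASK_BITS) - set(enabled))
    if missing:
        out.append("extended evaluation off for: " + ", ".join(missing))
    return out

# Constructed sample values, not taken from a real installation.
SAMPLE = """
security.login.failed.attempts = 0
browser.password.autocompletion = false
user.password.remember = true
principal.adapter = com.example.HypotheticalLdapAdapter
principal.identifier.validation = ^[a-zA-Z0-9_]+$
security.extended.mask = 9216
"""

if __name__ == "__main__":
    print("\n".join(review(parse_config(SAMPLE))))
```

A mask with a bit outside the four documented values raises ValueError instead of being silently accepted, which catches typos such as 9217.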

 
