Security configuration parameters
| Field / Property | Type | Description |
|---|---|---|
| user.admin | String |
Sets the default superuser ID. By default the superuser ID is okmAdmin. okmAdmin |
| default.user.role | String |
Sets the default general connection role. Any user who wants to successfully log in to the screen needs to have default.user.role or default.admin.role; otherwise they will get a 403 error. ROLE_USER |
| default.admin.role | String |
Sets the default administration connection role. This role will grant users access to administration tools. Any user who wants to successfully log in to the screen needs to have default.user.role or default.admin.role; otherwise they will get a 403 error. ROLE_ADMIN |
| user.assign.document.creation | Boolean |
By default when a user creates a node, they are added to the node with full permissions. You can disable this behavior by setting this parameter to false. By default the parameter is set to true. true |
| user.password.expiration | Integer |
Indicates the number of days to force users to change their password; a value of 0 indicates the feature is disabled. 0 |
| user.password.reset | Boolean |
Sometimes the user loses or forgets their password. When this option is enabled, users on the landing page have the option to reset their password and be notified with a new one by mail. By default this option is set to false. false |
|
system.antivir |
String |
Path to antivirus. An antivirus can decrease performance, taking several seconds to analyze each document and consuming a lot of CPU resources. |
|
security.access.manager |
String |
Sets the security access manager that determines how security is evaluated. The default value is "simple". Values:
simple Take a look at Security configuration |
|
security.search.evaluation |
String |
Sets the security search manager and determines how security is evaluated by the search engine. Values:
Take a look at Security configuration |
|
security.extended.mask |
Integer |
Security evaluation can be extended to downloaded files, starting workflows, adding, removing, or modifying property groups (metadata), or compacting history. Default value is empty. Values:
For example, to enable download and property groups, you should put the mask 9216 (1024+8192). 9216 Take a look at Security configuration |
|
security.live.change.node.limit |
Integer |
When security changes affect more nodes than the value set in this property, the security changes are applied as a background task. 100 Take a look at Security configuration |
|
system.login.lowercase |
Boolean |
By default it is empty. When connecting to AD (Microsoft Active Directory) it must be set to "true", which forces all users to log in with lowercase user IDs. The reason is OpenKM is case-sensitive and Microsoft Active Directory is not. |
|
principal.adapter |
String |
You must restart the OpenKM service after you change this parameter. OpenKM can handle user access using the Spring Security framework. OpenKM needs an available method for reading users and roles, so when users are stored in a database (as is the default), the class DatabasePrincipalAdapter does this job. com.openkm.plugin.principal.DatabasePrincipalAdapter If you configure OpenKM to authenticate against an LDAP server, you need to configure another principal adapter like LdapPrincipalAdapter. More information at: |
|
principal.identifier.validation |
String |
Sets a regular expression to validate the creation of user names and role names. ^[a-zA-Z0-9_]+$ Regular expression sample for Arabic: ^[\u0600-\u06FF]+$ This parameter can only be used in combination with the "principal.adapter" parameter value "com.openkm.plugin.principal.DatabasePrincipalAdapter". |
|
browser.password.autocompletion |
Boolean |
By default it is true (autocompletion allowed). This parameter allows disabling password autocompletion in the login frame. This is a security measure on untrusted clients. |
|
user.password.remember |
Boolean |
By default it is false. When it is enabled, a checkbox appears in the login form where you can decide whether you want to be remembered or not. This means that you won't be asked for a username and password the next time you access OpenKM, unless you log out from File > Logout. This configuration does not work with LDAP integration. However, if your OpenKM is configured with LDAP integration, take a look at LDAP troubleshooting which contains information about resolving this incompatibility. |
|
default.security.recursive.role |
String |
Sets the role that is used to identify which users are able to set recursive security. ROLE_SECURITY_RECURSIVE |
|
secure.file.delete |
Boolean |
Enables safe file deletion from the file system. The process ensures the document can be recovered later from the file system. false |
|
security.login.failed.attempts |
Integer |
Number of failed login attempts before the user will be locked. A value of 0 indicates unlimited failed attempts and the user will never be locked. 0 |
|
default.task.manager.admin.role |
String |
Sets the role that is used to identify which users are able to manage all OpenKM tasks. ROLE_TASK_MANAGER_ADMIN |
