Default System Properties in Oracle Identity Manager

Property Name Description Keyword Default Value
Access Policy Revoke If No Longer Applies Enhancement

Note: This property is not used in Oracle Identity Manager Release 2 (11.1.2), but has been retained only for backward compatibility.

Determines if the Revoke if no longer applies flag in access policy is applicable.

If the value is true, then this flag is applicable to child table data (entitlements) along with parent data. The user can determine if child data must be removed or retained when access policy no longer applies to user based on this flag.

If the value is false, then child table data (entitlements) are always removed after access policy is no longer applied.

XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement FALSE
Allows access policy based provisioning of multiple instances of a resource Determines if multiple instances of a resource can be provisioned to multiple target resources.

When the value is false, provisioning multiple instances of resource object via access policy is not allowed.

When the value is true, provisioning multiple instances of resource object via access policy is allowed.

XL.AllowAPBasedMultipleAccountProvisioning false
Are challenge questions disabled in OIM Determines if challenge questions are enabled or disabled when a user logs in to Oracle Identity Manager for the first time.

When value is False, challenge questions are enabled.

When value is True, challenge questions are disabled.

This property is primarily used in the context of Oracle Adaptive Access Manager (OAAM) configuration. When the value is TRUE, the challenge questions are handled by OAAM.

OIM.DisableChallengeQuestions FALSE
CommonName generation plugin Determines the common name generation plugin to generate common name. XL.DefaultCommonNamePolicyImpl oracle.iam.ldapsync.impl.plugins.FirstNameLastNamePolicy
Compiler Path for Connectors Specifies the Java home depending on the application server.

Note: If the path of the JDK directory is not included in the System Path variable, then you must set the path of the JDK directory in the XL.CompilerPath system property. If this is not done, then an error is encountered during the adapter compilation stage of the process performed when you import an XML file by using the Deployment Manager.

XL.CompilerPath
Copy user password reset e-mail to manager Specifies whether the manager of the user whose password is being reset must be notified of this password reset. XL.NotifyPasswordGenerationToOther false
Data Collection Session ID Specifies the session ID of the current Oracle Identity Analytics (OIA) Data collection session. XL.DataCollectionSessionID dummy
Data Collection Status Specifies the status of the current OIA data collection session. XL.DataCollectionStatus FAILED
Default Date Format When creating reconciliation events by calling the APIs and date format is not passed as one of the arguments to the API, Oracle Identity Manager assumes that all the date field values are specified in Default Date Format. XL.DefaultDateFormat yyyy/mm/dd hh:mm:ss z
Default Policy for common name generation Determines the common name generation policy to be picked while generation of common name. XL.DefaultCommonNamePolicyImpl oracle.iam.identity.usermgmt.impl.plugins.FirstNameLastNamePolicy
Default policy for username generation Determines the username policy to use when generating a username. XL.DefaultUserNamePolicyImpl oracle.iam.identity.usermgmt.impl.plugins.DefaultComboPolicy
Default user name domain This property is used by the DefaultComboPolicy to generate a user name in e-mail format. XL.UserNameDomain oracle.com
Direct Provisioning vs. Request for Access Policy Conflicts By default, the value of this property is TRUE. If a user has multiple access policies and these policies provision a particular resource multiple times, and at least one policy specifies that the resource can be provisioned directly, then the resource is provisioned without creating a request.

Setting this property to FALSE specifies that conflicts are resolved by creating a request for the resource, which is not provisioned directly. If there are no conflicts, then resources are provisioned based on what is defined in the access policy.

XL.DirectProvision TRUE
Does user have to provide challenge information during registration If the value is TRUE, then users will have to provide challenge information during registration. PCQ.PROVIDE_DURING_SELFREG TRUE
Duplicate challenge responses allowed This property is used to indicate whether or not duplicate challenge responses are allowed. XL.IsDupResponsesAllowed FALSE
Email Server Name of the e-mail server.

Note: After modifying the Email Server system property value, you must restart the server for the change to take effect.

XL.MailServer Email Server
Email Validation Pattern This property contains the regular expression used to validate the email ID of a user. XL.EmailValidationPattern [A-Za-z0-9\.\_\#\!\$\&\'\*\/\=\?\^\`\{\}\~\|\%\+\-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}
Enable 9.x permission checking when searching organizations This property controls the display of organizations in the organization search performed by the user. When XL.EnableOrgPermissionCheck = false, all the organizations are displayed when the user searches for organizations. When XL.EnableOrgPermissionCheck = true or the property is removed, only the organizations assigned to the user performing the search are displayed. XL.EnableOrgPermissionCheck TRUE
Enable Exception Reports This property is used to enable the exception reporting feature. Exception reporting is enabled only if the value is set to TRUE. XL.EnableExceptionReports FALSE
Enable disabled resource instances when a user is enabled If the value is TRUE, then the disabled resource instances are enabled when a user is enabled. XL.EnableDisabledResources TRUE
Evaluate LDAP Container Rules for Entity Modification If the property value is TRUE, then the LDAP container rules defined in LDAPContainerRules.xml are evaluated for entity modification. However, if none of the rules match, then the default container is not returned. The original parent container of the entity is returned, which means that there is no change in the entity DN. For more information, see “Configuring LDAP Container Rules” in Oracle Fusion Middleware Developer’s Guide for Oracle Identity Manager.

If the property value is FALSE, then the LDAP container rules defined in LDAPContainerRules.xml are not evaluated. The entity DN does not change.

Note: This property only applies to a modification scenario and not to the entity creation scenario.

LDAPEvaluateContainerRulesForModify FALSE
FA Administrators Role Name IN LDAP Name of this role, usually “Administrators”, stored in the top of the user container in LDAP. This is the user who can login and manage SOA tasks lists.

Note: This property is not used in Oracle Identity Manager.

FA.AdministratorsRole Administrators
FA cookie-http-only flag turned on This property is seeded using the RoleCategorySeedMXBeanImplMBean by FA provisioning system. FA.CookieHTTPOnly false
Flag for new permissioning model This system property determines the data object permission model for inserting, updating, and deleting records in the Oracle Identity Manager database. Before inserting, updating, and deleting records into a database table, Oracle Identity Manager checks the roles assigned to the user who wants to insert, update, or delete records. The roles have data objects assigned to them along with details of permissions to insert, update, or delete a record.

For a user to insert, update, or delete records into the table, the user must have permissions for all the roles assigned to him on that data object. If the user does not have insert, update, or delete permission on any one role, then the user is not allowed to insert, update, or delete records in the table corresponding to the data object. This applies when the value of this property is set to FALSE.

When the value is set to TRUE, the user must have insert, update, and delete permissions for any one of the roles assigned to the user on a particular data object. If any one permission is available to the user for a role, then the user can insert, update, or delete records in the table corresponding to the data object.

XL.NewPermissionModel False
Force Password Change at First Login This system property is not used in Oracle Identity Manager 11g Release 2 (11.1.2). Setting this property has no effect. XL.ForcePasswordChangeAtFirstLogin TRUE or FALSE

The default value for this property is FALSE if the user is created by self registration and TRUE if the user is created by any other method.

Force to set questions at startup When the user logs into the Oracle Identity Self Service or Oracle Identity System Administration for the first time, the user must set the default questions for resetting the password.

Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.

PCQ.FORCE_SET_QUES False
GTC Auto Import Based on the value of this property, the DM XML that is generated during GTC creation can be saved to a directory.

The default value of this property is true.

When the value of this property is set to “False”, the DM XML created by the GTC framework during GTC creation (the XML that GTC creates and imports internally using Deployment Manager) is stored in the following directory:

OIM_HOME/GTC/XMLOutput

The naming convention followed for the DM xml is:

GTCNAME_CURRENTDATE_TIMESTAMP.xml, with the timestamp created using the date format “yyyy-MM-dd-HH-mm-ss”

For example:

TRUSTEDCSV_2009-02-05-22-41-11.xml

XL.GTCAutoImport true
Homepage for Self Service console This property is used to set the page to be displayed after a user logs in to Oracle Identity Manager Self Service.

You can set one of the following as the value of this property:

  • my_access: Displays the My Access page
  • my_info: Displays the My Information page
  • home: Displays the Home page
  • catalog_home: Displays the Catalog page
  • none: Displays no page

Note: After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.

OIM.IdentityHomepage none
Indicates if referential integrity is enabled in target LDAP directory The value of this property is TRUE if referential integrity in target LDAP directory is turned on.

The value of this property is FALSE if referential integrity in target LDAP directory is turned off.

XL.IsReferentialIntegrityEnabledInLDAP FALSE
Is Self-Registration Allowed If the value is TRUE, then the users are allowed to self-register. XL.SelfRegistrationAllowed TRUE
Is disabled manager allowed Specifies whether a user in the disabled state can be set as a manager for another user. AllowDisabledManagers FALSE
LDAP Reservation Plugin This property determines the LDAP reservation plugin implementation to be picked up for reservation of user attributes. XL.LDAPReservationPluginImpl oracle.iam.identity.usermgmt.impl.plugins.reservation.ReservationInOID
Maximum Number of Login Attempts Determines how many consecutive times the user can attempt to login to Oracle Identity Manager unsuccessfully before Oracle Identity Manager locks the user account.

Note: If the user account is locked, then it can be unlocked by any one of the following ways:

  • Resetting the password by using Forgot Password
  • Unlocking the user by the delegated administrator
  • Automatic unlocking after the expiry of the lock period, which is done using the Automatically Unlock User scheduled task that runs daily
XL.MaxLoginAttempts 10
Maximum Number of Password Reset Attempts Determines how many consecutive times the user can attempt to reset the password unsuccessfully before Oracle Identity Manager locks the user account.

Important: When the user account is locked, the user cannot unlock it. If this occurs, then contact the system administrator.

XL.MaxPasswordResetAttempts 3
Minimum length of challenge response This property is used to set the minimum length of answers to challenge questions. XL.ResponseMinLength 0
Number of Correct Answers This value represents how many questions the user must answer correctly to reset user password. PCQ.NO_OF_CORRECT_ANSWERS 3
Number of Questions Sets the number of questions that must be completed by a user who is using the Web Application to reset the user’s password. PCQ.NO_OF_QUES 3

Note: The value set for PCQ.NO_OF_QUES must not be less than the value set for PCQ.NO_OF_CORRECT_ANSWERS.

OIA integration status Specifies whether OIA is integrated with Oracle Identity Manager.

Set the value of this property to TRUE before you add role memberships in Oracle Identity Manager.

If you set the value of this property to FALSE, incremental role memberships into OIA will not work.

Note: You must do a full import of role memberships at least once after this property is enabled.

OIM.IsOIAIntegrationEnabled FALSE
Old Password Validator The property specifies the name of the plugin class to be used for verifying old passwords. OIM.OldPasswordValidator oracle.iam.identity.usermgmt.impl.ContainerLoginPasswordVerifier
Organization Delete/Disable Action If this property is set to TRUE, then users can disable/delete the organization even if the organization contains users and suborganizations.

If this property is FALSE, then users cannot disable/delete the organization if the organization contains users and suborganizations.

The default value is FALSE.

ORG.DisableDeleteActionEnabled FALSE
Pending Cancelled Tasks If this property is set to TRUE and tasks are configured to allow cancellation while they are pending, then these tasks are moved to Pending Cancelled (PX) status if the corresponding process instance is cancelled. If the property is set to FALSE, then tasks are moved to Cancelled (X) status when corresponding process instance is cancelled. Note that process instances are called by Oracle Identity Manager when the corresponding resource instances are revoked. XL.PendingCancelled true
Period to Delay User Delete This property is used to specify the time period before deleting a user. When this property is set and a user is deleted, the user’s state is changed to disabled and “automatically delete on date” is set to current date plus the delay period. XL.UserDeleteDelayPeriod 0
Property dictates whether database name will be displayed If the value is TRUE, then the database name is displayed on the Design Console. XL.TOOLBAR_DBNAME_DISPLAY TRUE
Proxy User Email Notification The corresponding PTY_VALUE is the e-mail definition name that is sent when a proxy user is created. User gets a notification e-mail when the user is made the proxy for some other user. XL.ProxyNotificationTemplate Notify Proxy User
Recon Batch Size This property is used to specify the batch size for reconciliation. You can specify 0 as the value for this to indicate that the reconciliation will not be performed in batches.

Note: You must restart Oracle Identity Manager server after setting this property.

OIM.ReconBatchSize 500
Record Read Limit Sets the maximum number of records that can be displayed in a query result set in the Oracle Identity System Administration. XL.READ_LIMIT 500
Request Notification Level This property indicates whether or not notification is sent to the requester and beneficiary when a request is created or the request status is changed.

When the value of this property is 0, then the notification feature is disabled. When the value is 1, then the notification feature is enabled.

RequestNotificationLevel 0
Reset with generated password If a user’s password is to be reset, then this property determines how the password is to be reset by the delegated administrator.

If this property is set to true, then the password is always automatically generated. If set to false, then an additional option of setting the password manually is provided.

XL.ResetWithGeneratedPwd TRUE
Retry Count for recon event This property determines the reconciliation retry count. The retry count value is picked up from the value of this property.

If you specify a value that is greater than 0, then auto retry is configured. If you specify 0 as the value of this property, then auto retry is not configured.

Recon.RetryCount 5
Role SoD Check Topology Name This property is used to define the topology name which informs SIL (SoD Invocation Library) the SoD Engine to be used for performing SoD checks. The topology name is defined in the SILConfig.xml file and is a combination of an identity management system, target system and an SoD Engine.

Role SoD Check based on SIL is supported only if you are using OIA as the SoD engine. The default topology name set in the SILConfig.xml file if you are using OIA is sodoia.

If you set the value of this property to sodoia, then any request raised for roles will go through SoD Check with OIA. An SoD Check is performed only when a request for roles is raised and not in case of direct assignment.

If you want to use a topology name other than the default, then it must be defined in the SILConfig.xml file and registered with SIL. For details on registering new topology name with SIL, see “Using Segregation of Duties (SoD)” in Oracle Fusion Middleware Developer’s Guide for Oracle Identity Manager.

Note: This property is used only for non-FA role SoD check.

RoleSoDCheckTopologyName
Search Stop Count This property determines the maximum number of records that are displayed in the advanced search result. If the search criteria specified returns more records than the value of this property, then the number of records displayed is limited to this value. In addition, a warning is displayed stating that the results exceed maximum counts and you must refine your search with additional attributes. XL.IDADMIN_STOP_COUNT 300
Segregation of Duties (SOD) Check Required This property indicates whether or not Segregation of Duties (SoD) check is required. XL.SoDCheckRequired FALSE
Should send notifications in recon or not Determines if notification is sent to the user when the user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.

If the value is set to true, then notification is sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.

If the value is set to false, then notification is not sent when user login and password are generated in postprocess event handler for user creation via trusted source reconciliation.

Recon.SEND_NOTIFICATION true
Show left navigation taskflow panel in Self Service console? This property is used to specify whether the left pane, which is the primary navigation tool, must be displayed when a user is logged in to Oracle Identity Manager Self Service.

Set the value of this property to true to display the left pane. Otherwise, set the value of the property to false.

Note:

  • If you set the value of this property to false, then you must set the value of the Show toolbar navigation in Self Service console? property to true.
  • After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
OIM.IdentityShowLeftNav true
Show toolbar navigation in Self Service console? This property is used to specify whether the links (in the upper-right-hand corner of the page) such as Accessibility, Help, and so on must be displayed to a user logged in to Oracle Identity Self Service.

Set the value of this property to true to display the links. Otherwise, set the value of the property to false.

Note:

  • If you set the value of this property to false, then you must set the value of the Show left navigation taskflow panel in Self Service console? property to true.
  • After modifying the value of this property, you must restart Oracle Identity Manager server for the changes to take effect.
OIM.IdentityShowToolbar false
Skin Family for OIM UI The ADF skin family for Oracle Identity Manager UI that the application uses at runtime. OIM.SkinFamily fusionFX
Skin Version for OIM UI The skin version, if any, for the skin family being used for Oracle Identity Manager UI.

If the skin has a version, then set trinidad-config.xml SKIN-VERSION to be the skin version of your skin. Otherwise, set the default value for this property if you want to select the skin marked to be the default for that skin family.

OIM.SkinVersion default
Specifies the LDAP container mapper plug-in to be used When Oracle Identity Manager is installed with LDAP synchronization enabled, this plug-in determines in which container users and roles are to be created. Value of this system property indicates the default Oracle Identity Manager plug-in name used for computing the container values. If the default plug-in does not meet the requirement, then you can define your own plug-in to determine the container and specify the name of the plug-in in this system property.

Note: For information about this plug-in, see “Developing LDAP Container Rules” in the Oracle Fusion Middleware Developer’s Guide for Oracle Identity Manager.

LDAPContainerMapperPlugin oracle.iam.ldapsync.impl.DefaultLDAPContainerMapper
URL for challenge questions modification When a user is locked, an automatic unlock occurs after a prescribed time period. This property defines that time period in seconds. Therefore, for example, if a user account is locked and the value of this property is 86400 seconds (one day), then the account is automatically unlocked after one day.

The value of this property is the URL within OAAM that handles the challenge questions. For example:

http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=registerQuestions

OIM.ChallengeQuestionsModificationURL NONE
URL for change password This property is used in combination with the property OIM.DisableChallengeQuestions. The value of this property is the URL within OAAM that handles the change password functionality. For example:

http://OAAM_HOST:OAAM_PORT/OAAM_SERVER/userPreferences.do?showView=changePassword

OIM.ChangePasswordURL NONE
Unlock Account Automatically After Time Period This property is used to automatically unlock user accounts after the specified time period. XL.UnlockAfter 86400 seconds, which is 1 day
Use Row Restriction Note: This property is for internal use by Oracle Identity Manager. You must not use this property. XL.UseRowRestriction FALSE
Use of Default Questions For customers who have customized their UI to allow end-users to set their own challenge questions, this property determines whether the user must select challenge questions from a predefined list in the Web Application, or if users are required to provide their own questions.

Note: Functionality that allows end-users to set their own challenge questions is not supported in the standard out-of-the-box user interface.

PCQ.USE_DEF_QUES TRUE
Use semicolon as delimiter in API parameters This property is used to specify whether or not semicolon should be used as a delimiter to the API input parameter values. Some APIs accepted string input values that are separated by semicolon. This has been changed to use a vertical bar “|” instead. To keep backward compatibility, this new property can be used to go back to using semicolons. The default value is FALSE signifying the usage of “|”. When set to TRUE, the input for those APIs is accepted with semicolon as separator. XL.UseSemiColonAsDelimiter FALSE
User Attribute Reservation Enabled This property is used to enable user attribute reservation. XL.IsUsrAttribReservEnabled TRUE
User Id reuse property. Requires dropping the index present on USR_LOGIN column Determines whether a deleted user account can be reused. To reuse a deleted user account, assign this property a value of TRUE and drop the unique index for the USR_LOGIN column in the USR table and create a nonunique index. To prevent a user account from being reused, assign this property a value of FALSE.

Note: It is imperative to de-provision all accounts associated with a deleted user, because if you create a new user with the same user name as that of the deleted user by setting the XL.UserIDReuse property to true, then the new user might get access to offline accounts of the deleted user that were not deleted as part of the de-provisioning process.

XL.UserIDReuse FALSE
User Language The user.language value is configured during installation for Locale handling at server side. user.language en
User Region The user.region value is configured during installation for Locale handling at server side. user.region US
User Variant The user.variant value is configured during installation for locale handling at server side. user.variant
User profile audit data collection level This property controls the user profile data that is collected for audit purpose when an operation is performed on the user, such as creation, modification, or deletion of a user, role grants or revokes, and resource provisioning or deprovisioning. Depending upon the property value, such as Resource Form or None, the data is populated in the UPA table.

The audit levels are specified as values of this property. The supported levels are:

  • Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.
  • Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.
  • Resource: Audits the user record, role membership, and resource provisioning.
  • Membership: Only audits the user record and role membership.
  • Core: Only audits the user record.
  • None: No audit is stored.
XL.UserProfileAuditDataCollection Resource Form
Xellerate User resource provision mode This property determines whether provisioning of the Xellerate User resource to the user’s organization occurs in the database layer through stored procedure, or in the Java layer via Event Handlers.

Note: See Oracle Fusion Middleware Developer’s Guide for Oracle Identity Manager for information about Event Handlers.

This property has the following allowed values:

  • DB: Provisioning of the Xellerate User resource to the user’s organization occurs in the database layer through stored procedure. This in turn does not trigger any further process. Therefore, custom tasks associated with the Xellerate User provisioning process that is associated with the Xellerate User resource does take place.
  • Java: Provisioning of the Xellerate User resource to the user’s organization occurs in the database layer via Event Handlers. Custom tasks associated with the Xellerate User provisioning process that is associated with the Xellerate User resource take place. This is applicable to the upgrade scenario, where you have your own tasks associated with provisioning processes in earlier releases of Oracle Identity Manager, and you want them to run even after 11g upgrade. In such a scenario, set the value of this property to JAVA.
XLUserResource.ProvisionMode DB
Whether or not email should be validated for uniqueness This property is available in an Oracle Identity Manager 11g Release 2 (11.1.2) deployment that has been upgraded from an earlier release of Oracle Identity Manager.

If the value of this property is FALSE, then Email Uniqueness check is not performed by Oracle Identity Manager.

If the value is TRUE, then Email Uniqueness check is performed by Oracle Identity Manager.

Note: If this property is not present, then Email Uniqueness check is performed by Oracle Identity Manager.

OIM.EmailUniqueCheck
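
Several descriptions above state rules that span more than one property or restrict a property to a fixed set of values (question counts, Self Service navigation, homepage, audit level, provision mode, user ID reuse). The following is an added example, not Oracle code or part of the original page, that checks a set of values against those rules. It assumes the values are already available as a keyword-to-value mapping, treats missing keywords as the defaults listed in the table, and uses the hypothetical names check_properties and SAMPLE.

```python
# Added example (not Oracle code): validate OIM system property values against
# the constraints stated in the property descriptions on this page.

# Defaults as listed in the table; keys missing from the input fall back to these.
DEFAULTS = {
    "PCQ.NO_OF_QUES": "3",
    "PCQ.NO_OF_CORRECT_ANSWERS": "3",
    "OIM.IdentityShowLeftNav": "true",
    "OIM.IdentityShowToolbar": "false",
    "OIM.IdentityHomepage": "none",
    "XL.UserProfileAuditDataCollection": "Resource Form",
    "XLUserResource.ProvisionMode": "DB",
    "XL.UserIDReuse": "FALSE",
}

# Allowed values from the table, lower-cased. Matching is case-insensitive,
# which is an assumption (the page itself writes both "Java" and "JAVA").
ALLOWED = {
    "OIM.IdentityHomepage": {"my_access", "my_info", "home", "catalog_home", "none"},
    "XL.UserProfileAuditDataCollection": {
        "process task", "resource form", "resource", "membership", "core", "none"},
    "XLUserResource.ProvisionMode": {"db", "java"},
}


def check_properties(props):
    """Return a list of (keyword, message) findings for a keyword -> value mapping."""
    effective = {**DEFAULTS, **props}
    norm = {k: str(v).strip().lower() for k, v in effective.items()}
    findings = []

    # Enumerated properties must hold one of the documented values.
    for key, allowed in ALLOWED.items():
        if norm[key] not in allowed:
            findings.append((key, f"{effective[key]!r} is not a documented value"))

    # PCQ.NO_OF_QUES must not be less than PCQ.NO_OF_CORRECT_ANSWERS.
    try:
        ques = int(norm["PCQ.NO_OF_QUES"])
        correct = int(norm["PCQ.NO_OF_CORRECT_ANSWERS"])
    except ValueError:
        findings.append(("PCQ.NO_OF_QUES", "question counts must be integers"))
    else:
        if ques < correct:
            findings.append(("PCQ.NO_OF_QUES",
                             f"{ques} questions asked but {correct} correct answers required"))

    # If the left pane is off the toolbar must be on, and the other way round.
    if norm["OIM.IdentityShowLeftNav"] != "true" and norm["OIM.IdentityShowToolbar"] != "true":
        findings.append(("OIM.IdentityShowLeftNav",
                         "left pane and toolbar navigation are both switched off"))

    # Audit level None means no user profile audit data is stored.
    if norm["XL.UserProfileAuditDataCollection"] == "none":
        findings.append(("XL.UserProfileAuditDataCollection",
                         "no user profile audit data is stored"))

    # With user ID reuse on, leftover accounts of a deleted user can reach the new user.
    if norm["XL.UserIDReuse"] == "true":
        findings.append(("XL.UserIDReuse",
                         "deleted logins can be reused; de-provision all accounts of deleted users"))

    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "PCQ.NO_OF_QUES": "2",
    "PCQ.NO_OF_CORRECT_ANSWERS": "3",
    "OIM.IdentityShowLeftNav": "false",   # toolbar not set, so its default (false) applies
    "OIM.IdentityHomepage": "dashboard",
    "XL.UserProfileAuditDataCollection": "None",
    "XLUserResource.ProvisionMode": "JAVA",
    "XL.UserIDReuse": "TRUE",
}

if __name__ == "__main__":
    for key, message in check_properties(SAMPLE):
        print(f"{key}: {message}")
```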
