Prepare for Production
The default OpenIAM contains data and configurations which are designed to help new users get started with OpenIAM. While these configuration reduce the number of initial getting started steps, they MUST be changed before going into production to ensure that you have a secure your installation.
Enable HTTPS
Configure HTTPS to ensure secure communication to the OpenIAM UI. Steps to configure HTTPS can be found at:
Update your password policy
Update your password policy to assign with corporate standards. Along with this, update:
- How passwords are to be distributed
- Update groovy in policy map of OPENIAM managed system to generate random password vs static
Update your authentication policy
Update your authentication policy to align with corporate standards. At a minimum consider enabling MFA for the Webconsole to improve security
Remove default users
There are number of default users, which should be removed using the webconsole. The include:
- Scott Nelson
- Hiring Manager
- Security Manager
- Help Desk
Replace system admin accounts
The out of the box deployment includes to system admin accounts:
- sys user (sysadmin)
- sys2 user (sysadmin2)
Admin rights should be granted to named users so that there is traceability across the system. As such, the Super Security Admin
role should be granted to the appropriate users. After access has been granted, login with super security admin rights and remove the above the two users.
Note: DO NOT remove the system
user. This user has no rights in OpenIAM and is used by internal processes.
Remove default entitlement objects
Remove roles
Remove the roles listed below:
- Help desk
- End User
- Security Admin
- Security Admin_IDM
Note: DO NOT REMOVE the Super security admin
and Global UAR Administrator
Remove default groups
Remove the groups listed below:
- Security group
- HR Group
Remove all organization objects
Remove all organization objects and replace them with a structure which represents your organization and requirements