Prepare for Production

The default OpenIAM installation contains data and configurations which are designed to help new users get started with OpenIAM. While these configurations reduce the number of initial getting-started steps, they MUST be changed before going into production to ensure that your installation is secure.

Enable HTTPS

Configure HTTPS to ensure secure communication to the OpenIAM UI. Steps to configure HTTPS can be found at:

Update your password policy

Update your password policy to align with corporate standards. Along with this, update:

  • How passwords are to be distributed
  • Change the Initial password type field from Static to Random

Update your authentication policy

Update your authentication policy to align with corporate standards. At a minimum, consider enabling MFA for the Webconsole to improve security.

Remove default users

There are a number of default users, which should be removed using the Webconsole. These include:

  • Scott Nelson
  • Hiring Manager
  • Security Manager
  • Help Desk

Replace system admin accounts

The out-of-the-box deployment includes two system admin accounts:

  • sys user (sysadmin)
  • sys2 user (sysadmin2)

Admin rights should be granted to named users so that there is traceability across the system. As such, the Super Security Admin role should be granted to the appropriate users. After access has been granted, log in with Super Security Admin rights and remove the two users above.

Note: DO NOT remove the system user. This user has no rights in OpenIAM and is used by internal processes.

Remove default entitlement objects

Remove roles

Remove the roles listed below:

  • Help desk
  • End User
  • Security Admin
  • Security Admin_IDM

Note: DO NOT REMOVE the Super Security Admin and Global UAR Administrator roles.

Remove default groups

Remove the groups listed below:

  • Security group
  • HR Group

Remove all organization objects

Remove all organization objects and replace them with a structure which represents your organization and its requirements.