From b042282a6ca9baf9ce19e2671de7727a0779d40a Mon Sep 17 00:00:00 2001 From: Tapasweni Pathak Date: Tue, 18 Jun 2019 04:02:53 +0530 Subject: [PATCH] Fix few docs tickets ref https://github.com/mattermost/docs/pull/2732#issuecomment-502707886. --- source/administration/config-settings.rst | 4842 ++++++++++----------- 1 file changed, 2403 insertions(+), 2439 deletions(-) diff --git a/source/administration/config-settings.rst b/source/administration/config-settings.rst index 695ce37f4600..c1d4f393fc84 100644 --- a/source/administration/config-settings.rst +++ b/source/administration/config-settings.rst @@ -1,9 +1,6 @@ Configuration Settings ====================== -.. note:: - The order of the configuration settings below are reflective of a reorganization of the System Console in v5.12 released on June 16th, 2019. To view the configuration settings based on the organization of the System Console in versions prior to v5.12, please see this `documentation `_. - Mattermost configuration settings are maintained in the configuration file ``config.json``, located in the ``mattermost/config`` directory. You can modify the configuration file using the System Console, or by using a text editor to modify it directly. The default location of ``config.json`` is in the ``mattermost/config`` directory. Mattermost must have write permissions to ``config.json``, otherwise changes made in the System Console will have no effect. 
@@ -29,68 +26,12 @@ For any setting that is not set in ``config.json`` or in environment variables, :local: :backlinks: entry -About +General ------- -Settings for managing the edition and license for Mattermost Enterprise Edition. - -Edition and License -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Edition -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -View the edition of the Mattermost deployment. - -License -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -View subscription details including the number of users and expiry date of your Mattermost License. - -License Key -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Upload or remove license files. For more information on Mattermost Licensing, please see our `frequently asked questions about licensing `_. - -Reporting ---------- -View statistics for your overall deployment and specific teams as well as access server logs. - -Site Statistics -~~~~~~~~~~~~~~~~~~~~~~~~~ -View statistics on active users, teams, channels, sessions, webhooks, and connections. - -Team Statistics -~~~~~~~~~~~~~~~~~~~~~~~~~ -View statistics per team on number of active users, as well as public and private channels. - -Server Logs -~~~~~~~~~~~~~~~~~~~~~~~~~ -View logging of server-side events. - -User Management ---------------- -Settings for managing users, user access, and permissions. - -Users -~~~~~~~~~~~~~~~~~~~~~~~~~ -View and manage active and inactive users. - -Groups -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* - -Groups offers admins a way to manage default teams and channels by linking AD/LDAP groups to Mattermost groups. See `Groups documentation `__ for more details. +General settings for server configuration, language defaults, user and team management, privacy, compliance reporting and logs. -Permissions +Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E10 and higher* - -Advanced permissions offers Admins a way to restrict actions in Mattermost to authorized users only. 
See `permissions documentation `__ for more details. - -Environment ------------ -Settings for configuring the network environment in which Mattermost is deployed. - -Web Server -~~~~~~~~~~~~~~~~~~~~~~~~~ -Changing properties in this section will require a server restart before taking effect. Site URL ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -105,12 +46,10 @@ If Site URL is not set, the following features will operate incorrectly: - email notifications will contain broken links, and email batching will not work - authentication via OAuth 2.0, including GitLab, Google and Office 365, will fail - plugins may not work as expected - -Changes to this setting require a server restart before taking effect. -+-------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SiteURL": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"SiteURL": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------+ Listen Address ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -121,8 +60,6 @@ If you choose a port of a lower level (called "system ports" or "well-known port On Linux you can use: ``sudo setcap cap_net_bind_service=+ep ./bin/mattermost`` to allow Mattermost to bind to well-known ports. -Changes to this setting require a server restart before taking effect. - +-------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"ListenAddress": ":8065"`` with string input | +-------------------------------------------------------------------------------------------+ @@ -133,8 +70,6 @@ Forward port 80 to 443 **False**: When using a proxy such as NGINX in front of Mattermost this setting is unnecessary and should be set to `false`. -Changes to this setting require a server restart before taking effect. - +-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"Forward80To443": false`` with options ``true`` and ``false`` for above settings respectively. | +-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -146,8 +81,6 @@ Connection Security **TLS**: Encrypts the communication between Mattermost and your server. See `documentation `__ for more details. -Changes to this setting require a server restart before taking effect. - +---------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"ConnectionSecurity": ""`` with options ``""`` and ``TLS`` for the above settings respectively | +---------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -156,8 +89,6 @@ TLS Certificate File ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The path to the certificate file to use for TLS connection security. -Changes to this setting require a server restart before taking effect. - +------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"TLSCertFile": ""`` with string input | +------------------------------------------------------------------------------------+ @@ -166,8 +97,6 @@ TLS Key File ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The path to the TLS key file to use for TLS connection security. -Changes to this setting require a server restart before taking effect. - +-----------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"TLSKeyFile": ""`` with string input | +-----------------------------------------------------------------------------------+ @@ -178,8 +107,6 @@ Use Let's Encrypt **False**: Manual certificate specification based on the **TLS Certificate File** and **TLS Key File** specified above. -Changes to this setting require a server restart before taking effect. - +-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"UseLetsEncrypt": false`` with options ``true`` and ``false`` for above settings respectively. | +-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -191,8 +118,6 @@ Let's Encrypt Certificate Cache File ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The path to the file where certificates and other data about the Let's Encrypt service will be stored. -Changes to this setting require a server restart before taking effect. - +-----------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache"`` with string input. | +-----------------------------------------------------------------------------------------------------------------------------------+ @@ -201,8 +126,6 @@ Read Timeout ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Maximum time allowed from when the connection is accepted to when the request body is fully read. -Changes to this setting require a server restart before taking effect. - +-------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"ReadTimeout": 300`` with string input | +-------------------------------------------------------------------------------------+ @@ -211,8 +134,6 @@ Write Timeout ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If using HTTP (insecure), this is the maximum time allowed from the end of reading the request headers until the response is written. If using HTTPS, it is the total time from when the connection is accepted until the response is written. -Changes to this setting require a server restart before taking effect. - +--------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"WriteTimeout": 300`` with string input | +--------------------------------------------------------------------------------------+ 
@@ -229,9 +150,7 @@ Set to false to disable all version 3 endpoints of the REST API. Integrations th Webserver Mode ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -gzip compression applies to the HTML, CSS, Javascript, and other static content files that make up the Mattermost web client. It is recommended to enable gzip to improve performance unless your environment has specific restrictions, such as a web proxy that distributes gzip files poorly. - -Changes to this setting require a server restart before taking effect. +gzip compression applies to the HTML, CSS, Javascript, and other static content files that make up the Mattermost web client. It is recommended to enable gzip to improve performance unless your environment has specific restrictions, such as a web proxy that distributes gzip files poorly. This setting requires a server restart to take effect. **gzip**: The Mattermost server will serve static files compressed with gzip to improve performance. 
@@ -239,46 +158,29 @@ Changes to this setting require a server restart before taking effect. **Disabled**: The Mattermost server will not serve static files. -Changes to this setting require a server restart before taking effect. - +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"WebserverMode": "gzip"`` with options ``gzip``, ``uncompressed`` and ``disabled`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Insecure Outgoing Connections -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Outgoing HTTPS requests can accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. - -**False**: Only secure HTTPS requests are allowed. - -Security note: Enabling this feature makes these connections susceptible to man-in-the-middle attacks. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableInsecureOutgoingConnections": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - Reload Configuration from Disk ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ *Available in Enterprise Edition E20* This button resets the configuration settings by reloading the settings from the disk. 
The server will still need to be restarted if a setting requiring server restart was changed. -The workflow for failover without downing the server is to change the database line in the config.json file, click **Reload Configuration from Disk** then click **Recycle Database Connections** in the **Advanced > Database section**. +The workflow for failover without downing the server is to change the database line in the config.json file, click **Reload Configuration from Disk** then click **Recycle Database Connections** in the Advanced > Database section. Purge All Caches ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This button purges all the in-memory caches for sessions, accounts and channels. Deployments using High Availability will attempt to purge all the servers in the cluster. Purging the caches may adversely impact performance. -Database -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Changes to properties in this section will require a server restart before taking effect. +________ +Localization +~~~~~~~~~~~~~~~~~~~~~~~~~ Default Server Language ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Default language for system messages and logs. - -Changes to this setting require a server restart before taking effect. +Default language for system messages and logs. Changing this will require a server restart before taking effect. +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"DefaultServerLocale": "en"`` with options ``de``, ``en``, ``es``, ``fr``, ``it``, ``ja``, ``ko``, ``nl``, ``pl``, ``pt-br``, ``ro``, ``ru``, ``tr``, ``zh_CN`` and ``zh_TW`` | 
@@ -292,706 +194,432 @@ Default language for newly created users and pages where the user hasn't logged | This feature's ``config.json`` setting is ``"DefaultClientLocale": "en"`` with options ``de``, ``en``, ``es``, ``fr``, ``it``, ``ja``, ``ko``, ``nl``, ``pl``, ``pt-br``, ``ro``, ``ru``, ``tr``, ``zh_CN`` and ``zh_TW`` | +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Driver Name +Available Languages ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting can only be changed from ``config.json`` file, it cannot be changed from the System Console user interface. +Sets which languages are available for users in **Account Settings** > **Display** > **Languages**. Leave the field blank to add new languages automatically by default, or add new languages using the dropdown menu manually as they become available. If you're manually adding new languages, the **Default Client Language** must be added before saving the setting. -``mysql``: enables driver to MySQL database. +.. note:: + Servers which upgraded to v3.1 need to manually set this field blank to have new languages added by default. -``postgres``: enables driver to PostgreSQL database. 
++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AvailableLocales": ""`` with options ``""``, ``de``, ``en``, ``es``, ``fr``, ``it``, ``ja``, ``ko``, ``nl``, ``pl``, ``pt-br``, ``ro``, ``ru``, ``tr``, ``zh_CN`` and ``zh_TW`` | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DriverName": "mysql"`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ -Data Source +Users and Teams +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Account Creation ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This is the connection string to the master database. When **DriverName** is set to ``postgres``, use a connection string in the form ``postgres://mmuser:password@localhost:5432/mattermost_test?sslmode=disable&connect_timeout=10``. This setting can only be changed from ``config.json`` file. +**True**: Ability to create new accounts is enabled via inviting new members or sharing the team invite link. -.. note:: - To enable SSL, add ``&tls=true`` to your database connection string if your SQL driver supports it. Add ``&tls=skip-verify`` if you use self-signed certificates. +**False**: Ability to create accounts is disabled. 
The **Create Account** button displays an error when trying to signup via an email invite or team invite link. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DataSource": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableUserCreation": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Maximum Idle Connections +Enable Account Deactivation ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Maximum number of idle connections held open to the database. +**True**: Ability for users to deactivate their own account from **Account Settings > Advanced**. If a user deactivates their own account, they will get an email notification confirming they were deactivated. + +**False**: Ability for users to deactivate their own account is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxIdleConns": 10`` with whole number input. | +| This feature's ``config.json`` setting is ``"EnableUserDeactivation": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Maximum Open Connections +Enable Team Creation ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Maximum number of open connections held open to the database. 
- -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxOpenConns": 10`` with whole number input. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +*This permission has been migrated to the database and changing the config.json value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.* -Query Timeout -^^^^^^^^^^^^^^^^^ -The number of seconds to wait for a response from the database after opening a connection and sending the query. Errors that you see in the UI or in the logs as a result of a query timeout can vary depending on the type of query. +**True**: Ability to create a new team is enabled for all users. -+-------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"QueryTimeout": 30`` with whole number input. | -+-------------------------------------------------------------------------------------------------------------------------+ +**False**: Only System Administrators can create teams from the team selection page. The **Create A New Team** button is hidden in the main menu UI. -Maximum Connection Lifetime -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Maximum lifetime for a connection to the database, in milliseconds. Use this setting to configure the maximum amount of time a connection to the database may be reused. Defaults to an hour (3,600,000 milliseconds). 
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableTeamCreation": true`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ConnMaxLifetimeMilliseconds": 3600000`` with whole number input. | -+-------------------------------------------------------------------------------------------------------------------------+ +Max Users Per Team +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Maximum number of users per team, excluding inactive users. -Minimum Hashtag Length -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Minimum number of characters in a hashtag. This must be greater than or equal to 2. MySQL databases must be configured to support searching strings shorter than three characters, see `documentation `_. -+-------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MinimumHashtagLength": 3`` with whole number input. | -+-------------------------------------------------------------------------------------------------------------------------+ +The **Max Users Per Team** refers to the size of the "team site" which is workspace a "team of people" inhabits. A team of people is considered a small organization where people work closely together towards a specific shared goal and share the same etiquette. In the physical world, a team of people could typically be seated around a single table to have a meal and discuss their project. 
-At Rest Encrypt Key -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -A 32-character key for encrypting and decrypting sensitive fields in the database. You can generate your own cryptographically random alphanumeric string, or you can go to **System Console > Environment > Database** and click **Regenerate**, which displays the value until you click **Save**. +The default maximum of 50 people, is at the extreme high end of a single team of people. At this point organizations are more often "multiple teams of people" and investments in explicitly defining etiquette, such as `channel organization `__ or turning on `policy features `__ in Enterprise Edition, are often used to scale the high levels of productivity found in a team of people using Mattermost to multiple teams of people. -When using High Availability, the salt must be identical in each instance of Mattermost. +In terms of technical performance, `with appropriate hardware, Mattermost can easily scale to hundreds and even thousands of users `__, and provided the administrator believes the appropriate etiquette is in place, they should feel free to increase the default value. -+------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AtRestEncryptKey": ""`` with string input. | -+------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MaxUsersPerTeam": 50`` with whole number input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Trace +Max Channels Per Team ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Executing SQL statements are written to the log for development. -**False**: SQL statements are not written to the log. +Maximum number of channels per team, including both active and deleted channels. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Trace": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"MaxChannelsPerTeam": 2000`` with whole number input.                                                                    | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Recycle Database Connections +Max Notifications Per Channel ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* -This button reconnects to the database listed in the configuration settings. All old connections are closed after 20s. - -The workflow for failover without downing the server is to change the database line in the config.json file, click **Reload Configuration from Disk** in the **Environment > Database** section, then click **Recycle Database Connections**. +Maximum total number of users in a channel before @all, @here, and @channel no longer send notifications to maximize performance. 
-Elasticsearch -~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* +If you want to increase this value, the recommendation is to increase it a little at a time and monitor system health with `performance monitoring metrics `__. We also recommend only increasing this value if large channels have restricted permissions for who can post to the channel (for instance, a read-only Town Square channel). -Changes to properties in this section will require a server restart before taking effect. ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MaxNotificationsPerChannel": 1000`` with whole number input.                                                                    | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Elasticsearch Indexing -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True:** indexing of new posts occurs automatically. Search queries will use database search until "Enable Elasticsearch for search queries" is enabled. `Learn more about Elasticsearch in our documentation `__. +Show @channel and @all confirmation dialog +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**False:** Elasticsearch indexing is disabled and new posts are not indexed. If indexing is disabled and re-enabled after an index is created, it is recommended to purge and rebuild the index to ensure complete search results. +**True**: Users will be prompted to confirm when posting @channel and @all in channels with over five members. 
-+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableIndexing": false`` with options ``true`` and ``false`` for above settings respectively. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: No confirmation is required. -Server Connection Address -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The address of the Elasticsearch server. `Learn more about Elasticsearch in our documentation `__. ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableConfirmNotificationsToChannel": true`` with options ``true`` and ``false`` for above settings respectively.              | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ConnectionUrl": ""`` with string input. | -+------------------------------------------------------------------------------------------------------------------------+ +Restrict account creation to specified email domains +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Teams and user accounts can only be created by a verified email from this list of comma-separated domains (e.g. "corp.mattermost.com, mattermost.org"). -Server Username -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The username to authenticate to the Elasticsearch server. +This setting only affects email login. 
-+-------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Username": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictCreationToDomains": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Server Password -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The password to authenticate to the Elasticsearch server. +Restrict Team Names +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+-------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Password": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------+ +*Removed in November 16th, 2016 release* -Enable Cluster Sniffing -^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Sniffing finds and connects to all data nodes in your cluster automatically. +**True**: Newly created team names cannot contain the following restricted words: www, web, admin, support, notify, test, demo, mail, team, channel, internal, localhost, dockerhost, stag, post, cluster, api, oauth. -**False**: Sniffing is disabled. +**False**: Newly created team names are not restricted. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Sniff": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"RestrictTeamNames": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Bulk Indexing -^^^^^^^^^^^^^^^^^^^^^^^^ -This button starts a bulk index of all existing posts in the database. If the indexing process is cancelled the index and search results will be incomplete. +Enable users to open Direct Message channels with +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Purge Indexes -^^^^^^^^^^^^^^^^^^^^^^^^ -This button purges the entire Elasticsearch index. Typically only used if the index has corrupted and search is not behaving as expected. After purging the index a new index can be created with the **Bulk Index** button. +**Any user on the Mattermost server**: The Direct Messages "More" menu has the option to open a Direct Message channel with any user on the server. -Enable Elasticsearch for search queries -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Elasticsearch will be used for all search queries using the latest index. Search results may be incomplete until a bulk index of the existing post database is finished. +**Any member of the team**: The Direct Messages "More" menu only has the option to open a Direct Message channel with users on the current team, and CTRL/CMD+K channel switcher only lists users on the current team. If a user belongs to multiple teams, direct messages will still be received regardless of what team they are currently on. -**False**: Database search is used for search queries. 
+This setting only affects the UI, not permissions on the server. For instance, a Direct Message channel can be created with anyone on the server regardless of this setting. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSearching": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"RestrictDirectMessage": "any"`` with options ``any`` and ``team`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Elasticsearch for autocomplete queries -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Elasticsearch will be used for all autocompletion queries on users and channels using the latest index. Autocompletion results may be incomplete until a bulk index of the existing users and channels database is finished. - -**False**: Database autocomplete is used. +Allow Team Administrators to edit others posts +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*This permission is stored in the database and can be modified using the System Console user interface.* -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableAutocomplete": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Team Administrators and System Administrators can edit other users' posts. 
-File Storage -~~~~~~~~~~~~~~~~~~~~~~~~~ -Mattermost currently supports storing files on the local filesystem and Amazon S3 or S3 compatible containers. +**False**: Only System Administrators can edit other users' posts. .. note:: - We have tested Mattermost with `Minio `__ and `Digital Ocean Spaces `_ products but not all S3 compatible containers on the market. If you are looking to use other S3 compatible containers we advise completing your own testing. +This setting is only available for Team Edition servers. Enterprise Edition servers can use `Advanced Permissions `__ to configure this permission. -File Storage System + +Enable Team Directory ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Removed in May 16th, 2016 release* -+-------------------------+---------------------+ -| ``config.json`` setting | ``DriverName`` | -+-------------------------+---------------------+ -| Allowed Values | ``local`` (default) | -| | ``amazons3`` | -+-------------------------+---------------------+ +**True**: Teams that are configured to appear in the team directory will appear on the system main page. Teams can configure this setting from **Team Settings > Include this team in the Team Directory**. -This selects which file storage system is used, Local File System or Amazon S3. +**False**: Team directory on the system main page is disabled. -**Local File System**: Files and images are stored in the specified local file directory. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableTeamListing": false`` with options ``true`` and ``false`` for above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**Amazon S3**: Files and images are stored on Amazon S3 based on the provided access key, bucket and region fields. The ``amazons3`` driver is compatible with Minio (Beta) and Digital Ocean Spaces based on the provided access key, bucket and region fields. +Teammate Name Display +^^^^^^^^^^^^^^^^^^^^^ +Specifies how names are displayed in the user interface. -Local Storage Directory -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The local directory to which files are written when the File Storage System is set to ``local``. This is relative to the directory Mattermost is installed to and defaults to ``./data`` When File Storage System is set to S3 this setting has no effect. +**Show username**: Displays the user's username. -+-------------------------+--------------------------------------------------------------------------------------+ -| ``config.json`` setting | ``Directory`` | -+-------------------------+--------------------------------------------------------------------------------------+ -| Allowed Values | Any directory writeable by the user Mattermost is running as. Default is ``./data/`` | -+-------------------------+--------------------------------------------------------------------------------------+ +**Show nickname if one exists**: Displays the user's nickname. If the user does not have a nickname, their full name is displayed. If the user does not have a full name, their username is displayed. -Maximum File Size -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Maximum file size for message attachments entered in megabytes in the System Console UI. Converted to bytes in ``config.json`` at 1048576 bytes per megabyte. +**Show first and last name**: Displays the user's full name. If the user does not have a full name, their username is displayed. 
Recommended when using SAML or LDAP if first name and last name attributes are configured. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxFileSize": 52428800`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"TeammateNameDisplay": "username"`` with options ``username``, ``nickname_full_name``, and ``full_name``. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------+ -.. warning:: Verify server memory can support your setting choice. Large file sizes increase the risk of server crashes and failed uploads due to network disruptions. +________ -Amazon S3 Bucket -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The name of the bucket for your S3 compatible object storage instance. +Policy +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Removed in June 16, 2018 release* -+-------------------------+---------------------------------------------+ -| ``config.json`` setting | ``AmazonS3Bucket`` | -+-------------------------+---------------------------------------------+ -| Allowed Values | A string with the S3-compatible bucket name | -+-------------------------+---------------------------------------------+ +Permission policy settings are available in Enterprise Edition E10 and E20. In v5.0 and later, these settings are found in the `Advanced Permissions `__ page instead of configuration settings. 
-Amazon S3 Region +Enable sending team invites from ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -AWS region you selected when creating your S3 bucket. If no region is set, Mattermost attempts to get the appropriate region from AWS, or sets it to 'us-east-1' if none found. For Minio or Digital Ocean Spaces leave this setting empty. -+-------------------------+---------------------------------------------+ -| ``config.json`` setting | ``AmazonS3Region`` | -+-------------------------+---------------------------------------------+ -| Allowed Values | A string with the S3-compatible bucket name | -+-------------------------+---------------------------------------------+ +*Removed in June 16, 2018 release* -Amazon S3 Access Key ID -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This is required for access unless you are using an `Amazon S3 IAM Role `__ with Amazon S3. Your EC2 administrator can supply you with the access key ID. +Set policy on who can invite others to a team using the **Send Email Invite**, **Get Team Invite Link**, and **Add Members to Team** options on the main menu. If **Get Team Invite Link** is used to share a link, you can expire the invite code from **Team Settings > Invite Code** after the desired users have joined the team. Options include: -+-------------------------+---------------------------------------------------------------------+ -| ``config.json`` setting | ``AmazonS3AccessKeyId`` | -+-------------------------+---------------------------------------------------------------------+ -| Allowed Values | A string with the access key for the S3-compatible storage instance | -+-------------------------+---------------------------------------------------------------------+ +**All team members**: Allows any team member to invite others using an email invitation, team invite link or by adding members to the team directly. 
-Amazon S3 Endpoint -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Hostname of your S3-compatible instance. Defaults to "s3.amazonaws.com". +**Team and System Admins**: Hides the email invitation, team invite link, and the add members to team buttons in the Main Menu from users who are not Team Admins or System Admins. -.. note:: - For Digital Ocean Spaces, the hostname should be set to ````.digitaloceanspaces.com, where ```` is the abbreviation for the region you chose when setting up the Space. It can be ``nyc3``, ``ams3``, or ``sgp1``. +**System Admins**: Hides the email invitation, team invite link, and add members to team buttons in the Main Menu from users who are not System Admins. -+-------------------------+------------------------------------------------------------------+ -| ``config.json`` setting | ``AmazonS3Endpoint`` | -+-------------------------+------------------------------------------------------------------+ -| Allowed Values | A string with the hostname of the S3-compatible storage instance | -+-------------------------+------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictTeamInvite": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Amazon S3 Secret Access Key +Enable public channel creation for ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The secret access key associated with your Amazon S3 Access Key ID. 
-+-------------------------+----------------------------------------------------------------------------+ -| ``config.json`` setting | ``AmazonS3SecretAccessKey`` | -+-------------------------+----------------------------------------------------------------------------+ -| Allowed Values | A string with the secret access key for the S3-compatible storage instance | -+-------------------------+----------------------------------------------------------------------------+ +*Removed in June 16, 2018 release* -Enable Secure Amazon S3 Connections -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Restrict the permission level required to create public channels. -**True**: Enables only secure Amazon S3 Connections. +**All team members**: Allow all team members to create public channels. -**False**: Allows insecure connections to Amazon S3. +**Team Admins and System Admins**: Restrict creating public channels to Team Admins and System Admins. -+-------------------------+--------------------------------------------+ -| ``config.json`` setting | ``AmazonS3SSL`` | -+-------------------------+--------------------------------------------+ -| Allowed Values | ``true`` or ``false``, default is ``true`` | -+-------------------------+--------------------------------------------+ +**System Admins**: Restrict creating public channels to System Admins. -Enable Server-Side Encryption for Amazon S3 ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPublicChannelCreation": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. 
| ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Enable public channel renaming for ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* -**True**: Encrypts files in Amazon S3 using server-side encryption with `Amazon S3-managed keys `__. +*Removed in June 16, 2018 release* -**False**: Doesn't encrypt files in Amazon S3. +Restrict the permission level required to rename and set the header or purpose for public channels. -.. note:: - Server-Side Encryption only works with Amazon S3 +**All channel members**: Allow all channel members to rename public channels. -+-------------------------+---------------------------------------------+ -| ``config.json`` setting | ``AmazonS3SS3`` | -+-------------------------+---------------------------------------------+ -| Allowed Values | ``true`` or ``false``, default is ``false`` | -+-------------------------+---------------------------------------------+ +**Channel Admins, Team Admins, and System Admins**: Restrict renaming public channels to Channel Admins, Team Admins, and System Admins who are members of the channel. -Enable Amazon S3 Debugging -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: When true, log additional debugging information to the system logs. Typically set to `false` in production. +**Team Admins and System Admins**: Restrict renaming public channels to Team Admins and System Admins who are members of the channel. -**False**: No Amazon S3 debugging information is included in the system logs. +**System Admins**: Restrict renaming public channels to System Admins who are members of the channel. 
-+-------------------------+---------------------------------------------+ -| ``config.json`` setting | ``AmazonS3Trace`` | -+-------------------------+---------------------------------------------+ -| Allowed Values | ``true`` or ``false``, default is ``false`` | -+-------------------------+---------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPublicChannelManagement": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Test Connection -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Ensures that the user can access the server and that the settings are valid. +Enable public channel deletion for +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Image Proxy -~~~~~~~~~~~~~~~~~~~~~~~~~ +*Removed in June 16, 2018 release* -Enable Image Proxy -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Restrict the permission level required to delete public channels. Deleted channels can be recovered from the database using a `command line tool `__. -When true, enables an image proxy for loading external images. The image proxy is used by the Mattermost apps to prevent them from connecting directly to remote servers. This anonymizes their connections and prevents them from accessing insecure content. +**All channel members**: Allow all channel members to delete public channels. -See the :doc:`documentation ` to learn more. 
+**Channel Admins, Team Admins, and System Admins**: Restrict deleting public channels to Channel Admins, Team Admins, and System Admins who are members of the channel. -+---------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": true`` with options ``true`` and ``false``. | -+---------------------------------------------------------------------------------------------------------------------+ +**Team Admins and System Admins**: Restrict deleting public channels to Team Admins and System Admins who are members of the channel. -Image Proxy Type -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**System Admins**: Restrict deleting public channels to System Admins who are members of the channel. -The type of image proxy used by Mattermost. There are two options: ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPublicChannelDeletion": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**local**: The Mattermost server itself acts as the image proxy. This is the default option. +Enable private channel creation for +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**atmos/camo**: An external `atmos/camo `_ image proxy is used. +*Removed in June 16, 2018 release* -See the `documentation `_ to learn more. +Restrict the permission level required to create private channels. 
-+-----------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ImageProxyType": "local"``, with options ``local`` and ``atmos/camo`` for above settings respectively. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------+ +**All team members**: Allow all team members to create private channels. -Remote Image Proxy URL -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**Team Admins and System Admins**: Restrict creating private channels to Team Admins and System Admins. -The URL of the ``atmos/camo`` proxy. This setting is not needed when using the local image proxy. +**System Admins**: Restrict creating private channels to System Admins. -+---------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RemoteImageProxyURL": ""`` with string input. | -+---------------------------------------------------------------------------------------------------------------------+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPrivateChannelCreation": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Remote Image Proxy Options +Enable private channel renaming for ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The URL signing key passed to an ``atmos/camo`` image proxy. 
This setting is not needed when using the local image proxy. - -See the `documentation `_ to learn more. +*Removed in June 16, 2018 release* -+---------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RemoteImageProxyOptions": ""`` with string input. | -+---------------------------------------------------------------------------------------------------------------------+ +Restrict the permission level required to rename and set the header or purpose for private channels. -SMTP -~~~~~~~~~~~~~~ +**All channel members**: Allow all channel members to rename private channels. -SMTP Server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Location of SMTP email server. +**Channel Admins, Team Admins, and System Admins**: Restrict renaming private channels to Channel Admins, Team Admins, and System Admins who are members of the private channel. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SMTPServer": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**Team Admins and System Admins**: Restrict renaming private channels to Team Admins and System Admins who are members of the private channel. -SMTP Server Port -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Port of SMTP email server. +**System Admins**: Restrict renaming private channels to System Admins who are members of the private channel. 
-+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SMTPPort": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPrivateChannelManagement": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable SMTP Authentication +Enable managing of private channel members for ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: SMTP username and password are used for authenticating to the SMTP server. - -**False**: Mattermost doesn't attempt to authenticate to the SMTP server. +*Removed in June 16, 2018 release* -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSMTPAuth": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Set policy on who can add and remove members from private channels. 
-SMTP Server Username -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The username for authenticating to the SMTP server. +**All team members**: Allow all team members to add and remove members. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SMTPUsername": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**Team Admins, Channel Admins, and System Admins**: Allow only Team Admins, Channel Admins, and System Admins to add and remove members. -SMTP Server Password -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The password associated with the SMTP username. +**Team Admins, and System Admins**: Allow only Team Admins and System Admins to add and remove members. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SMTPPassword": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**System Admins**: Allow only System Admins to add and remove members. -.. _email-tls: ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPrivateChannelManageMembers": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. 
| ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Connection Security +Enable private channel deletion for ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -``None``: Send email over an unsecure connection. -``TLS``: Communication between Mattermost and your email server is encrypted. +*Removed in June 16, 2018 release* -``STARTTLS``: Attempts to upgrade an existing insecure connection to a secure connection using TLS. +Restrict the permission level required to delete private channels. Deleted channels can be recovered from the database using a `command line tool `__. -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ConnectionSecurity": ""`` with options ``""``, ``TLS`` and ``STARTTLS`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**All channel members**: Allow all channel members to delete private channels. -Skip Server Certificate Verification -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**Channel Admins, Team Admins, and System Admins**: Restrict deleting private channels to Channel Admins, Team Admins, and System Admins who are members of the private channel. -**True**: Mattermost will not verify the email server certificate. +**Team Admins and System Admins**: Restrict deleting private channels to Team Admins and System Admins who are members of the private channel. -**False**: Mattermost will verify the email server certificate. 
+**System Admins**: Restrict deleting private channels to System Admins who are members of the private channel. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SkipServerCertificateVerification": false`` with options ``false` and ``true`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPrivateChannelDeletion": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Security Alerts +Allow which users to delete messages ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Enable System Admins to be notified by email if a relevant security fix alert is announced. Requires email to be enabled. To learn more about this feature, see :doc:`telemetry`. - -**False**: Security alerts are disabled. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSecurityFixAlert": true`` with options ``true`` and ``false`` for above settings respectively. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Push Notification Server -~~~~~~~~~~~~~~~~~~~~~~~~~ -Enable Push Notifications -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Your Mattermost server sends mobile push notifications to the server specified in **PushNotificationServer**. - -**False**: Mobile push notifications are disabled. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SendPushNotifications": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Push Notification Server -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Location of Mattermost Push Notification Service (MPNS), which re-sends push notifications from Mattermost to services like Apple Push Notification Service (APNS) and Google Cloud Messaging (GCM). +*Removed in June 16, 2018 release* -To confirm push notifications are working, connect to the `Mattermost iOS App on iTunes `__ or the `Mattermost Android App on Google Play `__: +Restrict the permission level required to delete messages. Team Admins, Channel Admins, and System Admins can delete messages only in channels where they are members. Messages can be deleted anytime. -- For Enterprise Edition, enter ``https://push.mattermost.com`` for the push notification server hosted in the United States. 
If you prefer to use a push notification server hosted in Germany, enter ``https://hpns-de.mattermost.com/`` -- For Team Edition, enter ``https://push-test.mattermost.com`` +**Message authors can delete their own messages, and Administrators can delete any message**: Allow authors to delete their own messages, and allow Team Admins, Channel Admins, and System Admins to delete any message. -Please review full documentation on `push Notifications and mobile applications `__ including guidance on compiling your own mobile apps and MPNS before deploying to production. +**Team Admins and System Admins**: Allow only Team Admins and System Admins to delete messages. -.. note:: - The ``https://push-test.mattermost.com`` provided for testing push notifications prior to compiling your own service please make sure `to read about its limitations `_. +**System Admins**: Allow only System Admins to delete messages. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PushNotificationServer": "https://push-test.mattermost.com"`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictPostDelete": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. 
| ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Max Notifications Per Channel +Allow users to edit their messages ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Maximum total number of users in a channel before @all, @here, and @channel no longer send notifications to maximize performance. - -If you want to increase this value, the recommendation is to increase it a little at a time and monitor system health with `performance monitoring metrics `__. We also recommend only increasing this value if large channels have restricted permissions for who can post to the channel (for instance, a read-only Town Square channel). - -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxNotificationsPerChannel": 1000`` with whole number input.                                                                    | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -**Troubleshooting Push Notifications** - -To confirm push notifications are working: - -1. Go to **System Console > Notifications > Mobile Push > Send Push Notifications** and select **Use TPNS connection to send notifications to iOS and Android apps**. -2. Set **Push Notification Server** to *https://push.mattermost.com* if using Enterprise Edition. If using Team Edition, set the value to *https://push-test.mattermost.com*. -3. To confirm push notifications are working, connect to the `Mattermost iOS App on iTunes `__ or the `Mattermost Android App on Google Play `__ and log in to your team site. -4. 
Close the app on your device, and close any other connections to your team site. -5. Wait 5 minutes and have another team member send you a direct message, which should trigger a push notification to the Mattermost app on your mobile device. -6. You should receive a push notification on your device alerting you of the direct message. - -If you did not receive an alert: - -1. Set **System Console > General > Logging > File Log Level** to *DEBUG* (make sure to set this back to *INFO* after troubleshooting to save disk space). -2. Repeat the above steps. -3. Go to **System Console > Logs** and copy the log output into a file. -4. For Enterprise Edition customers, `submit a support request with the file attached `__. For Team Edition users, please start a thread in the `Troubleshooting forum `__ for peer-to-peer support. +*Removed in June 16, 2018 release* -.. _high-availability: +Set the time limit that users have to edit their messages after posting. -High Availability -~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* +**Any time**: Allow users to edit their messages at any time after posting. -Changes to properties in this section will require a server restart before taking effect. +**Never**: Do not allow users to edit their messages. -When High Availability mode is enabled, the System Console is set to read-only and settings can only be changed by editing the configuration file directly. However, for testing and validating a High Availability setup, you can set *ReadOnlyConfig* to ``false``, which allows changes made in the System Console to be saved back to the configuration file. +**{n} seconds after posting**: Users can edit their messages within the specified time limit after posting. The time limit is applied using the config.json setting ``"PostEditTimeLimit"`` described below. -To learn more about configuring High Availability, see `High Availability Cluster `_. 
++------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AllowEditPost": "always"`` with options ``always``, ``never``, and ``time_limit`` for above settings respectively. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable High Availability Mode +Post edit time limit ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: The Mattermost Server will attempt inter-node communication with the other servers in the cluster that have the same Cluster Name. This sets the System Console to read-only mode to keep the servers ``config.json`` files in sync. - -**False**: Mattermost high availability is disabled. - -+-----------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false``. | -+-----------------------------------------------------------------------------------------------------+ - -Cluster Name -^^^^^^^^^^^^ -The cluster to join by name. Only nodes with the same cluster name will join together. This is to support Blue-Green deployments or staging pointing to the same database. - -+------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ClusterName": ""`` with string input. | -+------------------------------------------------------------------------------------+ - -Override Hostname -^^^^^^^^^^^^^^^^^ -If blank, Mattermost attempts to get the Hostname from the OS or use the IP Address. You can override the hostname of this server with this property. It is not recommended to override the Hostname unless needed. This property can also be set to a specific IP Address if needed. 
Also see `cluster discovery `_ for more details. - -+-----------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"OverrideHostname": ""`` with string input. | -+-----------------------------------------------------------------------------------------+ - -Use IP Address -^^^^^^^^^^^^^^ -**True**: The cluster attempts to communicate using the IP Address. - -**False**: The cluster attempts to communicate using the hostname. - -+---------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UseIpAddress": true`` with options ``true`` and ``false``. | -+---------------------------------------------------------------------------------------------------------+ - -Use Experimental Gossip -^^^^^^^^^^^^^^^^^^^^^^^ -**True**: The server attempts to communicate via the gossip protocol over the gossip port. - -**False**: The server attempts to communicate over the streaming port. - -Changes to this setting require a server restart before taking effect. - -Note that the gossip port and gossip protocol are used to determine cluster health even when this setting is ``false``. - -+-------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UseExperimentalGossip": false`` with options ``true`` and ``false``. | -+-------------------------------------------------------------------------------------------------------------------+ -Read Only Config -^^^^^^^^^^^^^^^^ -**True**: Changes made to settings in the System Console are ignored. - -**False**: Changes made to settings in the System Console are written to ``config.json``. - -When running in production it is recommended to set this to true. 
- -+-----------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ReadOnlyConfig": true`` with options ``true`` and ``false``. | -+-----------------------------------------------------------------------------------------------------------+ - -Gossip Port -^^^^^^^^^^^ -The port used for the gossip protocol. Both UDP and TCP should be allowed on this port. - -+-------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GossipPort": 8074`` with whole number input. | -+-------------------------------------------------------------------------------------------+ - -Streaming Port -^^^^^^^^^^^^^^ -The port used for streaming data between servers. - -**True**: Log files are written to files specified in **FileLocation**. - -+----------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"StreamingPort": 8075`` with whole number input. | -+----------------------------------------------------------------------------------------------+ - -Inter-Node Listen Address -^^^^^^^^^^^^^^^^^^^^^^^^^ -*Deprecated. Not used in version 4.0 and later* - -The address the Mattermost Server will listen on for inter-node communication. When setting up your network you should secure the listen address so that only machines in the cluster have access to that port. This can be done in different ways, for example, using IPsec, security groups, or routing tables. - -Changes to this setting require a server restart before taking effect. - -+----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableFile": true`` with options ``true`` and ``false`` for above settings respectively. 
| -+----------------------------------------------------------------------------------------------------------------------------------------+ - -Output console logs as JSON -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text. - -+-----------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"InterNodeListenAddress": ":8075"`` with string input. | -+-----------------------------------------------------------------------------------------------------+ - -Inter-Node URLs -^^^^^^^^^^^^^^^ -*Deprecated. Not used in version 4.0 and later* - -A list of all the machines in the cluster, separated by commas, for example, ``["http://10.10.10.2", "http://10.10.10.4"]``. It is recommended to use the internal IP addresses so all the traffic can be secured. - -Changes to this setting require a server restart before taking effect. +When post editing is permitted, setting ``"PostEditTimeLimit": -1`` allows editing anytime, or setting ``"PostEditTimeLimit"`` to a positive integer restricts editing time in seconds. If post editing is disabled, this setting does not apply. -+--------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"InterNodeUrls": []`` with string input. | -+--------------------------------------------------------------------------------------+ ++--------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"PostEditTimeLimit": -1`` with whole number input. 
| ++--------------------------------------------------------------------------------------------------+ -Rate Limiting +Privacy ~~~~~~~~~~~~~~~~~~~~~~~~~ -Changes to properties in this section will require a server restart before taking effect. +Settings to configure the name and email privacy of users on your system. -Enable Rate Limiting +Show Email Address ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: APIs are throttled at the rate specified by **PerSec**. +**True**: Show email address of all users. -**False**: APIs are not throttled. +**False**: Hide email address of users from other users in the user interface, including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Administrators will still be able to see email addresses in the UI. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"ShowEmailAddress": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Maximum Queries per Second +Show Full Name ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Throttle API at this number of requests per second if rate limiting is enabled. - -The location of the log files. If blank, they are stored in the ``./logs`` directory. The path that you set must exist and Mattermost must have write permissions in it. +**True**: Show full name of all users. -Changes to this setting require a server restart before taking effect. 
+**False**: hide full name of users from other users including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Administrators will still be able to see full names in the UI. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PerSec": 10`` with whole number input. | +| This feature's ``config.json`` setting is ``"ShowFullName": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Maximum Burst Size -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text. +________ -Maximum number of requests allowed beyond the per second query limit. +Compliance +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxBurst": 100`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Settings used to enable and configure Mattermost compliance reports. -Memory Store Size +Enable Compliance Reporting ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Compliance reporting is enabled in Mattermost. 
-Maximum number of user sessions connected to the system as determined by **VaryByRemoteAddr** and **VaryByHeader** variables. - -Typically set to the number of users in the system. +**False**: Compliance reporting is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MemoryStoreSize": 10000`` with whole number input. | +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Vary rate limit by remote address +Compliance Report Directory ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Rate limit API access by IP address. Recommended to set to ``true`` if you're using a proxy. - -**False**: Rate limiting does not vary by IP address. +Sets the directory where compliance reports are written. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"VaryByRemoteAddr": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"Directory": "./data/"`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Vary rate limit by user +Enable Daily Report ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Rate limit API access by user authentication token. Recommended to set to ``true`` if you're using a proxy. 
- -**False**: Rate limiting does not vary by user authentication token. - -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"VaryByUser": false`` with options ``true`` and ``false`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Mattermost generates a daily compliance report. -Vary rate limit by HTTP header -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Vary rate limiting by HTTP header field specified (e.g. when configuring Ngnix set to "X-Real-IP", when configuring AmazonELB set to "X-Forwarded-For"). Recommended to be set if you're using a proxy. +**False**: Daily reports are not generated. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"VaryByHeader": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableDaily": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + Logging ~~~~~~~~~~~~~~~~~~~~~~~~~ Output logs to console 
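Review bot: The removed entries for Connection Security, Skip Server Certificate Verification, Enable Security Alerts, High Availability and Rate Limiting have no matching added lines anywhere in this hunk, so please confirm each one is re-added elsewhere in the file. If they are not, the page no longer tells an admin that ``"SkipServerCertificateVerification": true`` disables verification of the email server certificate, or that ``"ConnectionSecurity": ""`` sends mail over an unencrypted connection. Two smaller points on the added lines: "+**False**: hide full name of users" should start with a capital "Hide" to match the "Show Email Address" entry above it, and the Compliance table documents a bare ``"Enable": false`` key, the same key name the removed High Availability and Rate Limiting tables use, so name the parent section of ``config.json`` in that sentence.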
@@ -1024,32 +652,30 @@ Level of detail at which log events are written to the console when **EnableCons | This feature's ``config.json`` setting is ``"ConsoleLevel": "DEBUG"`` with options ``DEBUG``, ``ERROR`` and ``INFO`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Output console logs as JSON +Output logs to file ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text. +Typically set to true in production. When true, logged events are written to the ``mattermost.log`` file in the directory specified by the **FileLocation** setting. The logs are archived to a file in the same directory, and given a name with a datestamp and serial number. For example, ``mattermost.2017-03-31.001``. -**True**: Logged events are written in a machine readable JSON format. +Changing this setting requires a server restart before taking effect. -**False**: Logged events are written in plaint text. +**True**: Log files are written to files specified in **FileLocation**. -Changes to this setting require a server restart before taking effect. +**False**: Log files are not written. +----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ConsoleJson": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableFile": true`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------+ -Output logs to file +Output console logs as JSON ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Typically set to true in production. When true, logged events are written to the ``mattermost.log`` file in the directory specified by the **FileLocation** setting. The logs are archived to a file in the same directory, and given a name with a datestamp and serial number. For example, ``mattermost.2017-03-31.001``. - -**True**: Log files are written to files specified in **FileLocation**. +Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text. Changing this setting requires a server restart before taking effect. -**False**: Log files are not written. +**True**: Logged events are written in a machine readable JSON format. -Changes to this setting require a server restart before taking effect. +**False**: Logged events are written in plaint text. +----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableFile": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"ConsoleJson": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------+ File Log Level 
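Review bot: The added "Output console logs as JSON" entry carries over a typo in "+**False**: Logged events are written in plaint text."; change "plaint" to "plain" while the line is being moved. The reordering also puts this console setting between "Output logs to file" and "File Log Level", which splits the file-logging entries; keeping ``ConsoleJson`` directly after the ``ConsoleLevel`` table would keep console and file settings grouped. In the added "Output logs to file" entry, "written to files specified in **FileLocation**" describes a directory setting, so "written to the directory specified in **FileLocation**" would be more accurate.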
@@ -1066,30 +692,28 @@ Level of detail at which log events are written to log files when **EnableFile** | This feature's ``config.json`` setting is ``"FileLevel": "INFO"`` with options ``DEBUG``, ``ERROR`` and ``INFO`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +File Log Directory +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The location of the log files. If blank, they are stored in the ``./logs`` directory. The path that you set must exist and Mattermost must have write permissions in it. + +Changing this setting requires a server restart before taking effect. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"FileLocation": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + Output file logs as JSON ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text. +Typically set to true in production. When true, logged events are written in a machine readable JSON format. Otherwise they are printed as plain text. Changing this setting requires a server restart before taking effect. **True**: Logged events are written in a machine readable JSON format. **False**: Logged events are written in plain text. -Changes to this setting require a server restart before taking effect. 
- +----------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"FileJson": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------+ -File Log Directory -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The location of the log files. If blank, they are stored in the ``./logs`` directory. The path that you set must exist and Mattermost must have write permissions in it. - -Changes to this setting require a server restart before taking effect. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FileLocation": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - Enable Webhook Debugging ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
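Review bot: In "Output file logs as JSON" the restart notice is now appended to the description paragraph ("... printed as plain text. Changing this setting requires a server restart before taking effect."), while the "File Log Directory" entry added just above it keeps the same sentence as its own paragraph. Use the standalone paragraph in both entries so the restart requirement is not buried at the end of a description. The description paragraph also repeats what the **True** and **False** lines below it already say, so it could be trimmed to "Typically set to true in production."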
@@ -1112,826 +736,721 @@ Enable Diagnostics and Error Reporting | This feature's ``config.json`` setting is ``"EnableDiagnostics": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Session Lengths -~~~~~~~~~~~~~~~~~~~~~~~~~ -User sessions are cleared when a user tries to log in. Additionally, a job runs every 24 hours to clear sessions from the sessions database table. - -Session length for email and AD/LDAP authentication (days) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set the number of days from the last time a user entered their credentials to the expiry of the user's session on email and AD/LDAP authentication. - -After changing this setting, the new session length will take effect after the next time the user enters their credentials. +________ -+--------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SessionLengthWebInDays" : 180`` with whole number input. | -+--------------------------------------------------------------------------------------------------------------+ +Advanced Permissions +------------------------------- +*Available in Enterprise Edition E10 and higher* -Session length for mobile apps (days) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set the number of days from the last time a user entered their credentials to the expiry of the user's session on mobile apps. +Advanced permissions offers Admins a way to restrict actions in Mattermost to authorized users only. See `permissions documentation `__ for more details. -After changing this setting, the new session length will take effect after the next time the user enters their credentials. 
+________ -+-------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SessionLengthMobileInDays" : 180`` with whole number input. | -+-------------------------------------------------------------------------------------------------------------+ +Authentication +------------------------------- +Authentication settings to enable account creation and sign in with email, GitLab, Google or Office 365 OAuth, AD/LDAP, or SAML. -Session length for SSO authentication (days) +Email Authentication +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable account creation with email ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set the number of days from the last time a user entered their credentials to the expiry of the user's session. If the authentication method is SAML or GitLab, the user may automatically be logged back in to Mattermost if they are already logged in to SAML or GitLab. -After changing this setting, the setting will take effect after the next time the user enters their credentials. +**True**: Allow team creation and account signup using email and password. + +**False**: Email signup is disabled. This limits signup to single sign-on services like OAuth or AD/LDAP. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SessionLengthSSOInDays" : 30`` with whole number input. | +| This feature's ``config.json`` setting is ``"EnableSignUpWithEmail": true`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Session Cache (minutes) +Enable sign-in with email ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set the number of minutes to cache a session in memory. + +**True**: Mattermost allows account creation using email and password. + +**False**: Sign in with email is disabled and does not appear on the login screen. Use this value when you want to limit sign up to a single sign-on service like AD/LDAP, SAML or GitLab. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SessionCacheInMinutes" : 10`` with whole number input. | +| This feature's ``config.json`` setting is ``"EnableSignInWithEmail": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Session Idle Timeout (minutes) +Enable sign-in with username ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The number of minutes from the last time a user was active on the system to the expiry of the user's session. Once expired, the user will need to log in to continue. Minimum is 5 minutes, and 0 is unlimited. -Applies to the desktop app and browsers. For mobile apps, use an EMM provider to lock the app when not in use. In High Availability mode, enable IP hash load balancing for reliable timeout measurement. +**True**: Mattermost allows users with email login to sign in using their username and password. This setting does not affect AD/LDAP login. 
-+-----------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SessionIdleTimeoutInMinutes" : 43200`` with whole number input. | -+-----------------------------------------------------------------------------------------------------------------+ +**False**: Sign in with username is disabled and does not appear on the login screen. -Performance Monitoring -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``EnableSignInWithUsername": true`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Changes to properties in this section require a server restart before taking effect. +________ -Enable Performance Monitoring -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost enables performance monitoring collection and profiling. Please see `documentation `__ to learn more about configuring performance monitoring for Mattermost. +OAuth 2.0 +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E10 and higher* -**False**: Mattermost performance monitoring is disabled. +Settings to configure OAuth login for account creation and login. -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. 
| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Select OAuth 2.0 service provider: +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Choose whether OAuth can be used for account creation and login. Options include: -Listen Address -^^^^^^^^^^^^^^^^^^ -The address the Mattermost server will listen on to expose performance metrics. + - **Do not allow sign-in via an OAuth 2.0 provider** + - **GitLab** (see `GitLab Settings `__ for more detail) + - **Google Apps** (see `Google Settings `__ for more detail) + - **Office 365 (Beta)** (see `Office 365 Settings `__ for more detail) -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"InterNodeListenAddress": ":8067"`` with string input. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +This feature's setting does not appear in ``config.json``. -Developer -~~~~~~~~~~~~~~~~~~~~~~~~~ +________ -Enable Testing Commands +GitLab +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable authentication with GitLab ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: `/test` slash command is enabled to load test accounts and test data. - -**False**: `/test` slash command is disabled. +**True**: Allow team creation and account signup using GitLab OAuth. To configure, input the **Secret** and **Id** credentials. -Changes to this setting require a server restart before taking effect. +**False**: GitLab OAuth cannot be used for team creation or account signup. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableTesting": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Developer Mode -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Javascript errors are shown in a purple bar at the top of the user interface. Not recommended for use in production. +**Note**: For Enterprise, GitLab settigs can be found under **OAuth 2.0** -**False**: Users are not alerted to Javascript errors. +Application ID +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Obtain this value by logging into your GitLab account. Go to Profile Settings > Applications > New Application, enter a Name, then enter Redirect URLs ``https:///login/gitlab/complete`` (example: ``https://example.com:8065/login/gitlab/complete`` and ``https:///signup/gitlab/complete``. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableDeveloper": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"Id": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Allow untrusted internal connections to +Application Secret Key ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting limits the ability for the Mattermost server to make untrusted requests within its local network. A request is considered "untrusted" when it's made on behalf of a client. The following features make untrusted requests and are affected by this setting: - -- Integrations using webhooks, slash commands or message actions. This prevents them from requesting endpoints within the local network. -- Link previews. When a link to a local network address is posted in a chat message, this prevents a link preview from being displayed. -- The `local image proxy `_. If the local image proxy is enabled, images located on the local network cannot be used by integrations or posted in chat messages. - -Requests that can only be configured by admins are considered trusted and will not be affected by this setting. Trusted URLs include ones used for OAuth login or for sending push notifications. - -.. warning:: - This setting is intended to prevent users located outside your local network from using the Mattermost server to request confidential data from inside your network. Care should be used when configuring this setting to prevent unintended access to your local network. - -Some examples of when you may want to modify this setting include: - -- When installing a plugin that includes its own images, such as `Matterpoll `__, you will need to add the Mattermost server's domain name to this list. -- When running a bot or webhook-based integration on your local network, you will need to add the hostname of the bot/integration to this list. 
-- If your network is configured in such a way that publicly accessible webpages or images are accessed by the Mattermost server using their internal IP address, the hostnames for those servers must be added to this list. - -This setting is a whitelist of local network addresses that can be requested by the Mattermost server. It is configured as a whitespace separated list of hostnames, IP addresses and CIDR ranges that can be accessed such as ``webhooks.internal.example.com 127.0.0.1 10.0.16.0/28``. Since v5.9 the public IP of the Mattermost application server itself is also considered a reserved IP. - -IP address and domain name rules are applied before host resolution. CIDR rules are applied after host resolution. For example, if the domain "webhooks.internal.example.com" resolves to the IP address 10.0.16.20, a webhook with the URL "https://webhooks.internal.example.com/webhook" can be whitelisted using ``webhooks.internal.example.com`` or ``10.0.16.16/28``, but not ``10.0.16.20``. +Obtain this value by logging into your GitLab account. Go to Profile Settings > Applications > New Application, enter a Name, then enter Redirect URLs ``https:///login/gitlab/complete`` (example: ``https://example.com:8065/login/gitlab/complete`` and ``https:///signup/gitlab/complete``. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AllowedUntrustedInternalConnections": ""`` with string input. | +| This feature's ``config.json`` setting is ``"Secret": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Site Configuration -------------------- -Settings for customizing your Mattermost deployment. 
- -Customization -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Site Name +User API Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Name of service shown in login screens and UI. Maximum 30 characters. +Enter ``https:///api/v3/user`` (example: ``https://example.com:3000/api/v3/user``). Use HTTP or HTTPS depending on how your server is configured. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SiteName": "Mattermost"`` with string input. | +| This feature's ``config.json`` setting is ``"UserApiEndpoint": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Site Description +Auth Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Description of service shown in login screens and UI. When not specified, "All team communication in one place, searchable and accessible anywhere" is displayed. +Enter ``https:///oauth/authorize`` (example: ``https://example.com:3000/oauth/authorize``). Use HTTP or HTTPS depending on how your server is configured. -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"CustomDescriptionText": ""`` with string input. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AuthEndpoint": ""`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Custom Branding +Token Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. In previous versions, this feature is available in Enterprise Edition E10 and higher.* - -**True**: Enables custom branding to show a JPG image some custom text on the server login page. - -**False**: Custom branding is disabled. +Enter ``https:///oauth/token`` (example: ``https://example.com:3000/oauth/token``). Use HTTP or HTTPS depending on how your server is configured. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableCustomBrand": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"TokenEndpoint": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Custom Brand Image -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +________ -Custom JPG image is displayed on left side of server login page. Recommended maximum image size is less than 2 MB because image will be loaded for every user who logs in. +Google +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This features has no ``config.json`` setting and must be set in the System Console user interface. 
| -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Enable authentication with Google by selecting ``Google Apps`` from **OAuth 2.0 > Select OAuth 2.0 service provider** -Custom Brand Text -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Allow team creation and account signup using Google OAuth. To configure, input the **Client ID** and **Client Secret** credentials. See `Documentation `__ for more detail. -Custom text will be shown below custom brand image on left side of server login page. Maximum 500 characters allowed. You can format this text using the same `Markdown formatting codes `__ as using in Mattermost messages. +**False**: Google OAuth cannot be used for team creation or account signup. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"CustomBrandText": ""`` with string input. | +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Help link +Client ID ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to a Help page your organization may provide to end users. By default, links to Mattermost help documentation hosted on `docs.mattermost.com `__. +Obtain this value by registering Mattermost as an application in your Google account. 
-+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"HelpLink": "https://about.mattermost.com/default-help/"`` with string input. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Id": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Support Email +Client Secret ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set an email for feedback or support requests. - -So you don't miss messages, please make sure to change this value to an email your system administrator receives, example: `support@yourcompany.com`. This address is displayed on email notifications and during the Getting Started tutorial for end users to ask support questions. +Obtain this value by registering Mattermost as an application in your Google account. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SupportEmail":"feedback@mattermost.com"`` with string input. | +| This feature's ``config.json`` setting is ``"Secret": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Terms of Service link +User API Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to Terms of Service your organization may provide to end users. By default, links to a Terms of Service page hosted on about.mattermost.com. If changing the link to a different Terms of Service, make sure to include the "Mattermost Conditions of Use" notice to end users that must also be shown to users from the "Terms of Service" link. +It is recommended to use `https://www.googleapis.com/plus/v1/people/me` as the User API Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"TermsOfServiceLink": "https://about.mattermost.com/default-terms/"`` with string input. | +| This feature's ``config.json`` setting is ``"UserApiEndpoint": "https://www.googleapis.com/plus/v1/people/me"`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Privacy Policy link +Auth Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to Privacy Policy your organization may provide to end users. By default, links to a Privacy Policy page hosted on about.mattermost.com. +It is recommended to use `https://accounts.google.com/o/oauth2/v2/auth` as the Auth Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PrivacyPolicyLink": "https://about.mattermost.com/default-privacy-policy/"`` with string input. | +| This feature's ``config.json`` setting is ``"AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth"`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -About link +Token Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to an About page describing your organization may provide to end users. By default, links to an About page hosted on about.mattermost.com. +It is recommended to use `https://www.googleapis.com/oauth2/v4/token` as the Token Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AboutLink": "https://about.mattermost.com/default-about/"`` with string input. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token"`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Report a Problem link -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set the link for the support website. +________ -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ReportAProblemLink": "https://about.mattermost.com/default-report-a-problem/"`` with string input. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Office 365 +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* -Mattermost Apps Download Page Link -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to a download page for Mattermost Apps. When a link is present, an option to "Download Apps" will be added in the Main Menu so users can find the download page. Leave this field blank to hide the option from the Main Menu. Defaults to a page on about.mattermost.com where users can download the iOS, Android, and Desktop clients. If you are using an `Enterprise App Store `__ for your mobile apps, change this link to point to a customized download page where users can find the correct apps. +.. note:: + In line with Microsoft ADFS guidance we recommend `configuring intranet forms-based authentication for devices that do not support WIA `_. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AppDownloadLink": "https://about.mattermost.com/downloads/"`` with string input. 
| -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Android App Download Link -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to download the Android app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an `Enterprise App Store `__ for your mobile apps, change this link to point to the correct app. +Enable authentication with Office 365 by selecting ``Office 365 (Beta)`` from **OAuth 2.0 > Select OAuth 2.0 service provider** -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AndroidAppDownloadLink": "https://about.mattermost.com/mattermost-android-app/"`` with string input. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Allow team creation and account signup using Office 365 OAuth. To configure, input the **Application ID** and **Application Secret Password** credentials. See `Documentation `__ for more detail. -iOS App Download Link -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configurable link to download the iOS app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. 
If you are using an `Enterprise App Store `__ for your mobile apps, change this link to point to the correct app. +**False**: Office 365 OAuth cannot be used for team creation or account signup. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IosAppDownloadLink": "https://about.mattermost.com/mattermost-ios-app/"`` with string input. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Localization -~~~~~~~~~~~~~~~~~~~~~~~~~ -Default Server Language +Application ID ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Default language for system messages and logs. - -Changes to this setting require a server restart before taking effect. +Obtain this value by registering Mattermost as an application in your Microsoft or Office account. 
-+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DefaultServerLocale": "en"`` with options ``de``, ``en``, ``es``, ``fr``, ``it``, ``ja``, ``ko``, ``nl``, ``pl``, ``pt-br``, ``ro``, ``ru``, ``tr``, ``zh_CN`` and ``zh_TW`` | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Id": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Default Client Language +Application Secret Password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Default language for newly created users and pages where the user hasn't logged in. +Obtain this value by registering Mattermost as an application in your Microsoft or Office account. 
-+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DefaultClientLocale": "en"`` with options ``de``, ``en``, ``es``, ``fr``, ``it``, ``ja``, ``ko``, ``nl``, ``pl``, ``pt-br``, ``ro``, ``ru``, ``tr``, ``zh_CN`` and ``zh_TW`` | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Secret": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Available Languages +User API Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Sets which languages are available for users in **Account Settings** > **Display** > **Languages**. Leave the field blank to add new languages automatically by default, or add new languages using the dropdown menu manually as they become available. If you're manually adding new languages, the **Default Client Language** must be added before saving the setting. +It is recommended to use `https://graph.microsoft.com/v1.0/me` as the User API Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. -.. note:: - Servers which upgraded to v3.1 need to manually set this field blank to have new languages added by default. 
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"UserApiEndpoint": "https://graph.microsoft.com/v1.0/me"`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AvailableLocales": ""`` with options ``""``, ``de``, ``en``, ``es``, ``fr``, ``it``, ``ja``, ``ko``, ``nl``, ``pl``, ``pt-br``, ``ro``, ``ru``, ``tr``, ``zh_CN`` and ``zh_TW`` | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Auth Endpoint +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +It is recommended to use `https://accounts.google.com/o/oauth2/v2/auth` as the Auth Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. -Users and Teams -~~~~~~~~~~~~~~~~~~~~~~~~~ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Max Users Per Team +Token Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Maximum number of users per team, excluding inactive users. +It is recommended to use `https://login.microsoftonline.com/common/oauth2/v2.0/token` as the Token Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token"`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ -The **Max Users Per Team** refers to the size of the "team site" which is workspace a "team of people" inhabits. A team of people is considered a small organization where people work closely together towards a specific shared goal and share the same etiquette. In the physical world, a team of people could typically be seated around a single table to have a meal and discuss their project. +AD/LDAP +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E10 and higher* -The default maximum of 50 people, is at the extreme high end of a single team of people. At this point organizations are more often "multiple teams of people" and investments in explicitly defining etiquette, such as `channel organization `__ or turning on `policy features `__ in Enterprise Edition, are often used to scale the high levels of productivity found in a team of people using Mattermost to multiple teams of people. 
+Enable sign-in with AD/LDAP +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Mattermost allows login using AD/LDAP or Active Directory. -In terms of technical performance, `with appropriate hardware, Mattermost can easily scale to hundreds and even thousands of users `__, and provided the administrator believes the appropriate etiquette is in place, they should feel free to increase the default value. +**False**: Login with AD/LDAP is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxUsersPerTeam": 50`` with whole number input. | +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Max Channels Per Team +Enable Synchronization with AD/LDAP ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Mattermost periodically synchronizes users from AD/LDAP. -Maximum number of channels per team, including both active and deleted channels. +**False**: AD/LDAP synchronization is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxChannelsPerTeam": 2000`` with whole number input.                                                                    | +| This feature's ``config.json`` setting is ``"EnableSync": false`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable users to open Direct Message channels with +AD/LDAP Server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The domain or IP address of the AD/LDAP server. -**Any user on the Mattermost server**: The Direct Messages "More" menu has the option to open a Direct Message channel with any user on the server. - -**Any member of the team**: The Direct Messages "More" menu only has the option to open a Direct Message channel with users on the current team, and CTRL/CMD+K channel switcher only lists users on the current team. If a user belongs to multiple teams, direct messages will still be received regardless of what team they are currently on. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LdapServer": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -This setting only affects the UI, not permissions on the server. For instance, a Direct Message channel can be created with anyone on the server regardless of this setting. +AD/LDAP Port +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The port Mattermost will use to connect to the AD/LDAP server. Default is 389. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictDirectMessage": "any"`` with options ``any`` and ``team`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"LdapPort": 389`` with numerical input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Allow Team Administrators to edit others posts +Connection Security ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*This permission is stored in the database and can be modified using the System Console user interface.* +The type of connection security Mattermost uses to connect to AD/LDAP. -**True**: Team Administrators and System Administrators can edit other users' posts. +**None**: No encryption, Mattermost will not attempt to establish an encrypted connection to the AD/LDAP server. -**False**: Only System Administrators can edit other users' posts. +**TLS**: Encrypts the communication between Mattermost and your server using TLS. -.. note:: - This setting is only available for Team Edition servers. Enterprise Edition servers can use `Advanced Permissions `__ to configure this permission. +**STARTTLS**: Takes an existing insecure connection and attempts to upgrade it to a secure connection using TLS. + +If the "No encryption" option is selected it is highly recommended that the AD/LDAP connection is secured outside of Mattermost, for example, by adding a stunnel proxy. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ConnectionSecurity": ""`` with options ``""``, ``TLS`` and ``STARTTLS`` for above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Team Directory +Skip Certificate Verification ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in May 16th, 2016 release* +(Optional) The attribute in the AD/LDAP server that will be used to populate the nickname of users in Mattermost. -**True**: Teams that are configured to appear in the team directory will appear on the system main page. Teams can configure this setting from **Team Settings > Include this team in the Team Directory**. +**True**: Skips the certificate verification step for TLS or STARTTLS connections. Not recommended for production environments where TLS is required. For testing only. -**False**: Team directory on the system main page is disabled. +**False**: Mattermost does not skip certificate verification. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableTeamListing": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"SkipCertificateVerification": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Teammate Name Display -^^^^^^^^^^^^^^^^^^^^^ -Specifies how names are displayed in the user interface. - -**Show username**: Displays the user's username. - -**Show nickname if one exists**: Displays the user's nickname. If the user does not have a nickname, their full name is displayed. If the user does not have a full name, their username is displayed. 
- -**Show first and last name**: Displays the user's full name. If the user does not have a full name, their username is displayed. Recommended when using SAML or LDAP if first name and last name attributes are configured. +Base DN +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The **Base Distinguished Name** of the location where Mattermost should start its search for users in the AD/LDAP tree. -+-------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"TeammateNameDisplay": "username"`` with options ``username``, ``nickname_full_name``, and ``full_name``. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"BaseDN": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Show Email Address +Bind Username ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Show email address of all users. - -**False**: Hide email address of users from other users in the user interface, including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Administrators will still be able to see email addresses in the UI. +The username used to perform the AD/LDAP search. This should be an account created specifically for use with Mattermost Its permissions should be limited to read-only access to the portion of the AD/LDAP tree specified in the **Base DN** field. 
When using Active Directory, **Bind Username** should specify domain in ``DOMAIN/username`` format. This field is required, and anonymous bind is not currently supported. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ShowEmailAddress": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"BindUsername": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Show Full Name +Bind Password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Show full name of all users. - -**False**: hide full name of users from other users including Team Admins. This is designed for managing teams where users choose to keep their contact information private. System Administrators will still be able to see full names in the UI. +Password of the user given in **Bind Username**. Anonymous bind is not currently supported. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ShowFullName": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"BindPassword": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Notifications -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Show @channel and @all confirmation dialog +User Filter ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) Enter an AD/LDAP Filter to use when searching for user objects (accepts `general syntax `__). Only the users selected by the query will be able to access Mattermost. -**True**: Users will be prompted to confirm when posting @channel and @all in channels with over five members. - -**False**: No confirmation is required. +Sample filters for Active Directory: -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableConfirmNotificationsToChannel": true`` with options ``true`` and ``false`` for above settings respectively.              | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +- To filter out disabled users: ``(&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`` +- To filter out by group membership, determine the distinguishedName of your group, then use the group membership general syntax format as your filter. -Enable Email Notifications -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Enables sending of email notifications. + * For example, if the security group distinguishedName is ``CN=group1,OU=groups,DC=example,DC=com``, then the user filter to use is: ``(memberOf=CN=group1,OU=groups,DC=example,DC=com)``. Note that the user must explicitly belong to this group for the filter to apply. 
-**False**: Disables email notifications for developers who may want to skip email setup for faster development. To remove the **Preview Mode: Email notifications have not been configured** banner, also set **Enable Preview Mode Banner** to ``false``. +This filter uses the permissions of the **Bind Username** account to execute the search. Administrators should make sure to use a specially created account for Bind Username with read-only access to the portion of the AD/LDAP tree specified in the **Base DN** field. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SendEmailNotifications": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"UserFilter": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -.. _email-preview-mode-banner-config: +Group Filter +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) Enter an AD/LDAP Filter to use when searching for group objects (accepts `general syntax `__). Only the groups selected by the query will be able accessible to Mattermost. -Enable Preview Mode Banner -^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Preview Mode banner is displayed to all users when ``"SendEmailNotifications": false`` so users are aware that email notifications are disabled. +This filter is defaulted to ```(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))``` when blank. -**False**: Preview Mode banner is not displayed to users. +.. note:: + This filter is used only when AD/LDAP Group Sync is enabled. 
See `AD/LDAP Group Sync documentation `_ for more information on enabling and configuring AD/LDAP Group Sync (*Available in Enterprise Edition E20 and higher*). +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnablePreviewModeBanner": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"GroupFilter": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Email Batching +Group Display Name Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Users can select how often to receive email notifications, and multiple notifications within that timeframe will be combined into a single email. Batching will occur at a default interval of 15 minutes, configurable in **Account Settings** > **Notifications**. +(Required) Enter an AD/LDAP Group Display name attribute used to populate Mattermost Group names. .. note:: - Email batching cannot be enabled unless the `SiteURL `__ is configured. Email batching in `High Availability mode `__ is planned but not yet supported. - -**False**: If email notifications are enabled in Account Settings, emails will be sent individually for every mention or direct message received. + This attribute is used only when AD/LDAP Group Sync is enabled. See `AD/LDAP Group Sync documentation `_ for more information on enabling and configuring AD/LDAP Group Sync (*Available in Enterprise Edition E20 and higher*). 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableEmailBatching": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"GroupDisplayNameAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Email Notification Contents +Group Id Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* - -**Send full message contents**: Sender name and channel are included in email notifications. +(Required) Enter an AD/LDAP Group ID attribute to use as a unique identifier for Groups. This should be an AD/LDAP value that does not change. -**Send generic description with only sender name**: The team name and name of the person who sent the message, with no information about channel name or message contents, is included in email notifications. Typically used for compliance reasons if Mattermost contains confidential information and policy dictates it cannot be stored in email. +.. note:: + This attribute is used only when AD/LDAP Group Sync is enabled. See `AD/LDAP Group Sync documentation `_ for more information on enabling and configuring AD/LDAP Group Sync (*Available in Enterprise Edition E20 and higher*). -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EmailNotificationContentsType": "full"`` with options ``full`` and ``generic`` for above settings respectively. 
| -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"GroupIdAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Notification Display Name +First Name Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Name displayed on email account used when sending notification emails from Mattermost system. +(Optional) The attribute in the AD/LDAP server used to populate the first name of users in Mattermost. When set, users cannot edit their first name, since it is synchronized with the LDAP server. When left blank, users can set their first name in Account Settings. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FeedbackName": ""`` with string input. | +| This feature's ``config.json`` setting is ``"FirstNameAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Notification From Address +Last Name Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Address displayed on email account used when sending notification emails from Mattermost system. - -So you don't miss messages, please make sure to change this value to an email your system administrator receives, example: `admin@yourcompany.com`. 
+(Optional) The attribute in the AD/LDAP server used to populate the last name of users in Mattermost. When set, users cannot edit their last name, since it is synchronized with the LDAP server. When left blank, users can set their last name in Account Settings. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FeedbackEmail": ""`` with string input. | +| This feature's ``config.json`` setting is ``"LastNameAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Notification Reply-To Address +Nickname Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Email address used in the Reply-To header when sending notification emails from Mattermost. +(Optional) The attribute in the AD/LDAP server used to populate the nickname of users in Mattermost. When set, users cannot edit their nickname, since it is synchronized with the LDAP server. When left blank, users can set their nickname in Account Settings. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ReplyToAddress": ""`` with string input. | +| This feature's ``config.json`` setting is ``"NicknameAttribute": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Notification Footer Mailing Address +Position Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Organization name and mailing address displayed in the footer of email notifications from Mattermost, such as "© ABC Corporation, 565 Knight Way, Palo Alto, California, 94305, USA". If the field is left empty, the organization name and mailing address will not be displayed. +(Optional) The attribute in the AD/LDAP server used to populate the position field in Mattermost. When set, users cannot edit their position, since it is synchronized with the LDAP server. When left blank, users can set their position in Account Settings. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FeedbackOrganization": ""`` with string input. | +| This feature's ``config.json`` setting is ``"PositionAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Push Notification Contents +Email Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**Send generic description with only sender name**: Push notifications include only the name of the person who sent the message but no information about channel name or message text. - -**Send generic description with user and channel names**: Push notifications include names of users and channels but no specific details from the message text. 
- -**Send full message snippet**: Selecting "Send full message snippet" sends excerpts from messages triggering notifications with specifics and may include confidential information sent in messages. If your Push Notification Service is outside your firewall, it is HIGHLY RECOMMENDED this option only be used with an "https" protocol to encrypt the connection. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PushNotificationContents": "generic"`` with options ``generic_no_channel``, ``generic`` and ``full`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Announcement Banner -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Enable Announcement Banner -^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Enable an announcement banner across all teams. The banner is displayed at the top of the screen and is the entire width of the screen. By default, users can dismiss the banner until you either change the text of the banner or until you re-enable the banner after it has been disabled. You can prevent users from dismissing the banner, and you can control the text color and the background color. +The attribute in the AD/LDAP server used to populate the email address field in Mattermost. -**True**: Enable the announcement banner. The banner is displayed only if ``BannerText`` has a value. +Email notifications will be sent to this email address, and this email address may be viewable by other Mattermost users depending on privacy settings choosen by the System Admin. -**False**: Disable the announcement banner. 
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EmailAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+-----------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableBanner": false`` with options ``true`` and ``false``. | -+-----------------------------------------------------------------------------------------------------------+ +Username Attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The attribute in the AD/LDAP server used to populate the username field in Mattermost. This may be the same as the Login ID Attribute. -Banner Text -^^^^^^^^^^^ +This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to **john.smith** a user typing ``@john`` will see ``@john.smith`` in their auto-complete options and posting a message with ``@john.smith`` will send a notification to that user that they've been mentioned. -The text of the announcement banner. +The **Username Attribute** may be set to the same value used to sign-in to the system, called a **Login ID Attribute**, or it can be mapped to a different value. -+------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"BannerText": ""`` with string input. 
| -+------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"UsernameAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Banner Color -^^^^^^^^^^^^ +ID Attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The attribute in the AD/LDAP server used as a unique identifier in Mattermost. It should be an AD/LDAP attribute with a value that does not change. -The background color of the announcement banner. +If a user's ID Attribute changes, it will create a new Mattermost account unassociated with their old one. -+---------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``""BannerColor": "#f2a93b"`` with string input. | -+---------------------------------------------------------------------------------------------+ +If you need to change this field after users have already logged in, use the `mattermost ldap idmigrate `__ CLI tool. -Banner Text Color -^^^^^^^^^^^^^^^^^ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"IdAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -The color of the text in the announcement banner. 
+Login ID Attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The attribute in the AD/LDAP server used to log in to Mattermost. Normally this attribute is the same as the "Username Attribute" field above. -+-------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``""BannerTextColor": "#333333"`` with string input. | -+-------------------------------------------------------------------------------------------------+ +If your team typically uses domain\username to log in to other services with AD/LDAP, you may enter domain\username in this field to maintain consistency between sites. -Allow Banner Dismissal -^^^^^^^^^^^^^^^^^^^^^^ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginIdAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**True**: Users can dismiss the banner until the next time they log in or the banner is updated. +Login Field Name +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The placeholder text that appears in the login field on the login page. Typically this would be whatever name is used to refer to AD/LDAP credentials in your company, so it is recognizable to your users. Defaults to **AD/LDAP Username**. -**False**: The banner is permanently visible until it is turned off by the System Admin. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginFieldName": ""`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``""AllowBannerDismissal": true`` with options ``true`` and ``false``. | -+-------------------------------------------------------------------------------------------------------------------+ +Synchronization Interval (minutes) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Set how often Mattermost accounts synchronize attributes with AD/LDAP, in minutes. When synchronizing, Mattermost queries AD/LDAP for relevant account information and updates Mattermost accounts based on changes to attributes (first name, last name, and nickname). When accounts are disabled in AD/LDAP users are made inactive in Mattermost, and their active sessions are revoked once Mattermost synchronizes attributes. To synchronize immediately after disabling an account, use the "AD/LDAP Synchronize Now" button. -Emoji -~~~~~~~~~~~~~~~~~~~~~~~~~ -Enable Emoji Picker -^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Enables an emoji picker that allows users to select emoji to add as reactions or use in messages. Enabling the emoji picker with a large number of custom emoji may slow down performance. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"SyncIntervalMinutes": 60`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**False**: Emoji picker is disabled. 
+Maximum Page Size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The maximum number of users the Mattermost server will request from the AD/LDAP server at one time. Use this setting if your AD/LDAP server limits the number of users that can be requested at once. 0 is unlimited. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableCustomEmoji": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"MaxPageSize": 0`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Custom Emoji -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Enables a Custom Emoji option in the Main Menu, where users can go to create customized emoji. - -**False**: Custom emojis are disabled. +Query Timeout (seconds) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The timeout value for queries to the AD/LDAP server. Increase this value if you are getting timeout errors caused by a slow AD/LDAP server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableCustomEmoji": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"QueryTimeout": 60`` with whole number input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Restrict Custom Emoji Creation -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*This permission has been migrated to the database and changing the config.json value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.* +AD/LDAP Test +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This button can be used to test the connection to the AD/LDAP server. If the test is successful, it shows a confirmation message and if there is a problem with the configuration settings it will show an error message. -*Available in Enterprise Edition E10 and higher* +AD/LDAP Synchronize Now +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This button causes AD/LDAP synchronization to occur as soon as it is pressed. Use it whenever you have made a change in the AD/LDAP server you want to take effect immediately. After using the button, the next AD/LDAP synchronization will occur after the time specified by the Synchronization Interval. -**Allow everyone to create custom emoji**: Allows everyone to create custom emoji from the **Main Menu** > **Custom Emoji**. +You can monitor the status of the synchronization job in the table below this button. -**Allow System and Team Admins to create custom emoji**: The Custom Emoji option is hidden from the Main Menu for users who are not System or Team Admins. +.. note:: + If synchronization **Status** displays as ``Pending`` and does not complete, make sure that the **Enable Synchronization with AD/LDAP** setting is set to ``true``. -**Only allow System Admins to create custom emoji**: The Custom Emoji option is hidden from the Main Menu for users who are not System Admins. +.. 
figure:: ../images/ldap-sync-table.png -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictCustomEmojiCreation": "all"`` with options ``all``, ``admin`` and ``system_admin`` for above settings respectively. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ -Posts +.. _saml-enterprise: + +SAML ~~~~~~~~~~~~~~~~~~~~~~~~~ -Enable Link Previews -^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Enables users to display a preview of website content below the message, if available. When true, website previews can be enabled from Account Settings > Display > Website Link Previews. +*Available in Enterprise Edition E20* -**False**: Website link previews are disabled. +.. note:: + In line with Microsoft ADFS guidance we recommend `configuring intranet forms-based authentication for devices that do not support WIA `_. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableLinkPreviews": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Custom URL Schemes -^^^^^^^^^^^^^^^^^^^^^^^^^ -A list of URL schemes that are used for autolinking in message text. ``http``, ``https``, ``ftp``, ``tel`` and ``mailto`` always create links. +Enable Login With SAML +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Mattermost allows login using SAML. 
Please see `documentation `__ to learn more about configuring SAML for Mattermost. + +**False**: Login with SAML is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"CustomUrlSchemes": []`` which takes an array of URL schemes such as ``["git", "smtp"]`. | +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Google API Key +Enable Synchronizing SAML Accounts With AD/LDAP ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Mattermost offers the ability to embed YouTube videos from URLs shared by end users. Set this key and add YouTube Data API v3 as a service to your key to enable the display of titles for embedded YouTube video previews. Without the key, YouTube previews will still be created based on hyperlinks appearing in messages or comments but they will not show the video title. If Google detects the number of views is exceedingly high, they may throttle embed access. Should this occur, you can remove the throttle by registering for a Google Developer Key and entering it in this field following these instructions: https://www.youtube.com/watch?v=Im69kzhpR3I. Your Google Developer Key is used in client-side Javascript. +**True**: Mattermost periodically synchronizes SAML user attributes, including user deactivation and removal, with AD/LDAP. Enable and configure synchronization settings at Authentication > AD/LDAP. See `documentation `__ to learn more. -Using a Google API Key allows Mattermost to detect when a video is no longer available and display the post with a *Video not found* label. 
+**False**: Synchronization of SAML accounts with AD/LDAP is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GoogleDeveloperKey": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableSyncWithLdap": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -File Sharing and Downloads -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Allow File Sharing +Override SAML Bind Data with AD/LDAP Information ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -When false, disables file sharing on the server. All file and image uploads on messages are forbidden across clients and devices, including mobile. - -+---------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableFileAttachments": true`` with options ``true`` and ``false``. | -+---------------------------------------------------------------------------------------------------------------------+ +**True**: Mattermost overrides the SAML ID attribute with the AD/LDAP ID attribute if configured or overrides the SAML Email attribute with the AD/LDAP Email attribute if SAML ID attribute is not present. See `documentation `__ to learn more. -Allow File Uploads on Mobile -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* +**False**: Mattermost uses the email attribute to bind users to SAML. -When false, disables file uploads on mobile apps. All file and image uploads on messages are forbidden across clients and devices, including mobile. +.. 
note:: + Moving from true to false will prevent the override from happening. To prevent the disabling of user accounts, SAML IDs must match the LDAP IDs when this feature is enabled. This setting should be set to false unless LDAP sync is enabled. -+---------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableMobileUpload": true`` with options ``true`` and ``false``. | -+---------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableSyncWithLdapIncludeAuth": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Allow File Downloads on Mobile +SAML SSO URL ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* - -When false, disables file downloads on mobile apps. Users can still download files from a mobile web browser. +The URL where Mattermost sends a SAML request to start login sequence. -+---------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableMobileDownload": true`` with options ``true`` and ``false``. 
| -+---------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"IdpURL": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Public Links -~~~~~~~~~~~~~~~~~~~~~~~~~ -Enable Public File Links +Identity Provider Issuer URL ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Allow users to generate public links to files and images for sharing outside the Mattermost system with a public URL. - -**False**: The Get Public Link option is hidden from the image preview user interface. - -**Note:** When switched to **False**, anyone who tries to visit a previously generated public link will receive an error message saying public links have been disabled. When switched back to **True**, old public links will work again unless the **Public Link Salt** has been regenerated. +The issuer URL for the Identity Provider you use for SAML requests. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnablePublicLink": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"IdpDescriptorUrl": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Public Link Salt +Identity Provider Public Certificate ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -32-character salt added to the URL of public links when public links are enabled. Click **Regenerate** in the System Console to create a new salt, which will invalidate all existing public links. +The public authentication certificate issued by your Identity Provider. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PublicLinkSalt": ""`` with string input. | +| This feature's ``config.json`` setting is ``"IdpCertificateFile": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Authentication ---------------- -Authentication settings to enable account creation and sign in with email, GitLab, Google or Office 365 OAuth, AD/LDAP, or SAML. - -Signup -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Enable Account Creation +Verify Signature ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Ability to create new accounts is enabled via inviting new members or sharing the team invite link. +**True**: Mattermost verifies that the signature sent from the SAML Response matches the Service Provider Login URL. -**False**: Ability to create accounts is disabled. The **Create Account** button displays an error when trying to signup via an email invite or team invite link. +**False**: Not recommended for production environments. For testing only. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableUserCreation": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"Verify": true`` with options ``true`` and ``false``. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Restrict account creation to specified email domains +Service Provider Login URL ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Teams and user accounts can only be created by a verified email from this list of comma-separated domains (e.g. "corp.mattermost.com, mattermost.org"). - -This setting only affects email login. +Enter ``https:///login/sso/saml`` (example: ``https://example.com/login/sso/saml``). Make sure you use HTTP or HTTPS in your URL depending on your server configuration. This field is also known as the Assertion Consumer Service URL. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictCreationToDomains": ""`` with string input. | +| This feature's ``config.json`` setting is ``"AssertionConsumerServiceURL": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Open Server +Enable Encryption ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Users can sign up to the server from the root page without an invite. +**True**: Mattermost will decrypt SAML Assertions encrypted with your Service Provider Public Certificate. 
-**False**: Users can only sign up to the server if they receive an invite. +**False**: Not recommended for production environments. For testing only. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableOpenServer": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"Encrypt": true`` with options ``true`` and ``false``. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Email Invitations +Service Provider Private Key ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Users can invite others to the Mattermost system by email. - -**False**: Email invitations are disabled. +The private key used to decrypt SAML Assertions from the Identity Provider. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"EnableEmailInvitations": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"PrivateKeyFile": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Invalidate pending email invites -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This button invalidates active email invitations that have not been accepted by the user. By default email invitations expire after 48 hours. 
- -Enable Team Creation +Service Provider Public Certificate ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*This permission has been migrated to the database and changing the config.json value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.* - -**True**: Ability to create a new team is enabled for all users. - -**False**: Only System Administrators can create teams from the team selection page. The **Create A New Team** button is hidden in the main menu UI. +The certificate file used to generate the signature on a SAML request to the Identity Provider for a service provider initiated SAML login, when Mattermost is the Service Provider. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableTeamCreation": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"PublicCertificateFile": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Email -~~~~~~~~~~~~~~~~~~~~~~~~~ - -Enable account creation with email +Email Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The attribute in the SAML Assertion that will be used to populate the email addresses of users in Mattermost. -**True**: Allow team creation and account signup using email and password. - -**False**: Email signup is disabled. This limits signup to single sign-on services like OAuth or AD/LDAP. +Email notifications will be sent to this email address, and this email address may be viewable by other Mattermost users depending on privacy settings choosen by the System Admin. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSignUpWithEmail": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EmailAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Require Email Verification +Username Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Require email verification after account creation prior to allowing login. - -**False**: Users do not need to verify their email address prior to login. Developers may set this field to false so skip sending verification emails for faster development. +The attribute in the SAML Assertion that will be used to populate the username field in Mattermost user interface. This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to **john.smith** a user typing ``@john`` will see ``@john.smith`` in their auto-complete options and posting a message with ``@john.smith`` will send a notification to that user that they've been mentioned. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RequireEmailVerification": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"UsernameAttribute": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable sign-in with email +Id Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Mattermost allows account creation using email and password. - -**False**: Sign in with email is disabled and does not appear on the login screen. Use this value when you want to limit sign up to a single sign-on service like AD/LDAP, SAML or GitLab. +(Optional) The attribute in the SAML Assertion used to bind users from SAML to users in Mattermost. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSignInWithEmail": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"IdAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable sign-in with username +First Name Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The attribute in the SAML Assertion that will be used to populate the first name of users in Mattermost. -**True**: Mattermost allows users with email login to sign in using their username and password. This setting does not affect AD/LDAP login. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"FirstNameAttribute": ""`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**False**: Sign in with username is disabled and does not appear on the login screen. +Last Name Attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The attribute in the SAML Assertion that will be used to populate the last name of users in Mattermost. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``EnableSignInWithUsername": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"LastNameAttribute": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Password -~~~~~~~~~~~~~~~~~~~~~~~~~ -Minimum Password Length +Nickname Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The attribute in the SAML Assertion that will be used to populate the nickname of users in Mattermost. -*This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. In previous versions, this feature is available in Enterprise Edition E10 and higher.* ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"NicknameAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Minimum number of characters required for a valid password. 
Must be a whole number greater than or equal to 5 and less than or equal to 64. +Position Attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The attribute in the SAML Assertion that will be used to populate the position field for users in Mattermost (typically used to describe a person's job title or role at the company). -+----------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MinimumLength": 10”`` with whole number input. | -+----------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"PositionAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Password Requirements +Preferred Language Attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The attribute in the SAML Assertion that will be used to populate the language of users in Mattermost. -*This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. In previous versions, this feature is available in Enterprise Edition E10 and higher.* - -Set the required character types to be included in a valid password. Defaults to allow any characters unless otherwise specified by the checkboxes. The error messasage previewed in the System Console will appear on the account creation page if a user enters an invalid password. 
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LocaleAttribute": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -- **At least one lowercase letter**: Select this checkbox if a valid password must contain at least one lowercase letter. -- **At least one uppercase letter**: Select this checkbox if a valid password must contain at least one uppercase letter. -- **At least one number**: Select this checkbox if a valid password must contain at least one number. -- **At least one symbol**: Select this checkbox if a valid password must contain at least one symbol. Valid symbols include: ``!"#$%&'()*+,-./:;<=>?@[]^_`|~`` +Login Button Text +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The text that appears in the login button on the login page. Defaults to ``SAML``. -This feature's ``config.json`` settings are, respectively: ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonText": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -.. list-table:: - :widths: 80 +Scoping IDP Provider Id +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Allows an authenticated user to skip the initial login page of their federated Azure AD server, and only require a password to log in. 
- * - ``"Lowercase": true`` with options ``true`` and ``false`` - * - ``"Number": true`` with options ``true`` and ``false`` - * - ``"Uppercase": true`` with options ``true`` and ``false`` - * - ``"Symbol": true`` with options ``true`` and ``false`` ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ScopingIDPProviderId": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Maximum Login Attempts -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Failed login attempts allowed before a user is locked out and required to reset their password via email. +Scoping IDP Name +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Adds the name associated with a user's Scoping Identity Provider ID. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaximumLoginAttempts": 10`` with whole number input. | +| This feature's ``config.json`` setting is ``"ScopingIDPName": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + + MFA ~~~~~~~~~~~~~~~~~~~~~~~~~ Configure security settings for multi-factor authentication. 
@@ -1964,664 +1483,598 @@ Enforce Multi-factor Authentication | This feature's ``config.json`` setting is ``"EnforceMultifactorAuthentication": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -AD/LDAP -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E10 and higher* +________ -Enable sign-in with AD/LDAP + +Security +-------------------------------- +Configure security settings for account creation, login, public links and connection requests. + +Sign Up +~~~~~~~~~~~~~~~~~~~~~~~~~ +Require Email Verification ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost allows login using AD/LDAP or Active Directory. +**True**: Require email verification after account creation prior to allowing login. -**False**: Login with AD/LDAP is disabled. +**False**: Users do not need to verify their email address prior to login. Developers may set this field to false so skip sending verification emails for faster development. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"RequireEmailVerification": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Synchronization with AD/LDAP +Enable Open Server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost periodically synchronizes users from AD/LDAP. 
+**True**: Users can sign up to the server from the root page without an invite. -**False**: AD/LDAP synchronization is disabled. +**False**: Users can only sign up to the server if they receive an invite. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSync": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableOpenServer": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -AD/LDAP Server +Enable Email Invitations ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The domain or IP address of the AD/LDAP server. + +**True**: Users can invite others to the Mattermost system by email. + +**False**: Email invitations are disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LdapServer": ""`` with string input. | +| This feature’s ``config.json`` setting is ``"EnableEmailInvitations": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -AD/LDAP Port +________ + +Password +~~~~~~~~~~~~~~~~~~~~~~~~~ +Minimum Password Length ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The port Mattermost will use to connect to the AD/LDAP server. Default is 389. + +*This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. 
In previous versions, this feature is available in Enterprise Edition E10 and higher.* + +Minimum number of characters required for a valid password. Must be a whole number greater than or equal to 5 and less than or equal to 64. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LdapPort": 389`` with numerical input. | +| This feature's ``config.json`` setting is ``"MinimumLength": 5"`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Connection Security +Password Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The type of connection security Mattermost uses to connect to AD/LDAP. -**None**: No encryption, Mattermost will not attempt to establish an encrypted connection to the AD/LDAP server. +*This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. In previous versions, this feature is available in Enterprise Edition E10 and higher.* -**TLS**: Encrypts the communication between Mattermost and your server using TLS. +Set the required character types to be included in a valid password. Defaults to allow any characters unless otherwise specified by the checkboxes. The error messasage previewed in the System Console will appear on the account creation page if a user enters an invalid password. -**STARTTLS**: Takes an existing insecure connection and attempts to upgrade it to a secure connection using TLS. +- **At least one lowercase letter**: Select this checkbox if a valid password must contain at least one lowercase letter. +- **At least one uppercase letter**: Select this checkbox if a valid password must contain at least one uppercase letter. 
+- **At least one number**: Select this checkbox if a valid password must contain at least one number. +- **At least one symbol**: Select this checkbox if a valid password must contain at least one symbol. Valid symbols include: ``!"#$%&'()*+,-./:;<=>?@[]^_`|~`` -If the "No encryption" option is selected it is highly recommended that the AD/LDAP connection is secured outside of Mattermost, for example, by adding a stunnel proxy. +This feature's ``config.json`` settings are, respectively: + +.. list-table:: + :widths: 80 + + * - ``"Lowercase": false`` with options ``true`` and ``false`` + * - ``"Number": false`` with options ``true`` and ``false`` + * - ``"Uppercase": false`` with options ``true`` and ``false`` + * - ``"Symbol": false`` with options ``true`` and ``false`` + +Maximum Login Attempts +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Failed login attempts allowed before a user is locked out and required to reset their password via email. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ConnectionSecurity": ""`` with options ``""``, ``TLS`` and ``STARTTLS`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"MaximumLoginAttempts": 10`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Skip Certificate Verification +________ + +Public Links +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Public File Links ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the AD/LDAP server that will be used to populate the nickname of users in Mattermost. +**True**: Allow users to generate public links to files and images for sharing outside the Mattermost system with a public URL. 
-**True**: Skips the certificate verification step for TLS or STARTTLS connections. Not recommended for production environments where TLS is required. For testing only. +**False**: The Get Public Link option is hidden from the image preview user interface. -**False**: Mattermost does not skip certificate verification. +**Note:** When switched to **False**, anyone who tries to visit a previously generated public link will receive an error message saying public links have been disabled. When switched back to **True**, old public links will work again unless the **Public Link Salt** has been regenerated. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SkipCertificateVerification": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnablePublicLink": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Base DN +Public Link Salt ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The **Base Distinguished Name** of the location where Mattermost should start its search for users in the AD/LDAP tree. +32-character salt added to the URL of public links when public links are enabled. Click **Regenerate** in the System Console to create a new salt, which will invalidate all existing public links. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"BaseDN": ""`` with string input. | +| This feature's ``config.json`` setting is ``"PublicLinkSalt": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Bind Username +_________ + +Sessions +~~~~~~~~~~~~~~~~~~~~~~~~~ +User sessions are cleared when a user tries to log in. Additionally, a job runs every 24 hours to clear sessions from the sessions database table. + +Session length for email and AD/LDAP authentication (days) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The username used to perform the AD/LDAP search. This should be an account created specifically for use with Mattermost Its permissions should be limited to read-only access to the portion of the AD/LDAP tree specified in the **Base DN** field. When using Active Directory, **Bind Username** should specify domain in ``DOMAIN/username`` format. This field is required, and anonymous bind is not currently supported. +Set the number of days from the last time a user entered their credentials to the expiry of the user's session on email and AD/LDAP authentication. + +After changing this setting, the new session length will take effect after the next time the user enters their credentials. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"BindUsername": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SessionLengthWebInDays" : 180`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Bind Password +Session length for mobile apps (days) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Password of the user given in **Bind Username**. Anonymous bind is not currently supported. 
+Set the number of days from the last time a user entered their credentials to the expiry of the user's session on mobile apps. + +After changing this setting, the new session length will take effect after the next time the user enters their credentials. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"BindPassword": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SessionLengthMobileInDays" : 180`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -User Filter +Session length for GitLab SSO authentication (days) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) Enter an AD/LDAP Filter to use when searching for user objects (accepts `general syntax `__). Only the users selected by the query will be able to access Mattermost. - -Sample filters for Active Directory: - -- To filter out disabled users: ``(&(objectCategory=Person)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`` -- To filter out by group membership, determine the distinguishedName of your group, then use the group membership general syntax format as your filter. +Set the number of days from the last time a user entered their credentials to the expiry of the user's session. If the authentication method is SAML or GitLab, the user may automatically be logged back in to Mattermost if they are already logged in to SAML or GitLab. - * For example, if the security group distinguishedName is ``CN=group1,OU=groups,DC=example,DC=com``, then the user filter to use is: ``(memberOf=CN=group1,OU=groups,DC=example,DC=com)``. Note that the user must explicitly belong to this group for the filter to apply. 
+After changing this setting, the setting will take effect after the next time the user enters their credentials. -This filter uses the permissions of the **Bind Username** account to execute the search. Administrators should make sure to use a specially created account for Bind Username with read-only access to the portion of the AD/LDAP tree specified in the **Base DN** field. +If the authentication method is SAML, this defines the SAML session length. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UserFilter": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SessionLengthSSOInDays" : 30`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Group Filter +Session length for SSO authentication (days) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) Enter an AD/LDAP Filter to use when searching for group objects (accepts `general syntax `__). Only the groups selected by the query will be able accessible to Mattermost. -This filter is defaulted to ```(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))``` when blank. +This setting defines the session length for SSO authentication, such as GitLab and SAML. -.. note:: - This filter is used only when AD/LDAP Group Sync is enabled. See `AD/LDAP Group Sync documentation `_ for more information on enabling and configuring AD/LDAP Group Sync (*Available in Enterprise Edition E20 and higher*). +Set the number of days from the last time a user entered their credentials to the expiry of the user's session. 
If the authentication method is SAML or GitLab, the user may automatically be logged back in to Mattermost if they are already logged in to SAML or GitLab. + +After changing this setting, the setting will take effect after the next time the user enters their credentials. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GroupFilter": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SessionLengthSSOInDays" : 30`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Group Display Name Attribute +Session Cache (minutes) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Required) Enter an AD/LDAP Group Display name attribute used to populate Mattermost Group names. - -.. note:: - This attribute is used only when AD/LDAP Group Sync is enabled. See `AD/LDAP Group Sync documentation `_ for more information on enabling and configuring AD/LDAP Group Sync (*Available in Enterprise Edition E20 and higher*). +Set the number of minutes to cache a session in memory. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GroupDisplayNameAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SessionCacheInMinutes" : 10`` with whole number input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Group Id Attribute +Session Idle Timeout (minutes) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Required) Enter an AD/LDAP Group ID attribute to use as a unique identifier for Groups. This should be an AD/LDAP value that does not change. +The number of minutes from the last time a user was active on the system to the expiry of the user's session. Once expired, the user will need to log in to continue. Minimum is 5 minutes, and 0 is unlimited. -.. note:: - This attribute is used only when AD/LDAP Group Sync is enabled. See `AD/LDAP Group Sync documentation `_ for more information on enabling and configuring AD/LDAP Group Sync (*Available in Enterprise Edition E20 and higher*). +Applies to the desktop app and browsers. For mobile apps, use an EMM provider to lock the app when not in use. In High Availability mode, enable IP hash load balancing for reliable timeout measurement. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GroupIdAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SessionIdleTimeoutInMinutes" : 43200`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -First Name Attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the AD/LDAP server used to populate the first name of users in Mattermost. When set, users cannot edit their first name, since it is synchronized with the LDAP server. When left blank, users can set their first name in Account Settings. 
- -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FirstNameAttribute": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ -Last Name Attribute +Connections +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable cross-origin requests from ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the AD/LDAP server used to populate the last name of users in Mattermost. When set, users cannot edit their last name, since it is synchronized with the LDAP server. When left blank, users can set their last name in Account Settings. +Enable HTTP cross-origin requests from specific domains separated by spaces. Type ``*`` to allow CORS from any domain or leave it blank to disable it. +.. note:: + Please make sure you have entered your Site URL before enabling this setting to prevent losing access to the System Console after saving. If you experience lost access to the System Console after changing this setting, you can set your `Site URL `__ through the ``config.json`` file. + +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LastNameAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"AllowCorsFrom": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Nickname Attribute +CORS Exposed Headers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the AD/LDAP server used to populate the nickname of users in Mattermost. When set, users cannot edit their nickname, since it is synchronized with the LDAP server. When left blank, users can set their nickname in Account Settings. +Whitelist of headers that will be accessible to the requester. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"NicknameAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"CorsExposedHeaders": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Position Attribute +CORS Allow Credentials ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the AD/LDAP server used to populate the position field in Mattermost. When set, users cannot edit their position, since it is synchronized with the LDAP server. When left blank, users can set their position in Account Settings. +**True**: Requests that pass validation will include the ``Access-Control-Allow-Credentials`` header. + +**False**: Requests won't include the ``Access-Control-Allow-Credentials`` header. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PositionAttribute": ""`` with string input. 
| +| This feature's ``config.json`` setting is ``"CorsAllowCredentials": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Email Attribute +CORS Debug ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The attribute in the AD/LDAP server used to populate the email address field in Mattermost. +**True**: Prints messages to the logs to help when developing an integration that uses CORS. These messages will include the structured key value pair ``"source":"cors"``. -Email notifications will be sent to this email address, and this email address may be viewable by other Mattermost users depending on privacy settings chosen by the System Admin. +**False**: Debug messages not printed to the logs. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EmailAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"CorsDebug": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Username Attribute +Enable Insecure Outgoing Connections ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The attribute in the AD/LDAP server used to populate the username field in Mattermost. This may be the same as the Login ID Attribute. +**True**: Outgoing HTTPS requests can accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. 
-This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to **john.smith** a user typing ``@john`` will see ``@john.smith`` in their auto-complete options and posting a message with ``@john.smith`` will send a notification to that user that they've been mentioned. +**False**: Only secure HTTPS requests are allowed. -The **Username Attribute** may be set to the same value used to sign-in to the system, called a **Login ID Attribute**, or it can be mapped to a different value. +Security note: Enabling this feature makes these connections susceptible to man-in-the-middle attacks. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UsernameAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableInsecureOutgoingConnections": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -ID Attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The attribute in the AD/LDAP server used as a unique identifier in Mattermost. It should be an AD/LDAP attribute with a value that does not change. +________ -If a user's ID Attribute changes, it will create a new Mattermost account unassociated with their old one. +Notifications +-------------------------------- +Settings to configure email and mobile push notifications. -If you need to change this field after users have already logged in, use the `mattermost ldap idmigrate `__ CLI tool. 
+Email +~~~~~~~~~~~~~~~~~~~~~~~~~ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IdAttribute": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +.. _email-notification-config: -Login ID Attribute +Enable Email Notifications ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The attribute in the AD/LDAP server used to log in to Mattermost. Normally this attribute is the same as the "Username Attribute" field above. +**True**: Enables sending of email notifications. -If your team typically uses domain\username to log in to other services with AD/LDAP, you may enter domain\username in this field to maintain consistency between sites. +**False**: Disables email notifications for developers who may want to skip email setup for faster development. To remove the **Preview Mode: Email notifications have not been configured** banner, also set **Enable Preview Mode Banner** to ``false``. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginIdAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SendEmailNotifications": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Login Field Name -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The placeholder text that appears in the login field on the login page. 
Typically this would be whatever name is used to refer to AD/LDAP credentials in your company, so it is recognizable to your users. Defaults to **AD/LDAP Username**. +.. _email-preview-mode-banner-config: -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginFieldName": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Enable Preview Mode Banner +^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Preview Mode banner is displayed to all users when ``"SendEmailNotifications": false`` so users are aware that email notifications are disabled. -Synchronization Interval (minutes) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set how often Mattermost accounts synchronize attributes with AD/LDAP, in minutes. When synchronizing, Mattermost queries AD/LDAP for relevant account information and updates Mattermost accounts based on changes to attributes (first name, last name, and nickname). When accounts are disabled in AD/LDAP users are made inactive in Mattermost, and their active sessions are revoked once Mattermost synchronizes attributes. To synchronize immediately after disabling an account, use the "AD/LDAP Synchronize Now" button. +**False**: Preview Mode banner is not displayed to users. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SyncIntervalMinutes": 60`` with whole number input. | +| This feature's ``config.json`` setting is ``"EnablePreviewModeBanner": true`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Maximum Page Size +Enable Email Batching ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The maximum number of users the Mattermost server will request from the AD/LDAP server at one time. Use this setting if your AD/LDAP server limits the number of users that can be requested at once. 0 is unlimited. +**True**: Users can select how often to receive email notifications, and multiple notifications within that timeframe will be combined into a single email. Batching will occur at a default interval of 15 minutes, configurable in **Account Settings** > **Notifications**. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MaxPageSize": 0`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +.. note:: + Email batching cannot be enabled unless the `SiteURL `__ is configured. Email batching in `High Availability mode `__ is planned but not yet supported. -Query Timeout (seconds) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The timeout value for queries to the AD/LDAP server. Increase this value if you are getting timeout errors caused by a slow AD/LDAP server. +**False**: If email notifications are enabled in Account Settings, emails will be sent individually for every mention or direct message received. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"QueryTimeout": 60`` with whole number input. 
| +| This feature's ``config.json`` setting is ``"EnableEmailBatching": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -AD/LDAP Test -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This button can be used to test the connection to the AD/LDAP server. If the test is successful, it shows a confirmation message and if there is a problem with the configuration settings it will show an error message. - -AD/LDAP Synchronize Now +Enable Notification Contents ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This button causes AD/LDAP synchronization to occur as soon as it is pressed. Use it whenever you have made a change in the AD/LDAP server you want to take effect immediately. After using the button, the next AD/LDAP synchronization will occur after the time specified by the Synchronization Interval. - -You can monitor the status of the synchronization job in the table below this button. - -.. note:: - If synchronization **Status** displays as ``Pending`` and does not complete, make sure that the **Enable Synchronization with AD/LDAP** setting is set to ``true``. - -.. figure:: ../images/ldap-sync-table.png - -.. _saml-enterprise: - -SAML -~~~~~~~~~~~~~~~~~~~~~~~~~ *Available in Enterprise Edition E20* -.. note:: - In line with Microsoft ADFS guidance we recommend `configuring intranet forms-based authentication for devices that do not support WIA `_. +**Send full message contents**: Sender name and channel are included in email notifications. +**Send generic description with only sender name**: The team name and name of the person who sent the message, with no information about channel name or message contents, is included in email notifications. 
Typically used for compliance reasons if Mattermost contains confidential information and policy dictates it cannot be stored in email. -Enable Login With SAML -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost allows login using SAML. Please see `documentation `__ to learn more about configuring SAML for Mattermost. ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EmailNotificationContentsType": "full"`` with options ``full`` and ``generic`` for above settings respectively. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**False**: Login with SAML is disabled. +Notification Display Name +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Name displayed on email account used when sending notification emails from Mattermost system. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"FeedbackName": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Synchronizing SAML Accounts With AD/LDAP +Notification From Address ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost periodically synchronizes SAML user attributes, including user deactivation and removal, with AD/LDAP. 
Enable and configure synchronization settings at **Authentication > AD/LDAP**. See `documentation `__ to learn more. +Address displayed on email account used when sending notification emails from Mattermost system. -**False**: Synchronization of SAML accounts with AD/LDAP is disabled. +So you don't miss messages, please make sure to change this value to an email your system administrator receives, example: `admin@yourcompany.com`. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSyncWithLdap": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"FeedbackEmail": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Override SAML Bind Data with AD/LDAP Information +Notification Reply-To Address ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost overrides the SAML ID attribute with the AD/LDAP ID attribute if configured or overrides the SAML Email attribute with the AD/LDAP Email attribute if SAML ID attribute is not present. See `documentation `__ to learn more. - -**False**: Mattermost uses the email attribute to bind users to SAML. - -.. note:: - Moving from true to false will prevent the override from happening. To prevent the disabling of user accounts, SAML IDs must match the LDAP IDs when this feature is enabled. This setting should be set to false unless LDAP sync is enabled. +Email address used in the Reply-To header when sending notification emails from Mattermost. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableSyncWithLdapIncludeAuth": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"ReplyToAddress": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -SAML SSO URL +Notification Footer Mailing Address ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The URL where Mattermost sends a SAML request to start login sequence. +Organization name and mailing address displayed in the footer of email notifications from Mattermost, such as "© ABC Corporation, 565 Knight Way, Palo Alto, California, 94305, USA". If the field is left empty, the organization name and mailing address will not be displayed. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IdpURL": ""`` with string input. | +| This feature's ``config.json`` setting is ``"FeedbackOrganization": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Identity Provider Issuer URL +SMTP Server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The issuer URL for the Identity Provider you use for SAML requests. +Location of SMTP email server. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IdpDescriptorUrl": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SMTPServer": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Identity Provider Public Certificate +SMTP Server Port ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The public authentication certificate issued by your Identity Provider. +Port of SMTP email server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IdpCertificateFile": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SMTPPort": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Verify Signature +Enable SMTP Authentication ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost verifies that the signature sent from the SAML Response matches the Service Provider Login URL. -**False**: Not recommended for production environments. For testing only. +**True**: SMTP username and password are used for authenticating to the SMTP server. + +**False**: Mattermost doesn't attempt to authenticate to the SMTP server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Verify": true`` with options ``true`` and ``false``. 
| +| This feature's ``config.json`` setting is ``"EnableSMTPAuth": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Service Provider Login URL +SMTP Server Username ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enter ``https:///login/sso/saml`` (example: ``https://example.com/login/sso/saml``). Make sure you use HTTP or HTTPS in your URL depending on your server configuration. This field is also known as the Assertion Consumer Service URL. +The username for authenticating to the SMTP server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AssertionConsumerServiceURL": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SMTPUsername": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Encryption +SMTP Server Password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost will decrypt SAML Assertions encrypted with your Service Provider Public Certificate. - -**False**: Not recommended for production environments. For testing only. +The password associated with the SMTP username. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Encrypt": true`` with options ``true`` and ``false``. | +| This feature's ``config.json`` setting is ``"SMTPPassword": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Service Provider Private Key +.. _email-tls: + +Connection Security ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The private key used to decrypt SAML Assertions from the Identity Provider. +``None``: Send email over an unsecure connection. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PrivateKeyFile": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +``TLS``: Communication between Mattermost and your email server is encrypted. -Service Provider Public Certificate -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The certificate file used to generate the signature on a SAML request to the Identity Provider for a service provider initiated SAML login, when Mattermost is the Service Provider. +``STARTTLS``: Attempts to upgrade an existing insecure connection to a secure connection using TLS. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PublicCertificateFile": ""`` with string input. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ConnectionSecurity": ""`` with options ``""``, ``TLS`` and ``STARTTLS`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Email Attribute +Skip Server Certificate Verification ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The attribute in the SAML Assertion that will be used to populate the email addresses of users in Mattermost. -Email notifications will be sent to this email address, and this email address may be viewable by other Mattermost users depending on privacy settings choosen by the System Admin. +**True**: Mattermost will not verify the email server certificate. + +**False**: Mattermost will verify the email server certificate. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EmailAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SkipServerCertificateVerification": false`` with options ``false` and ``true`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Username Attribute +Enable Security Alerts ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The attribute in the SAML Assertion that will be used to populate the username field in Mattermost user interface. This attribute will be used within the Mattermost user interface to identify and mention users. For example, if a Username Attribute is set to **john.smith** a user typing ``@john`` will see ``@john.smith`` in their auto-complete options and posting a message with ``@john.smith`` will send a notification to that user that they've been mentioned. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UsernameAttribute": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Enable System Admins to be notified by email if a relevant security fix alert is announced. Requires email to be enabled. To learn more about this feature, see :doc:`telemetry`. -Id Attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the SAML Assertion used to bind users from SAML to users in Mattermost. +**False**: Security alerts are disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IdAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableSecurityFixAlert": true`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -First Name Attribute +________ + +Mobile Push +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Push Notifications ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the SAML Assertion that will be used to populate the first name of users in Mattermost. +**True**: Your Mattermost server sends mobile push notifications to the server specified in **PushNotificationServer**. + +**False**: Mobile push notifications are disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FirstNameAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"SendPushNotifications": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Last Name Attribute +Push Notification Server ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the SAML Assertion that will be used to populate the last name of users in Mattermost. +Location of Mattermost Push Notification Service (MPNS), which re-sends push notifications from Mattermost to services like Apple Push Notification Service (APNS) and Google Cloud Messaging (GCM). -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LastNameAttribute": ""`` with string input. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Nickname Attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the SAML Assertion that will be used to populate the nickname of users in Mattermost. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"NicknameAttribute": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +To confirm push notifications are working, connect to the `Mattermost iOS App on iTunes `__ or the `Mattermost Android App on Google Play `__: -Position Attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the SAML Assertion that will be used to populate the position field for users in Mattermost (typically used to describe a person's job title or role at the company). +- For Enterprise Edition, enter ``https://push.mattermost.com`` for the push notification server hosted in the United States. If you prefer to use a push notification server hosted in Germany, enter ``https://hpns-de.mattermost.com/`` +- For Team Edition, enter ``https://push-test.mattermost.com`` -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PositionAttribute": ""`` with string input. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Please review full documentation on `push Notifications and mobile applications `__ including guidance on compiling your own mobile apps and MPNS before deploying to production. -Preferred Language Attribute -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The attribute in the SAML Assertion that will be used to populate the language of users in Mattermost. +.. note:: + The ``https://push-test.mattermost.com`` provided for testing push notifications prior to compiling your own service please make sure `to read about its limitations `_. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LocaleAttribute": ""`` with string input. | +| This feature's ``config.json`` setting is ``"PushNotificationServer": "https://push-test.mattermost.com"`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Login Button Text +Push Notification Contents ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Optional) The text that appears in the login button on the login page. Defaults to ``SAML``. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonText": ""`` with string input. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Scoping IDP Provider Id -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Allows an authenticated user to skip the initial login page of their federated Azure AD server, and only require a password to log in. +**Send generic description with only sender name**: Push notifications include only the name of the person who sent the message but no information about channel name or message text. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ScopingIDPProviderId": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**Send generic description with user and channel names**: Push notifications include names of users and channels but no specific details from the message text. -Scoping IDP Name -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Adds the name associated with a user's Scoping Identity Provider ID. +**Send full message snippet**: Selecting "Send full message snippet" sends excerpts from messages triggering notifications with specifics and may include confidential information sent in messages. If your Push Notification Service is outside your firewall, it is HIGHLY RECOMMENDED this option only be used with an "https" protocol to encrypt the connection. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ScopingIDPName": ""`` with string input. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"PushNotificationContents": "generic"`` with options ``generic_no_channel``, ``generic`` and ``full`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -OAuth 2.0 -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E10 and higher* +**Troubleshooting Push Notifications** -Settings to configure OAuth login for account creation and login. +To confirm push notifications are working: -Select OAuth 2.0 service provider: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Choose whether OAuth can be used for account creation and login. Options include: +1. Go to **System Console > Notifications > Mobile Push > Send Push Notifications** and select **Use TPNS connection to send notifications to iOS and Android apps**. +2. Set **Push Notification Server** to *https://push.mattermost.com* if using Enterprise Edition. If using Team Edition, set the value to *https://push-test.mattermost.com*. +3. To confirm push notifications are working, connect to the `Mattermost iOS App on iTunes `__ or the `Mattermost Android App on Google Play `__ and log in to your team site. +4. Close the app on your device, and close any other connections to your team site. +5. Wait 5 minutes and have another team member send you a direct message, which should trigger a push notification to the Mattermost app on your mobile device. +6. 
You should receive a push notification on your device alerting you of the direct message. - - **Do not allow sign-in via an OAuth 2.0 provider** - - **GitLab** (see `GitLab Settings `__ for more detail) - - **Google Apps** (see `Google Settings `__ for more detail) - - **Office 365 (Beta)** (see `Office 365 Settings `__ for more detail) +If you did not receive an alert: -This feature's setting does not appear in ``config.json``. +1. Set **System Console > General > Logging > File Log Level** to *DEBUG* (make sure to set this back to *INFO* after troubleshooting to save disk space). +2. Repeat the above steps. +3. Go to **System Console > Logs** and copy the log output into a file. +4. For Enterprise Edition customers, `submit a support request with the file attached `__. For Team Edition users, please start a thread in the `Troubleshooting forum `__ for peer-to-peer support. ________ -GitLab -~~~~~~~~~~~~~~~~~~~~~~~~~ -Enable authentication with GitLab -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Allow team creation and account signup using GitLab OAuth. To configure, input the **Secret** and **Id** credentials. - -**False**: GitLab OAuth cannot be used for team creation or account signup. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -**Note**: For Enterprise, GitLab settigs can be found under **OAuth 2.0** - -Application ID -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Obtain this value by logging into your GitLab account. 
Go to Profile Settings > Applications > New Application, enter a Name, then enter Redirect URLs ``https:///login/gitlab/complete`` (example: ``https://example.com:8065/login/gitlab/complete`` and ``https:///signup/gitlab/complete``. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Id": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Integrations +-------------------------------- +Settings to configure webhooks, slash commands and external integration services. -Application Secret Key +Custom Integrations +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Incoming Webhooks ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Obtain this value by logging into your GitLab account. Go to Profile Settings > Applications > New Application, enter a Name, then enter Redirect URLs ``https:///login/gitlab/complete`` (example: ``https://example.com:8065/login/gitlab/complete`` and ``https:///signup/gitlab/complete``. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Secret": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Developers building integrations can create webhook URLs for public channels and private channels. Please see our `documentation page `__ to learn about creating webhooks, view samples, and to let the community know about integrations you have built. 
-User API Endpoint -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enter ``https:///api/v3/user`` (example: ``https://example.com:3000/api/v3/user``). Use HTTP or HTTPS depending on how your server is configured. +**True**: Incoming webhooks will be allowed. To manage incoming webhooks, go to **Account Settings > Integrations**. The webhook URLs created in Account Settings can be used by external applications to create posts in any public or private channels that you have access to. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UserApiEndpoint": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: The Integrations > Incoming Webhooks section of Account Settings is hidden and all incoming webhooks are disabled. -Auth Endpoint -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enter ``https:///oauth/authorize`` (example: ``https://example.com:3000/oauth/authorize``). Use HTTP or HTTPS depending on how your server is configured. +Security note: By enabling this feature, users may be able to perform `phishing attacks `__ by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AuthEndpoint": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableIncomingWebhooks": true`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Token Endpoint +Enable Outgoing Webhooks ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enter ``https:///oauth/token`` (example: ``https://example.com:3000/oauth/token``). Use HTTP or HTTPS depending on how your server is configured. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"TokenEndpoint": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Google -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* +Developers building integrations can create webhook tokens for public channels. Trigger words are used to fire new message events to external integrations. For security reasons, outgoing webhooks are only available in public channels. Please see our `documentation page `__ to learn about creating webhooks and view samples. -Enable authentication with Google by selecting ``Google Apps`` from **OAuth 2.0 > Select OAuth 2.0 service provider** +**True**: Outgoing webhooks will be allowed. To manage outgoing webhooks, go to **Account Settings > Integrations**. -**True**: Allow team creation and account signup using Google OAuth. To configure, input the **Client ID** and **Client Secret** credentials. See `documentation `__ for more detail. +**False**: The Integrations > Outgoing Webhooks section of Account Settings is hidden and all outgoing webhooks are disabled. -**False**: Google OAuth cannot be used for team creation or account signup. 
+Security note: By enabling this feature, users may be able to perform `phishing attacks `__ by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableOutgoingWebhooks": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Client ID +Enable Custom Slash Commands ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Obtain this value by registering Mattermost as an application in your Google account. +Slash commands send events to external integrations that send a response back to Mattermost. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Id": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Allow users to create custom slash commands from **Main Menu** > **Integrations** > **Commands**. -Client Secret -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Obtain this value by registering Mattermost as an application in your Google account. +**False**: Slash Commands are hidden in the **Integrations** user interface. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Secret": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnableCommands": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -User API Endpoint +Enable OAuth 2.0 Service Provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -It is recommended to use `https://www.googleapis.com/plus/v1/people/me` as the User API Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UserApiEndpoint": "https://www.googleapis.com/plus/v1/people/me"`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Mattermost acts as an OAuth 2.0 service provider allowing Mattermost to authorize API requests from external applications. -Auth Endpoint -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -It is recommended to use `https://accounts.google.com/o/oauth2/v2/auth` as the Auth Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. +**False**: Mattermost does not function as an OAuth 2.0 service provider. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth"`` with string input. | +| This feature’s ``config.json`` setting is ``"EnableOAuthServiceProvider": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Token Endpoint +Restrict managing integrations to Admins ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -It is recommended to use `https://www.googleapis.com/oauth2/v4/token` as the Token Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. +*This permission has been migrated to the database and changing the config.json value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.* -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token"`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: When true, webhooks and slash commands can only be created, edited and viewed by Team and System Admins, and OAuth 2.0 applications by System Admins. Integrations are available to all users after they have been created by the Admin. 
-Office 365 -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* +**False**: Any team members can create webhooks, slash commands and OAuth 2.0 applications from **Main Menu** > **Integrations**. .. note:: - In line with Microsoft ADFS guidance we recommend `configuring intranet forms-based authentication for devices that do not support WIA `_. - - -Enable authentication with Office 365 by selecting ``Office 365 (Beta)`` from **OAuth 2.0 > Select OAuth 2.0 service provider**. - -**True**: Allow team creation and account signup using Office 365 OAuth. To configure, input the **Application ID** and **Application Secret Password** credentials. See `Documentation `__ for more detail. - -**False**: Office 365 OAuth cannot be used for team creation or account signup. + OAuth 2.0 applications can be authorized by all users if they have the **Client ID** and **Client Secret** for an app setup on the server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableOnlyAdminIntegrations": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Application ID +Enable integrations to override usernames ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Obtain this value by registering Mattermost as an application in your Microsoft or Office account. +**True**: Webhooks, slash commands, OAuth 2.0 apps, and other integrations such as `Zapier `__, will be allowed to change the username they are posting as. 
If no username is present, the username for the post is the same as it would be for a setting of **False**. + +**False**: Custom slash commands can only post as the username of the user who used the slash command. OAuth 2.0 apps can only post as the username of the user who set up the integration. For incoming webhooks and outgoing webhooks, the username is "webhook". See http://mattermost.org/webhooks for more details. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Id": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnablePostUsernameOverride": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Application Secret Password +Enable integrations to override profile picture icons ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Obtain this value by registering Mattermost as an application in your Microsoft or Office account. +**True**: Webhooks, slash commands and other integrations, such as `Zapier `__, will be allowed to change the profile picture they post with. + +**False**: Webhooks, slash commands and OAuth 2.0 apps can only post with the profile picture of the account they were set up with. See http://mattermost.org/webhooks for more details. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Secret": ""`` with string input. | +| This feature's ``config.json`` setting is ``"EnablePostIconOverride": false`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -User API Endpoint +Enable Personal Access Tokens ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -It is recommended to use `https://graph.microsoft.com/v1.0/me` as the User API Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. +**True**: When true, users can create `personal access tokens `__ for integrations in **Account Settings > Security**. They can be used to authenticate against the API and give full access to the account. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UserApiEndpoint": "https://graph.microsoft.com/v1.0/me"`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +To manage who can create personal access tokens or to search users by token ID, go to the **System Console > Users** page. -Auth Endpoint -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -It is recommended to use `https://accounts.google.com/o/oauth2/v2/auth` as the Auth Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. +**False**: Personal access tokens are disabled on the server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"`` with string input. 
| +| This feature's ``config.json`` setting is ``"EnableUserAccessTokens": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Token Endpoint +________ + +External Services +~~~~~~~~~~~~~~~~~~~~~~~~~ +Google API Key ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -It is recommended to use `https://login.microsoftonline.com/common/oauth2/v2.0/token` as the Token Endpoint. Otherwise, enter a custom endpoint in `config.json` with HTTP or HTTPS depending on how your server is configured. +Mattermost offers the ability to embed YouTube videos from URLs shared by end users. Set this key and add YouTube Data API v3 as a service to your key to enable the display of titles for embedded YouTube video previews. Without the key, YouTube previews will still be created based on hyperlinks appearing in messages or comments but they will not show the video title. If Google detects the number of views is exceedingly high, they may throttle embed access. Should this occur, you can remove the throttle by registering for a Google Developer Key and entering it in this field following these instructions: https://www.youtube.com/watch?v=Im69kzhpR3I. Your Google Developer Key is used in client-side Javascript. + +Using a Google API Key allows Mattermost to detect when a video is no longer available and display the post with a *Video not found* label. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token"`` with string input. | +| This feature's ``config.json`` setting is ``"GoogleDeveloperKey": ""`` with string input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + Plugins (Beta) -------------------------------- Settings to configure plugins. -Plugin Management +Management ~~~~~~~~~~~~~~~~~~~~~~~~~ Enable Plugins 
@@ -2653,818 +2106,1235 @@ Lists installed plugins on your Mattermost server. Pre-packaged plugins are inst | This feature's ``config.json`` setting is ``"PluginStates": {}`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Autolink -~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. - -Custom User Attributes -~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. - -Github +JIRA (Beta) ~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. +Enable JIRA +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Jira -~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. +**True**: You can configure JIRA webhooks to post message in Mattermost. To help combat phishing attacks, all posts are labelled by a BOT tag. -Net Promoter Score -~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. +**False**: JIRA webhook integration is not enabled. -Welcome Bot -~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Enabled": false`` with options ``true`` and ``false`` for above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Zoom -~~~~~~~~~~~~~~~~~~~~~~~~~ -Configure this plugin directly in the config.json file. Learn more `in our documentation `_. +User +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Integrations --------------------------------- -Settings to configure webhooks, slash commands and external integration services. +Select the username that this integration is attached to. -Integration Management -~~~~~~~~~~~~~~~~~~~~~~~~~ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"UserName": ""`` with string input | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Incoming Webhooks +Secret ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Developers building integrations can create webhook URLs for public channels and private channels. Please see our `documentation page `__ to learn about creating webhooks, view samples, and to let the community know about integrations you have built. -**True**: Incoming webhooks will be allowed. To manage incoming webhooks, go to **Account Settings > Integrations**. The webhook URLs created in Account Settings can be used by external applications to create posts in any public or private channels that you have access to. - -**False**: The Integrations > Incoming Webhooks section of Account Settings is hidden and all incoming webhooks are disabled. - -Security note: By enabling this feature, users may be able to perform `phishing attacks `__ by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. 
Enable at your own risk. +The secret used to authenticate to Mattermost. Regenerating the secret for the webhook URL endpoint invalidates your existing JIRA integrations. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableIncomingWebhooks": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"Secret": ""`` with string input | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Outgoing Webhooks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Developers building integrations can create webhook tokens for public channels. Trigger words are used to fire new message events to external integrations. For security reasons, outgoing webhooks are only available in public channels. Please see our `documentation page `__ to learn about creating webhooks and view samples. +Note that to set up a JIRA integration via ``config.json``, you can use the following format in ``"PluginSettings:``: -**True**: Outgoing webhooks will be allowed. To manage outgoing webhooks, go to **Account Settings > Integrations**. + .. code-block:: text -**False**: The Integrations > Outgoing Webhooks section of Account Settings is hidden and all outgoing webhooks are disabled. + "Plugins": { + "jira": { + "Enabled": true, + "Secret": "k-ZtjoTrmIdPs7eAGjalDEK_3Q8r3gXJ", + "UserName": "jira" + } + } -Security note: By enabling this feature, users may be able to perform `phishing attacks `__ by attempting to impersonate other users. To combat these attacks, a BOT tag appears next to all posts from a webhook. Enable at your own risk. +where ``Enabled``, ``Secret`` and ``UserName`` are specified above. 
-+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableOutgoingWebhooks": true`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Custom Slash Commands -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Slash commands send events to external integrations that send a response back to Mattermost. -**True**: Allow users to create custom slash commands from **Main Menu** > **Integrations** > **Commands**. +________ -**False**: Slash Commands are hidden in the **Integrations** user interface. +Files +-------------------------------- +Mattermost currently supports storing files on the local filesystem and Amazon S3 or S3 compatible containers. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableCommands": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +.. note:: + We have tested Mattermost with `Minio `__ and `Digital Ocean Spaces `_ products but not all S3 compatible containers on the market. If you are looking to use other S3 compatible containers we advise completing your own testing. 
-Enable OAuth 2.0 Service Provider +Storage +~~~~~~~~~~~~~~~~~~~~~~~~~ +File Storage System ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost acts as an OAuth 2.0 service provider allowing Mattermost to authorize API requests from external applications. -**False**: Mattermost does not function as an OAuth 2.0 service provider. ++-------------------------+---------------------+ +| ``config.json`` setting | ``DriverName`` | ++-------------------------+---------------------+ +| Allowed Values | ``local`` (default) | +| | ``amazons3`` | ++-------------------------+---------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"EnableOAuthServiceProvider": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +This selects which file storage system is used, Local File System or Amazon S3. -Restrict managing integrations to Admins -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*This permission has been migrated to the database and changing the config.json value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.* +**Local File System**: Files and images are stored in the specified local file directory. -**True**: When true, webhooks and slash commands can only be created, edited and viewed by Team and System Admins, and OAuth 2.0 applications by System Admins. Integrations are available to all users after they have been created by the Admin. +**Amazon S3**: Files and images are stored on Amazon S3 based on the provided access key, bucket and region fields. 
The ``amazons3`` driver is compatible with Minio (Beta) and Digital Ocean Spaces based on the provided access key, bucket and region fields. -**False**: Any team members can create webhooks, slash commands and OAuth 2.0 applications from **Main Menu** > **Integrations**. +Local Storage Directory +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: - OAuth 2.0 applications can be authorized by all users if they have the **Client ID** and **Client Secret** for an app setup on the server. ++-------------------------+--------------------------------------------------------------------------------------+ +| ``config.json`` setting | ``Directory`` | ++-------------------------+--------------------------------------------------------------------------------------+ +| Allowed Values | Any directory writeable by the user Mattermost is running as. Default is ``./data/`` | ++-------------------------+--------------------------------------------------------------------------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableOnlyAdminIntegrations": true`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +The local directory to which files are written when the File Storage System is set to ``local``. This is relative to the directory Mattermost is installed to and defaults to ``./data`` When File Storage System is set to S3 this setting has no effect. 
-Enable integrations to override usernames +Amazon S3 Bucket ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Webhooks, slash commands, OAuth 2.0 apps, and other integrations such as `Zapier `__, will be allowed to change the username they are posting as. If no username is present, the username for the post is the same as it would be for a setting of **False**. +The name of the bucket for your S3 compatible object storage instance. -**False**: Custom slash commands can only post as the username of the user who used the slash command. OAuth 2.0 apps can only post as the username of the user who set up the integration. For incoming webhooks and outgoing webhooks, the username is "webhook". See http://mattermost.org/webhooks for more details. ++-------------------------+---------------------------------------------+ +| ``config.json`` setting | ``AmazonS3Bucket`` | ++-------------------------+---------------------------------------------+ +| Allowed Values | A string with the S3-compatible bucket name | ++-------------------------+---------------------------------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnablePostUsernameOverride": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable integrations to override profile picture icons +Amazon S3 Region ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Webhooks, slash commands and other integrations, such as `Zapier `__, will be allowed to change the profile picture they post with. +AWS region you selected when creating your S3 bucket. 
If no region is set, Mattermost attempts to get the appropriate region from AWS, or sets it to 'us-east-1' if none found. For Minio or Digital Ocean Spaces leave this setting empty -**False**: Webhooks, slash commands and OAuth 2.0 apps can only post with the profile picture of the account they were set up with. See http://mattermost.org/webhooks for more details. ++-------------------------+---------------------------------------------+ +| ``config.json`` setting | ``AmazonS3Region`` | ++-------------------------+---------------------------------------------+ +| Allowed Values | A string with the S3-compatible bucket name | ++-------------------------+---------------------------------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnablePostIconOverride": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Bot Account Creation +Amazon S3 Endpoint ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: When true, users can create bot accounts for integrations in **Integrations > Bot Accounts**. Bot accounts are similar to user accounts except they cannot be used to log in. See `documentation `_ to learn more. +Hostname of your S3-compatible instance. Defaults to "s3.amazonaws.com". -**False**: Bot accounts cannot be created through the user interface or the RESTful API. Plugins can still create and manage bot accounts. +.. note:: + For Digital Ocean Spaces, the hostname should be set to ````.digitaloceanspaces.com, where ```` is the abbreviation for the region you chose when setting up the Space. It can be ``nyc3``, ``ams3``, or ``sgp1``. 
-+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableBotAccountCreation": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------+------------------------------------------------------------------+ +| ``config.json`` setting | ``AmazonS3Endpoint`` | ++-------------------------+------------------------------------------------------------------+ +| Allowed Values | A string with the hostname of the S3-compatible storage instance | ++-------------------------+------------------------------------------------------------------+ -Enable Personal Access Tokens + +Amazon S3 Access Key ID ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: When true, users can create `personal access tokens `__ for integrations in **Account Settings > Security**. They can be used to authenticate against the API and give full access to the account. +This is required for access unless you are using an `Amazon S3 IAM Role `__ with Amazon S3. Your EC2 administrator can supply you with the access key ID. -To manage who can create personal access tokens or to search users by token ID, go to the **System Console > Users** page. 
++-------------------------+---------------------------------------------------------------------+ +| ``config.json`` setting | ``AmazonS3AccessKeyId`` | ++-------------------------+---------------------------------------------------------------------+ +| Allowed Values | A string with the access key for the S3-compatible storage instance | ++-------------------------+---------------------------------------------------------------------+ -**False**: Personal access tokens are disabled on the server. +Amazon S3 Secret Access Key +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The secret access key associated with your Amazon S3 Access Key ID. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableUserAccessTokens": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------+----------------------------------------------------------------------------+ +| ``config.json`` setting | ``AmazonS3SecretAccessKey`` | ++-------------------------+----------------------------------------------------------------------------+ +| Allowed Values | A string with the secret access key for the S3-compatible storage instance | ++-------------------------+----------------------------------------------------------------------------+ -GIF (Beta) -~~~~~~~~~~~~~~~~~~~~~~~~~ -Enable GIF Picker -^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Allow users to select GIFs from the emoji picker via a Gfycat integration. +Enable Secure Amazon S3 Connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**False**: GIFs cannot be selected in the emoji picker. 
+**True**: Enables only secure Amazon S3 Connections. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableGifPicker": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: Allows insecure connections to Amazon S3. -.. note:: ++-------------------------+--------------------------------------------+ +| ``config.json`` setting | ``AmazonS3SSL`` | ++-------------------------+--------------------------------------------+ +| Allowed Values | ``true`` or ``false``, default is ``true`` | ++-------------------------+--------------------------------------------+ - Mattermost deployments restricted to access behind a firewall must open port 443 to both https://api.gfycat.com/v1 and https://gfycat.com/ (for all request types) for this feature to work. +Enable Server-Side Encryption for Amazon S3 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Gfycat API Key -^^^^^^^^^^^^^^^^^^^^^^^^^ -When blank, uses the default API key provided by Gfycat. Alternatively, a unique API key can be requested at https://developers.gfycat.com/signup/#/. Enter the client ID you receive via email to this field. +*Available in Enterprise Edition E20* -+-----------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GfycatApiKey": "2_KtH_W5"`` with string input. | -+-----------------------------------------------------------------------------------------------+ +**True**: Encrypts files in Amazon S3 using server-side encryption with `Amazon S3-managed keys `__. 
-Gfycat API Secret -^^^^^^^^^^^^^^^^^^^^^^^^^ -The API secret generated by Gfycat for your API key. When blank, uses the default API secret provided by Gfycat. +**False**: Doesn't encrypt files in Amazon S3. -+---------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof"`` with string input. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------+ +.. note:: + Server-Side Encryption only works with Amazon S3 -CORS -~~~~~~~~~~~~~~~~~~~~~~~~~ ++-------------------------+---------------------------------------------+ +| ``config.json`` setting | ``AmazonS3SS3`` | ++-------------------------+---------------------------------------------+ +| Allowed Values | ``true`` or ``false``, default is ``false`` | ++-------------------------+---------------------------------------------+ -Enable cross-origin requests from +Enable Amazon S3 Debugging ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enable HTTP cross-origin requests from specific domains separated by spaces. Type ``*`` to allow CORS from any domain or leave it blank to disable it. +**True**: When true, log additional debugging information to the system logs. Typically set to `false` in production. -.. note:: - Please make sure you have entered your Site URL before enabling this setting to prevent losing access to the System Console after saving. If you experience lost access to the System Console after changing this setting, you can set your `Site URL `__ through the ``config.json`` file. 
- -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AllowCorsFrom": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: No Amazon S3 debugging information is included in the system logs. -CORS Exposed Headers ++-------------------------+---------------------------------------------+ +| ``config.json`` setting | ``AmazonS3Trace`` | ++-------------------------+---------------------------------------------+ +| Allowed Values | ``true`` or ``false``, default is ``false`` | ++-------------------------+---------------------------------------------+ + +Test Connection +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Ensures that the user can access the server and that the settings are valid. + +Allow File Sharing ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Whitelist of headers that will be accessible to the requester. +When false, disables file sharing on the server. All file and image uploads on messages are forbidden across clients and devices, including mobile. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"CorsExposedHeaders": ""`` with string input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableFileAttachments": true`` with options ``true`` and ``false``. 
| ++---------------------------------------------------------------------------------------------------------------------+ -CORS Allow Credentials +Allow File Uploads on Mobile ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Requests that pass validation will include the ``Access-Control-Allow-Credentials`` header. +*Available in Enterprise Edition E20* -**False**: Requests won't include the ``Access-Control-Allow-Credentials`` header. +When false, disables file uploads on mobile apps. All file and image uploads on messages are forbidden across clients and devices, including mobile. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"CorsAllowCredentials": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableMobileUpload": true`` with options ``true`` and ``false``. | ++---------------------------------------------------------------------------------------------------------------------+ -CORS Debug +Allow File Downloads on Mobile ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Prints messages to the logs to help when developing an integration that uses CORS. These messages will include the structured key value pair ``"source":"cors"``. +*Available in Enterprise Edition E20* -**False**: Debug messages not printed to the logs. +When false, disables file downloads on mobile apps. Users can still download files from a mobile web browser. 
+ ++---------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableMobileDownload": true`` with options ``true`` and ``false``. | ++---------------------------------------------------------------------------------------------------------------------+ + +Maximum File Size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Maximum file size for message attachments entered in megabytes in the System Console UI. Converted to bytes in ``config.json`` at 1048576 bytes per megabyte. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"CorsDebug": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"MaxFileSize": 52428800`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Compliance --------------------------------- +.. warning:: Verify server memory can support your setting choice. Large file sizes increase the risk of server crashes and failed uploads due to network disruptions. -Data Retention Policy -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* +Enable Image Proxy +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Changes to properties in this section will require a server restart before taking effect. +When true, enables an image proxy for loading external images. The image proxy is used by the Mattermost apps to prevent them from connecting directly to remote servers. This anonymizes their connections and prevents them from accessing insecure content. -.. warning:: Once a message or a file is deleted, the action is irreversible. 
Please be careful when setting up a custom data retention policy. +See the :doc:`documentation ` to learn more. -Message Retention -^^^^^^^^^^^^^^^^^^ -Set how long Mattermost keeps messages in channels and direct messages. ++---------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Enable": true`` with options ``true`` and ``false``. | ++---------------------------------------------------------------------------------------------------------------------+ -If **Keep messages for a set amount of time** is chosen, set how many days messages are kept in Mattermost. Messages, including file attachments older than the duration you set will be deleted nightly. The minimum time is one day. +Image Proxy Type +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableMessageDeletion": false`` with options ``true`` and ``false``. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +The type of image proxy used by Mattermost. There are two options: -and +**local**: The Mattermost server itself acts as the image proxy. This is the default option. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"MessageRetentionDays": 365`` with whole number input. 
| -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**atmos/camo**: An external `atmos/camo `_ image proxy is used. -File Retention -^^^^^^^^^^^^^^^^^^ -Set how long Mattermost keeps file uploads in channels and direct messages. - -If **Keep files for a set amount of time** is chosen, set how many days file uploads are kept in Mattermost. Files older than the duration you set will be deleted nightly. The minimum time is one day. - -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableFileDeletion": false`` with options ``true`` and ``false``. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -and +See the `documentation `_ to learn more. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"FileRetentionDays": 365`` with whole number input. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ImageProxyType": "local"``, with options ``local`` and ``atmos/camo`` for above settings respectively. 
| ++-----------------------------------------------------------------------------------------------------------------------------------------------------+ -Data Deletion Time -^^^^^^^^^^^^^^^^^^^ -Set the start time of the daily scheduled data retention job. Choose a time when fewer people are using your system. Must be a 24-hour time stamp in the form HH:MM. +Remote Image Proxy URL +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting is based on the local time of the server. +The URL of the ``atmos/camo`` proxy. This setting is not needed when using the local image proxy. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DeletionJobStartTime": 02:00`` with 24-hour time stamp input in the form HH:MM | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RemoteImageProxyURL": ""`` with string input. | ++---------------------------------------------------------------------------------------------------------------------+ -Run Deletion Job Now -^^^^^^^^^^^^^^^^^^^^^ -This button initiates a Data Retention deletion job immediately. +Remote Image Proxy Options +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -You can monitor the status of the job in the data deletion job table below this button. +The URL signing key passed to an ``atmos/camo`` image proxy. This setting is not needed when using the local image proxy. -Compliance Export (Beta) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available as an add-on to Enterprise Edition E20* +See the `documentation `_ to learn more. 
-Enable Compliance Export -^^^^^^^^^^^^^^^^^^^^^^^^^ -**True:** When true, Mattermost will generate a compliance export file that contains all messages that were posted in the last 24 hours. The export task is scheduled to run once per day. See the `documentation to learn more `__. ++---------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RemoteImageProxyOptions": ""`` with string input. | ++---------------------------------------------------------------------------------------------------------------------+ -**False:** When false, Mattermost doesn't generate a compliance export file. +________ -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableExport": false`` with options ``true`` and ``false``. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Images +~~~~~~~~~~~~~~~~~~~~~~~~~ +Attachment Thumbnail Width +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Removed in July 16th, 2017 release* -Compliance Export Time -^^^^^^^^^^^^^^^^^^^^^^^^ -Set the start time of the daily scheduled compliance export job. Choose a time when fewer people are using your system. Must be a 24-hour time stamp in the form HH:MM. +Width of thumbnails generated from uploaded images. Updating this value changes how thumbnail images render in future, but does not change images created in the past. -This setting is based on the local time of the server. 
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ThumbnailWidth": 120`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DailyRunTime": 01:00`` with 24-hour time stamp input in the form HH:MM | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Attachment Thumbnail Height +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Removed in July 16th, 2017 release* -Export File Format -^^^^^^^^^^^^^^^^^^^^^^^^ -File format of the compliance export. Corresponds to the system that you want to import the data into. +Height of thumbnails generated from uploaded images. Updating this value changes how thumbnail images render in future, but does not change images created in the past. -Currently CSV, Actiance XML and Global Relay EML are supported. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ThumbnailHeight": 100`` with whole number input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -If Global Relay is chosen, then the following options will be presented: +Image Preview Width +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Removed in July 16th, 2017 release* -Global Relay Customer Account -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Type of Global Relay customer account your organization has, either ``A9/Type 9`` or ``A10/Type 10``. +Maximum width of preview image. Updating this value changes how preview images render in future, but does not change images created in the past. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"CustomerType": A9/Type 9`` with options ``A9/Type 9`` and ``A10/Type 10`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"PreviewWidth": 1024`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Global Relay SMTP Username +Image Preview Height ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The username for authenticating to the Global Relay SMTP server. +*Removed in July 16th, 2017 release* + +Maximum height of preview image ("0": Sets to auto-size). Updating this value changes how preview images render in future, but does not change images created in the past. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SmtpUsername": ""`` with string input. 
| +| This feature's ``config.json`` setting is ``"PreviewHeight": 0`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Global Relay SMTP Password +Profile Picture Width ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The password associated with the Global Relay SMTP username. +*Removed in July 16th, 2017 release* + +The width to which profile pictures are resized after being uploaded via Account Settings. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SmtpPassword": ""`` with string input. | +| This feature's ``config.json`` setting is ``"ProfileWidth": 128`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Global Relay Email Address -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The email address your Global Relay server monitors for incoming compliance exports. +Profile Picture Height +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Removed in July 16th, 2017 release* + +The height to which profile pictures are resized after being uploaded via Account Settings. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EmailAddress": ""`` with string input. | +| This feature's ``config.json`` setting is ``"ProfileHeight": 128`` with whole number input. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Run Compliance Export Job Now -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This button initiates a Compliance Export job immediately. +________ -You can monitor the status of the job in the compliance export job table below this button. +Customization +-------------------------------- +Settings to customize your deployment with custom branding and legal and support links. -Compliance Monitoring +Custom Branding ~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* - -Settings used to enable and configure Mattermost compliance reports. -Enable Compliance Reporting +Site Name ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Compliance reporting is enabled in Mattermost. - -**False**: Compliance reporting is disabled. +Name of service shown in login screens and UI. Maximum 30 characters. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"SiteName": "Mattermost"`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Compliance Report Directory +Enable Custom Branding ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Sets the directory where compliance reports are written. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Directory": "./data/"`` with string input. 
| -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +*This feature was moved to Team Edition in Mattermost v5.0, released June 16th, 2018. In previous versions, this feature is available in Enterprise Edition E10 and higher.* -Enable Daily Report -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Mattermost generates a daily compliance report. +**True**: Enables custom branding to show a JPG image some custom text on the server login page. -**False**: Daily reports are not generated. +**False**: Custom branding is disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableDaily": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableCustomBrand": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Custom Terms of Service (Beta) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Custom Terms of Service -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20*. - -Enable Custom Terms of Service +Custom Brand Image ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -.. note:: +Custom JPG image is displayed on left side of server login page. Recommended maximum image size is less than 2 MB because image will be loaded for every user who logs in. - This page can only be modified using the System Console user interface. 
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This features has no ``config.json`` setting and must be set in the System Console user interface. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**True**: When true, new users must accept the terms of service before accessing any Mattermost teams on desktop, web or mobile. Existing users must accept them after login or a page refresh. To update terms of service link displayed in account creation and login pages, go to **System Console > Legal and Support > Terms of Service Link**. +Custom Brand Text +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**False**: During account creation or login, users can review terms of service by accessing the link configured via **System Console > Legal and Support > Terms of Service link**. +Custom text will be shown below custom brand image on left side of server login page. Maximum 500 characters allowed. You can format this text using the same `Markdown formatting codes `__ as using in Mattermost messages. -Custom Terms of Service Text -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Text that will appear in your custom Terms of Service. Supports Markdown-formatted text. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"CustomBrandText": ""`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Re-Acceptance Period +Site Description ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The number of days before Terms of Service acceptance expires, and the terms must be re-accepted. +Description of service shown in login screens and UI. When not specified, "All team communication in one place, searchable and accessible anywhere" is displayed. -Defaults to 365 days. 0 indicates the terms do not expire. ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"CustomDescriptionText": ""`` with string input. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Experimental -------------- -There are a number of settings considered "experimental" that are configurable from the System Console. These may be replaced or removed in a future release. +________ -Features +Announcement Banner ~~~~~~~~~~~~~~~~~~~~~~~~~ -AD/LDAP Settings -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Enable Announcement Banner +^^^^^^^^^^^^^^^^^^^^^^^^^^ -AD/LDAP Login Button Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the AD/LDAP login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. +Enable an announcement banner across all teams. The banner is displayed at the top of the screen and is the entire width of the screen. By default, users can dismiss the banner until you either change the text of the banner or until you re-enable the banner after it has been disabled. 
You can prevent users from dismissing the banner, and you can control the text color and the background color. -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ +**True**: Enable the announcement banner. The banner is displayed only if ``BannerText`` has a value. -AD/LDAP Login Button Border Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the AD/LDAP login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. +**False**: Disable the announcement banner. -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonBorderColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableBanner": false`` with options ``true`` and ``false``. | ++-----------------------------------------------------------------------------------------------------------+ -AD/LDAP Login Button Text Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the AD/LDAP login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. 
+Banner Text +^^^^^^^^^^^ -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonTextColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ +The text of the announcement banner. -Allow Authentication Transfer (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* ++------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"BannerText": ""`` with string input. | ++------------------------------------------------------------------------------------+ -**True**: Users can change their sign-in method to any that is enabled on the server, either via Account Settings or the APIs. +Banner Color +^^^^^^^^^^^^ -**False**: Users cannot change their sign-in method, regardless of which authentication options are enabled. +The background color of the announcement banner. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalEnableAuthenticationTransfer": true`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``""BannerColor": "#f2a93b"`` with string input. 
| ++---------------------------------------------------------------------------------------------+ -Autoclose Direct Messages in Sidebar (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Banner Text Color +^^^^^^^^^^^^^^^^^ -**True**: By default, direct message conversations with no activity for 7 days will be hidden from the sidebar. This can be disabled in **Account Settings** > **Sidebar**. +The color of the text in the announcement banner. -**False**: Conversations remain in the sidebar until they are manually closed. ++-------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``""BannerTextColor": "#333333"`` with string input. | ++-------------------------------------------------------------------------------------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"CloseUnusedDirectMessages": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Allow Banner Dismissal +^^^^^^^^^^^^^^^^^^^^^^ -Link Metadata Timeout -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Users can dismiss the banner until the next time they log in or the banner is updated. -Adds a configurable timeout for requests made to return link metadata. If the metadata is not returned before this timeout expires, the message will post without requiring metadata. This timeout covers the failure cases of broken URLs and bad content types on slow network connections. +**False**: The banner is permanently visible until it is turned off by the System Admin. 
-+---------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LinkMetadataTimeoutMilliseconds": 5000`` with whole number input | -+---------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``""AllowBannerDismissal": true`` with options ``true`` and ``false``. | ++-------------------------------------------------------------------------------------------------------------------+ -Email Settings -^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Email Batching Buffer Size -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the maximum number of notifications batched into a single email. +________ -+--------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``EmailBatchingBufferSize": 256`` with whole number input | -+--------------------------------------------------------------------------------------------------------------------------+ +Emoji +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Emoji Picker +^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Enables an emoji picker that allows users to select emoji to add as reactions or use in messages. Enabling the emoji picker with a large number of custom emoji may slow down performance. -Email Batching Interval -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the maximum frequency, in seconds, which the batching job checks for new notifications. Longer batching intervals will increase performance. +**False**: Emoji picker is disabled. 
-+-----------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``EmailBatchingInterval": 30`` with whole number input | -+-----------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableCustomEmoji": true`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Skip Server Certificate Verification -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Enable Custom Emoji +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Enables a Custom Emoji option in the Main Menu, where users can go to create customized emoji. -**True**: Do not validate SMTP servers when connecting to them. +**False**: Custom emojis are disabled. -**False**: Validate SMTP servers when connecting to them. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableCustomEmoji": false`` with options ``true`` and ``false`` for above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SkipServerCertificateVerification": false`` with options ``true`` and ``false``. | -+-------------------------------------------------------------------------------------------------------------------------------+ +Restrict Custom Emoji Creation +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*This permission has been migrated to the database and changing the config.json value no longer takes effect after upgrading to v4.9, released on April 16th, 2018. This permission can be modified using the System Console user interface.* -Email Login Button Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the email login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. +*Available in Enterprise Edition E10 and higher* -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ +**Allow everyone to create custom emoji**: Allows everyone to create custom emoji from the **Main Menu** > **Custom Emoji**. -Email Login Button Border Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the email login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. 
+**Allow System and Team Admins to create custom emoji**: The Custom Emoji option is hidden from the Main Menu for users who are not System or Team Admins. -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonBorderColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ +**Only allow System Admins to create custom emoji**: The Custom Emoji option is hidden from the Main Menu for users who are not System Admins. -Email Login Button Text Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the email login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RestrictCustomEmojiCreation": "all"`` with options ``all``, ``admin`` and ``system_admin`` for above settings respectively. | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonTextColor": ""`` with string input. 
| -+-------------------------------------------------------------------------------------------------------------------------------+ +________ -Enable Account Deactivation -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Ability for users to deactivate their own account from **Account Settings > Advanced**. If a user deactivates their own account, they will get an email notification confirming they were deactivated. -**False**: Ability for users to deactivate their own account is disabled. +GIF (Beta) +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable GIF Picker +^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Allow users to select GIFs from the emoji picker via a Gfycat integration. + +**False**: GIFs cannot be selected in the emoji picker. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableUserDeactivation": false`` with options ``true`` and ``false`` for above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableGifPicker": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Automatic Replies (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. note:: -**True**: Users can enable Automatic Replies in **Account Settings > Notifications**. Users set a custom message that will be automatically sent in response to Direct Messages. + Mattermost deployments restricted to access behind a firewall must open port 443 to both https://api.gfycat.com/v1 and https://gfycat.com/ (for all request types) for this feature to work. -**False**: Disables the Automatic Direct Message Replies feature and hides it from Account Settings. 
+Gfycat API Key +^^^^^^^^^^^^^^^^^^^^^^^^^ +When blank, uses the default API key provided by Gfycat. Alternatively, a unique API key can be requested at https://developers.gfycat.com/signup/#/. Enter the client ID you receive via email to this field. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ExperimentalEnableAutomaticReplies": false`` with options ``true`` and ``false`` for above settings respectively. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"GfycatApiKey": "2_KtH_W5"`` with string input. | ++-----------------------------------------------------------------------------------------------+ -Enable Channel Viewed WebSocket Messages -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting determines whether channel_viewed WebSocket events are sent, which synchronize unread notifications across clients and devices. Disabling the setting in larger deployments may improve server performance. +Gfycat API Secret +^^^^^^^^^^^^^^^^^^^^^^^^^ +The API secret generated by Gfycat for your API key. When blank, uses the default API secret provided by Gfycat. -+------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableChannelViewedMessages": true`` with options ``true`` and ``false``. 
| -+------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof"`` with string input. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Client-Side Certification -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* +________ -**True**: Enables client-side certification for your Mattermost server. See `documentation `__ to learn more. +Posts +~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Link Previews +^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Enables users to display a preview of website content below the message, if available. When true, website previews can be enabled from Account Settings > Display > Website Link Previews. -**False**: Client-side certification is disabled. +**False**: Website link previews are disabled. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ClientSideCertEnable": false`` with options ``true`` and ``false`` for the above settings respectively. | +| This feature's ``config.json`` setting is ``"EnableLinkPreviews": false`` with options ``true`` and ``false`` for above settings respectively. 
| +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Client-Side Certification Login Method -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20* - -Used in combination with the ``ClientSideCertEnable`` setting. - -**Primary**: After the client side certificate is verified, user's email is retrieved from the certificate and is used to log in without a password. - -**Secondary**: After the client side certificate is verified, user's email is retrieved from the certificate and matched against the one supplied by the user. If they match, the user logs in with regular email/password credentials. +Custom URL Schemes +^^^^^^^^^^^^^^^^^^^^^^^^^ +A list of URL schemes that are used for autolinking in message text. ``http``, ``https``, ``ftp``, ``tel`` and ``mailto`` always create links. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ClientSideCertCheck": secondary`` with options ``primary`` and ``secondary`` for the above settings respectively. | +| This feature's ``config.json`` setting is ``"CustomUrlSchemes": []`` which takes an array of URL schemes such as ``["git", "smtp"]`. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Default Channel Leave/Join System Messages -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting determines whether team leave/join system messages are posted in the default ``town-square`` channel. +________ -**True**: Enables leave/join system messages in the default ``town-square`` channel. +.. 
_legal-support-links: +Legal and Support +~~~~~~~~~~~~~~~~~~~~~~~~~ +Legal and Support links will be hidden in the user interface if these fields are left blank. -**False**: Disables leave/join messages from the default ``town-square`` channel. These system messages won't be added to the database either. +Terms of Service link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to Terms of Service your organization may provide to end users. By default, links to a Terms of Service page hosted on about.mattermost.com. If changing the link to a different Terms of Service, make sure to include the "Mattermost Conditions of Use" notice to end users that must also be shown to users from the "Terms of Service" link. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalEnableDefaultChannelLeaveJoinMessages": true`` with options ``true`` and ``false`` for above settings respectively. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"TermsOfServiceLink": "https://about.mattermost.com/default-terms/"`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Hardened Mode (Experimental) +Privacy Policy link ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to Privacy Policy your organization may provide to end users. 
By default, links to a Privacy Policy page hosted on about.mattermost.com. -**True**: Enables a hardened mode for Mattermost that makes user experience trade-offs in the interest of security. ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"PrivacyPolicyLink": "https://about.mattermost.com/default-privacy-policy/"`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**False**: Disables hardened mode. +About link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to an About page describing your organization may provide to end users. By default, links to an About page hosted on about.mattermost.com. -Changes made when hardened mode is enabled: ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AboutLink": "https://about.mattermost.com/default-about/"`` with string input. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - - Failed login returns a generic error message instead of a specific message for username and password. - - If `multi-factor authentication (MFA) `__ is enabled, the route to check if a user has MFA enabled always returns true. This causes the MFA input screen to appear even if the user does not have MFA enabled. The user may enter any value to pass the screen. Note that hardened mode does not affect user experience when MFA is enforced. 
- - Password reset does not inform the user that they can not reset their SSO account through Mattermost and instead claims to have sent the password reset email. - - Mattermost sanitizes all 500 errors before returned to the client. Use the supplied ``request_id`` to match user facing errors with the server logs. +Help link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to a Help page your organization may provide to end users. By default, links to Mattermost help documentation hosted on `docs.mattermost.com `__ . -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalEnableHardenedMode": false`` with options ``true`` and ``false`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"HelpLink": "https://about.mattermost.com/default-help/"`` with string input. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable AD/LDAP Group Sync (Experimental) +Report a Problem link ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E20 and higher* +Set the link for the support website. -**True**: Enables AD/LDAP Group Sync configurable under **Access Controls > Groups**. 
++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ReportAProblemLink": "https://about.mattermost.com/default-report-a-problem/"`` with string input. | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**False**: Disables AD/LDAP Group Sync and removes the **Access Controls > Groups** from the System Console. +Support Email +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Set an email for feedback or support requests. -For more information on AD/LDAP Group Sync, please see the `AD/LDAP Group Sync documentation `_. +So you don't miss messages, please make sure to change this value to an email your system administrator receives, example: `support@yourcompany.com`. This address is displayed on email notifications and during the Getting Started tutorial for end users to ask support questions. -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalLdapGroupSync": false`` with options ``true`` and ``false`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"SupportEmail":"feedback@mattermost.com"`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Preview Features (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Custom Terms of Service +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20*. -**True**: Preview features can be enabled from **Account Settings** > **Advanced** > **Preview pre-release features**. +Enable Custom Terms of Service +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**False**: Disables and hides preview features from **Account Settings** > **Advanced** > **Preview pre-release features**. +.. note:: -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"EnablePreviewFeatures": true`` with options ``true`` and ``false`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + This page can only be modified using the System Console user interface. -Enable Theme Selection -^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* +**True**: When true, new users must accept the terms of service before accessing any Mattermost teams on desktop, web or mobile. Existing users must accept them after login or a page refresh. To update terms of service link displayed in account creation and login pages, go to **System Console > Legal and Support > Terms of Service Link**. -**True:** Enables the **Display** > **Theme** tab in Account Settings so users can select their theme. 
+**False**: During account creation or login, users can review terms of service by accessing the link configured via **System Console > Legal and Support > Terms of Service link**. -**False:** Users cannot select a different theme. The **Display** > **Theme** tab is hidden in Account Settings. +Custom Terms of Service Text +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Text that will appear in your custom Terms of Service. Supports Markdown-formatted text. -+-----------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableThemeSelection": true`` with options ``true`` and ``false``. | -+-----------------------------------------------------------------------------------------------------------------+ +Re-Acceptance Period +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The number of days before Terms of Service acceptance expires, and the terms must be re-accepted. -Allow Custom Themes -^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* +Defaults to 365 days. 0 indicates the terms do not expire. -**True:** Enables the **Display** > **Theme** > **Custom Theme** section in Account Settings. +________ -**False:** Users cannot use a custom theme. The **Display** > **Theme** > **Custom Theme** section is hidden in Account Settings. +Mattermost App Links +~~~~~~~~~~~~~~~~~~~~~~~~~ -+--------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AllowCustomThemes": true`` with options ``true`` and ``false``. | -+--------------------------------------------------------------------------------------------------------------+ +Mattermost Apps Download Page Link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to a download page for Mattermost Apps. 
When a link is present, an option to "Download Apps" will be added in the Main Menu so users can find the download page. Leave this field blank to hide the option from the Main Menu. Defaults to a page on about.mattermost.com where users can download the iOS, Android, and Desktop clients. If you are using an `Enterprise App Store `__ for your mobile apps, change this link to point to a customized download page where users can find the correct apps. -Default Theme -^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AppDownloadLink": "https://about.mattermost.com/downloads/"`` with string input. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Set a default theme that applies to all new users on the system. +Android App Download Link +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to download the Android app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an `Enterprise App Store `__ for your mobile apps, change this link to point to the correct app. -+-----------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DefaultTheme": "default"`` with options ``default``, ``organization``, ``mattermostDark`` and ``windows10``. 
| -+-----------------------------------------------------------------------------------------------------------------------------------------------------------+ ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AndroidAppDownloadLink": "https://about.mattermost.com/mattermost-android-app/"`` with string input. | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Tutorial (Experimental) +iOS App Download Link ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configurable link to download the iOS app. When a link is present, users who access the site on a mobile web browser will be prompted with a page giving them the option to download the app. Leave this field blank to prevent the page from appearing. If you are using an `Enterprise App Store `__ for your mobile apps, change this link to point to the correct app. -**True**: Users are prompted with a tutorial when they open Mattermost for the first time after account creation. - -**False**: The tutorial is disabled. Users are placed in Town Square when they open Mattermost for the first time after account creation. ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"IosAppDownloadLink": "https://about.mattermost.com/mattermost-ios-app/"`` with string input. 
| ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -+--------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"EnableTutorial": true`` with options ``true`` and ``false`` for above settings respectively. | -+--------------------------------------------------------------------------------------------------------------------------------------------+ +________ -Enable User Typing Messages +Compliance +-------------------------------- + +Data Retention Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* + +Changing properties in this section will require a server restart before taking effect. + +.. warning:: Once a message or a file is deleted, the action is irreversible. Please be careful when setting up a custom data retention policy. + +Message Retention +^^^^^^^^^^^^^^^^^^ +Set how long Mattermost keeps messages in channels and direct messages. + +If **Keep messages for a set amount of time** is chosen, set how many days messages are kept in Mattermost. Messages, including file attachments older than the duration you set will be deleted nightly. The minimum time is one day. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableMessageDeletion": false`` with options ``true`` and ``false``. 
| ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +and + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MessageRetentionDays": 365`` with whole number input. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +File Retention +^^^^^^^^^^^^^^^^^^ +Set how long Mattermost keeps file uploads in channels and direct messages. + +If **Keep files for a set amount of time** is chosen, set how many days file uploads are kept in Mattermost. Files older than the duration you set will be deleted nightly. The minimum time is one day. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableFileDeletion": false`` with options ``true`` and ``false``. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +and + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"FileRetentionDays": 365`` with whole number input. 
| ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Data Deletion Time +^^^^^^^^^^^^^^^^^^^ +Set the start time of the daily scheduled data retention job. Choose a time when fewer people are using your system. Must be a 24-hour time stamp in the form HH:MM. + +This setting is based on the local time of the server. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DeletionJobStartTime": 02:00`` with 24-hour time stamp input in the form HH:MM | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Run Deletion Job Now +^^^^^^^^^^^^^^^^^^^^^ +This button initiates a Data Retention deletion job immediately. + +You can monitor the status of the job in the data deletion job table below this button. + +Compliance Export (Beta) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available as an add-on to Enterprise Edition E20* + +Enable Compliance Export +^^^^^^^^^^^^^^^^^^^^^^^^^ +**True:** When true, Mattermost will generate a compliance export file that contains all messages that were posted in the last 24 hours. The export task is scheduled to run once per day. See the `documentation to learn more `__. + +**False:** When false, Mattermost doesn't generate a compliance export file. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableExport": false`` with options ``true`` and ``false``. 
| ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Compliance Export Time +^^^^^^^^^^^^^^^^^^^^^^^^ +Set the start time of the daily scheduled compliance export job. Choose a time when fewer people are using your system. Must be a 24-hour time stamp in the form HH:MM. + +This setting is based on the local time of the server. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DailyRunTime": 01:00`` with 24-hour time stamp input in the form HH:MM | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Export File Format +^^^^^^^^^^^^^^^^^^^^^^^^ +File format of the compliance export. Corresponds to the system that you want to import the data into. + +Currently CSV, Actiance XML and Global Relay EML are supported. + +If Global Relay is chosen, then the following options will be presented: + +Global Relay Customer Account +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Type of Global Relay customer account your organization has, either ``A9/Type 9`` or ``A10/Type 10``. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"CustomerType": A9/Type 9`` with options ``A9/Type 9`` and ``A10/Type 10`` for above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Global Relay SMTP Username ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting determines whether "user is typing..." messages are displayed below the message box. Disabling the setting in larger deployments may improve server performance. +The username for authenticating to the Global Relay SMTP server. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableUserTypingMessages": "true"`` with string input. | +| This feature's ``config.json`` setting is ``"SmtpUsername": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Time Between User Typing Updates (User Typing Timeout) +Global Relay SMTP Password ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This setting defines how frequently "user is typing..." messages are updated, measured in milliseconds. +The password associated with the Global Relay SMTP username. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"TimeBetweenUserTypingUpdatesMilliseconds": 5000`` with whole number input. | +| This feature's ``config.json`` setting is ``"SmtpPassword": ""`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Global Relay Email Address +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The email address your Global Relay server monitors for incoming compliance exports. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EmailAddress": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Run Compliance Export Job Now +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This button initiates a Compliance Export job immediately. + +You can monitor the status of the job in the compliance export job table below this button. + +Advanced +-------------------------------- +Advanced settings to configure rate limiting, databases and developer options. + +Rate Limiting +~~~~~~~~~~~~~~~~~~~~~~~~~ +Changing properties in this section will require a server restart before taking effect. + +Enable Rate Limiting +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: APIs are throttled at the rate specified by **PerSec**. + +**False**: APIs are not throttled. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Maximum Queries per Second +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Throttle API at this number of requests per second if rate limiting is enabled. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"PerSec": 10`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Maximum Burst Size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Maximum number of requests allowed beyond the per second query limit. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MaxBurst": 100`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Memory Store Size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Maximum number of user sessions connected to the system as determined by **VaryByRemoteAddr** and **VaryByHeader** variables. + +Typically set to the number of users in the system. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MemoryStoreSize": 10000`` with whole number input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Vary rate limit by remote address +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Rate limit API access by IP address. Recommended to set to ``true`` if you're using a proxy. + +**False**: Rate limiting does not vary by IP address. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"VaryByRemoteAddr": true`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Vary rate limit by HTTP header +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Vary rate limiting by HTTP header field specified (e.g. when configuring Ngnix set to "X-Real-IP", when configuring AmazonELB set to "X-Forwarded-For"). Recommended to be set if you're using a proxy. + +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"VaryByHeader": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Vary rate limit by user +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Rate limit API access by user authentication token. Recommended to set to ``true`` if you're using a proxy. + +**False**: Rate limiting does not vary by user authentication token. 
+ ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"VaryByUser": false`` with options ``true`` and ``false`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + + +Database +~~~~~~~~~~~~~~~~~~~~~~~~~ +Changing properties in this section will require a server restart before taking effect. + +Driver Name +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This setting can only be changed from config.json file, it cannot be changed from the System Console user interface. + +``mysql``: enables driver to MySQL database. + +``postgres``: enables driver to PostgreSQL database. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DriverName": "mysql"`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Data Source +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This is the connection string to the master database. When **DriverName** is set to ``postgres``, use a connection string in the form ``postgres://mmuser:password@localhost:5432/mattermost_test?sslmode=disable&connect_timeout=10``. This setting can only be changed from ``config.json`` file. + +.. note:: + To enable SSL, add ``&tls=true`` to your database connection string if your SQL driver supports it. Add ``&tls=skip-verify`` if you use self-signed certificates. 
+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DataSource": ""`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Maximum Idle Connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Maximum number of idle connections held open to the database. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MaxIdleConns": 10`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Maximum Open Connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Maximum number of open connections held open to the database. + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MaxOpenConns": 10`` with whole number input. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +SQL Query Timeout +^^^^^^^^^^^^^^^^^ +The number of seconds to wait for a response from the database after opening a connection and sending the query. Errors that you see in the UI or in the logs as a result of a query timeout can vary depending on the type of query. 
+ ++-------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"QueryTimeout": 30`` with whole number input. | ++-------------------------------------------------------------------------------------------------------------------------+ + +Maximum Connection Lifetime +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Maximum lifetime for a connection to the database, in milliseconds. Use this setting to configure the maximum amount of time a connection to the database may be reused. Defaults to an hour (3,600,000 milliseconds). + ++-------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ConnMaxLifetimeMilliseconds": 3600000`` with whole number input. | ++-------------------------------------------------------------------------------------------------------------------------+ + +Minimum Hashtag Length +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Minimum number of characters in a hashtag. This must be greater than or equal to 2. MySQL databases must be configured to support searching strings shorter than three characters, see `documentation `_. + ++-------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"MinimumHashtagLength": 3`` with whole number input. | ++-------------------------------------------------------------------------------------------------------------------------+ + +At Rest Encrypt Key +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +A 32-character key for encrypting and decrypting sensitive fields in the database. You can generate your own cryptographically random alphanumeric string, or you can go to **System Console > Advanced > Database** and click **Regenerate**, which displays the value until you click **Save**. 
+ +When using High Availability, the salt must be identical in each instance of Mattermost. + +The following fields are encrypted using this key + +- ``SqlSettings.DriverName`` +- ``SqlSettings.DataSource`` +- ``SqlSettings.MaxIdleConns`` +- ``SqlSettings.MaxOpenConns`` +- ``SqlSettings.Trace`` +- ``SqlSettings.QueryTimeout`` +- ``SqlSettings.ConnMaxLifetimeMilliseconds`` + ++------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AtRestEncryptKey": ""`` with string input. | ++------------------------------------------------------------------------------------------+ + +Trace +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Executing SQL statements are written to the log for development. + +**False**: SQL statements are not written to the log. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Trace": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Recycle Database Connections +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E20* + +This button reconnects to the database listed in the configuration settings. All old connections are closed after 20s. + +The workflow for failover without downing the server is to change the database line in the config.json file, click **Reload Configuration from Disk** in the General > Configuration section then click **Recycle Database Connections**. 
+ +________ + +Elasticsearch +~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* + +Changing properties in this section will require a server restart before taking effect. + +Enable Elasticsearch Indexing +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True:** indexing of new posts occurs automatically. Search queries will use database search until "Enable Elasticsearch for search queries" is enabled. `Learn more about Elasticsearch in our documentation `__. + +**False:** Elasticsearch indexing is disabled and new posts are not indexed. If indexing is disabled and re-enabled after an index is created, it is recommended to purge and rebuild the index to ensure complete search results. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableIndexing": false`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Server Connection Address +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The address of the Elasticsearch server. `Learn more about Elasticsearch in our documentation `__. + ++------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ConnectionUrl": ""`` with string input. | ++------------------------------------------------------------------------------------------------------------------------+ + +Server Username +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The username to authenticate to the Elasticsearch server. 
+ ++-------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Username": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------+ + +Server Password +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +(Optional) The password to authenticate to the Elasticsearch server. + ++-------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Password": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------+ + +Enable Cluster Sniffing +^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Sniffing finds and connects to all data nodes in your cluster automatically. + +**False**: Sniffing is disabled. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Sniff": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Bulk Indexing +^^^^^^^^^^^^^^^^^^^^^^^^ +This button starts a bulk index of all existing posts in the database. If the indexing process is cancelled the index and search results will be incomplete. + +Purge Indexes +^^^^^^^^^^^^^^^^^^^^^^^^ +This button purges the entire Elasticsearch index. Typically only used if the index has corrupted and search is not behaving as expected. After purging the index a new index can be created with the **Bulk Index** button. 
+ +Enable Elasticsearch for search queries +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Elasticsearch will be used for all search queries using the latest index. Search results may be incomplete until a bulk index of the existing post database is finished. + +**False**: Database search is used for search queries. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableSearching": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +________ + + +Developer +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Enable Testing Commands +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: `/test` slash command is enabled to load test accounts and test data. + +**False**: `/test` slash command is disabled. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableTesting": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Enable Developer Mode +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Javascript errors are shown in a purple bar at the top of the user interface. Not recommended for use in production. + +**False**: Users are not alerted to Javascript errors. 
+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableDeveloper": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Allow untrusted internal connections to +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This setting limits the ability for the Mattermost server to make untrusted requests within its local network. A request is considered "untrusted" when it's made on behalf of a client. The following features make untrusted requests and are affected by this setting: + +- Integrations using webhooks, slash commands or message actions. This prevents them from requesting endpoints within the local network. +- Link previews. When a link to a local network address is posted in a chat message, this prevents a link preview from being displayed. +- The `local image proxy `_. If the local image proxy is enabled, images located on the local network cannot be used by integrations or posted in chat messages. + +Requests that can only be configured by admins are considered trusted and will not be affected by this setting. Trusted URLs include ones used for OAuth login or for sending push notifications. + +.. warning:: + This setting is intended to prevent users located outside your local network from using the Mattermost server to request confidential data from inside your network. Care should be used when configuring this setting to prevent unintended access to your local network. 
+ +Some examples of when you may want to modify this setting include: + +- When installing a plugin that includes its own images, such as `Matterpoll `__, you will need to add the Mattermost server's domain name to this list. +- When running a bot or webhook-based integration on your local network, you will need to add the hostname of the bot/integration to this list. +- If your network is configured in such a way that publicly accessible webpages or images are accessed by the Mattermost server using their internal IP address, the hostnames for those servers must be added to this list. + +This setting is a whitelist of local network addresses that can be requested by the Mattermost server. It is configured as a whitespace separated list of hostnames, IP addresses and CIDR ranges that can be accessed such as ``webhooks.internal.example.com 127.0.0.1 10.0.16.0/28``. Since v5.9 the public IP of the Mattermost application server itself is also considered a reserved IP. + +IP address and domain name rules are applied before host resolution. CIDR rules are applied after host resolution. For example, if the domain "webhooks.internal.example.com" resolves to the IP address 10.0.16.20, a webhook with the URL "https://webhooks.internal.example.com/webhook" can be whitelisted using ``webhooks.internal.example.com`` or ``10.0.16.16/28``, but not ``10.0.16.20``. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AllowedUntrustedInternalConnections": ""`` with string input. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________________________________________________________________________________________________________________________________________________________________________ + +.. _high-availability: + +High Availability +~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* + +Changing properties in this section will require a server restart before taking effect. + +When High Availability mode is enabled, the System Console is set to read-only and settings can only be changed by editing the configuration file directly. However, for testing and validating a High Availability setup, you can set *ReadOnlyConfig* to ``false``, which allows changes made in the System Console to be saved back to the configuration file. + +To learn more about configuring High Availability, see `High Availability Cluster <../deployment/cluster.html>`__. + +Enable High Availability Mode +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: The Mattermost Server will attempt inter-node communication with the other servers in the cluster that have the same Cluster Name. This sets the System Console to read-only mode to keep the servers ``config.json`` files in sync. + +**False**: Mattermost high availability is disabled. + ++-----------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false``. | ++-----------------------------------------------------------------------------------------------------+ -Enable X to Leave Channels from Left-Hand Sidebar (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Users can leave Public and Private Channels by clicking the "x" beside the channel name. +Cluster Name +^^^^^^^^^^^^ +The cluster to join by name. 
Only nodes with the same cluster name will join together. This is to support Blue-Green deployments or staging pointing to the same database. -**False**: Users must use the **Leave Channel** option from the channel menu to leave channels. ++------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ClusterName": ""`` with string input. | ++------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableXToLeaveChannelsFromLHS": false`` with options ``true`` and ``false`` for above settings respectively. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Override Hostname +^^^^^^^^^^^^^^^^^ +If blank, Mattermost attempts to get the Hostname from the OS or use the IP Address. You can override the hostname of this server with this property. It is not recommended to override the Hostname unless needed. This property can also be set to a specific IP Address if needed. Also see `cluster discovery `_ for more details. -Primary Team (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The primary team of which users on the server are members. When a primary team is set, the options to join other teams or leave the primary team are disabled. ++-----------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"OverrideHostname": ""`` with string input. 
| ++-----------------------------------------------------------------------------------------+ -If the team URL of the primary team is https://example.mattermost.com/myteam/, then set the value to ``myteam`` in ``config.json``. +Use IP Address +^^^^^^^^^^^^^^ +**True**: The cluster attempts to communicate using the IP Address. -+-----------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ExperimentalPrimaryTeam": ""`` with string input. | -+-----------------------------------------------------------------------------------------------------------------+ +**False**: The cluster attempts to communicate using the hostname. -SAML Settings -^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++---------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"UseIpAddress": true`` with options ``true`` and ``false``. | ++---------------------------------------------------------------------------------------------------------+ -SAML Login Button Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the SAML login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. +Use Experimental Gossip +^^^^^^^^^^^^^^^^^^^^^^^ +**True**: The server attempts to communicate via the gossip protocol over the gossip port. -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ +**False**: The server attempts to communicate over the streaming port. 
-SAML Login Button Border Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the SAML login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. +Note that the gossip port and gossip protocol are used to determine cluster health even when this setting is ``false``. -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonBorderColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"UseExperimentalGossip": false`` with options ``true`` and ``false``. | ++-------------------------------------------------------------------------------------------------------------------+ -SAML Login Button Text Color -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specify the color of the SAML login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. +Read Only Config +^^^^^^^^^^^^^^^^ +**True**: Changes made to settings in the System Console are ignored. -+-------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"LoginButtonTextColor": ""`` with string input. | -+-------------------------------------------------------------------------------------------------------------------------------+ +**False**: Changes made to settings in the System Console are written to ``config.json``. 
-Sidebar Organization (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +When running in production it is recommended to set this to true. -**True**: Enables channel sidebar organization options in **Account Settings** > **Sidebar** > **Channel grouping and sorting** including options for grouping unread channels, sorting channels by most recent post and combining all channel types into a single list. ++-----------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ReadOnlyConfig": true`` with options ``true`` and ``false``. | ++-----------------------------------------------------------------------------------------------------------+ -**False**: Hides the channel sidebar organization options in **Account Settings** > **Sidebar** > **Channel grouping and sorting**. +Gossip Port +^^^^^^^^^^^ +The port used for the gossip protocol. Both UDP and TCP should be allowed on this port. -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalChannelOrganization": false`` with options ``true`` and ``false`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"GossipPort": 8074`` with whole number input. | ++-------------------------------------------------------------------------------------------+ -Timezone -^^^^^^^^^^^^^^^^^^^^^^^^^ -Select the timezone used for timestamps in the user interface and email notifications. 
+Streaming Port +^^^^^^^^^^^^^^ +The port used for streaming data between servers. -**True** The Timezone setting is visible in the Account Settings and a time zone is automatically assigned in the next active session. ++----------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"StreamingPort": 8075`` with whole number input. | ++----------------------------------------------------------------------------------------------+ -**False** The Timezone setting is hidden in the Account Settings. +Inter-Node Listen Address +^^^^^^^^^^^^^^^^^^^^^^^^^ +*Deprecated. Not used in version 4.0 and later* -+------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ExperimentalTimezone": false`` with options ``true`` and ``false``. | -+------------------------------------------------------------------------------------------------------------------+ +The address the Mattermost Server will listen on for inter-node communication. When setting up your network you should secure the listen address so that only machines in the cluster have access to that port. This can be done in different ways, for example, using IPsec, security groups, or routing tables. -Town Square is Hidden in Left-Hand Sidebar (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* ++-----------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"InterNodeListenAddress": ":8075"`` with string input. | ++-----------------------------------------------------------------------------------------------------+ -**True**: Hides Town Square in the left-hand sidebar if there are no unread messages in the channel. +Inter-Node URLs +^^^^^^^^^^^^^^^ +*Deprecated. 
Not used in version 4.0 and later* -**False**: Town Square is always visible in the left-hand sidebar even if all messages have been read. +A list of all the machines in the cluster, separated by commas, for example, ``["http://10.10.10.2", "http://10.10.10.4"]``. It is recommended to use the internal IP addresses so all the traffic can be secured. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ExperimentalHideTownSquareinLHS": false`` with options ``true`` and ``false`` for above settings respectively. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++--------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"InterNodeUrls": []`` with string input. | ++--------------------------------------------------------------------------------------+ -Town Square is Read-Only (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* +________________________________________________________________________________________________________________________________________________________________________ -**True**: Only System Admins can post in Town Square. Other members are not able to post, reply, upload files, emoji react or pin messages to Town Square, nor are they able to change the channel name, header or purpose. +Performance Monitoring +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* -**False**: Anyone can post in Town Square. +Enable Performance Monitoring +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Mattermost enables performance monitoring collection and profiling. 
Please see `documentation `__ to learn more about configuring performance monitoring for Mattermost. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ExperimentalTownSquareIsReadOnly": false`` with options ``true`` and ``false`` for above settings respectively. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: Mattermost performance monitoring is disabled. -Use Channel Name in Email Notifications (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Channel and team name appears in email notification subject lines. Useful for servers using only one team. ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"Enable": false`` with options ``true`` and ``false`` for above settings respectively. | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**False**: Only team name appears in email notification subject line. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"UseChannelInEmailNotifications": false`` with options ``true`` and ``false`` for above settings respectively. 
| -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Listen Address +^^^^^^^^^^^^^^^^^^ +The address the Mattermost server will listen on to expose performance metrics. -User Status Away Timeout -^^^^^^^^^^^^^^^^^^^^^^^^^ ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"InterNodeListenAddress": ":8067"`` with string input. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -This setting defines the number of seconds after which the user's status indicator changes to "Away", when they are away from Mattermost. +------ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"UserStatusAwayTimeout": 300`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Settings configurable only in config.json -------------------------------------------- +Settings configurable only in config.json +----------------------------------------- There are a number of settings customizable in ``config.json`` unavailable in the System Console and require updating from the file itself. 
@@ -3499,19 +3369,6 @@ This setting only takes effect if you are using the built-in server binary direc | This feature's ``config.json`` setting is ``"TLSMinVer": "1.2"`` with string input. | +-------------------------------------------------------------------------------------+ -Trusted Proxy IP Header -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Specified headers that will be checked one by one for IP addresses (order is important). All other headers are ignored. - -New configs after v5.12 will have this set by default to ``[]``, meaning that no header will be trusted. Configs prior to v5.12 without the config entry will have it set to ``X-Forwarded-By``, ``X-Real-Ip`` to maintain backwards compatibility as an authority to what the client's IP address is. - -We recommend keeping the default setting when Mattermost is running without a proxy, to avoid the client sending the headers and bypassing rate limiting and/or the audit log. For environments that use a reverse proxy this problem does not exist, if the headers are set by NGINX itself. In those environments only explicitly whitelist the header that is set by the reverse proxy and no additional values. - -+---------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``TrustedProxyIPHeader`` with string array input. | -+---------------------------------------------------------------------------------------------------+ - Enable Strict Transport Security (HSTS) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -3584,6 +3441,22 @@ If this setting is enabled, users can search messages. Disabling search can resu | This feature's ``config.json`` setting is ``"EnablePostSearch": true`` with options ``true`` and ``false``. | +-------------------------------------------------------------------------------------------------------------+ +Enable User Typing Messages +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This setting determines whether "user is typing..." messages are displayed below the message box. Disabling the setting in larger deployments may improve server performance. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableUserTypingMessages": "true"`` with string input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Time Between User Typing Updates +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This setting defines how frequently "user is typing..." messages are updated, measured in milliseconds. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"TimeBetweenUserTypingUpdatesMilliseconds": 5000`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + Enable User Status Updates ^^^^^^^^^^^^^^^^^^^^^^^^^^ Turn status updates off to improve performance. When status updates are off, users appear online only for brief periods when posting a message, and only to members of the channel in which the message is posted. 
@@ -3592,6 +3465,14 @@ Turn status updates off to improve performance. When status updates are off, use | This feature's ``config.json`` setting is ``"EnableUserStatuses": true`` with options ``true`` and ``false``. | +---------------------------------------------------------------------------------------------------------------+ +Enable Channel Viewed WebSocket Messages +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This setting determines whether channel_viewed WebSocket events are sent, which synchronize unread notifications across clients and devices. Disabling the setting in larger deployments may improve server performance. + ++------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableChannelViewedMessages": true`` with options ``true`` and ``false``. | ++------------------------------------------------------------------------------------------------------------------------+ + Segment Write Key ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -3608,8 +3489,6 @@ WebSocket Secure Port (Optional) This setting defines the port on which the secured WebSocket will listen using the `wss` protocol. Otherwise it defaults to `443`. When the client attempts to make a WebSocket connection it first checks to see if the page is loaded with HTTPS. If so, it will use the secure WebSocket connection. If not, it will use the unsecure WebSocket connection. IT IS HIGHLY RECOMMENDED PRODUCTION DEPLOYMENTS ONLY OPERATE UNDER HTTPS AND WSS. -Changes to this setting require a server restart before taking effect. - +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"WebsocketSecurePort" : 443`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -3619,8 +3498,6 @@ WebSocket Port (Optional) This setting defines the port on which the unsecured WebSocket will listen using the `ws` protocol. Otherwise it defaults to `80`. When the client attempts to make a WebSocket connection it first checks to see if the page is loaded with HTTPS. If so, it will use the secure WebSocket connection. If not, it will use the unsecure WebSocket connection. IT IS HIGHLY RECOMMENDED PRODUCTION DEPLOYMENTS ONLY OPERATE UNDER HTTPS AND WSS. -Changes to this setting require a server restart before taking effect. - +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature’s ``config.json`` setting is ``WebsocketPort": 80`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -3636,17 +3513,6 @@ Enable API Team Deletion | This feature’s ``config.json`` setting is ``"EnableAPITeamDeletion": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Disable Bots When Owner Is Deactivated -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Bot accounts managed by a user are disabled by default upon user deactivation. Those with permissions to manage bot accounts can re-enable them in **Main Menu > Integrations > Bot Accounts**. - -**False**: Bot accounts managed by a user stay enabled upon user deactivation. We strongly recommend creating new tokens for the bot to ensure the user who was deactivated no longer has access to read or write data in the system via the bot access token. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"DisableBotsWhenOwnerIsDeactivated": true`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - SQL Settings ~~~~~~~~~~~~ 
@@ -3685,9 +3551,7 @@ The queries above rebuild the materialized `PublicChannels` table without modify Read Replicas (Enterprise Edition) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specifies the connection strings for the read replica databases. Each string must be in the same form as used for the `Data Source`_ setting. - -Changes to this setting require a server restart before taking effect. +Specifies the connection strings for the read replica databases. Each string must be in the same form as used for the `Data Source`_ setting. A server restart is required for changes to this setting to take effect. +---------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"DataSourceReplicas": []`` with a comma-separated list of database connection strings as input. | 
@@ -3695,14 +3559,26 @@ Changes to this setting require a server restart before taking effect. Search Replicas (Enterprise Edition) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Specifies the connection strings for the search replica databases. A search replica is similar to a read replica, but is used only for handling search queries. Each string must be in the same form as used for the `Data Source`_ setting. - -Changes to this setting require a server restart before taking effect. +Specifies the connection strings for the search replica databases. A search replica is similar to a read replica, but is used only for handling search queries. Each string must be in the same form as used for the `Data Source`_ setting. A server restart is required for changes to this setting to take effect. +---------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"DataSourceSearchReplicas": []`` with a comma-separated list of database connection strings as input. | +---------------------------------------------------------------------------------------------------------------------------------------------------+ +Team Settings +~~~~~~~~~~~~~~~~~~~~~~~~~ + +User Status Away Timeout +^^^^^^^^^^^^^^^^^^^^^^^^^ + +This setting defines the number of seconds after which the user's status indicator changes to "Away", when they are away from Mattermost. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"UserStatusAwayTimeout": 300`` with whole number input. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +________ + File Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Initial Font 
@@ -3739,26 +3615,81 @@ Amazon S3 Lowercase Bucket ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ **True**: S3 bucket names are fully lowercase. -**False**: S3 bucket names may contain uppercase and lowercase letters. +**False**: S3 bucket names may contain uppercase and lowercase letters. + +*Removed in November 16th, 2016 release* + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AmazonS3LowercaseBucket": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Amazon S3 Signature V2 +^^^^^^^^^^^^^^^^^^^^^^ + +By default, Mattermost uses Signature V4 to sign API calls to AWS, but under some circumstances, V2 is required. For more information about when to use V2, see http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html + +**True**: Use Signature Version 2 Signing Process + +**False**: Use Signature Version 4 Signing Process + ++------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AmazonS3SignV2": false`` with options ``true`` and ``false``. | ++------------------------------------------------------------------------------------------------------------+ + +Email Settings +~~~~~~~~~~~~~~~~~~~~~~~~~ +Email Batching Buffer Size +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the maximum number of notifications batched into a single email. 
+ ++--------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``EmailBatchingBufferSize": 256`` with whole number input | ++--------------------------------------------------------------------------------------------------------------------------+ + +Email Batching Interval +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the maximum frequency, in seconds, which the batching job checks for new notifications. Longer batching intervals will increase performance. + ++-----------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``EmailBatchingInterval": 30`` with whole number input | ++-----------------------------------------------------------------------------------------------------------------------+ + +Skip Server Certificate Verification +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +**True**: Do not validate SMTP servers when connecting to them. + +**False**: Validate SMTP servers when connecting to them. + ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"SkipServerCertificateVerification": false`` with options ``true`` and ``false``. | ++-------------------------------------------------------------------------------------------------------------------------------+ -*Removed in November 16th, 2016 release* +Login Button Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the email login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. 
-+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AmazonS3LowercaseBucket": false`` with options ``true`` and ``false`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ -Amazon S3 Signature V2 -^^^^^^^^^^^^^^^^^^^^^^ +Login Button Border Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the email login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. -By default, Mattermost uses Signature V4 to sign API calls to AWS, but under some circumstances, V2 is required. For more information about when to use V2, see http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonBorderColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ -**True**: Use Signature Version 2 Signing Process +Login Button Text Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the email login button text for white labeling purposes. 
Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. -**False**: Use Signature Version 4 Signing Process ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonTextColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ -+------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AmazonS3SignV2": false`` with options ``true`` and ``false``. | -+------------------------------------------------------------------------------------------------------------+ +________ GitLab Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -3770,6 +3701,8 @@ Standard setting for OAuth to determine the scope of information shared with OAu | This feature's ``config.json`` setting is ``"Scope": ""`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + Google Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Scope @@ -3780,6 +3713,8 @@ Standard setting for OAuth to determine the scope of information shared with OAu | This feature's ``config.json`` setting is ``"Scope": "profile email"`` with string input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + Office 365 Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Scope 
@@ -3790,6 +3725,66 @@ Standard setting for OAuth to determine the scope of information shared with OAu | This feature's ``config.json`` setting is ``"Scope": "User.Read"`` with string input | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + +AD/LDAP Settings +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Login Button Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the AD/LDAP login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. + ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ + +Login Button Border Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the AD/LDAP login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. + ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonBorderColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ + +Login Button Text Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the AD/LDAP login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. 
+ ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonTextColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ + +________ + +SAML Settings +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Login Button Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the SAML login button for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. + ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ + +Login Button Border Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the SAML login button border for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. + ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonBorderColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ + +Login Button Text Color +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Specify the color of the SAML login button text for white labeling purposes. Use a hex code with a #-sign before the code. This setting only applies to the mobile apps. 
+ ++-------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LoginButtonTextColor": ""`` with string input. | ++-------------------------------------------------------------------------------------------------------------------------------+ + +________ + Cluster Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Maximum Idle Connections @@ -3816,6 +3811,8 @@ The number of milliseconds to leave an idle connection open between servers in t | This feature's ``config.json`` setting is ``"IdleConnTimeoutMilliseconds": 90000`` with whole number input. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +________ + Metrics Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ Block Profile Rate 
@@ -3826,185 +3823,35 @@ The profiler aims to sample an average of one blocking event per rate nanosecond To include every blocking event in the profile, set the rate to 1. To turn off profiling entirely, set the rate to 0. -Changes to this setting require a server restart before taking effect. - +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"BlockProfileRate": "0"`` with decimal and whole number input between 0 and 1. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Experimental Settings only in config.json ------------------------------------------ - -Service Settings -~~~~~~~~~~~~~~~~~ -Group Unread Channels (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in December 16, 2018 release and replaced by a new ExperimentalChannelOrganization setting* - -**Disabled**: Unread channels section is disabled for all users. - -**Default On**: Enables the unread channels sidebar section by default. Users can turn it off in **Account Settings** > **Sidebar**. - -**Default Off**: Disables the unread channels sidebar section by default. Users can turn it on in **Account Settings** > **Sidebar**. - -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalGroupUnreadChannels": "disabled"`` with options ``disabled``, ``default_on`` and ``default_off`` for above settings respectively. 
| -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Strict CSRF Token Enforcement (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Enables CSRF protection tokens for additional hardening compared to the currently used custom header. When the user logs in, an additional cookie is created with the CSRF token contained. - -**False**: Disables CSRF protection tokens. - -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalStrictCSRFEnforcement": false`` with options ``true`` and ``false`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Limit Access to Config Settings Prior to Login -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in December 16, 2018 release* - -Enable this setting to limit the number of config settings sent to users prior to login. - -Supported for Mattermost server v5.1.0 and later, and Mattermost Mobile apps v1.10.0 and later. - -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"ExperimentalLimitClientConfig": "false"`` with options ``true`` and ``false`` for above settings respectively. 
| -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Disable Legacy MFA API Endpoint -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Disables the legacy ``checkMfa`` endpoint, which is only required for Mattermost Mobile Apps on version 1.16 or earlier when using multi-factor authentication (MFA). Recommended to set to ``true`` for additional security hardening. - -**False**: Keeps the legacy ``checkMfa`` endpoint enabled to support mobile versions 1.16 and earlier. Keeping the endpoint enabld creates an information disclosure about whether a user has set up MFA. - -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"DisableLegacyMFA": true,`` with options ``true`` and ``false`` for above settings respectively. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Restrict System Admin (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Restricts the System Admin from viewing and modifying a subset of server configuration settings from the System Console. Not recommended for use in on-prem installations. This is intended to support Mattermost Private Cloud in giving the System Admin role to users but restricting certain actions only for Cloud Administrators. - -**False**: No restrictions are applied to the System Admin role. - -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature’s ``config.json`` setting is ``"RestrictSystemAdmin": false,`` with options ``true`` and ``false`` for above settings respectively. 
| -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Team Settings -~~~~~~~~~~~~~~ - -Default Channels (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Default channels every user is added to automatically after joining a new team. Only applies to public channels, but affects all teams on the server. - -When not set, every user is added to ``off-topic`` and ``town-square`` channel by default. - -Note that even if ``town-square`` is not listed, every user is added to that channel after joining a new team. - -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ExperimentalDefaultChannels": ""`` which takes an array of channel names such as ``["announcement", "developers"]``. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Allow Users to View Archived Channels (Experimental) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -**True**: Allows users to view permalinks and search for content of channels that have been archived. Users can only view the content in channels of which they were a member before the channel was archived. - -**False**: Users are unable to view permalinks and search for content of channels that have been archived. - -+-------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ViewArchivedChannels": false`` with options ``true`` and ``false`` for above settings respectively. 
| -+-------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Email Settings -~~~~~~~~~~~~~~ - -Client Requirement Settings (Experimental) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Latest Android Version -^^^^^^^^^^^^^^^^^^^^^^^^^ -The latest version of the Android React Native app that is recommended for use. - -+-----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AndroidLatestVersion": ""`` with whole number and decimal input. For example, `1.2.0` | -+-----------------------------------------------------------------------------------------------------------------------------------------+ - -Minimum Android Version -^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The minimum version of the Android React Native app that is required to be used. - -+----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AndroidMinVersion": ""`` with whole number and decimal input. For example, `1.2.0` | -+----------------------------------------------------------------------------------------------------------------------------------------+ - -Latest Desktop Version -^^^^^^^^^^^^^^^^^^^^^^^^^^ -The latest version of the desktop app that is recommended for use. - -+-------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DesktopLatestVersion": ""`` with whole number and decimal input. 
For example, `1.2.0` | -+-------------------------------------------------------------------------------------------------------------------------------------------+ - -Minimum Destop Version -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The minimum version of the desktop app that is required to be used. - -+----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"DesktopMinVersion": ""`` with whole number and decimal input. For example, `1.2.0` | -+----------------------------------------------------------------------------------------------------------------------------------------+ - -Latest iOS Version -^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The latest version of the iOS app that is recommended for use. - -+---------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IosLatestVersion": ""`` with whole number and decimal input. For example, `1.2.0` | -+---------------------------------------------------------------------------------------------------------------------------------------+ - -Minimum iOS Version -^^^^^^^^^^^^^^^^^^^^^ -The minimum version of the iOS React Native app that is required to be used. - -+------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"IosMinVersion": ""`` with whole number and decimal input. 
For example, `1.2.0` | -+------------------------------------------------------------------------------------------------------------------------------------+ - -Theme Settings (Experimental) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Allowed Themes -^^^^^^^^^^^^^^^^^^^^^^^^^ -*Available in Enterprise Edition E10 and higher* +Experimental Settings +~~~~~~~~~~~~~~~~~~~~~~~~~ +*Available in Enterprise Edition E20* -Select the themes that can be chosen by users when ``"EnableThemeSelection"`` is set to ``true``. +Enable Client-Side Certification +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Enables client-side certification for your Mattermost server. See `documentation `__ to learn more. -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AllowedThemes": "default"`` with options ``default``, ``organization``, ``mattermostDark`` and ``windows10`` optionally separated by commas. For example, ``["mattermostDark", "windows10"]`` | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: Client-side certification is disabled. -Display Settings (Experimental) -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ClientSideCertEnable": false`` with options ``true`` and ``false`` for the above settings respectively. 
| ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Supported Timezones Path -^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set the path of the JSON file that lists supported timezones when ``ExperimentalTimezone`` is set to true. +Client-Side Certification Login Method +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Used in combination with the ``ClientSideCertEnable`` setting. -The file must be in the same directory as your ``config.json`` file if you set a relative path. Defaults to ``timezones.json``. +**Primary**: After the client side certificate is verified, user's email is retrieved from the certificate and is used to log in without a password. -+-----------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"SupportedTimezonesPath": "timezones.json"`` with string input. | -+-----------------------------------------------------------------------------------------------------------------+ +**Secondary**: After the client side certificate is verified, user's email is retrieved from the certificate and matched against the one supplied by the user. If they match, the user logs in with regular email/password credentials. -Experimental Settings -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Available in Enterprise Edition E20* ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ClientSideCertCheck": secondary`` with options ``primary`` and ``secondary`` for the above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ Disable Post Metadata ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -4017,6 +3864,15 @@ Disable Post Metadata | This feature's ``config.json`` setting is ``"DisablePostMetadata": false`` with options ``true`` and ``false`` for the above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Link Metadata Timeout +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Adds a configurable timeout for requests made to return link metadata. If the metadata is not returned before this timeout expires, the message will post without requiring metadata. This timeout covers the failure cases of broken URLs and bad content types on slow network connections. + ++---------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"LinkMetadataTimeoutMilliseconds": 5000`` with whole number input | ++---------------------------------------------------------------------------------------------------------------------------------+ + Analytics Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ *Available in Enterprise Edition E10 and higher* 
@@ -4092,12 +3948,14 @@ Timeout in seconds for Elasticseaerch calls. Bulk Indexing Time Window ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Determines the maximum time window for a batch of posts being indexed by the Bulk Indexer. This setting servers as a performance optimisation for installs with over ~10 million posts in the database. Approximate this value based on the average number of seconds for 2,000 posts to be added to the database on a typical day in production. Setting this value too low will cause Bulk Indexing jobs to run slowly. +Determines the maximum time window for a batch of posts being indexed by the Bulk Indexer. This setting servers as a performance optimisation for installs with over ~10 millioin posts in the database. Approximate this value based on the average number of seconds for 2,000 posts to be added to the database on a typical day in production. Setting this value too low will cause Bulk Indexing jobs to run slowly. +-----------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"BulkIndexingTimeWindowSeconds": 3600`` with whole number input | +-----------------------------------------------------------------------------------------------------------------+ +________ + Message Export Settings ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -4113,7 +3971,7 @@ File Location ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Set the file location of the compliance exports. -By default, they are written to the `exports` subdirectory of the configured `Local Storage directory `_. +By default, they are written to the `exports` subdirectory of the configured `Local Storage directory `. +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | This feature's ``config.json`` setting is ``"FileLocation": "export"`` with string input. | 
@@ -4141,324 +3999,430 @@ Enable Plugin Uploads | This feature's ``config.json`` setting is ``"EnableUploads": false`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable Plugin Health Check +Directory +^^^^^^^^^^ +The location of the plugin files. If blank, they are stored in the ./plugins directory. The path that you set must exist and Mattermost must have write permissions in it. + ++-----------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"Directory": "./plugins"`` with string input. | ++-----------------------------------------------------------------------------------------------------------------+ + +------ + +Experimental settings +----------------------------------------- + +There are a number of settings considered "experimental" and these may be replaced or removed in a future release. + +Service Settings +~~~~~~~~~~~~~~~~~ + +Enable Tutorial (Experimental) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**True**: Enables plugin health check to ensure all plugins are periodically monitored, and restarted or deactivated based on their health status. +**True**: Users are prompted with a tutorial when they open Mattermost for the first time after account creation. + +**False**: The tutorial is disabled. Users are placed in Town Square when they open Mattermost for the first time after account creation. + ++--------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"EnableTutorial": true`` with options ``true`` and ``false`` for above settings respectively. 
| ++--------------------------------------------------------------------------------------------------------------------------------------------+ + +Enable Default Channel Leave/Join System Messages +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +This setting determines whether team leave/join system messages are posted in the default ``town-square`` channel. + +**True**: Enables leave/join system messages in the default ``town-square`` channel. + +**False**: Disables leave/join messages from the default ``town-square`` channel. These system messages won't be added to the database either. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalEnableDefaultChannelLeaveJoinMessages": true`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Allow Authentication Transfer (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* -The health check runs every 30 seconds. If the plugin is detected to fail 3 times within an hour, the Mattermost server attempts to restart it. If the restart fails 3 successive times, it is automatically disabled. +**True**: Users can change their sign-in method to any that is enabled on the server, either via Account Settings or the APIs. -**False**: Disables plugin health check on your Mattermost server. +**False**: Users cannot change their sign-in method, regardless of which authentication options are enabled. 
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"EnableHealthCheck": true`` with options ``true`` and ``false`` for above settings respectively. | +| This feature’s ``config.json`` setting is ``"ExperimentalEnableAuthenticationTransfer": true`` with options ``true`` and ``false`` for above settings respectively. | +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Directory -^^^^^^^^^^ -The location of the plugin files. If blank, they are stored in the ./plugins directory. The path that you set must exist and Mattermost must have write permissions in it. +Autoclose Direct Messages in Sidebar (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+-----------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Directory": "./plugins"`` with string input. | -+-----------------------------------------------------------------------------------------------------------------+ +**True**: By default, direct message conversations with no activity for 7 days will be hidden from the sidebar. This can be disabled in **Account Settings** > **Sidebar**. -Client Directory -^^^^^^^^^^^^^^^^^^ -The location of client plugin files. If blank, they are stored in the ./client/plugins directory. The path that you set must exist and Mattermost must have write permissions in it. +**False**: Conversations remain in the sidebar until they are manually closed. -+-----------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"Directory": "./client/plugins"`` with string input. 
| -+-----------------------------------------------------------------------------------------------------------------+ ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"CloseUnusedDirectMessages": false`` with options ``true`` and ``false`` for above settings respectively. | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Jobs -~~~~~~~~~~~~~~~~~~~~~~~~~ +Enable Preview Features (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Settings to configure the how Mattermost schedules and completes periodic tasks such as the deletion of old posts with Data Retention enabled or indexing of posts with Elasticsearch. These settings control which Mattermost servers are designated as a Scheduler, a server that queues the tasks at the correct times, and as a Worker, a server that completes the given tasks. +**True**: Preview features can be enabled from **Account Settings** > **Advanced** > **Preview pre-release features**. -When running Mattermost on a single machine, both ``RunJobs`` and ``RunScheduler`` should be enabled. Without both of these enabled, Mattermost will not function properly. +**False**: Disables and hides preview features from **Account Settings** > **Advanced** > **Preview pre-release features**. -When running Mattermost in High Availability mode, ``RunJobs`` should be enabled on one or more servers while ``RunScheduler`` should be enabled on all servers under normal circumstances. A High Availability cluster will have one Scheduler and one or more Workers. See the below sections for more information. 
++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"EnablePreviewFeatures": true`` with options ``true`` and ``false`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Run Jobs +Sidebar Organization (Experimental) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set whether or not this Mattermost server will handle tasks created by the Scheduler. -When running Mattermost on a single machine, this setting should always be enabled. +**True**: Enables channel sidebar organization options in **Account Settings** > **Sidebar** > **Channel grouping and sorting** including options for grouping unread channels, sorting channels by most recent post and combining all channel types into a single list. -When running Mattermost in High Availablity mode, one or more servers should have this setting enabled. It is recommended that a High Availability cluster has one or more dedicated Workers with this setting enabled while the remaining Mattermost app servers have it disabled. +**False**: Hides the channel sidebar organization options in **Account Settings** > **Sidebar** > **Channel grouping and sorting**. -+------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RunJobs": true`` with options ``true`` and ``false`` for above settings respectively. 
| -+------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalChannelOrganization": false`` with options ``true`` and ``false`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Run Scheduler +Group Unread Channels (Experimental) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Set whether or not this Mattermost server will schedule tasks that will be completed by a Worker. +*Removed in December 16, 2018 release and replaced by a new ExperimentalChannelOrganization setting* -When running Mattermost on a single machine, this setting should always be enabled. +**Disabled**: Unread channels section is disabled for all users. + +**Default On**: Enables the unread channels sidebar section by default. Users can turn it off in **Account Settings** > **Sidebar**. -When running Mattermost in High Availablity mode, this setting should always be enabled. In a High Availability cluster, exactly one of the servers will be designated as the Scheduler at a time to ensure that duplicate tasks aren't created. See `High Availability documentation `__ for more details. +**Default Off**: Disables the unread channels sidebar section by default. Users can turn it on in **Account Settings** > **Sidebar**. -+-----------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RunScheduler": true`` with options ``true`` and ``false`` for above settings respectively. 
| -+-----------------------------------------------------------------------------------------------------------------------------------------+ ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalGroupUnreadChannels": "disabled"`` with options ``disabled``, ``default_on`` and ``default_off`` for above settings respectively. | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Enable Hardened Mode (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Deprecated Configuration Settings ------------------------------------ +**True**: Enables a hardened mode for Mattermost that makes user experience trade-offs in the interest of security. -Policy -~~~~~~~~~~~~~~~~~~~~~~~~~ -*Removed in June 16, 2018 release* +**False**: Disables hardened mode. -Permission policy settings are available in Enterprise Edition E10 and E20. In v5.0 and later, these settings are found in the `Advanced Permissions `__ page instead of configuration settings. +Changes made when hardened mode is enabled: -Enable sending team invites from + - Failed login returns a generic error message instead of a specific message for username and password. + - If `multi-factor authentication (MFA) `__ is enabled, the route to check if a user has MFA enabled always returns true. This causes the MFA input screen to appear even if the user does not have MFA enabled. The user may enter any value to pass the screen. Note that hardened mode does not affect user experience when MFA is enforced. + - Password reset does not inform the user that they can not reset their SSO account through Mattermost and instead claims to have sent the password reset email. 
+ - Mattermost sanitizes all 500 errors before returned to the client. Use the supplied ``request_id`` to match user facing errors with the server logs. + ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalEnableHardenedMode": false`` with options ``true`` and ``false`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Enable AD/LDAP Group Sync (Experimental) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E20 and higher* -*Removed in June 16, 2018 release* +**True**: Enables AD/LDAP Group Sync configurable under **Access Controls > Groups**. -Set policy on who can invite others to a team using the **Send Email Invite**, **Get Team Invite Link**, and **Add Members to Team** options on the main menu. If **Get Team Invite Link** is used to share a link, you can expire the invite code from **Team Settings > Invite Code** after the desired users have joined the team. Options include: +**False**: Disables AD/LDAP Group Sync and removes the **Access Controls > Groups** from the System Console. -**All team members**: Allows any team member to invite others using an email invitation, team invite link or by adding members to the team directly. +For more information on AD/LDAP Group Sync, please see the `AD/LDAP Group Sync documentation `_. -**Team and System Admins**: Hides the email invitation, team invite link, and the add members to team buttons in the Main Menu from users who are not Team Admins or System Admins. 
++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalLdapGroupSync": false`` with options ``true`` and ``false`` for above settings respectively. | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**System Admins**: Hides the email invitation, team invite link, and add members to team buttons in the Main Menu from users who are not System Admins. +Strict CSRF Token Enforcement (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictTeamInvite": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**True**: Enables CSRF protection tokens for additional hardening compared to the currently used custom header. When the user logs in, an additional cookie is created with the CSRF token contained. -Enable public channel creation for +**False**: Disables CSRF protection tokens. + ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalStrictCSRFEnforcement": false`` with options ``true`` and ``false`` for above settings respectively. 
| ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Limit Access to Config Settings Prior to Login ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Removed in December 16, 2018 release* -*Removed in June 16, 2018 release* +Enable this setting to limit the number of config settings sent to users prior to login. -Restrict the permission level required to create public channels. +Supported for Mattermost server v5.1.0 and later, and Mattermost Mobile apps v1.10.0 and later. -**All team members**: Allow all team members to create public channels. ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"ExperimentalLimitClientConfig": "false"`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**Team Admins and System Admins**: Restrict creating public channels to Team Admins and System Admins. +Disable Legacy MFA API Endpoint +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**System Admins**: Restrict creating public channels to System Admins. +**True**: Disables the legacy ``checkMfa`` endpoint, which is only required for Mattermost Mobile Apps on version 1.16 or earlier when using multi-factor authentication (MFA). Recommended to set to ``true`` for additional security hardening. 
-+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPublicChannelCreation": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: Keeps the legacy ``checkMfa`` endpoint enabled to support mobile versions 1.16 and earlier. Keeping the endpoint enabld creates an information disclosure about whether a user has set up MFA. -Enable public channel renaming for -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"DisableLegacyMFA": true,`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -*Removed in June 16, 2018 release* +Restrict System Admin (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Restrict the permission level required to rename and set the header or purpose for public channels. +**True**: Restricts the System Admin from viewing and modifying a subset of server configuration settings from the System Console. Not recommended for use in on-prem installations. This is intended to support Mattermost Private Cloud in giving the System Admin role to users but restricting certain actions only for Cloud Administrators. -**All channel members**: Allow all channel members to rename public channels. 
+**False**: No restrictions are applied to the System Admin role. -**Channel Admins, Team Admins, and System Admins**: Restrict renaming public channels to Channel Admins, Team Admins, and System Admins who are members of the channel. ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature’s ``config.json`` setting is ``"RestrictSystemAdmin": false,`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**Team Admins and System Admins**: Restrict renaming public channels to Team Admins and System Admins who are members of the channel. +Team Settings +~~~~~~~~~~~~~~ -**System Admins**: Restrict renaming public channels to System Admins who are members of the channel. +Primary Team (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The primary team of which users on the server are members. When a primary team is set, the options to join other teams or leave the primary team are disabled. -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPublicChannelManagement": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +If the team URL of the primary team is https://example.mattermost.com/myteam/, then set the value to ``myteam`` in ``config.json``. 
-Enable public channel deletion for -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++-----------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ExperimentalPrimaryTeam": ""`` with string input. | ++-----------------------------------------------------------------------------------------------------------------+ -*Removed in June 16, 2018 release* +Default Channels (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Default channels every user is added to automatically after joining a new team. Only applies to public channels, but affects all teams on the server. -Restrict the permission level required to delete public channels. Deleted channels can be recovered from the database using a `command line tool `__. +When not set, every user is added to ``off-topic`` and ``town-square`` channel by default. -**All channel members**: Allow all channel members to delete public channels. +Note that even if ``town-square`` is not listed, every user is added to that channel after joining a new team. + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ExperimentalDefaultChannels": ""`` which takes an array of channel names such as ``["announcement", "developers"]``. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Enable X to Leave Channels from Left-Hand Sidebar (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Users can leave Public and Private Channels by clicking the "x" beside the channel name. + +**False**: Users must use the **Leave Channel** option from the channel menu to leave channels. 
+ ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableXToLeaveChannelsFromLHS": false`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Town Square is Read-Only (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* + +**True**: Only System Admins can post in Town Square. Other members are not able to post, reply, upload files, emoji react or pin messages to Town Square, nor are they able to change the channel name, header or purpose. + +**False**: Anyone can post in Town Square. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ExperimentalTownSquareIsReadOnly": false`` with options ``true`` and ``false`` for above settings respectively. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**Channel Admins, Team Admins, and System Admins**: Restrict deleting public channels to Channel Admins, Team Admins, and System Admins who are members of the channel. +Town Square is Hidden in Left-Hand Sidebar (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* -**Team Admins and System Admins**: Restrict deleting public channels to Team Admins and System Admins who are members of the channel. 
+**True**: Hides Town Square in the left-hand sidebar if there are no unread messages in the channel. -**System Admins**: Restrict deleting public channels to System Admins who are members of the channel. +**False**: Town Square is always visible in the left-hand sidebar even if all messages have been read. -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPublicChannelDeletion": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ExperimentalHideTownSquareinLHS": false`` with options ``true`` and ``false`` for above settings respectively. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Enable private channel creation for +Allow Users to View Archived Channels (Experimental) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in June 16, 2018 release* +**True**: Allows users to view permalinks and search for content of channels that have been archived. Users can only view the content in channels of which they were a member before the channel was archived. -Restrict the permission level required to create private channels. 
+**False**: Users are unable to view permalinks and search for content of channels that have been archived. -**All team members**: Allow all team members to create private channels. ++-------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ViewArchivedChannels": false`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------+ -**Team Admins and System Admins**: Restrict creating private channels to Team Admins and System Admins. +Enable Automatic Replies (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -**System Admins**: Restrict creating private channels to System Admins. +**True**: Users can enable Automatic Replies in Account Settings > Notifications. Users set a custom message that will be automatically sent in response to Direct Messages. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPrivateChannelCreation": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +**False**: Disables the Automatic Direct Message Replies feature and hides it from Account Settings. 
-Enable private channel renaming for -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ExperimentalEnableAutomaticReplies": false`` with options ``true`` and ``false`` for above settings respectively. | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -*Removed in June 16, 2018 release* +Email Settings +~~~~~~~~~~~~~~ -Restrict the permission level required to rename and set the header or purpose for private channels. +Use Channel Name in Email Notifications (Experimental) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +**True**: Channel and team name appears in email notification subject lines. Useful for servers using only one team. -**All channel members**: Allow all channel members to rename private channels. +**False**: Only team name appears in email notification subject line. -**Channel Admins, Team Admins, and System Admins**: Restrict renaming private channels to Channel Admins, Team Admins, and System Admins who are members of the private channel. ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"UseChannelInEmailNotifications": false`` with options ``true`` and ``false`` for above settings respectively. | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -**Team Admins and System Admins**: Restrict renaming private channels to Team Admins and System Admins who are members of the private channel. 
+Client Requirement Settings (Experimental) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -**System Admins**: Restrict renaming private channels to System Admins who are members of the private channel. +Latest Android Version +^^^^^^^^^^^^^^^^^^^^^^^^^ +The latest version of the Android React Native app that is recommended for use. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPrivateChannelManagement": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++-----------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AndroidLatestVersion": ""`` with whole number and decimal input. For example, `1.2.0` | ++-----------------------------------------------------------------------------------------------------------------------------------------+ -Enable managing of private channel members for -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Minimum Android Version +^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The minimum version of the Android React Native app that is required to be used. -*Removed in June 16, 2018 release* ++----------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AndroidMinVersion": ""`` with whole number and decimal input. 
For example, `1.2.0` | ++----------------------------------------------------------------------------------------------------------------------------------------+ -Set policy on who can add and remove members from private channels. +Latest Desktop Version +^^^^^^^^^^^^^^^^^^^^^^^^^^ +The latest version of the desktop app that is recommended for use. -**All team members**: Allow all team members to add and remove members. ++-------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DesktopLatestVersion": ""`` with whole number and decimal input. For example, `1.2.0` | ++-------------------------------------------------------------------------------------------------------------------------------------------+ -**Team Admins, Channel Admins, and System Admins**: Allow only Team Admins, Channel Admins, and System Admins to add and remove members. +Minimum Destop Version +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The minimum version of the desktop app that is required to be used. -**Team Admins, and System Admins**: Allow only Team Admins and System Admins to add and remove members. ++----------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DesktopMinVersion": ""`` with whole number and decimal input. For example, `1.2.0` | ++----------------------------------------------------------------------------------------------------------------------------------------+ -**System Admins**: Allow only System Admins to add and remove members. +Latest iOS Version +^^^^^^^^^^^^^^^^^^^^^^^^^^^ +The latest version of the iOS app that is recommended for use. 
-+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPrivateChannelManageMembers": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++---------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"IosLatestVersion": ""`` with whole number and decimal input. For example, `1.2.0` | ++---------------------------------------------------------------------------------------------------------------------------------------+ -Enable private channel deletion for -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Minimum iOS Version +^^^^^^^^^^^^^^^^^^^^^ +The minimum version of the iOS React Native app that is required to be used. -*Removed in June 16, 2018 release* ++------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"IosMinVersion": ""`` with whole number and decimal input. For example, `1.2.0` | ++------------------------------------------------------------------------------------------------------------------------------------+ -Restrict the permission level required to delete private channels. Deleted channels can be recovered from the database using a `command line tool `__. +Theme Settings (Experimental) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -**All channel members**: Allow all channel members to delete private channels. 
+Enable Theme Selection +^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* -**Channel Admins, Team Admins, and System Admins**: Restrict deleting private channels to Channel Admins, Team Admins, and System Admins who are members of the private channel. +**True:** Enables the **Display** > **Theme** tab in Account Settings so users can select their theme. -**Team Admins and System Admins**: Restrict deleting private channels to Team Admins and System Admins who are members of the private channel. +**False:** Users cannot select a different theme. The **Display** > **Theme** tab is hidden in Account Settings. -**System Admins**: Restrict deleting private channels to System Admins who are members of the private channel. ++-----------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"EnableThemeSelection": true`` with options ``true`` and ``false``. | ++-----------------------------------------------------------------------------------------------------------------+ -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPrivateChannelDeletion": "all"`` with options ``all``, ``channel_admin``, ``team_admin``, and ``system_admin`` for above settings respectively. | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Default Theme +^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* -Allow which users to delete messages -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Set a default theme that applies to all new users on the system. 
-*Removed in June 16, 2018 release* ++-----------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"DefaultTheme": "default"`` with options ``default``, ``organization``, ``mattermostDark`` and ``windows10``. | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------+ -Restrict the permission level required to delete messages. Team Admins, Channel Admins, and System Admins can delete messages only in channels where they are members. Messages can be deleted anytime. +Allow Custom Themes +^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* -**Message authors can delete their own messages, and Administrators can delete any message**: Allow authors to delete their own messages, and allow Team Admins, Channel Admins, and System Admins to delete any message. +**True:** Enables the **Display** > **Theme** > **Custom Theme** section in Account Settings. -**Team Admins and System Admins**: Allow only Team Admins and System Admins to delete messages. +**False:** Users cannot use a custom theme. The **Display** > **Theme** > **Custom Theme** section is hidden in Account Settings. -**System Admins**: Allow only System Admins to delete messages. ++--------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AllowCustomThemes": true`` with options ``true`` and ``false``. 
| ++--------------------------------------------------------------------------------------------------------------+ -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"RestrictPostDelete": "all"`` with options ``all``, ``team_admin`` and ``system_admin`` for above settings respectively. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Allowed Themes +^^^^^^^^^^^^^^^^^^^^^^^^^ +*Available in Enterprise Edition E10 and higher* -Allow users to edit their messages -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Select the themes that can be chosen by users when ``"EnableThemeSelection"`` is set to ``true``. -*Removed in June 16, 2018 release* ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"AllowedThemes": "default"`` with options ``default``, ``organization``, ``mattermostDark`` and ``windows10`` optionally separated by commas. For example, ``["mattermostDark", "windows10"]`` | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Set the time limit that users have to edit their messages after posting. +Display Settings (Experimental) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -**Any time**: Allow users to edit their messages at any time after posting. 
+Timezone +^^^^^^^^^^^^^^^^^^^^^^^^^ +Select the timezone used for timestamps in the user interface and email notifications. -**Never**: Do not allow users to edit their messages. +**True** The Timezone setting is visible in the Account Settings and a time zone is automatically assigned in the next active session. -**{n} seconds after posting**: Users can edit their messages within the specified time limit after posting. The time limit is applied using the config.json setting ``"PostEditTimeLimit"`` described below. +**False** The Timezone setting is hidden in the Account Settings. -+------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"AllowEditPost": "always"`` with options ``always``, ``never``, and ``time_limit`` for above settings respectively. | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"ExperimentalTimezone": false`` with options ``true`` and ``false``. | ++------------------------------------------------------------------------------------------------------------------+ -Post edit time limit -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Supported Timezones Path +^^^^^^^^^^^^^^^^^^^^^^^^^^ +Set the path of the JSON file that lists supported timezones when ``ExperimentalTimezone`` is set to true. -When post editing is permitted, setting ``"PostEditTimeLimit": -1`` allows editing anytime, or setting ``"PostEditTimeLimit"`` to a positive integer restricts editing time in seconds. If post editing is disabled, this setting does not apply. +The file must be in the same directory as your ``config.json`` file if you set a relative path. 
Defaults to ``timezones.json``. -+--------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PostEditTimeLimit": -1`` with whole number input. | -+--------------------------------------------------------------------------------------------------+ ++-----------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"SupportedTimezonesPath": "timezones.json"`` with string input. | ++-----------------------------------------------------------------------------------------------------------------+ -Images +Jobs ~~~~~~~~~~~~~~~~~~~~~~~~~ -Attachment Thumbnail Width -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in July 16th, 2017 release* - -Width of thumbnails generated from uploaded images. Updating this value changes how thumbnail images render in future, but does not change images created in the past. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ThumbnailWidth": 120`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -Attachment Thumbnail Height -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in July 16th, 2017 release* +Settings to configure the how Mattermost schedules and completes periodic tasks such as the deletion of old posts with Data Retention enabled or indexing of posts with Elasticsearch. These settings control which Mattermost servers are designated as a Scheduler, a server that queues the tasks at the correct times, and as a Worker, a server that completes the given tasks. 
-Height of thumbnails generated from uploaded images. Updating this value changes how thumbnail images render in future, but does not change images created in the past. +When running Mattermost on a single machine, both ``RunJobs`` and ``RunScheduler`` should be enabled. Without both of these enabled, Mattermost will not function properly. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ThumbnailHeight": 100`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +When running Mattermost in High Availability mode, ``RunJobs`` should be enabled on one or more servers while ``RunScheduler`` should be enabled on all servers under normal circumstances. A High Availability cluster will have one Scheduler and one or more Workers. See the below sections for more information. -Image Preview Width +Run Jobs ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in July 16th, 2017 release* - -Maximum width of preview image. Updating this value changes how preview images render in future, but does not change images created in the past. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PreviewWidth": 1024`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +Set whether or not this Mattermost server will handle tasks created by the Scheduler. 
-Image Preview Height -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in July 16th, 2017 release* +When running Mattermost on a single machine, this setting should always be enabled. -Maximum height of preview image ("0": Sets to auto-size). Updating this value changes how preview images render in future, but does not change images created in the past. +When running Mattermost in High Availablity mode, one or more servers should have this setting enabled. It is recommended that a High Availability cluster has one or more dedicated Workers with this setting enabled while the remaining Mattermost app servers have it disabled. -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"PreviewHeight": 0`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RunJobs": true`` with options ``true`` and ``false`` for above settings respectively. | ++------------------------------------------------------------------------------------------------------------------------------------+ -Profile Picture Width +Run Scheduler ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in July 16th, 2017 release* - -The width to which profile pictures are resized after being uploaded via Account Settings. +Set whether or not this Mattermost server will schedule tasks that will be completed by a Worker. 
-+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ProfileWidth": 128`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +When running Mattermost on a single machine, this setting should always be enabled. -Profile Picture Height -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -*Removed in July 16th, 2017 release* +When running Mattermost in High Availablity mode, this setting should always be enabled. In a High Availability cluster, exactly one of the servers will be designated as the Scheduler at a time to ensure that duplicate tasks aren't created. See `High Availability documentation `__ for more details. -The height to which profile pictures are resized after being uploaded via Account Settings. ++-----------------------------------------------------------------------------------------------------------------------------------------+ +| This feature's ``config.json`` setting is ``"RunScheduler": true`` with options ``true`` and ``false`` for above settings respectively. | ++-----------------------------------------------------------------------------------------------------------------------------------------+ -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| This feature's ``config.json`` setting is ``"ProfileHeight": 128`` with whole number input. | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
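Review bot: The added ``AllowedThemes`` row in the Allowed Themes section gives the default as a string (``"AllowedThemes": "default"``) but the example as a JSON array (``["mattermostDark", "windows10"]``), so an admin editing ``config.json`` by hand cannot tell which type the server expects. State one type and make the default and the example agree. In the Timezone section just below, the description "Select the timezone used for timestamps" does not match the boolean ``ExperimentalTimezone`` setting, which only shows or hides the option in Account Settings. Reword it as an enable/disable description. The ``**True**`` and ``**False**`` labels there are also missing the trailing colon that other option labels in this file use (for example ``**Any time**:``).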
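Review bot: In the added Jobs section, the ``RunJobs`` and ``RunScheduler`` table rows end with "for above settings respectively", but neither section lists **True**/**False** options above the table, so "respectively" refers to nothing. Either add the two option descriptions or drop the phrase, as the ``ExperimentalTimezone`` row does. The intro also says ``RunScheduler`` should be enabled on all servers and then that a cluster "will have one Scheduler". The sentence that reconciles the two (exactly one server is designated Scheduler at a time) only appears later under Run Scheduler, and would read better in the intro. Wording nits in the same lines: "Settings to configure the how Mattermost schedules" has a stray "the", and "High Availablity" is misspelled in both the Run Jobs and Run Scheduler paragraphs.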