The Systems Management page is used to manage connected systems:
- Systems Management Introduction
- Connected Systems
- Password Enforcement
- Password Policies
- Post Password Reset
- HPAM
- Dictionary
Systems Management Introduction
The Systems (management) page is used to manage connected systems, connected system groups, password policies, high privilege accounts, and the dictionary. A connected system group consists of connected systems where the passwords of user accounts are the same and changing a password in any one account propagates that same password to other accounts in the same group. Connected system groups have a password policy defined. This is the global password policy for all systems in the group. A system can be a member of only one group.
These tables are used by connected systems:
- CONNSYS_ID - Stores all connected systems that have been created.
- PRODUCT_CONNSYS_GROUP - Stores all connected system groups.
- PRODUCT_PWD_POLICY - Stores all password policies.
- PRODUCT_CONNSYS_GROUP_REL - Stores the relationship between the PRODUCT_CONNSYS_GROUP and CONNSYS_ID.
A PWD_POLICY_ID field is included in both the CONNSYS_ID table and PRODUCT_CONNSYS_GROUP table. If a connected system is not added to any existing connected system groups and the particular connected system has a password policy, the CONNSYS_ID table’s PWD_POLICY_ID field will have the value of the attached password policy. If the same connected system has been added to a connected system group and the group has a password policy attached, the password policy of the connected system will be replaced with the password policy of that particular connected system group.
Connected Systems
The Connected Systems page is used to manage both Identity and Provisioning connected systems.
To manage connected systems
- From the Admin UI, click the Systems tab. The Connected System View page displays:
This table lists the available system types that can be added:

| Name | Category | Identity | Provisioning |
|---|---|---|---|
| Accenture ITSM Remedy | Application | No | Yes |
| Active Directory 2008 - Exchange 2007 | Directory Server | Yes | Yes |
| Active Directory 2008 - Exchange 2010 | Directory Server | Yes | Yes |
| Active Directory 2008 - Exchange 2010 - Referral | Directory Server | Yes | Yes |
| Active Directory 2012 - Exchange 2013 - Referral | Directory Server | Yes | Yes |
| Atlassian JIRA | Application | No | Yes |
| Blackboard Learn 9 | Application | Yes | Yes |
| Canvas LMS | Application | No | Yes |
| Fedora Directory Server | Directory Server | Yes | Yes |
| Fischer TAO | Traditional | Yes | Yes |
| Flat File | Traditional | No | Yes |
| Google Apps Multi Domain | Application | Yes | Yes |
| IBM 4690v5 OS | Application | Yes | Yes |
| IBM 4690v5 Supermarket App | Application | Yes | Yes |
| IBM DB2 | Database | No | Yes |
| IBM Informix Database | Database | No | Yes |
| IBM RACF Native | Traditional | Yes | Yes |
| IBM RACF SecureWay | Traditional | Yes | Yes |
| IBM SecureWay Directory Server | Directory Server | Yes | Yes |
| IBM Tivoli Access Manager | Application | Yes | Yes |
| IBM Tivoli Directory Server | Directory Server | Yes | Yes |
| IBM Tivoli Federated Identity Manager | Application | No | Yes |
| Live@edu | Directory Server | Yes | Yes |
| Microsoft Access Database | Database | No | Yes |
| Microsoft Active Directory | Directory Server | Yes | Yes |
| Microsoft ADAM | Directory Server | Yes | Yes |
| Microsoft Dynamics CRM | Application | No | Yes |
| Microsoft Exchange | Directory Server | Yes | Yes |
| Microsoft Office 365 | Application | Yes | Yes |
| Microsoft SharePoint 2010 | Application | No | Yes |
| Microsoft SharePoint Secure Store | Application | Yes | No |
| Microsoft SQL Server | Database | Yes | Yes |
| Microsoft SQL Server 2005 | Database | No | Yes |
| Microsoft SQL Stored Procedure | Database | Yes | No |
| MIT Kerberos | Traditional | Yes | No |
| Moodle | Application | Yes | Yes |
| Moodle 2 OK Tech | Application | Yes | No |
| MS AD 2008 and MS Exchange 2010 Referral | Directory Server | Yes | Yes |
| MySQL Database | Database | No | Yes |
| Novell eDirectory | Directory Server | Yes | Yes |
| OpenDJ Directory Server | Directory Server | Yes | Yes |
| OpenLDAP Directory Server | Directory Server | Yes | Yes |
| Oracle Database | Database | Yes | Yes |
| Oracle E-Business Suite | Application | Yes | Yes |
| Oracle Internet Directory | Directory Server | Yes | Yes |
| PeopleSoft Enterprise | Application | Yes | Yes |
| PIM | Application | No | Yes |
| PostgreSQL | Database | Yes | Yes |
| Progress OpenEdge | Database | No | Yes |
| Progress OpenEdge 10.1 | Database | No | Yes |
| Red Hat Directory Server | Directory Server | Yes | Yes |
| Sage Pro | Traditional | Yes | No |
| Sakai CLE | Application | Yes | Yes |
| Salesforce CRM | Application | Yes | Yes |
| SAP NetWeaver | Application | Yes | Yes |
| SMS PIN | Application | Yes | Yes |
| SMTP Mail | Application | No | Yes |
| Sun iPlanet Directory Server | Directory Server | Yes | Yes |
| Sun Java System Directory Server | Directory Server | Yes | Yes |
| Sun ONE Directory Server | Directory Server | Yes | Yes |
| Sybase Database | Database | Yes | Yes |
| Sybase Stored Procedure | Database | Yes | Yes |
| UNIX SSH | Application | Yes | Yes |
| Unknown | NA | No | Yes |
| WebEx | Application | Yes | Yes |
| Windows Command Line | Application | No | Yes |
| Zimbra | Application | Yes | Yes |
This table defines the Connected System View elements:
Elements and Descriptions
ID: Displays the SYSTEM_ID.
System Name: Displays the name of the connected system. Click the hyperlink to view details.
Display Name: Displays the display name of the connected system.
Type: Displays the type of connected system.
Association: Displays the name of the server or GIG that the connected system is associated with.
Modified User: Displays the name of the user that modified the connected system.
Modified Date: Displays the system date and time when the connected system was modified.
Add: Creates a new connected system.
Copy: Copies the selected connected system to be added as a new connected system. For this button, only one system at a time can be selected.
Delete: Removes the selected connected system(s).
Test Connection: Verifies the connection to the selected connected system. For this button, only one system at a time can be selected.
View Accounts: The Accounts View page displays all accounts for the selected system. For this button, only one system at a time can be selected.
Where Used?: The Connected System Used View page displays where this connected system is used. For this button, only one system at a time can be selected.
Category: View/change object categories associated with the selected connected system.
Modifying a Connected System Type
The Type of a connected system can be changed to another type if both types belong to the same category shown in the system types table above (e.g. Directory Server to Directory Server, Database to Database, etc.). This is a very broad grouping and cannot be used for the workflow executions as the configuration and attributes may not be similar. So, there is another level of grouping within Identity suite where connectors having similar attributes and configuration schema are grouped together such that a task configured for one type can be reused for another type if both belong to the same group. There are two such groups:
Group1 - Microsoft Active Directory, Active Directory 2008 - Exchange 2007, Active Directory 2008 - Exchange 2010, Active Directory 2008 - Exchange 2010 - Referral, Active Directory 2012 - Exchange 2013 - Referral, Microsoft ADAM and Microsoft Exchange.
Group2 - Sun iPlanet Directory Server, Fedora Directory Server, IBM Tivoli Directory Server, Novell eDirectory, Oracle Internet Directory, OpenDJ Directory Server, OpenLDAP Directory Server, Red Hat Directory Server, Sun Java System Directory Server and Sun ONE Directory Server.
There is a separate grouping for triggers. Triggers having similar notification mechanisms and attribute schema are grouped together. There are two such groups:
Group1 - Microsoft Active Directory Trigger, MS Active Directory 2008 Trigger and MS Active Directory 2012 Trigger.
Group2 - OpenDJ Trigger, Fedora Trigger, Novell eDir Trigger and Sun ONE Trigger.
If the connected system type is changed within these groups, the runtime will automatically switch to the new type. Even though types belonging to the same group are similar in attribute and configuration schema, there can be minor differences. In that case, the workflow only needs to be loaded and re-deployed from Studio to update the runtime configuration files.
Note: Modifying a connected system type may require manual changes to existing workflows, user records, user entitlements, triggers, resources, and other features that use that connected system. Before modifying a connected system type, follow the View Accounts and Where Used procedures to determine the impact of this change.
- Select the desired System Name. The Connected System Details page displays, for example:
- To modify an existing system by changing the type of system, from the Type drop-down list, select the new type, and click Update. This message displays:
Warning: Modifying the connected system type may require manual changes to existing workflows, user records, user entitlements, triggers, resources and other features that use this connected system. Use the Where Used? and View Accounts buttons to determine the impact of this change. Do you want to make this change now? Yes No
- Click Yes to continue. This message displays:
Connected System modified successfully.
Note: The Type of a Connected System cannot be modified if the System is configured as the Extended User Profile Information LDAP System. The Type field is disabled for such systems.
View Accounts
- Select a system, and click the View Accounts button. The Accounts View page displays all accounts for the selected system:
Elements and Descriptions
Account Name: Displays the name of the account. Click the hyperlink to display the Account Details page.
Account ID: Displays the DN of the account.
Profile Name: Displays the account profile name. Click the hyperlink to display user profile details.
Type: Displays the type of account.
Start Date: Displays the date the account was created.
End Date: Displays the date the account will stop being operational.
Last Pswd. Change: Displays the date the account password was last changed.
Status: Displays the status of the account.
Note: Clicking a column heading sorts in ascending or descending order.
- Click an Account Name. The Account Details page displays:
Elements and Descriptions
System Name: Displays the name of the connected system that the provisioned account/entitlement belongs to.
Account Name: Displays the name of the account.
Account ID: Displays the identification details (DN or account username) of the provisioned account.
Provisioning Information / Entitlement Information
Policy Name: Displays the name of the policy that assigned the resource, which in turn provisioned the account/entitlement. This value can be NULL, as an account/entitlement can be created without a policy.
Group Name: Displays the name of the group that assigned the policy/resource, which in turn provisioned the account/entitlement. This value can be NULL, as an account/entitlement can be created without a group.
Resource Name: Displays the resource name that provisioned the account/entitlement, if any. This value can be NULL, as an account/entitlement can be created without a resource.
Creation Date: Displays the date the account/entitlement was created.
Process: Displays the information regarding the account creation: Admin Assoc (account association from Password View), Provisioned, Self-Claimed, HPAM, or Legacy (all other processes are considered Legacy).
- Click Back.
- On the Accounts View page, click a Profile Name to view it. The User Details page displays:
Where Used
To display where a connected system is used
- On the Connected System View page, select a system, and click the Where Used? button. The Connected System Used View page displays where this connected system is used:
Elements and Descriptions
Type: Displays the type of object using this connected system.
Name: Displays the name of the object.
Description: Displays the description of the object.
Export to File: Exports the results to a CSV file.
- Click Back to return to the Connected System View page.
For detailed information on managing connected systems, see Managing the Connected System.
Schema
This button is enabled on the Connected System Detail (New) and (Update) pages for 'LDAP' family systems. It displays the schema for the connected system and allows the administrator to add and delete schema elements. A connected system can be configured in Configuration ► IdentityServer ► ExtendedUserProfileInformationLDAPSystem only if the schema is loaded for the system.
- Fill in the 'Connection Information' and 'User Object Classes' on the Connected System Detail (New) & (Update) pages.
- Click the 'Schema' button to display the 'Connected System Schema' page.
Clicking the Refresh button on this page fetches the attributes of the specified object classes from the connected system.
After refreshing the schema, the administrator can add/delete schema elements. Click the Back button and click Update. This saves the schema to the connected system. If the user attempts to delete a schema attribute that is mapped, an error message is displayed when they attempt to update the connected system configuration.
If the schema has already been saved and modified, then clicking the Refresh button causes the schema list to remove any attributes that are not in the system's schema and to add (as new rows) attributes that are in the system's schema but not currently saved.
Once the schema is modified and saved in the connected system, these schema elements/attributes can be used in the extended LDAP column in product attribute mapping, if this system is set as the ExtendedUserProfileInformationLDAPSystem.
- Sorting and searching can be done on the columns Name, Object Class and Type.
Password Enforcement
This page lists the different Password Enforcements created by the identity administrator. Each Password enforcement Configuration needs to specify a password policy, member, connected systems, user groups and password expiry notifications that enforce this password policy. Multiple 'Password Enforcement' configurations are allowed with different priority values assigned to each. An evaluation process determines the password enforcements that a user qualifies for, and if the user qualifies for multiple password enforcement configurations, the enforcement with highest priority will become effective. Enforcing different password policies, for different user accounts in the same connected system, can be achieved through these multiple password enforcement configurations.
Sync Password, Mutual Exclusiveness, Enable/Disable, Priority, Visible to users are the configurable options in addition to connected system members and user groups in a password enforcement configuration.
- SyncPassword - This feature ensures that all the connected systems accounts of a user in a password enforcement have a common password.
- Mutually Exclusive - If a password enforcement is marked as mutually exclusive, the end user cannot use the same password to reset connected system accounts belonging to different enforcements.
- Enable/Disable - This option can enable or disable a password enforcement. Only enabled password enforcements are considered for the evaluation process to determine the qualified password enforcement for a user.
- Priority - Password enforcement configurations are created with an assigned priority. Password policies in higher priority enforcement configuration will be set as the enforced password policy when a user qualifies for multiple enforcement configurations. Two password enforcement configurations can not have the same priority. Priority value range is from 1 to 100 with 100 as the highest priority.
- Visible to users - This checkbox in the connected system members section controls the visibility of user accounts in self-service password reset screens.
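The evaluation described above, as an added example that is not Fischer Identity's own code: only enabled configurations count, the user must match a User Qualification Rule (a user group, or the All Users rule of the Default enforcement), priorities are unique values 1 to 100, and the highest priority wins. Enforcement names, groups and systems are constructed.

```python
"""Added example (not product code): how the password enforcement evaluation
picks the effective enforcement for a user. Names, groups and systems are
constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enforcement:
    name: str
    priority: int                     # 1..100, 100 is the highest
    password_policy: str
    enabled: bool = True
    sync_passwords: bool = False
    mutually_exclusive: bool = False
    member_systems: tuple = ()        # Connected System Members
    user_groups: tuple = ()           # User Qualification Rules


def validate_configuration(enforcements):
    """Enforce the constraints the page states for enforcement configurations."""
    seen = set()
    for e in enforcements:
        if not 1 <= e.priority <= 100:
            raise ValueError(f"{e.name}: priority {e.priority} is outside 1..100")
        if e.priority in seen:
            raise ValueError(f"{e.name}: priority {e.priority} already used")
        if e.mutually_exclusive and not e.sync_passwords:
            raise ValueError(f"{e.name}: Mutually Exclusive requires Sync Passwords")
        seen.add(e.priority)


def qualifying_enforcements(enforcements, user_groups):
    """Enabled enforcements whose user groups include the user, highest priority first."""
    groups = set(user_groups)
    hits = [e for e in enforcements if e.enabled
            and ("All Users" in e.user_groups or set(e.user_groups) & groups)]
    return sorted(hits, key=lambda e: e.priority, reverse=True)


def effective_enforcement(enforcements, user_groups):
    """The enforcement whose password policy applies to the user (None if none qualifies)."""
    validate_configuration(enforcements)
    hits = qualifying_enforcements(enforcements, user_groups)
    return hits[0] if hits else None


# Constructed sample: the Default enforcement created at install plus two others.
# IdentitySystem appears in two enforcements, which is how different users of the
# same connected system end up under different password policies.
SAMPLE = (
    Enforcement("Default", 1, "Standard Passwords",
                member_systems=("IdentitySystem",), user_groups=("All Users",)),
    Enforcement("Finance", 50, "Complex Passwords", sync_passwords=True,
                mutually_exclusive=True,
                member_systems=("IdentitySystem", "Oracle E-Business Suite"),
                user_groups=("Finance Staff",)),
    Enforcement("Privileged", 90, "Complex Passwords", enabled=False,
                member_systems=("Microsoft Active Directory",),
                user_groups=("Domain Admins",)),
)

if __name__ == "__main__":
    for groups in (["Finance Staff"], ["Domain Admins", "Finance Staff"], ["Students"]):
        winner = effective_enforcement(SAMPLE, groups)
        print(groups, "->", winner.name, winner.password_policy)
```

A user in Domain Admins still lands on Finance because the Privileged enforcement is disabled; the disabled entry is ignored rather than winning on priority.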
To manage Password Enforcement Configurations
- From the Admin UI ► Systems tab ► Function Menu, click Password Enforcement. The Password Enforcement Configuration View page displays with the list of Password Enforcements:
Elements and Descriptions
Name: Displays the name of the password enforcement.
Display Name: Displays the display name of the password enforcement.
Description: Displays the description for the password enforcement.
Priority: Each password enforcement created has a unique priority. Priority has values between 1 and 100. If a user qualifies for multiple enforcement configurations, the one with the highest priority will be enforced.
Enabled: Only enabled password enforcement configurations can be evaluated/enforced.
Modified User: Displays the name of the user that modified the password enforcement.
Modified Date: Displays the system date and time when the password enforcement configuration was modified.
Add: Creates a new Password Enforcement.
Copy: Copies a selected password enforcement to be added as a new password enforcement. For this button, only one enforcement at a time can be selected.
Delete: Deletes the selected password enforcement.
User View: This button allows the administrator to select a user, and view the password policies or enforcements the user qualifies for.
- The Password Enforcement Configuration View ► User View button allows the administrator to select a user and view the password enforcements for the selected user. Click the User View button. The Search Users for Password Enforcement Evaluation screen displays:
- Select a user. The Password Enforcement Evaluation for that user displays.
Click the 'View' link to display the password policy details for the user account.
Notes:
- A default enforcement, named Default, is created if a password policy selection is made during Identity install. The Default enforcement contains IdentitySystem as the member connected system and All Users as the user qualification rule. The Identity Administrator can add or delete the member connected systems and user qualification rules.
- You can place IdentitySystem and all of your connected systems into one password enforcement (e.g., Default) to use one common password for all connected systems.
Password Enforcement Configuration Details
These procedures are described:
- Viewing Password Enforcement Configuration Details
- Adding Password Enforcement
- Modifying a Password Enforcement
Viewing Password Enforcement Configuration Details
- From the Password Enforcement Configuration View page, click on the password enforcement name. The Password Enforcement Configuration Detail (Update) page displays:
Elements and Descriptions
Password Enforcement Configuration Detail (Update)
Name: Displays the descriptive name for the password enforcement configuration (e.g., Default). This field cannot be updated after creating a password enforcement.
Locale: Displays the preferred language (default: English).
Display Name: Displays the name of the password enforcement.
Description: Displays a description of the password enforcement.
Password Policy: The password policy selected for this password enforcement configuration.
Search: Select/Click the Search button to display the Password Policy List.
View Rules: Select/Click the View Rules button to display the selected Password Rules in a pop up window.
Priority: Displays the priority assigned to this configuration. This will be a value between 1 & 100. If a user qualifies for multiple enforcements, the highest priority enforcement should be enforced.
Enabled: Will be checked if the enforcement is enabled. Only enabled enforcements will be evaluated during the password enforcement evaluation for a user.
Sync Passwords: If this check box is checked, all connected system accounts for this enforcement configuration will be reset with the same password during the password reset process. Basically the passwords of all accounts in the enforcement will be in sync for an individual account or group.
Mutually Exclusive: If this checkbox is checked, then the user cannot select connected system accounts from another enforcement configuration and enter the same password. This checkbox will be enabled only if the Sync Passwords option is selected.
Connected System Members: This section displays connected systems configured for the password enforcement.
Name: Name of the connected system.
Description: Connected system description.
Visible to Users: This check box controls the visibility of user accounts in self-service password reset screens.
Scramble Password on Expiry: This check box allows the user to choose whether the password of the account needs to be scrambled on expiry.
Master: Selecting this radio button makes the selected connected system the Master connected system of the PEC. When the Password Sync Option is enabled, the Master system in a PEC will be the first connected system to get its password reset. If the Master system password reset fails, then the reset of all other connected systems in the PEC will be skipped. The Master indicator will be displayed in all the areas that allow accounts in a PEC to be selected for password reset.
Add: Adds a connected system to this section.
Note: Please note that connected systems with the "Password Reset By" option set to "External" cannot be added as a member to the password enforcement configuration.
Delete: Deletes a connected system.
User Qualification Rules: This section lists the user groups that qualify for this password enforcement.
UserGroup: Selected user groups for this password enforcement.
Description: Description for the added user group.
Password Expiry Notifications: This section lists the password expiry notifications for this password enforcement.
Days Before Expiry: Number of days prior to password expiry on which notification is sent.
Notification: Name of the notification that is sent on password expiry.
Add: Adds a password expiry notification to this section.
Note: Please note that only notifications with type as "Password" can be added to this section.
Delete: Deletes a password expiry notification.
Edit: Edits a password expiry notification.
Notification after password expired: Notification sent to the user when an account password has expired.
* Denotes required fields.
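The Sync Passwords, Master and Mutually Exclusive behaviour described in the table above, as an added example that is not Fischer Identity's own code. It models one self-service reset of a password enforcement configuration (PEC): with Sync Passwords on, every member account receives the same password, the Master member is reset first and a Master failure skips the remaining members; Mutually Exclusive is read as "one reset may not mix accounts from different enforcements". PEC and member names are constructed and `reset_fn` stands in for the connector call.

```python
"""Added example (not product code): reset sequencing for a PEC with Sync
Passwords, a Master member and Mutually Exclusive set. Constructed data."""
from dataclasses import dataclass


@dataclass
class Member:
    system: str
    master: bool = False


@dataclass
class Pec:
    name: str
    members: list
    sync_passwords: bool = False
    mutually_exclusive: bool = False


def ordered_members(pec):
    """Master first (the radio button allows only one), then the rest in configured order."""
    masters = [m for m in pec.members if m.master]
    if len(masters) > 1:
        raise ValueError(f"{pec.name}: only one Master member is allowed")
    return masters + [m for m in pec.members if not m.master]


def plan_reset(selected_systems, pecs):
    """Group the accounts picked on the reset screen by PEC and apply Mutually
    Exclusive: such a PEC cannot share one reset (one password) with another PEC."""
    chosen = set(selected_systems)
    involved = {p.name: p for p in pecs if any(m.system in chosen for m in p.members)}
    if len(involved) > 1 and any(p.mutually_exclusive for p in involved.values()):
        raise ValueError("mutually exclusive enforcement: pick accounts from one enforcement per reset")
    return involved


def reset_pec(pec, selected_systems, new_password, reset_fn):
    """Reset the accounts of one PEC; returns {system: 'reset' | 'failed' | 'skipped'}."""
    targets = ordered_members(pec)
    if not pec.sync_passwords:            # without sync only the picked accounts change
        targets = [m for m in targets if m.system in selected_systems]
    outcome = {}
    for i, m in enumerate(targets):
        ok = reset_fn(m.system, new_password)   # connector call (stub here)
        outcome[m.system] = "reset" if ok else "failed"
        if m.master and not ok:                 # Master failed: skip everything else
            for rest in targets[i + 1:]:
                outcome[rest.system] = "skipped"
            break
    return outcome


# Constructed sample configuration: Finance syncs passwords across three systems
# with IdentitySystem as Master; Campus is a plain enforcement without sync.
FINANCE = Pec("Finance", sync_passwords=True, mutually_exclusive=True, members=[
    Member("Oracle E-Business Suite"),
    Member("IdentitySystem", master=True),
    Member("Microsoft Active Directory"),
])
CAMPUS = Pec("Campus", members=[Member("Moodle"), Member("Google Apps Multi Domain")])


def run_demo(master_fails=False):
    """Simulate one self-service reset of the Finance PEC against stub connectors."""
    def stub_reset(system, pw):
        return not (master_fails and system == "IdentitySystem")
    plan_reset(["IdentitySystem"], [FINANCE, CAMPUS])
    return reset_pec(FINANCE, ["IdentitySystem"], "N3w-Passw0rd!", stub_reset)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(master_fails=True))
```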
Adding Password Enforcement
- From the Admin UI ► Systems tab, select the Password Enforcement function menu. The Password Enforcement Configuration View page displays. Click the Add button.
- The Password Enforcement Configuration Detail (Add New) page displays:
Elements and Descriptions
Locale: Select the preferred language from the drop-down list. Default is English.
Name: Password Enforcement Name.
Display Name: Password Enforcement display name.
Description: Description of the password enforcement to be created.
Password Policy: Select a password policy for the password enforcement.
Search: Click this to display the Password Policy List to select from.
View Rules: Clicking this button displays the password rules for the selected password policy.
Priority: Assign a priority value to this configuration. This will be a value between 1 and 100. If a user qualifies for multiple enforcements, the password enforcement with the highest priority will be enforced.
Enabled: Check to enable the password enforcement. Only enabled enforcements are evaluated during the password enforcement evaluation for a user.
Sync Passwords: Select this option if passwords for all connected system accounts for this enforcement configuration should be in sync.
Mutually Exclusive: Select this option if the user cannot use this password for resetting connected system accounts from another password enforcement. This option is enabled only if the Sync Passwords option is selected.
- Select connected systems for this password enforcement.
- Under Connected System Members, click the Add button. From the Connected Systems View page, select the connected systems.
Note: Please note that the Connected System View page will not list connected systems created with the "Password Reset By" option set to "External."
Elements and Descriptions
Visible to users: Select this check box to display the user account in this connected system in self-service password reset screens.
Scramble Password on Expiry: Select this check box if the user wants the password of the account to be scrambled on expiry.
Master: Select this radio button to make the selected connected system the Master connected system of the PEC. When the Password Sync Option is enabled, the Master system in a PEC will be the first connected system to get its password reset. If the Master system password reset fails, then the reset of all other connected systems in the PEC will be skipped. The Master symbol will be displayed in all the areas that allow accounts to be selected for password reset.
- Select User Qualification Rules (user groups) for this password enforcement.
- In the User Qualification Rules section, click the Add button. From User Group View, select the user groups.
- Select Password Expiry Notifications for this password enforcement.
- In the Password Expiry Notifications section, click the Add button. Enter the days before expiry and, from the Notifications View, select the notification.
- From the Notifications View, select the notification for expired passwords.
- Click Add. This message displays:
Password Enforcement Configuration added successfully.
Modifying a Password Enforcement
On the Password Enforcement Configuration View page, select the desired password enforcement configuration. The Password Enforcement Configuration Detail (Update) page displays.
Make the desired changes, and click Update to update the changes for the password enforcement configuration, for example:
Password Policies
A password policy can be associated with one or more connected systems that are not in a group. For example, System A and System B have the same password policy but users can reset their passwords on these systems individually.
A password policy can also be associated with one or more connected system groups; a connected system group can only have one password policy associated with it.
If a connected system is a member of a group that has a password policy defined, the connected system cannot have its own policy. If a connected system was associated with a policy and it is later added to a group, a message displays a warning such as: System <name> has <policy name> password policy associated with it. If it is to a group, the group’s password policy will replace the current policy.
This page is used to specify password content and other policies for each of the connected systems or connected system groups.
- From the Admin UI ► Systems tab ► Function Menu, click Password Policies. The Manage Password Policies page displays. Use policies to create rules for establishing user passwords on connected systems. Two default password policies, Standard Passwords and Complex Passwords, are created when Identity is installed.
Policy Details
To view policy details
Click a Policy Name on the Manage Password Policies page. The Password Policy Details page displays:
Elements and Descriptions
Name: Displays the name of the password policy.
Display Name: Displays the display name of the password policy.
Description: Displays the description of the password policy.
Standard Password Policy: Clicking the plus or minus expands/collapses this section. Check the box to enable the standard password policy rules. When enabled, the following rules of the standard policies can be modified.
Visible: The password rule is visible if the check box is checked.
Conditional: The password rule is conditional if the check box is checked.
Length
Minimum: The minimum number of password characters to allow.
Maximum: The maximum number of password characters to allow.
Letters
Allow letters only: Only letters (no numerics or special characters) can be used in passwords.
Must start with a letter: Passwords must begin with an alphabetic character.
Minimum number of letters: The lowest allowable number of letters to be used in passwords. A blank or zero (0) entry indicates that no letters are required.
Maximum number of letters: The highest allowable number of letters to be used in passwords.
Require mixed case: Requires both upper case and lower case password characters.
Minimum number of upper case letters: The lowest allowable number of upper case letters to be used in passwords. A blank or zero (0) entry indicates that no upper case letters are required. The Require mixed case check box must be selected.
Minimum number of lower case letters: The lowest allowable number of lower case letters to be used in passwords. A blank or zero (0) entry indicates that no lower case letters are required. The Require mixed case check box must be selected.
Numbers
Allow numbers only: Only numbers (no letters or special characters) can be used in passwords.
Must start with a number: Passwords must begin with a numeric character.
Minimum number of numerics: The lowest allowable number of numerics to be used in passwords. A blank or zero (0) entry indicates that no numerics are required.
Maximum number of numerics: The highest allowable number of numerics to be used in passwords.
Dictionary
Disallow words found in dictionary when: Disallows using actual words (house, runner, etc.) in passwords. Password cracking programs attempt to guess passwords by trying words found in a dictionary. Dictionary word checking is case-insensitive (i.e., "house", "hOUse", and "HOUSE" are treated as the same word). Note: Go to the Dictionary page to learn how to add words to the dictionary (thereby disallowing their use in passwords), and to remove words from the dictionary (thereby allowing their use in passwords).
Contained within password: Passwords cannot contain a word in the dictionary.
Contained within password (ignore non-letters in password): Passwords cannot contain an embedded word in the dictionary. For example, "h1o2u3se" is invalid because the password becomes "house" when the non-letters are removed, which is a word in the dictionary.
Password starts with word: Passwords cannot start with a word in the dictionary.
Password ends with word: Passwords cannot end with a word in the dictionary.
Minimum length of word to check against: The length of the smallest word that cannot be used in passwords.
Additional: Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc. Notes:
Disallow repeating character sequences: Disallows repeating characters (11, xx, etc.) in passwords. Passwords with repeating characters are easier for password cracking programs to discover.
Minimum number of special characters: The lowest allowable number of special characters to be used in passwords. A blank or zero (0) entry indicates that no special characters are required.
Disallow characters: Special characters to disallow in passwords.
Maximum number of character pairs: The highest allowable number of character pairs (11, xx, etc.) to be used in passwords.
Maximum number of character occurrences: The highest allowable number of occurrences of a single character to be used in passwords.
User Related: Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc. Testing is case insensitive. Names, user IDs, and passwords are converted to lowercase before testing. Notes:
Disallow the user attributes: Use the PICK button to select user attributes. Passwords cannot use these attribute values.
Disallow reverse or circular shift of user attribute: Disallows using:
Disallow rearrangement of user attribute: Passwords cannot use a rearrangement of the selected user attribute values (e.g., j1h4on password for john41 user name).
Length of user attribute to disallow: The lowest allowable number of characters of the selected user attribute values to disallow in passwords.
Disallow the Identity User ID: Passwords cannot use the Identity user ID.
Disallow reverse of Identity User ID: Passwords cannot use the reverse of the Identity user ID.
Disallow rearrangement of Identity User ID: Passwords cannot use a rearrangement of the Identity user ID.
Length of Identity User ID to disallow: The lowest allowable number of characters of the Identity user ID to be used in passwords.
Password Reuse and Age
Allow Password Reuse: Allows users to use previous passwords when changing their password.
Number of passwords to remember: The number of old passwords to remember (and allow) if the Allow Password Reuse check box is selected. For security reasons, a value of 3 or greater should be used.
Minimum Password Age: After a password reset, Identity users should not be allowed to change their password before the number of days set in this field. This rule is enforced for Identity users during password reset from Self-Service and Kiosk pages. This rule is not applicable for password reset from the Admin UI, nor for password reset by OBO users.
Maximum Password Age: The maximum number of days to allow passwords to be used:
Quorum for conditional
Minimum Number of conditional rules to be satisfied: The user can specify the number of conditional rules that must be satisfied.
Custom Password Policy: Clicking the plus or minus expands/collapses this section. Check the box if the standard policy settings are not sufficient for your password policy requirements. This policy will be enforced by Identity Password Manager at runtime during reset password operations. See Custom Password Policy for an example of how a policy can be written.
Description: Enter the description of the Custom Password Policy. Select the preferred language from the drop-down list (the default is English). The description is used in these instances:
Function Name: The name of the JavaScript function that implements the custom policy.
Policy Script: Enter the Custom Password Policy script.
Update: Saves the changes made to this page and returns to the previous page. Note: This button does not display for system defined password policies.
Category: Displays the Object Category Association page listing the default object category associations. Note: This button does not display for system defined password policies.
Test: Tests the password policy against the test password to ensure that it is working as expected. The Test button executes the JavaScript function entered above if the Custom Password Policy check box is selected. On the Test Password Policy page, enter the password to be tested against the password policy then click the Test button. If the given password is not valid, the rule results display. |
* Denotes required fields.
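The character and user-related rules in the table above, written out in plain JavaScript as an added example (this is not Identity's own rule engine or a copy of its code). The policy object, the sample profile, the rule messages and the policy key names are all assumptions made for this example; the host's getAttribute() function is replaced by a lookup into the constructed profile so the file runs stand-alone under Node. The rearrangement check follows the table's own case (j1h4on for john41), and all comparisons are lowercased first, as the table states for user-related testing.

```javascript
// Constructed sample profile; in a real custom policy the host's getAttribute() returns these values.
const SAMPLE_PROFILE = { "First-Name": "John", "Last-Name": "Smith", "Job-Department": "Sales" };
function getAttribute(name) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_PROFILE, name) ? SAMPLE_PROFILE[name] : null;
}

// Constructed policy settings; the keys mirror the rule names in the table above (assumed names).
const SAMPLE_POLICY = {
  disallowRepeatingSequences: false,           // "Disallow repeating character sequences"
  maxCharacterPairs: 1,                        // "Maximum number of character pairs"
  maxCharacterOccurrences: 3,                  // "Maximum number of character occurrences"
  minSpecialCharacters: 1,                     // "Minimum number of special characters"
  disallowCharacters: "<>",                    // "Disallow characters"
  userAttributes: ["First-Name", "Last-Name"], // "Disallow the user attributes"
  disallowReverseOrShift: true,                // "Disallow reverse or circular shift of user attribute"
  disallowRearrangement: true,                 // "Disallow rearrangement of user attribute"
  knownValueMinLength: 4,                      // "Length of user attribute / Identity User ID to disallow"
};

function countCharacterPairs(s) {
  let pairs = 0;
  for (let i = 1; i < s.length; i++) if (s[i] === s[i - 1]) pairs++;
  return pairs;
}

function maxCharacterOccurrences(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  return Math.max(0, ...counts.values());
}

// All rotations of a string other than the string itself ("ohnj", "hnjo", "njoh" for "john").
function circularShifts(s) {
  const shifts = [];
  for (let i = 1; i < s.length; i++) shifts.push(s.slice(i) + s.slice(0, i));
  return shifts;
}

function sortedChars(s) {
  return [...s].sort().join("");
}

// True if any window of the password is an anagram of the value (e.g. "j1h4on" for "john41").
function containsRearrangement(password, value) {
  const key = sortedChars(value);
  for (let i = 0; i + value.length <= password.length; i++) {
    if (sortedChars(password.slice(i, i + value.length)) === key) return true;
  }
  return false;
}

// Tests one known value (a user attribute or the Identity user ID) against the password.
// Both sides are lowercased first, because the table says testing is case insensitive.
function derivedFromKnownValue(password, value, policy) {
  const pw = password.toLowerCase();
  const v = String(value).toLowerCase();
  if (v.length < policy.knownValueMinLength) return false; // values shorter than the threshold are not checked
  if (pw.includes(v)) return true;
  if (policy.disallowReverseOrShift) {
    if (pw.includes([...v].reverse().join(""))) return true;
    if (circularShifts(v).some((shift) => pw.includes(shift))) return true;
  }
  return policy.disallowRearrangement && containsRearrangement(pw, v);
}

// Returns true when the password passes, otherwise a message naming the first failed rule:
// the same contract as the custom policy's testPassword() function described below.
function checkPassword(password, policy, userId) {
  if (policy.disallowRepeatingSequences && /(.)\1/.test(password))
    return "Password cannot contain repeating characters.";
  if (countCharacterPairs(password) > policy.maxCharacterPairs)
    return `Password cannot contain more than ${policy.maxCharacterPairs} character pair(s).`;
  if (maxCharacterOccurrences(password) > policy.maxCharacterOccurrences)
    return `No character may appear more than ${policy.maxCharacterOccurrences} times.`;
  const specials = (password.match(/[^A-Za-z0-9]/g) || []).length;
  if (specials < policy.minSpecialCharacters)
    return `Password must contain at least ${policy.minSpecialCharacters} special character(s).`;
  if ([...policy.disallowCharacters].some((ch) => password.includes(ch)))
    return `Password cannot contain any of: ${policy.disallowCharacters}`;
  for (const attr of policy.userAttributes) {
    const value = getAttribute(attr);
    if (value !== null && derivedFromKnownValue(password, value, policy))
      return `Password cannot be derived from the user's ${attr}.`;
  }
  if (derivedFromKnownValue(password, userId, policy))
    return "Password cannot be derived from the Identity user ID.";
  return true;
}
```

checkPassword("j1h4on!", SAMPLE_POLICY, "john41") is rejected by the rearrangement rule even though the password contains neither the user ID nor its reverse, which is the case the table's example is about; a rule set that only checks substrings would let it through.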
Custom Password Policy
Note that this example uses testPassword as the Function Name; any other name can be used.
/*
 * testPassword() - invoked to see if the password conforms to a user defined policy.
 * Called whenever a user's password is reset.
 *
 * Parameters
 *
 * password - the password to be tested.
 * locale - the preferred locale of any error message.
 *
 * Output:
 * The function should return true if the password meets the user defined password policy.
 * If the password does not meet the user defined policy, then the function should return
 * a string that describes what is wrong with the proposed
 *
 */
function testPassword( password, locale)
{
    // Reject the literal password "test", with a message in the caller's language.
    if (password == 'test')
    {
        if (locale.substr( 0, 2) == 'de')
            return 'Das Passwort kann nicht getestet werden!';
        else if (locale.substr( 0, 2) == 'es')
            return 'Contraseña no puede ser prueba!';
        else
            return 'Password cannot be test!';
    }
    /*
     * The getAttribute( attribute) function is available to access any FUP mapped profile
     * attributes of the user. If the attribute is not mapped, or is not set, then
     * getAttribute() will return null.
     */
    if (getAttribute('Job-Department') == 'Sales' && password.indexOf( 'Sales') != -1)
        return 'Password cannot contain Sales.';
    else
        return true;
}
/*
 * generatePassword() - invoked when the generate password button is clicked in the
 * Admin UI
 *
 * Parameters:
 *
 * password - contains the password generated by the standard password policy rules
 * for this policy. The generatePassword() function can use this password as
 * a starting point.
 *
 * Output:
 * The function should return a password that meets the custom password policy. If
 * Standard Password Policy rules are enabled, the password must also conform to
 * those rules.
 *
 */
function generatePassword( password)
{
    // Override any generated password and return a random number between 0 and 1.
    password = Math.random();
    return password;
}
To create this policy
- Select the Custom Password Policy check box on the Password Policy Details page, then enter the description and function name.
- Copy and paste your JavaScript code into the custom Policy Script field.
- Test the custom policy by clicking the Test button.
- On the Test Password Policy page, enter the password to be tested against the custom policy, then click the Test button:
- If policy validation succeeds, the message Password is valid displays: the entered password met the requirements in the custom JavaScript policy.
- If policy validation fails, the message displayed is based on the JavaScript logic and error message in the JavaScript code.
Post Password Reset
The Post Password Reset feature enables organizations to configure workflows that are to be called after a password reset has occurred. This includes resets from Self-Service, the Admin UI, as well as resets that originate from the Active Directory Password Filter. This feature provides additional flexibility and controls to specify whether the workflow should run on password reset success, failure, or always. It also allows multiple systems to be associated with the workflow. If multiple systems are associated with a single workflow, at the time of password reset, the workflow will be initiated once with information on the systems (and accounts) that were associated with that workflow.
The data passed from Identity to the Provisioning workflow is in XML (root/entry) format. Multiple entries may be present in the XML depending on the number of accounts for which the password has been reset.
The following information is included in the XML data:
- Profile information (product attributes mapped to profile columns) of the Identity
- Product attributes listed below regardless of whether they are mapped:
- Account-ID - Account ID of the account for which the password was reset.
- Account-UserName - Account user name of the account for which the password was reset.
- Account-SystemID - ID of the connected system in which the account exists.
- Account-SystemName - Name of the connected system in which the account exists.
- Account-PasswordEncrypted - Encrypted user password. Note: The password is encrypted in a fashion similar to the Data Mapper rule Encrypt Data.
- Account-PasswordResetBy - PBWUSERID of the user who reset the password.
- Transaction-Status - Status of the password reset operation: 5 for Success, 6 for Failed.
- Transaction-StatusMessage - Empty, if password reset is a success; error message on failure.
- Transaction-ProcessEntry - The value 1 will always be sent.
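How a workflow on the Provisioning side can consume the root/entry XML described above, as an added example (not Identity's or ProvisioningHub's own code). The element names are the ones listed above; the sample document, its values, the placeholder ciphertext and the exact root/entry layout are constructed for this example. The summary it builds deliberately leaves out Account-PasswordEncrypted, since a workflow's own logs should never carry the password in any form, and it applies the Always/Success/Failure choice per entry so a failure-only workflow sees only the accounts that failed.

```javascript
// Constructed sample of the root/entry XML. Element names follow the documentation;
// the layout, values and the placeholder ciphertext are assumed for this example.
const SAMPLE_XML = `<root>
  <entry>
    <Account-ID>1001</Account-ID>
    <Account-UserName>jsmith</Account-UserName>
    <Account-SystemID>7</Account-SystemID>
    <Account-SystemName>CorpAD</Account-SystemName>
    <Account-PasswordEncrypted>ENCRYPTED-VALUE-PLACEHOLDER</Account-PasswordEncrypted>
    <Account-PasswordResetBy>admin01</Account-PasswordResetBy>
    <Transaction-Status>5</Transaction-Status>
    <Transaction-StatusMessage/>
    <Transaction-ProcessEntry>1</Transaction-ProcessEntry>
  </entry>
  <entry>
    <Account-ID>1002</Account-ID>
    <Account-UserName>jsmith</Account-UserName>
    <Account-SystemID>9</Account-SystemID>
    <Account-SystemName>CorpLDAP</Account-SystemName>
    <Account-PasswordEncrypted>ENCRYPTED-VALUE-PLACEHOLDER</Account-PasswordEncrypted>
    <Account-PasswordResetBy>admin01</Account-PasswordResetBy>
    <Transaction-Status>6</Transaction-Status>
    <Transaction-StatusMessage>Connection refused by target &amp; retry exhausted</Transaction-StatusMessage>
    <Transaction-ProcessEntry>1</Transaction-ProcessEntry>
  </entry>
</root>`;

const STATUS_SUCCESS = "5"; // Transaction-Status values from the list above
const STATUS_FAILED = "6";

function decodeXmlText(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, "&");
}

// Minimal parser for the flat root/entry/element structure (no nesting inside an entry,
// no attributes). It is enough for this payload; it is not a general XML parser.
function parseEntries(xml) {
  const normalized = xml.replace(/<([\w-]+)\s*\/>/g, "<$1></$1>"); // expand self-closing tags
  const entries = [];
  const entryRe = /<entry>([\s\S]*?)<\/entry>/g;
  let m;
  while ((m = entryRe.exec(normalized)) !== null) {
    const fields = {};
    const fieldRe = /<([\w-]+)>([\s\S]*?)<\/\1>/g;
    let f;
    while ((f = fieldRe.exec(m[1])) !== null) fields[f[1]] = decodeXmlText(f[2].trim());
    entries.push(fields);
  }
  return entries;
}

// Mirrors the "Execute Workflow On Password Reset" setting: Always, Success or Failure.
function matchesExecutionMode(entry, mode) {
  switch (mode) {
    case "Always": return true;
    case "Success": return entry["Transaction-Status"] === STATUS_SUCCESS;
    case "Failure": return entry["Transaction-Status"] === STATUS_FAILED;
    default: throw new Error(`Unknown execution mode: ${mode}`);
  }
}

// Builds a log-safe summary of the entries the workflow should act on. The encrypted
// password field is intentionally not copied into the summary.
function summarizeResets(xml, mode) {
  return parseEntries(xml)
    .filter((e) => matchesExecutionMode(e, mode))
    .map((e) => ({
      accountId: e["Account-ID"],
      account: e["Account-UserName"],
      systemId: e["Account-SystemID"],
      system: e["Account-SystemName"],
      resetBy: e["Account-PasswordResetBy"],
      succeeded: e["Transaction-Status"] === STATUS_SUCCESS,
      message: e["Transaction-StatusMessage"],
    }));
}
```

With the sample above, summarizeResets(SAMPLE_XML, "Failure") yields only the CorpLDAP entry with its status message, while "Always" yields both; a workflow that needs the encrypted password (for instance to update an IdP attribute, as in the SLF case below) should read it from the parsed entry directly and never place it in the summary or its log output.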
There can be multiple Post Password Reset configurations created representing various systems and workflow combinations. For example, define Post Password Reset Config 1 and associate system A, B, and C with one workflow; and define Post Password Reset Config 2 and associate systems B, C, and D with another workflow.
Note: This is an organization specific feature, so each organization has its own list of configurations. Master Administrators of both the Master Organization and Client Organizations, and Connected System Administrators of both the Master Organization and Client Organizations can see and manage Post Password Reset configurations.
To manage Post Password Reset configurations
- From the Admin UI ► Systems tab ► Function Menu, click Post Password Reset. The Post Password Reset Configuration page displays:
- To create a new Post Password Reset configuration, click the Add/Copy button. The Post Password Reset Configuration Detail (Add) page displays:
- Enter this information:
Elements and Descriptions
Name*: Configuration names are unique and should not be repeated while creating other configurations within the same organization. Name can contain only alphanumerics, hyphens, and underscores. This is mandatory and can have a maximum of 255 characters.
Description: The description or purpose of the configuration. This is optional and can have a maximum of 512 characters.
Enable: To enable the configuration, check this box (default: unchecked).
Note: Individual Post Password Reset configurations can be enabled or disabled if required. Disabling a particular configuration will prevent the workflows from being called.
Systems*: Lists the selected connected systems. When the password reset occurs on these systems, Identity will initiate the workflow specified in the Workflow section.
Add - Displays the Connected System View page. This lists only those connected systems that are configured for password reset by either Users and OBO User or OBO User Only.
Remove - Removes the selected connected system from the list.
Note: To create a Post Password Reset configuration, at least one connected system must be selected.
Workflow*: Displays the selected workflow that will be launched when a password reset occurs on any one of the connected systems listed in the Systems section. The workflow Name and Description (if any) are shown in one field, with the description in parentheses.
Select - Displays the Deployed Workflow List page. This lists deployed workflows that begin with the ProvisioningHub and that are of type Normal and Resource.
For example, the Simulated Login Framework (SLF) feature allows users to single sign-on to Web applications by using the password received from the IdP. This password is stored encrypted as an attribute in the IdP’s LDAP store. If the end user uses Identity to change the password on the target application, the IdP’s LDAP attribute that stores the password is not updated and the SLF process will fail. Therefore, a workflow can be created so that the IdP’s LDAP attribute that stores the password can be updated after the password reset process in Identity.
Execute Workflow On Password Reset: Specify when the workflow should run on password reset: Always (default), Success, or Failure.
Add: Creates a new Post Password Reset configuration with specified connected system(s) and workflow.
* Denotes required fields.
To view/modify the details of a Post Password Reset configuration, click the Name hyperlink. The Post Password Reset Configuration Detail (Update) page displays, where the details (except the name) can be modified.
To delete a Post Password Reset configuration, check the box corresponding to the configuration, and click the Delete button.
HPAM
See the High Privilege Accounts for detailed information on requesting and approving accounts with high privilege.
Dictionary
This page is used to add or remove words from a dictionary to disallow/allow their use in passwords. For example, if Disallow words found in dictionary is selected in a password policy and "house" is in the dictionary, "house" cannot be used as a password under that policy.
To add or remove words from a dictionary
- From the Admin UI ► Systems tab ► Function Menu, click Dictionary. The Password Policy Dictionary page displays:
Elements and Descriptions
Use Standard Dictionary in addition to Custom Dictionary: Use both the standard dictionary included in Identity and the custom dictionary established on this page.
Contents: Displays words that are in the custom dictionary. Words in this field can be deleted from the custom dictionary.
Remove: Removes a custom dictionary word after selecting it in the Contents field.
Enter Words Separated by Space: Select to add words to the custom dictionary.
Word: Enter words to be added to the custom dictionary. Note: Words must be separated by spaces.
Add Words From File: Select to add words from a text file to the custom dictionary.
File Path: Click Browse and select a file. The file is uploaded to the server and the words in the file are added to the custom dictionary.
Note: Words must be separated by spaces or new lines.
Add To Dictionary: Creates the new custom dictionary entry.
- To remove words from the custom dictionary, select one or more words in the Contents field, and click the Remove button.
- To add words to the custom dictionary, perform one of these procedures:
- Select the Enter Comma Separated Words option button, enter the word(s) to add, and click
Or
- Select the Add Words From File option button, click Browse, select a file, and click Add To Dictionary.
A message displays indicating how many words were added to the custom dictionary. A warning message may display if one or more words already exist in the standard or custom dictionary.
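The dictionary behaviour described on this page and the two dictionary rules from the password policy table (Disallow words found in dictionary, Password ends with word, with Minimum length of word to check against), as an added example in plain JavaScript; this is not Identity's own dictionary code. The standard dictionary is a small constructed stand-in, the uploaded file contents and passwords are constructed, and lowercasing of dictionary words is an assumption (the table states case-insensitive testing only for the user-related rules).

```javascript
// Constructed stand-in for the standard dictionary shipped with Identity.
const STANDARD_DICTIONARY = new Set(["house", "password", "summer", "welcome", "the", "admin"]);

// Splits the Word field or an uploaded file into words; both are space/newline separated
// per the notes above. Words are lowercased (assumed: dictionary matching is case insensitive).
function parseWordList(text) {
  return text.split(/\s+/).map((w) => w.toLowerCase()).filter((w) => w.length > 0);
}

// Adds words to the custom dictionary and reports what the UI message would: which words
// were added and which already existed in the standard or custom dictionary.
function addToDictionary(custom, text, useStandard = true) {
  const added = [];
  const duplicates = [];
  for (const word of new Set(parseWordList(text))) {   // de-duplicate the input first
    if (custom.has(word) || (useStandard && STANDARD_DICTIONARY.has(word))) {
      duplicates.push(word);
    } else {
      custom.add(word);
      added.push(word);
    }
  }
  return { added, duplicates };
}

// The words a policy checks against: the custom dictionary alone, or merged with the
// standard one when "Use Standard Dictionary in addition to Custom Dictionary" is set.
function activeWords(custom, useStandard) {
  return useStandard ? new Set([...STANDARD_DICTIONARY, ...custom]) : custom;
}

// Implements "Disallow words found in dictionary" (mode "contains") and "Password ends with
// word" (mode "ends"), honouring "Minimum length of word to check against".
// Returns the offending dictionary word, or null when the password passes.
function findDictionaryWord(password, custom, { useStandard = true, minLength = 4, mode = "contains" } = {}) {
  const pw = password.toLowerCase();
  for (const word of activeWords(custom, useStandard)) {
    if (word.length < minLength) continue;            // too short to be worth checking
    if (mode === "ends" ? pw.endsWith(word) : pw.includes(word)) return word;
  }
  return null;
}
```

Loading "Acme house\nwidget\tProjectX house" into an empty custom dictionary adds acme, widget and projectx and reports house as already present in the standard dictionary; afterwards "MyAcme2024!" fails the contains rule on acme, "Xy7!widget" fails the ends-with rule on widget, and "the9sky!" passes with the default minimum length of 4 because "the" is below it.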