Skip to main content

Systems Management

The Systems Management page is used to manage connected systems:

Systems Management Introduction

The Systems (management) page is used to manage connected systems, connected system groups, password policies, high privilege accounts, and the dictionary. A connected system group consists of connected systems where the passwords of user accounts are the same and changing a password in any one account propagates that same password to other accounts in the same group. Connected system groups have a password policy defined. This is the global password policy for all systems in the group. A system can be a member of only one group.

These tables are used by connected systems:

  • CONNSYS_ID - Stores all connected systems that have been created.
  • PRODUCT_CONNSYS_GROUP - Stores all connected system groups.
  • PRODUCT_PWD_POLICY - Stores all password policies.
  • PRODUCT_CONNSYS_GROUP_REL - Stores the relationship between the PRODUCT_CONNSYS_GROUP and CONNSYS_ID.

A PWD_POLICY_ID field is included in both the CONNSYS_ID table and PRODUCT_CONNSYS_GROUP table. If a connected system is not added to any existing connected system groups and the particular connected system has a password policy, the CONNSYS_ID table’s PWD_POLICY_ID field will have the value of the attached password policy. If the same connected system has been added to a connected system group and the group has a password policy attached, the password policy of the connected system will be replaced with the password policy of that particular connected system group.

Connected Systems

The Connected Systems page is used to manage both Identity and Provisioning connected systems.

To manage connected systems

  1. From the Admin UI, click the Systems tab. The Connected System View page displays:


    This table lists the available system types that can be added:

    Name

    Category

    Identity

    Provisioning

    Accenture ITSM Remedy

    Application

    No

    Yes

    Active Directory 2008 - Exchange 2007

    Directory Server

    Yes

    Yes

    Active Directory 2008 - Exchange 2010

    Directory Server

    Yes

    Yes

    Active Directory 2008 - Exchange 2010 - Referral

    Directory Server

    Yes

    Yes

    Active Directory 2012 - Exchange 2013 - Referral

    Directory Server

    Yes

    Yes

    Atlassian JIRA

    Application

    No

    Yes

    Blackboard Learn 9

    Application

    Yes

    Yes

    Canvas LMS

    Application

    No

    Yes

    Fedora Directory Server

    Directory Server

    Yes

    Yes

    Fischer TAO

    Traditional

    Yes

    Yes

    Flat File

    Traditional

    No

    Yes

    Google Apps Multi Domain

    Application

    Yes

    Yes

    IBM 4690v5 OS

    Application

    Yes

    Yes

    IBM 4690v5 Supermarket App

    Application

    Yes

    Yes

    IBM DB2

    Database

    No

    Yes

    IBM Informix Database

    Database

    No

    Yes

    IBM RACF Native

    Traditional

    Yes

    Yes

    IBM RACF SecureWay

    Traditional

    Yes

    Yes

    IBM SecureWay Directory Server

    Directory Server

    Yes

    Yes

    IBM Tivoli Access Manager

    Application

    Yes

    Yes

    IBM Tivoli Directory Server

    Directory Server

    Yes

    Yes

    IBM Tivoli Federated Identity Manager

    Application

    No

    Yes

    Live@edu

    Directory Server

    Yes

    Yes

    Microsoft Access Database

    Database

    No

    Yes

    Microsoft Active Directory

    Directory Server

    Yes

    Yes

    Microsoft ADAM

    Directory Server

    Yes

    Yes

    Microsoft Dynamics CRM

    Application

    No

    Yes

    Microsoft Exchange

    Directory Server

    Yes

    Yes

    Microsoft Office 365

    Application

    Yes

    Yes

    Microsoft SharePoint 2010

    Application

    No

    Yes

    Microsoft SharePoint Secure Store

    Application

    Yes

    No

    Microsoft SQL Server

    Database

    Yes

    Yes

    Microsoft SQL Server 2005

    Database

    No

    Yes

    Microsoft SQL Stored Procedure

    Database

    Yes

    No

    MIT Kerberos

    Traditional

    Yes

    No

    Moodle

    Application

    Yes

    Yes

    Moodle 2 OK Tech

    Application

    Yes

    No

    MS AD 2008 and MS Exchange 2010 Referral

    Directory Server

    Yes

    Yes

    MySQL Database

    Database

    No

    Yes

    Novell eDirectory

    Directory Server

    Yes

    Yes

    OpenDJ Directory Server

    Directory Server

    Yes

    Yes

    OpenLDAP Directory Server

    Directory Server

    Yes

    Yes

    Oracle Database

    Database

    Yes

    Yes

    Oracle E-Business Suite

    Application

    Yes

    Yes

    Oracle Internet Directory

    Directory Server

    Yes

    Yes

    PeopleSoft Enterprise

    Application

    Yes

    Yes

    PIM

    Application

    No

    Yes

    PostgreSQL

    Database

    Yes

    Yes

    Progress OpenEdge

    Database

    No

    Yes

    Progress OpenEdge 10.1

    Database

    No

    Yes

    Red Hat Directory Server

    Directory Server

    Yes

    Yes

    Sage Pro

    Traditional

    Yes

    No

    Sakai CLE

    Application

    Yes

    Yes

    Salesforce CRM

    Application

    Yes

    Yes

    SAP NetWeaver

    Application

    Yes

    Yes

    SMS PIN

    Application

    Yes

    Yes

    SMTP Mail

    Application

    No

    Yes

    Sun iPlanet Directory Server

    Directory Server

    Yes

    Yes

    Sun Java System Directory Server

    Directory Server

    Yes

    Yes

    Sun ONE Directory Server

    Directory Server

    Yes

    Yes

    Sybase Database

    Database

    Yes

    Yes

    Sybase Stored Procedure

    Database

    Yes

    Yes

    UNIX SSH

    Application

    Yes

    Yes

    Unknown

    NA

    No

    Yes

    WebEx

    Application

    Yes

    Yes

    Windows Command Line

    Application

    No

    Yes

    Zimbra

    Application

    Yes

    Yes

    This table defines the Connected System View elements:

    Elements and Descriptions

    ID: Displays the SYSTEM_ID.

    System Name: Displays the name of the connected system. Click the hyperlink to view details.

    Display Name: Displays the display name of the connected system.

    Type: Displays the type of connected system.

    Association: Displays the name of the server or GIG that the connected system is associated with.
    Modified User: Displays the name of the user that modified the connected system.

    Modified Date: Displays the system date and time when the connected system was modified.

    Add: Creates a new connected system.

    Copy: Copies the selected connected system to be added as a new connected system. For this button, only one system at a time can be selected.

    Delete: Removes the selected connected system(s).

    Test Connection: Verifies the connection to the selected connected system. For this button, only one system at a time can be selected.
    View Accounts: The Accounts View page displays all accounts for the selected system. For this button, only one system at a time can be selected.

    Where Used?: The Connected System Used View page displays where this connected system is used. For this button, only one system at a time can be selected.

    Where Used?: The Connected System Used View page displays where this connected system is used. For this button, only one system at a time can be selected.
    Category: View/change object categories associated with the selected connected system.

    Modifying a Connected System Type

    The Type of a connected system can be changed to another type if both types belong to the same category shown in the system types table above (e.g. Directory Server to Directory Server, Database to Database, etc.). This is a very broad grouping and cannot be used for the workflow executions as the configuration and attributes may not be similar. So, there is another level of grouping within Identity suite where connectors having similar attributes and configuration schema are grouped together such that a task configured for one type can be reused for another type if both belong to the same group. There are two such groups:

    Group1 - Microsoft Active Directory, Active Directory 2008 - Exchange 2007, Active Directory 2008 - Exchange 2010, Active Directory 2008 - Exchange 2010 - Referral, Active Directory 2012 - Exchange 2013 - Referral, Microsoft ADAM and Microsoft Exchange.

    Group2 - Sun iPlanet Directory Server, Fedora Directory Server, IBM Tivoli Directory Server, Novell eDirectory, Oracle Internet Directory, OpenDJ Directory Server, OpenLDAP Directory Server, Red Hat Directory Server, Sun Java System Directory Server and Sun ONE Directory Server.

    There is a separate grouping for triggers. Triggers having similar notification mechanisms and attribute schema are grouped together. There are two such groups:

    Group1 - Micorsoft Active Directory Trigger, MS Active Directory 2008 Trigger and MS Active Directory 2012 Trigger.

    Group2 - OpenDJ Trigger, Fedora Trigger, Novell eDir Trigger and Sun ONE Trigger.

    If the connected system type is changed within these groups, runtime will automatically switch to the new type. Even if types belonging to the same group are similar in attribute and configuration schema, there can be minor differences. In that case, we just need to load and re-deploy the workflow from Studio to update the runtime configurations files.

    Note: Modifying a connected system type may require manual changes to existing workflows, user records, user entitlements, triggers, resources, and other features that use that connected system. Before modifying a connected system type, follow the View Accounts and Where Used procedures to determine the impact of this change.

  2. Select the desired System Name. The Connected System Details page displays, for example:



  3. To modify an existing system by changing the type of system, from the Type drop-down list, select the new type, and click Update. This message displays:

    Warning: Modifying the connected system type may require manual changes to existing workflows, user records, user entitlements, triggers, resources and other features that use this connected system. Use the Where Used? and View Accounts buttons to determine the impact of this change. Do you want to make this change now? Yes No

  4. Click Yes to continue. This message displays:

    Connected System modified successfully.

    Note: Type of a Connected System Can't be modified if the System is configured as Extended User Profile Information LDAP System. The Type field will be disabled for such systems.

View Accounts

  1. Select a system, and click the View Accounts The Accounts View page displays all accounts for the selected system:



    Elements and Descriptions

    Account Name: Displays the name of the account. Click the hyperlink to display the Account Details page.

    Account ID: Displays the DN of the account.

    Profile Name: Displays the account profile name. Click the hyperlink to display user profile details.

    Type: Displays the type of account.

    Start Date: Displays the date the account was created.
    End Date: Displays the date the account will end being operational.
    Last Pswd. Change: Displays the date the account password was last changed.

    Status: Displays the status of the account.
    Note: Clicking a column heading sorts in ascending or descending order.

  2. Click an Account Name to The Account Details page displays:



    Elements and Descriptions

    System Name: Displays the name of the connected system that the provisioned account/ entitlement belongs to.

    Account Name: Displays the name of the account.
    Account ID: isplays the identification details (DN or account username) of the account provisioned.

    Provisioning Information / Entitlement Information

    Policy Name: Displays the name of the policy that assigned the resource, which in turn provisioned the account/entitlement. This value can be NULL as account/ entitlement can be created without a policy.

    Group Name: Displays the name of the group that assigned the policy/resource, which in turn provisioned the account/entitlement. This value can be NULL as account/ entitlement can be created without a group.

    Resource Name: Displays the resource name that provisioned the account/entitlement, if any. This value can be NULL as account/entitlement can be created without a resource.

    Creation Date: Displays the date the account/entitlement was created.
    Process: Displays the information regarding the account creation: Admin Assoc (account association from Password View), Provisioned, Self-Claimed, HPAM, or Legacy (all other processes are considered Legacy).
  3. Click Back.

On the Accounts View page, click a Profile Name to view. The User Details page displays:

Where Used

To display where a connected system is used

  1. On the Connected System View page, select a system, and click the Where Used? button. The Connected System Used View page displays where this connected system is used:



    Elements and Descriptions

    Type: Displays the type of object using this connected system.

    Name: Displays the name of the object.
    Description: Displays the description of the object.

    Export to File: Exports the results to a CSV file.


  2. Click Back to return to the Connected System View page.
    For detailed information on managing connected systems, see Managing the Connected System.

Schema

This button will be enabled in Connected System Detail (New) and (Update) pages for 'LDAP' family systems. This will display the schema for the connected system and allows administrator to add and delete the schema elements. A connected system can be configured in Configuration _ IdentityServer ► ExtendedUserProfileInformationLDAPSystem only if schema is loaded for the system.

  1. Fill in the 'Connection Information' and 'User Object Classes' in Connected System Detail (New) & (Update) pages.

  2. Click on the 'Schema' button to display the 'Connected System Schema' page.

  3. Clicking the Refresh button on this page will fetch the attributes of the specified object classes from the connected system.



  4. After refreshing the schema, administrator can add/delete schema elements. Click the Back button and click Update. This will save the schema to the connected system If the user attempts to delete a schema attribute that is mapped, an error message will be displayed when they attempt to update the connected system configuration.

  5. If the schema has already been saved and modified, then clicking the Refresh button will cause the schema list to remove any attributes that are not in the system’s schema and add (as new rows) attributes that are in the system’s schema, but not currently saved.

  6. Once the schema is modified and saved in the connected system, these schema elements/ attributes can be used in extended ldap column in product attribute mapping, if this system is set as the ExtendedUserProfileInformationLDAPSystem.

  7. Sorting and Searching can be done on the columns Name, Object Class and Type.

Password Enforcement

This page lists the different Password Enforcements created by the identity administrator. Each Password enforcement Configuration needs to specify a password policy, member, connected systems, user groups and password expiry notifications that enforce this password policy. Multiple 'Password Enforcement' configurations are allowed with different priority values assigned to each. An evaluation process determines the password enforcements that a user qualifies for, and if the user qualifies for multiple password enforcement configurations, the enforcement with highest priority will become effective. Enforcing different password policies, for different user accounts in the same connected system, can be achieved through these multiple password enforcement configurations.

Sync Password, Mutual Exclusiveness, Enable/Disable, Priority, Visible to users are the configurable options in addition to connected system members and user groups in a password enforcement configuration.

  • SyncPassword - This feature ensures that all the connected systems accounts of a user in a password enforcement have a common password.
  • Mutually Exclusive - If a password enforcement is marked as mutually exclusive, the end user cannot use the same password to reset connected system accounts belonging to different enforcements.
  • Enable/Disable - This option can enable or disable a password enforcement. Only enabled password enforcements are considered for the evaluation process to determine the qualified password enforcement for a user.
  • Priority - Password enforcement configurations are created with an assigned priority. Password policies in higher priority enforcement configuration will be set as the enforced password policy when a user qualifies for multiple enforcement configurations. Two password enforcement configurations can not have the same priority. Priority value range is from 1 to 100 with 100 as the highest priority.
  • Visible to users - This checkbox in the connected system members section controls the visibility of user accounts in self-service password reset screens.

To manage Password Enforcement Configurations

  1. From the Admin UI ► Systems tab ► Function Menu, click Password Enforcement. The Password Enforcement Configuration View page displays with the list of Password Enforcements:



    Elements and Descriptions

    Name: Displays the name of the password enforcement.

    Display Name: Displays the display name of the the password enforcement.

    Description: Displays the description for the password enforcement.

    Priority: Each password enforcement created has a unique priority. Priority has values between 1- 100. If a user qualifies for multiple enforcement configurations, the one with the highest priority will be enforced.

    Enabled: Only enabled password enforcement configurations can be evaluated / enforced.

    Modified User: Displays the name of the user that modified the password enforcement.

    Modified Date: Displays the system date and time when the password enforcement configuration was modified.

    Add: Creates a new Password Enforcement.

    Copy: Copies a selected password enforcement to be added as a new password enforcement . For this button, only one enforcement at a time can be selected .

    Delete: Deletes the selected password enforcement.
    User View: This button allows the administrator to select a user, and view the password policies or enforcements the user qualifies for.
  2. Password Enforcement Configuration View ► User View button allows the administrator to select a user and view the password enforcements for the selected user. Click/Select the UserView button.

    The Search Users for Password Enforcement Evaluation screen displays:



  3. Select a user and Password Enforcement Evaluation for that user displays.




    Click on 'View' link to display the password policy details for the user account.

    Notes:

    • A default enforcement, named Default, is created if a password policy selection is made during Identity install. The Default enforcement contains IdentitySystem as the member connected system and All Users as the user qualification rule. The Identity Administrator can add or delete the member connected systems and user qualification rules.
    • You can place IdentitySystem and all of your connected systems into one password enforcement (e.g., Default) to use one common password for all connected systems.

    Password Enforcement Configuration Details

    These procedures are described:

  4. From the Password Enforcement Configuration View page, click on the password enforcement name. The Password Enforcement Configuration Detail (Update) page displays:



    Elements and Descriptions

    Password Enforcement Configuration Detail (Update)

    Name: Displays the descriptive name for the password enforcement configuration (e.g., Default). This field cannot be updated after creating a password enforcement.

    Locale: Displays the preferred language (default: English).

    Display Name: Displays the name of the password enforcement.

    Description: Displays a description of the password enforcement.

    Password Policy: The password policy selected for this password enforcement configuration.

    Search: Select/Click the Search button to display the Password Policy List.

    View Rules: Select/Click the View Rules button to display the selected Password Rules in a pop up window.

    Priority: Displays the priority assigned to this configuration. This will be a value between 1 & 100. If a user qualifies for multiple enforcements, the highest priority enforcement should be enforced.

    Enabled: Will be checked if the enforcement is enabled. Only enabled enforcements will be evaluated during the password enforcement evaluation for a user.

    Sync Passwords: If this check box is checked, all connected system accounts for this enforcement configuration will be reset with the same password during the password reset process. Basically the passwords of all accounts in the enforcement will be in sync for an individual account or group.

    Mutually Exclusive: If this checkbox is checked, then the user cannot select connected system accounts from another enforcement configuration and enter the same password. This checkbox will be enabled only if the Sync Passwords option is selected.

    Connected System Members: This section displays connected systems configured for the password enforcement.

    Name: Name of the connected system.

    Description: Connected system description.

    Visible to Users: This check box controls the visibility of user accounts in self-service password reset screens.

    Scramble Password on Expiry: This check box allows the user to choose if the password of the account need to be scrambled up on expiry.

    Master: Selecting this radio button makes the selected connected system the Master connected system of the PEC. When the Password Sync Option is enabled, the Master system in a PEC will be the first connected system to get its password reset. If the Master system password reset fails, then reset of all other connected systems in the PEC will be skipped. The Master indicator will be displayed in all the areas that allow accounts in PEC to be selected for password reset.

    Add: Adds a connected system to this section.

    Note: Please note that connected systems with "Pass word Reset By" options set to "External" cannot be added as a memeber to the password enforcement configuration.
    Delete: Deletes a connected system

    User Qualification Rules: This section lists the user groups that qualifies for this password enforcement.

    UserGroup: Selected user groups for this password enforcement.

    Description: Description for the added user group.

    Password Expiry Notifications: This section lists the password expiry notifications for this password enforcement.

    Days Before Expiry: Number of days prior to password expiry on which notification is sent.
    Notification: Name of the notification that is sent on password expiry.

    Add: Adds a password expiry notification to this section. 

    Note: Please note that only notifications with type as "Password" can be added to this section.

    Delete: Deletes a password expiry notification.
    Edit: Edits a password expiry notification.

    Notification after password expired: Notification sent to the user when an account password has expired.

    * Denotes required fields.

Adding Password Enforcement

  1. From AdminU ► Systems select Password Enforcement function menu. The Password Enforcement Configuration View page displays. Click the Add button.

  2. The Password Enforcement Configuration Detail (Add New) page displays:



    Elements and Descriptions

    Locale: Select the preferred language from the drop down list . Default is English.

    Name: Password Enforcement Name.

    Display Name: Password Enforcement display name.
    Description: Description of the password enforcement to be created.
    Password Policy: Select a password policy for the password enforcement.

    Search: Click on this to display the Password Policy List to select from.

    View Rules: Clicking this button will display the password rules for the selected password policy.

    Priority: Assign a priority value to this configuration. This will be a value between 1 & 100. If a user qualifies for multiple enforcements, the password enforcement with highest priority will be enforced.

    Enabled: Check to enable the password enforcement. Only enabled enforcements will be evaluated during the password enforcement evaluation for a user.

    Sync Passwords: Select this option if passwords for all connected system accounts for this enforcement configuration should be in sync .
    Mutually Exclusive: Select this option, if the user cannot use this password for resetting connected system accounts from another password enforcement. This option will be enabled only if the Sync Passwords option is selected.
  3. Select connected systems for this password enforcement.

  4. Under Connected System Members click on Add button. From Connected Systems View page select the connected systems.

    Note: Please note that the Connected System View page will not be listing connected systems created with “Password Reset By” option set to “External.”



    Elements and Descriptions

    Visible to users: Select this check box to display the user account in this connected system in self- service password reset screens.

    Scramble Password on Expiry: Select this check box if the user want the password of the account to be scrambled up on expiry.
    Master: Select this radio button to make the selected connected system the Master connected system of the PEC. When the Password Sync Option is enabled, the Master system in a PEC will be the first connected system to get its password reset. If the Master system password reset fails, then reset of all other connected systems in the PEC will be skipped. The Master symbol will be displayed in all the areas that allow accounts to be selected for password reset.
  5. Select User Qualification Rules (user groups) for this password enforcement.

  6. In section User Qualification Rules click the Add button. From User Group View, select the user groups.

  7. Select Password Expiry Notifications for this password enforcement.

  8. In the section Password Expiry Notifications click the Add button. Enter the days before expiry and from the Notifications View, select the notification.

  9. From the Notifications View select the notification for expired passwords.

  10. Click Add. This message displays:

    Password Enforcement Configuration added successfully.

Modifying a Password Enforcement

  1. On the Password Enforcement Configuration View page, select the desired password enforcement configuration. The Password Enforcement Configuration Detail (Update) page displays.

  2. Make the desired changes, and click Update to update the changes for the password enforcement configuration, for example:

Password Policies

A password policy can be associated with one or more connected systems that are not in a group. For example, System A and System B have the same password policy but users can reset their passwords on these systems individually.

A password policy can also be associated with one or more connected system groups; a connected system group can only have one password policy associated with it.

If a connected system is a member of a group that has a password policy defined, the connected system cannot have its own policy. If a connected system was associated with a policy and it is later added to a group, a message displays a warning such as: System <name> has <policy name> password policy associated with it. If it is to a group, the group’s password policy will replace the current policy.

This page is used to specify password content and other policies for each of the connected systems or connected system groups.

  • From the Admin UI  Systems tab  Function Menu, click Password Policies. The Manage Password Policies page displays.  Use policies to create rules for establishing user passwords on connected systems. Two default password policies, Standard Passwords and Complex Passwords, are created when Identity is installed.

    Policy Details

    To view policy details


Click a Policy Name on the Manage Password Policies The Password Policy Details page displays:



Elements and Descriptions

Name: Displays the name of the password policy.

Display Name: Displays the display name of the password policy.

Description: Displays the description of the password policy.

Standard Password Policy: Clicking the plus or minus expands/collapses this section. Check the box to enable the standard password policy rules. When enabled, the following rules of the standard policies can be modified.

Visible: Password rule should be visible if the check box is checked.

Conditional: Password Rule should be conditional if the check box is checked.

Length

Minimum: The minimum number of password characters to allow.

Maximum: The maximum number of password characters to allow.

Letters

Allow letters only: Only letters (no numerics or special characters) can be used in passwords.

Must start with a letter: Passwords must begin with an alphabetic character.

Minimum number of lettersThe lowest allowable number of letters to be used in passwords. A blank or zero (0) entry indicates that no letters are required.

Maximum number of lettersThe highest allowable number of letters to be used in passwords.

Require mixed caseRequires both upper case and lower case password characters.

Minimum number of upper case letter: The lowest allowable number of upper case letters to be used in passwords. A blank or zero (0) entry indicates that no upper case letters are required. The Require mixed case check box must be selected.

Minimum number of lower case lettersThe highest allowable number of upper case letters to be used in passwords. A blank or zero (0) entry indicates that no lower case letters are required. The Require mixed case check box must be selected.

Numbers

Allow numbers onlyOnly numbers (no letters or special characters) can be used in passwords.

Must start with a numberPasswords must begin with a numeric character.

Minimum number of numericsThe lowest allowable number of numerics to be used in passwords. A blank or zero (0) entry indicates that no numerics are required.

Maximum number of numericsThe highest allowable number of numerics to be used in passwords.

Dictionary

Disallow words found in dictionary when: Disallows using actual words (house, runner, etc.) in passwords. Password cracking programs attempt to guess passwords by trying words found in a dictionary. Dictionary word checking is case in- sensitive (i.e., "house", "hOUse", and "HOUSE" are treated as the same word). 

Note: Go to the Dictionary page to learn how to add words to the dictionary (thereby disallowing their use in passwords), and to remove words from the dictionary (thereby allowing their use in passwords).

Contained within password: Passwords cannot contain a word in the dictionary.

Contained within password (ignore non-letters in password)Dictionary: Passwords cannot contain an embedded word in the dictionary. For example, "h1o2u3se" is invalid because the password becomes "house" when the non-letters are removed, which is a word in the dictionary.

Password starts with wordPasswords cannot start with a word in the dictionary.

Password ends with wordPasswords cannot end with a word in the dictionary.

Minimum length of word to check against: The length of the smallest word that cannot be used in passwords.

Additional: Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc.

Notes:

  • The Admin UI Add Profile feature does not enforce the user ID part of this rule.

  • The Self-Service Self-Registration feature only enforces the user ID part of this rule if the user ID attribute - primary is present as one of the fields in the Self-Registration UI.

  • This rule is only enforced for the Identity account and profile of the user.

Disallow repeating character sequences: Disallows repeating characters (11, xx, etc.) in passwords. Passwords with repeating characters are easier for password cracking programs to discover.

Minimum number of special characters: The lowest allowable number of special characters to be used in passwords. A blank or zero (0) entry indicates that no special characters are required.

Disallow characters: Special characters to disallow in passwords.

Maximum number of character pairs: The highest allowable number of character pairs (11, xx, etc.) to be used in passwords.

Maximum number of character occurrences: The highest allowable number of occurrences of a single character to be used in passwords.

User Related: Password cracking programs often attempt to guess passwords by trying known information about the user such as first name, last name, ID, etc. Testing is case insensitive. Names, user IDs, and passwords are converted to lowercase before testing.

Notes:

  • The Admin UI Add Profile feature does not enforce the user ID part of this rule.

  • The Self-Service Self-Registration feature only enforces the user ID part of this rule if the user ID attribute primary is present as one of the fields in the Self-Registration UI.

  • This rule is only enforced for the Identity account and profile of the user.

Disallow the user attributes: Use PICK button to select user attributes. Passwords cannot use these attributes value.

Disallow reverse or circular shift of user attribute: 

Disallows using:

  • Reverse of the selected user attributes value or ID for passwords (e.g., 14nhoj

  • password for john41 user name).

  • Circular shift of the selected user attributes value or ID for passwords (e.g., 1john4

  • password for john41 user name).

Disallow rearrangement of user attribute: Passwords cannot use a rearrangement of selected user attributes value (e.g.,j1h4on password for john41 user name).

Length of user attribute to disallow: The lowest allowable number of characters of the selected user attributes value to disallow in passwords.

Disallow the Identity User ID: Passwords cannot use the Identity user ID.

Disallow reverse of Identity User ID: Passwords cannot use the reverse of the Identity user ID. 

Disallow rearrangement of Identity User ID: Passwords cannot use a rearrangement of the Identity user ID.

Length of Identity User ID to disallow: The lowest allowable number of characters of the Identity user ID to be used in passwords.

Password Reuse and Age

Allow Password Reuse Allows users to use previous passwords when changing their password.

Number of passwords to remember: The number of old passwords to remember (and allow) if the Allow Password Reuse check box is selected. For security reasons, a value of 3 or greater should be used.

Minimum Password Age: After a password reset, Identity users should not be allowed to change their password before the number of days set in this field. This rule is enforced for Identity users during password reset from Self-Service and Kiosk pages. This rule is not applicable for password reset from Admin UI and also password reset by OBO users.

Maximum Password Age: The maximum number of days to allow passwords to be used:

  • Standard Passwords - The default is 90
  • Complex Passwords - The default is 30 days.

Quorum for conditional

Minimum Number of conditional rules to be satisfied: User can specify the number of conditional rules to be satisfied.

Custom Password Policy

Clicking the plus or minus expands/collapses this section.

Check the box if the standard policy settings are not sufficient for your password policy requirements. This policy will be enforced by Identity Password Manager at runtime during reset password operations.


The custom policy must be written in JavaScript. Any text editor such as Notepad can be used to create it and then copy/paste the data into the Policy Script field. These are the requirements of custom policies:

  • Must be written using JavaScript.
  • Must return the string "true" or Boolean "True" if the password policy validation succeeded,
  • If the custom password policy validation fails, it must return the error message as a string or the Boolean "False".

See Custom Password Policy for an example of how a policy can be written.

Description: Enter the description of the Custom Password Policy. Select the preferred language from the drop-down list (the default is English). The description is used in these instances:

  • When the View password policy link is clicked and the custom password policy is enabled.
  • When the custom password validation fails. The description should contain the "{0}" characters to indicate where in the description the error message is to be inserted, if it fails. For example, a description might be: Custom policy: {0}

Function Name: The name of the JavaScript function that implements the custom policy.

Policy Script: Enter the Custom Password Policy script.

Update: Saves the changes made to this page and returns to the previous page. Note: This button does not display for system defined password policies.

Category: Displays the Object Category Association page listing the default object category associations. Note: This button does not display for system defined password policies.
Test: Tests the password policy against the test password to ensure that it is working as expected. The Test button executes the JavaScript function entered above if the Custom Password Policy check box is selected. On the Test Password Policy page, enter the password to be tested against the password policy then click the Test button. If the given password is not valid, the rule results display.

* Denotes required fields.

Custom Password Policy


Note that this example uses testPassword as the Function Name; any other name can be used.

/*
  *  testPassword() - invoked to see if the password conforms to a user defined policy.
  *        Called whenever a user's password is reset.
  *
  * Parameters
  *
  *     password - the password to be tested.
  *     locale - the preferred locale of any error message.
  *
  * Output;
  *    The function should return true if the password meets the user defined password policy.
  *     If the password does not meet the user defined policy, then the function should return
  *     a string that describes what is wrong with the proposed

*

*/

function testPassword( password, locale)

{

        if (password == 'test')

        {

               if (locale.substr( 0, 2) == 'de')

                      return 'Das Passwort kann nicht getestet werden!';
               else if (locale.substr( 0, 2) == 'es')

                      return 'Contrase?a no puede ser prueba!';

               else

                      return 'Password cannot be test!';

        }

        /*

          * The getAttribute( attribute) function is available to access any FUP mapped profile
          * attributes of the user. If the attribute is not mapped, or is not set, then
          * getAttribute() will return null.

          */

         if (getAttribute('Job-Department') == 'Sales' && password.indexOf( 'Sales') != -1)
            return 'Password cannot contain Sales.';

         else

           return true;

}

 /*

   * generatePassword() - invoked when the generate password button is clicked in the
   *          Admin UI
   *

   * Parameters:

*

   * password - contains the password generated by the standard password policy rules
   *         for this policy. The generatePassword() function can use this password as
   *         a starting point.
   *
   * Output:

 *        Standard Password Policy rules are enabled, the password must also conform to *        The function should return a password that meets the custom password policy. If

 *        those rules

*

*/

function generatePassword( password)

{

        // override any generated password and return a random number between 0 and 1.
         password = Math.random();

         return password;

}

To create this policy

  1. Select the Custom Password Policy check box on the Password Policy Details Enter the description and function name.

  2. Copy and paste your JavaScript code into the custom Policy Script field.
  3. Test the custom policy by clicking the Test button.

  4. On the Test Password Policy page, enter the password to be tested against the custom policy then click the Test button:
  • If policy validation succeeds, the message Password is valid displays. The entered password met the requirements in the custom JavaScript policy.
  • If policy validation fails, the message displayed is based on the JavaScript logic and error message in the JavaScript code.

Post Password Reset

The Post Password Reset feature enables organizations to configure workflows that are to be called after a password reset has occurred. This includes resets from Self-Service, the Admin UI, as well as resets that originate from the Active Directory Password Filter. This feature provides additional flexibility and controls to specify whether the workflow should run on password reset success, failure, or always. It also allows multiple systems to be associated with the workflow. If multiple systems are associated with a single workflow, at the time of password reset, the workflow will be initiated once with information on the systems (and accounts) that were associated with that workflow.

The data passed from Identity to the Provisioning workflow is in XML (root/entry) format. Multiple entries may be present in the XML depending on the number of accounts for which the password has been reset.

The following information is included in the XML data:

  • Profile information (product attributes mapped to profile columns) of the Identity
  • Product attributes listed below regardless of whether they are mapped:
    • Account-ID - Account ID of the account for which the password was reset.
    • Account-UserName - Account user name of the account for which the password was reset.
    • Account-SystemID - ID of the connected system in which the account exists. 
    • Account-SystemName - Name of the connected system in which the account exists.
    • Account-PasswordEncrypted - Encrypted user password. Note: The password is encrypted in a fashion similar to the Data Mapper rule Encrypt Data.
    • Account-PasswordResetBy - PBWUSERID of the user who reset the passeord.
    • Transaction-Status - Status of the password reset operation: 5 for Success, 6 for Failed.
    • Transaction-StatusMessage - Empty, if password reset is a success; error message on failure.
    • Transaction-ProcessEntry - The value 1 will always be sent.

There can be multiple Post Password Reset configurations created representing various systems and workflow combinations. For example, define Post Password Reset Config 1 and associate system A, B, and C with one workflow; and define Post Password Reset Config 2 and associate systems B, C, and D with another workflow.

Note: This is an organization specific feature, so each organization has its own list of configurations. Master Administrators of both the Master Organization and Client Organizations, and Connected System Administrators of both the Master Organization and Client Organizations can see and manage Post Password Reset configurations.

To manage Post Password Reset configurations

  1. From the Admin UI  Systems tab  Function Menu, click Post Password Reset. The Post Password Reset Configuration page displays:



  2. To create a new Post Password Reset configuration, click the Add/Copy The Post Password Reset Configuration Detail (Add) page displays:




  3. Enter this information:

    Elements and Descriptions

    Name*: Configuration names are unique and should not be repeated while creating other configurations within the same organization. Name can contain only alphanumerics, hyphens, and underscores. This is mandatory and can have a maximum of 255 characters.

    Description: The description or purpose of the configuration. This is optional and can have a maximum of 512 characters.

    Enable: To enable the configuration, check this box (default: unchecked).

    Note: Individual Post Password Reset configurations can be enabled or disabled if required. Disabling a particular configuration will prevent the workflows from being called.

    Systems*: Lists the selected connected systems. When the password reset occurs on these systems, Identity will initiate the workflow specified in the Workflow section.

    Add - Displays the Connected System View page. This lists only those connected systems that are configured for password rest by either Users and OBO User or OBO User Only.

    Remove - Removes the selected connected system from the list.

    Note: To create a Post Password Reset configuration, at least one connected system must be selected.

    Workflow*: Displays the selected workflow that will be launched when password reset occurs on any one of the connected systems listed in the Systems section. The workflow Name and Description if any, are shown in one field with the description in parenthesis.

    Select - Displays the Deployed Workflow List page. This lists deployed workflows that begin with the ProvisioningHub and that are of type Normal and Resource.

    For example, the Simulated Login Framework (SLF) feature allows users to single sign-on to Web applications by using the password received from the IdP. This password is stored encrypted as an attribute in the IdP’s LDAP store. If the end user uses Identity to change the password on the target application, the IdP’s LDAP attribute that stores the password is not updated and the SLF process will fail. Therefore, a workflow can be created so that the IdP’s LDAP attribute that stores the password can be updated after the password reset process in Identity.

    Execute Workflow On Password Reset: Specify when the workflow should run on password reset: Always (default), Success, or Failure.

    Add: Creates a new Post Password Reset configuration with specified connected system(s) and workflow.

    * Denotes required fields.

  4. To view/modify the details of a Post Password Reset configuration, click the Name hyperlink.The Post Password Reset Configuration Detail (Update) page displays, where the details (except the name) can be modified.

  5. To delete a Post Password Reset configuration, check the box corresponding to the configuration, and click the Delete button.

HPAM

See the High Privilege Accounts for detailed information on requesting and approving accounts with high privilege.

Dictionary

This page is used to add or remove words from a dictionary to disallow/allow their use in passwords. For example, selecting Disallow words found in dictionary in a password policy, and "house" is in the dictionary, disallows usage of "house" as a password in the policy.

To add or remove words from a dictionary

  1. From the Admin UI  Systems tab  Function Menu, click Dictionary. The Password Policy Dictionary page displays:



    Elements and Descriptions

    Use Standard Dictionary in addition to Custom Dictionary: Use both the standard dictionary included in Identity and the custom dictionary established on this page.

    Contents: Displays words that are in the custom dictionary. Words in this field can be deleted from the custom dictionary.

    Remove: Removes a custom dictionary word after selecting it in the Contents field.

    Enter Words Separated by Space: Select to add words to the custom dictionary.

    Word: Enter words to be added to the custom dictionary. Note: Words must be separated by spaces.

    Add Words From File: Select to add words from a text file to the custom dictionary.

    File Path: Click Browse and select a file. The file is uploaded to the server and the words in the file are added to the custom dictionary.

    Note: Words must be separated by spaces or new lines.
    Add To Dictionary: Creates the new custom dictionary entry.
  2. To remove words from the custom dictionary, select one or more words in the Contents field, and click the Remove button.

  3. To add words to the custom dictionary, perform one of these procedures:

    • Select the Enter Comma Separated Words option button, enter the word(s) to add, and click

    Or

    • Select the Add Words From File option button, click Browse, select a file, and click Add To Dictionary.

    A message displays indicating how many words were added to the custom dictionary. A warning message may display if one or more words already exist in the standard or custom dictionary.

Was this article helpful?