Chat now with support
Chat with Support

Password Manager 5.14 - Administration Guide

About Password Manager Getting started Password Manager architecture
Password Manager components and third-party applications Typical deployment scenarios Password Manager in a perimeter network Management Policy overview Password policy overview Secure Password Extension overview reCAPTCHA overview User enrollment process overview Questions and Answers policy overview Password change and reset process overview Data replication Phone-based authentication service overview
Management policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring access to the Administration Site Configuring access to the Password Manager Self-Service Site Configuring access to the Helpdesk Site Configuring Questions and Answers policy Workflow overview Custom workflows Custom activities Password Manager Self-Service Site workflows Helpdesk workflows Notification activities User enforcement rules
General Settings
General Settings overview Search and logon options Importing and exporting configuration settings Outgoing mail servers Diagnostic logging Scheduled tasks Web Interface customization Instance reinitialization Realm Instances Domain Connections Extensibility features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable 2FA for administrators and helpdesk users Reporting Password Manager integration Accounts used in Password Manager Open communication ports for Password Manager Customization options overview Third-party contributions Glossary

User enforcement rules

User enforcement rules allow you to force users to create and update their Q&A profiles and notify users about password expiration. Password Manager offers three user enforcement rules: Invite users to create/update Q&A profiles, Remind users to create/update Q&A profiles, and Remind users to change password.

Invite users to create/update profiles

By using this user enforcement rule you can configure Password Manager to invite users to register with Password Manager or update their Questions and Answers profiles. If you configure this enforcement rule, users will be notified by email.

The notification schedule is defined by the Invitation to Create/Update Profile scheduled task. Note that notification starts only after this scheduled task has run. For more information on the scheduled tasks, see Scheduled tasks.

IMPORTANT: If you disable the Invitation to Create/Update Profile scheduled task, users will not be enforced to create or update their profiles.

This enforcement rule is disabled by default. To enable the rule, on the Home page of the Administration Site, expand the required enforcement rules section, click Invite Users to Create/Update Profiles, then click Enable.

To configure this enforcement rule, you must specify a user scope, conditions when an email notification should be sent and an email notification text.

To configure this enforcement rule

  1. Connect to the Administration Site by typing the Administration Site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/PMAdmin/.

    NOTE: When prompted to log in, provide your domain user name in a domainname\username format.

  2. Select the Management Policy you want to modify.

  3. Expand the User Enforcement Rules section and click Invite Users to Create/Update Profiles.

  4. To set the user scope of this rule, click Configure under Configure the rule’s scope, specify the following settings and click Save:

    Table 5: Configure scope of rule

    Option

    Description

    Users from the user scope of the Management Policy

    Select this option to include all users from the Management Policy user scope to the enforcement rule scope.

    The following users

    Select this option to specify groups included to and excluded from the enforcement rule scope.

    Users included both in the Management Policy user scope and the following groups

    Specify groups included in the enforcement rule scope.

    NOTE: Only users belonging both to the Management Policy user scope and the specified groups will be included in the enforcement rule scope. To browse for groups, click Add, select the required groups and click Save.

    Users excluded from the rule’s scope

    Specify groups excluded from the enforcement rule scope. To browse for groups, click Add, select the required groups and click Save.

  5. To specify the conditions under which users should be notified to create or update their Q&A profiles, click Configure under Notify users who meet the following condition, select one or more of the following options and click OK:

    Table 6: User notifications

    Option

    Description

    User is not registered with Password Manager

    Select to force users to register with Password Manager by creating Q&A profiles, if users are not registered with Password Manager.

    The question user answered to register was modified or deleted

    Select to have users update their Q&A profiles if one or more questions which users answered to register were modified or deleted.

    User's Q&A profile contains fewer questions than required for registration

    Select to have users update their Q&A profiles if you have added one or more questions required for registration, thus making the list of such questions longer than it was before users’ profiles were last updated.

    User’s answers are shorter than required

    Select to have users update their Q&A profiles if any of users' answers contain fewer characters than the current settings require.

    User-defined questions are shorter than required

    Select to have users update their Q&A profiles if any of the user-defined questions contain fewer characters than the current settings require.

    User has specified the same answer for several questions

    Select to have users update their Q&A profiles if Q&A profiles contain the same answer for different questions if the current settings specify the opposite.

    Settings for encrypting user's answers have been changed since Q&A profile creation

    Select to have users update their Q&A profiles if the current encryption setting (defined by the Store answers using reversible encryption option in the Q&A profile settings) has been changed since Q&A profile creation. For example, when users created their profiles, the option was disabled, and later the option became enabled, and vice versa.

    The question list users answered to create Q&A profile was removed or disabled

    Select to have users update their Q&A profiles if the question list they used when registering was deleted or disabled. For example, if the question list in a particular language was deleted.

    User's Q&A profile is older than the specified value

    Select to force users to update their Q&A profiles if their last update exceeds the specified maximum value (in days).

  6. To edit the notification template, use a WYSIWYG editor in the Configure email notification section.

  7. To define the default notification language, click the language link next to the Default language option and select the required language.

  8. To specify the notification text in another language, click Add new language and select the required language. Notification templates in 17 languages are available out of the box (English, Chinese (Simplified), Chinese (Traditional), Danish, Dutch, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Polish, Czech, Swedish). The language of the notification message corresponds to the language of a user’s Q&A profile. If the corresponding language is not available, the notification message is sent in the default language.

  9. To specify the daily number of new users who will be invited to create or update their Q&A profiles, enter the number in the Set the daily number of users to be invited spin box. Use this option to reduce server load and enhance performance.

  10. Click Save.

IMPORTANT: To send email notifications to users, you must specify an outgoing mail server (SMTP server). For more information on how to configure the SMTP server, see Outgoing mail servers.

Remind users to create/update profiles

The enforcement rule is disabled by default. To enable the rule, on the Home page of the Administration Site, expand the required enforcement rules section, click Remind Users to Create/Update Profiles, and then click Enable.

To configure this enforcement rule, you must specify a user scope and the required number of notification scenarios.

To configure the enforcement rule user scope

  1. Connect to the Administration Site by typing the Administration Site URL in the address bar of your web browser. By default, the URL is http://<ComputerName>/PMAdmin/.

    NOTE: When prompted to log in, provide your domain user name in a domainname\username format.

  2. Select the Management Policy you want to modify.

  3. Expand the User Enforcement Rules section and click Remind Users to Create/Update Profiles.

  4. To set the user scope of this rule, click Configure under Configure the rule’s scope, specify the following settings and click Save:

Table 7: Configure the scope of the rule

Option

Description

Users from the user scope of the Management Policy

Select this option to include all users from the Management Policy user scope to the enforcement rule scope.

The following users

Select this option to specify groups included to and excluded from the enforcement rule scope.

Users included both in the Management Policy user scope and the following groups

Specify groups included in the enforcement rule scope.

NOTE: Only users belonging both to the Management Policy user scope and the specified groups will be included in the enforcement rule scope. To browse for groups, click Add, select the required groups and click Save.

Users excluded from the rule’s scope

Specify groups excluded from the enforcement rule scope. To browse for groups, click Add, select the required groups and click Save.

To configure notification scenarios

  1. Connect to the Administration Site by typing the Administration Site URL in the address bar of your web browser. By default, the URL is http://<ComputerName>/PMAdmin/.

    NOTE: When prompted to log in, provide your domain user name in a domainname\username format.

  2. Select the Management Policy you want to modify.

  3. Expand the User Enforcement Rules section and click Remind Users to Create/Update Q&A Profiles.

  4. To add a new notification scenario, click Add, or to modify an existing notification scenario click Edit in the Apply the following notification scenarios to users from the rule’s scope section.

  5. Select the condition for applying this enforcement rule. Use the User is not registered and not invited to create Q&A profile option to apply this rule to users who are not registered with Password Manager and have not been invited to create Q&A profile. Select the User was invited to create/update Q&A profile N days ago option and enter the required number of days to apply this enforcement rule to users who were invited to register with Password Manager or update their Q&A profiles the specified number of days ago.

    IMPORTANT: If you select the User is not registered and not invited to create Q&A profile option, such users will be immediately notified through a dialog displayed on their desktop screens. The Reminder to Create/Update Profile scheduled task is not required to carry out such notification scenario. Use this option with caution when the number of users managed by Password Manager is large. Immediate enforcement of a large number of users may drastically decrease the performance of your production environment.

    NOTE: If you select the User is not registered and not invited to create Q&A profile option, such users can be notified only with Secure Password Extension dialog. Email notification option is not available for such notification scenario.

  6. To configure email notification, select the Notify users by email check box. To configure notification by a dialog, select the Notify users via Secure Password Extension check box. Click Next.

  7. If you selected the Notify users by email check box, edit the notification template if necessary. Specify the following settings if required and click Next:

    • To define the default notification language, click the language link next to the Default language option and select the required language.

    • To specify the notification text in another language, click Add new language and select the required language. Notification templates in 16 languages are available out of the box (English, Chinese (Simplified), Chinese (Traditional), Danish, Dutch, French, German, Japanese, Korean, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Polish, Czech, Swedish).

  8. If you selected the Notify users via Secure Password Extension check box, configure the postpone options that will be available to users on the notification dialog: select check boxes with required time intervals and click OK.

IMPORTANT: To send email notifications to users, you must specify an outgoing mail server (SMTP server). For more information on how to configure the SMTP server, see the Administrator Guide.

NOTE: If the user does not create or update his Q&A profile in the specified number of days, you can disable the user account. For more details see Forced enrollment.

Forced enrollment

This option is used to force users to enroll to Password Manager. If users do not create or update their Q&A profiles after a series of reminders, their accounts will be disabled. They will receive the notification either by email or through the Secure Password Extension (notification dialog). The accounts can be enabled with a customized Enable Account workflow.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating