Regresar
-
Título
Is it possible to disable post-release reset? -
Descripción
Is it possible to prevent an account's password from being changed after the request has expired?
The "Change password after any release" (under Details | Management tab for an account) setting is no longer available in 2.5.915, 916 or 917. -
Resolución
By design, the default behavior of TPAM is to change the password after every release. This is for security reasons to ensure that a known password is not allowed to be used past the request period.
In previous versions, the "Change Password after any release" checkbox only controlled "ISA Duration". When enabled it set the default value to 2 hours, unchecking the option cleared the "ISA Duration"
In 2.5.915, setting the "Default duration for ISA releases of password" to zero is the same as unchecking the old "Change Password after any release" checkbox. To ensure the password is changed after any release set to a non zero value. For Automatic managed accounts, when the password is release (via non-ISA) the password will always been reset post release. It is not possible to prevent this occurring.
In the 2.5.918 a new “Do not change password after requests” option was added to the Password Profiles that will allow the post-release reset to be disabled. If selected, the password will NOT be automatically reset after a password request expires. Only a scheduled change or forced reset will change the password. For more details see the Password Profiles chapter of the TPAM Administrator Guide. This option was also added to AddProfile and UpdateProfile CLI commands.
In summary, if it is desired to disabled post-release resets for passwords, then upgrading to 2.5.918 or later is required.