Users can set the following default passwords.
Table 12: Password overview
Everyone |
Own password |
Person.DialogUserPassword |
Everyone |
User account password, which is:
- Directly assigned to the logged in identity.
- OR -
- Assigned to a sub-identity of the logged in identity.
- OR -
- Assigned to a sponsored identity, service identity, or group identity of the logged in identity.
- OR -
- Assigned to a shared user account of the logged in identity.
|
AADUser.Password
ADSAccount.UserPassword
CSMUser.Password
EBSUser.Password
GAPUser.Password
LDAPAccount.UserPassword
NDOUser.Password
SAPUser.Password
UNSAccountB.Password
UNXAccount.UserPassword |
Members of the application role Base roles | Administrators |
Password for individual system users |
DialogUser.Password |
NOTE: The system user is not suggested for resetting the password in the following cases:
- If external password management is enabled for the system user.
- If the system user is enabled as service account.
- If the system user is used for automatic software updating of One Identity Manager web applications.
These cases are implemented in the QER_PasswordWeb_IsAllowSet script, which can be overwritten.
- If the system user is used for role-based login.
In this case, the system user is not accepted by the Password Reset Portal.
Table 13: Script for resetting passwords
QER_PasswordReset_IsAllowSet |
Specifies whether resetting a password in the Password Reset Portal is allowed. |
To prevent users from setting passwords by mistake, you can exclude certain password from being reset.
User cases for this may be passwords that are calculated from other values or passwords for target systems that are only connected as read-only.
NOTE: In "QER_PasswordWeb_IsAllowSet", the system user is prevented, by default, from resetting the password in the following cases.
- If external password management is enabled.
- If the system user is enabled as service account.
- If the system user is used for automatic software updating of One Identity Manager web applications.
To exclude passwords from being reset
- Open the Designer.
- Find "QER_PasswordReset_IsAllowSet".
- Use "QER_PasswordReset_IsAllowSet" as the basis for an overrideable script with the following parameters.
- Current user's UID_Person.
- Object's key (ObjectKey) offered for password reset.
- Password column name.
- Save the setting in the Designer.
- Compile the Password Reset Portal.
Apart from setting individual passwords in the Password Reset Portal, you can also set the central password. Each user has a central password, with which other passwords can be managed depending on the configuration of the target system.
Detailed information about this topic
By defining password dependencies, you specify which passwords are managed through the central password.
Table 14: Script for declaring passwords
QER_PasswordWeb_IsByCentralPwd |
By default, the script checks whether QER | Person | UseCentralPassword is set. If the configuration parameter is set, the identity's central password is mapped to the password column of the identity's user account. A user account must be linked to the current user, it cannot be a privileged account. The script can be overwritten. |
To define password dependencies
- Open the Designer.
- Search QER_PasswordWeb_IsByCentralPwd.
- Use "QER_PasswordWeb_IsByCentralPwd" as the basis for an overrideable script with the following parameters.
- Current user's UID_Person.
- Object's key (ObjectKey) offered for password reset.
- Password's column name.
Using this input parameter, the script must return the information regarding whether or not a password is managed by the central password.
- Save the setting in the Designer.
- Compile the Password Reset Portal.