지금 지원 담당자와 채팅
지원 담당자와 채팅

Password Manager 5.14.3 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in a perimeter network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Adding or cloning a new Management Policy Configuring Access to the Administration Site Configuring Access to the Password Manager Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Password Manager Self-Service Site workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Customizing help link URL Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email templates
Upgrading Password Manager Password Policies Enable 2FA for Administrators and Enable 2FA for HelpDesk Users Reporting Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Customization Options Overview Glossary

Workflow states

Workflow states determine how Password Manager for AD LDS ran a workflow and which activities of the workflow it initiated. Workflows have 3 states:

  • Success is the state of the workflow if no errors occur when running a workflow. In this state, Password Manager for AD LDS performs all workflow activities, except the following:

    • Email user if workflow fails

    • Email administrator if workflow fails

    • Lock Q&A profile

    • Restart workflow if error occurs

  • Failure is the state of the workflow if an error occurs when running a workflow activity. If any errors occur during the workflow, Password Manager for AD LDS performs only the following activities:

    • Email user if workflow fails

    • Email administrator if workflow fails

    • Lock Q&A profile

    • Restart workflow if error occurs

      NOTE: The Restart workflow if error occurs activity resets the workflow state to Success and runs the workflow from the beginning.

  • Critical Error is the state of the workflow if a critical error occurs (for example, locking a user account or a Q&A profile). If any critical errors occur when running the workflow, Password Manager for AD LDS performs only the following activities:

    • Email user if workflow fails

    • Email administrator if workflow fails

Workflow settings

For each workflow, you can set 3 options:

  • Language settings specify a custom name and description for the selected workflow on the Password Manager Self-Service Site or Helpdesk Site, either in the default language, or in additional languages.

  • Availability settings specify if the workflow must appear on the Password Manager Self-Service Site or in the Helpdesk Site.

  • Customization settings specify a custom icon for the workflow and a possible grouping key.

NOTE: You can specify custom names and descriptions only for the languages for which localization is available on the Password Manager Self-Service Site and Helpdesk Site.

To set the language settings

  1. On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of the management policy you want to configure.

  2. On the page of the configured workflow, click Workflow settings.

  3. Under Workflow Settings > Languages, edit the workflow name and the workflow descriptions in the default language, then click OK.

  4. To edit the workflow name and the workflow description in other languages, click Add new language, select a language, then enter the workflow name and workflow descriptions in the selected language.

  5. To apply your changes, click OK.

To set the availability settings

  1. On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of the management policy you want to configure.

  2. On the page of the configured workflow, click Workflow settings.

  3. Under Workflow Settings > Availability > Enable the workflow, select the availability option of your workflow:

    • Always: The workflow is always enabled for users on the Password Manager Self-Service Site or for operators on the Helpdesk Site.

    • Never: The workflow is always disabled on the Password Manager Self-Service Site or Helpdesk Site.

    • Depending on the current user status: The availability of the configured workflow depends on the user status.

      The default criteria for enabling or disabling workflows on the Password Manager Self-Service Site are the following:

      • For unregistered users, only the Register workflow is enabled.

      • For registered users, the Forgot My Password and Manage My Passwords workflows are enabled.

      • Both for registered and unregistered users, the I Have a Passcode workflow is enabled only if a helpdesk user performs an Assign Passcode workflow for them.

      • For registered users with a locked account, only the Forgot My Password and Unlock My Account workflows are enabled.

      • For users with a locked Q&A profile, no workflows are enabled on the Password Manager Self-Service Site. Users must contact the helpdesk in this case.

      The default criteria for enabling or disabling workflows on the Password Manager Helpdesk Site are the following:

      • For unregistered users, the Reset Password, Unlock Account and Assign Passcode workflows are enabled.

      • For registered users with a locked Q&A profile, all Helpdesk workflows are enabled.

      IMPORTANT: If an unregistered user registers the first time, and enters an incorrect password beyond the specified limit, their profile will be locked. The user then must wait for the duration configured with the Reset lockout account setting.

  4. Under Show the workflow, specify the visibility of the configured workflow on the Password Manager Self-Service Site or Helpdesk Site for users:

    • Always: The workflow is always visible, regardless of whether it is enabled or disabled for the current user.

    • Never: The workflow is always hidden, regardless of whether it is enabled or disabled for the current user.

    • Only if the workflow is enabled: The workflow appears only if it is enabled for the current user.

  5. To apply your changes, click OK.

NOTE: Custom workflows appear on the Password Manager Self-Service Site for users even if the Enable the workflow setting is set to Depending on the current user status and the Show the workflow setting is set to Only if the workflow is enabled.

To force these settings for custom workflows

  1. Stop the Password Manager Service.

  2. Open the C:\ProgramData\One Identity\Password Manager\Shared.storage file.

  3. Replace the <DisabledReasons /> line with the following entry:

    <disabledReasons>
      <reason name="userRegistered" value="DisableIfFalse" />
    </disabledReasons>
  4. Save the file, then restart the Password Manager Service.

To set the customization settings

  1. On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of a management policy you want to configure.

  2. On the page of the configured workflow, click Workflow settings.

  3. Under Workflow Settings > Customization > Choose an icon for the workflow, select the desired icon for your workflow.

  4. Under Workflow group name, specify a group name that acts as a grouping key for workflows.

    NOTE: Workflows that have the same group name will be grouped together in the Password Manager Self-Service Site. Leave Workflow group name empty if no grouping is desired for the current workflow.

    If no translation is defined for the current language, Workflow group name will appear as entered in the Password Manager Self-Service Site.

  5. To define translations for Workflow group name, edit the following file by adding a new key-value pair as "<workflow-group-name>":"<translated-workflow-group-name>" inside the opening and closing braces:

    <PasswordManager-installation-folder>\One Identity\Password Manager\Web\SelfService\assets\i18n\<language>.json

    NOTE: Workflow groups are displayed on Password Manager Self-Service Site in a way that is visually slightly different from that of workflows. Also, workflow groups are ordered before the non-grouped workflows. A maximum of 4 icons from a workflow group are presented as a workflow group icon.

  6. To apply your changes, click OK.

Custom workflows

To extend and customize the functionality provided by built-in workflows for your organization, create custom workflows. Similar to the built-in workflows, you can create 2 types of custom workflows: Self-Service and Helpdesk workflows.

To create a custom workflow

  1. To open the Add New Workflow dialog, in the Password Manager Administration Site, under Home > <management-policy>, click New Workflow at the heading of the management policy for which you want to configure the new workflow.

  2. In the Select the workflow type drop-down list, select the site where the workflow must appear (Self-Service Site or Helpdesk Site).

  3. Enter the Workflow name.

  4. Enter a Workflow description.

  5. To apply your changes, click Save.

TIP: Consider the following when creating a new workflow:

  • When you add a new custom workflow, it does not contain any activities. To add activities, click the workflow to open the Workflow Designer.

  • You must specify the name and description for each workflow in the default language used on the Self-Service Site or Helpdesk Site. However, in addition, you can also specify the workflow name and description in other languages, as long as localization for those languages is available in the Self-Service Site and Helpdesk Site). For more information on configuring language settings, see Workflow settings.

NOTE: Custom workflows appear on the Password Manager Self-Service Site for users even if the Enable the workflow setting is set to Depending on the current user status and the Show the workflow setting is set to Only if the workflow is enabled.

To force these settings for custom workflows

  1. Stop the Password Manager Service.

  2. Open the C:\ProgramData\One Identity\Password Manager\Shared.storage file.

  3. Replace the <DisabledReasons /> line with the following entry:

    <disabledReasons>
      <reason name="userRegistered" value="DisableIfFalse" />
    </disabledReasons>
  4. Save the file, then restart the Password Manager Service.

Importing and exporting workflows

To share your configured workflows among management policies, import and export the workflows between them.

Prerequisites

Importing and exporting workflows between management policies is available only if you enable extensibility features.

To enable extensibility features

  1. On the Password Manager Administration Site, navigate to General Settings > Extensibility.

  2. Select Extensibility on.

  3. To apply your changes, click Save.

To export a workflow

  1. On the Password Manager Administration Site, under Home > <management-policy>, click the workflow of a management policy you want to export.

  2. On the page of the workflow, click Export workflow. Depending on the browser settings, the workflow is then either downloaded to the default download folder, or you can specify the download location.

To import a workflow

IMpORTANT: Before importing a workflow, consider the following:

  • If you import a workflow, Password Manager will replace existing workflows with the same name. To avoid accidental overwrites, One Identity recommends backing up existing workflows by exporting them when prompted.

  • One Identity strongly recommends auditing scripts of custom activities in imported workflows before using them in a production environment. This is required because attackers could potentially access sensitive information via PowerShell scripts in a custom activity. Make sure you import workflows from a trusted source only.

  • If the imported workflow contains activities that are missing from the current configuration, import the missing activities first (from the same workflow archive file), then import the workflow.

  1. On the Password Manager Administration Site, under Home > <management-policy>, navigate to the management policy for which you want to import a new workflow, then click Import Workflow.

  2. To select the workflow archive file, in the Import Workflow dialog, click Upload, then click OK.

  3. To perform the import, click OK. If the import procedure would overwrite an existing workflow with the same name, click the link to export the affected workflow.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택