
Identity Manager 9.3 - Web Application Configuration Guide


Configuring Password Reset Portal login with password questions

If Web Portal users forget their password, they can log in to the Password Reset Portal with the help of the password questions and set a new password.

Required configuration keys:

  • Login with password questions (EnablePasswordProfileLogin): Specifies whether users can log in by answering their password questions.

  • Password questions can be managed (VI_MyData_MyPassword_Visibility): Specifies whether users can manage their password questions and answers.

To configure password questions

  1. Log in to the Administration Portal (see Logging in to the Administration Portal).

  2. In the navigation, click Configuration.

  3. On the Configuration page, in the Show configuration for the following API project drop-down, select the Password Reset Portal API project.

  4. Expand the Login with password questions configuration key.

  5. Select the Login with password questions check box.

  6. On the Configuration page, in the Show configuration for the following API project drop-down, select the Web Portal API project.

  7. Expand the Password questions can be managed configuration key.

  8. Select the Password questions can be managed check box.

  9. Click Apply.

  10. Perform one of the following actions:

    • If you want to apply the changes locally only, click Apply locally.

    • If you want to apply the changes globally, click Apply globally.

  11. Click Apply.

  12. Start the Designer program.

  13. Connect to the relevant database.

  14. Configure the following configuration parameters:

    TIP: To find out how to edit configuration parameters in Designer, see the One Identity Manager Configuration Guide.

    • QER | Person | PasswordResetAuthenticator | QueryAnswerDefinitions: Specify how many password questions and answers users must enter. Users who have entered too few questions and answers, or none at all, cannot log in to the Password Reset Portal using their password questions.

      NOTE: The value must not be less than the value in the QueryAnswerRequests configuration parameter.

    • QER | Person | PasswordResetAuthenticator | QueryAnswerRequests: Specify how many password questions users have to answer before they can log in to the Password Reset Portal.

      NOTE: The value must not be higher than the value in the QueryAnswerDefinitions configuration parameter.

    • QER | Person | PasswordResetAuthenticator | InvalidateUsedQuery: Specify how many new password questions and answers users must enter after they have successfully logged in to the Password Reset Portal. If this option is enabled, correctly answered password questions are deleted after logging in to Password Reset Portal.
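How the three parameters above interact, as an added Python model (not One Identity code; the class and function names are hypothetical, and the eligibility rule is an assumption read from the parameter descriptions). It shows that with InvalidateUsedQuery enabled, a user who logs in with password questions drops below QueryAnswerDefinitions and cannot use question login again until new questions are stored.

```python
from dataclasses import dataclass, field


@dataclass
class QuestionPolicy:
    """Constructed stand-in for the PasswordResetAuthenticator parameters."""
    query_answer_definitions: int  # questions/answers a user must have stored
    query_answer_requests: int     # questions a user must answer to log in
    invalidate_used_query: bool    # delete correctly answered questions

    def validate(self):
        """Return the problems with this combination (empty list if none)."""
        problems = []
        if self.query_answer_definitions < self.query_answer_requests:
            problems.append(
                "QueryAnswerDefinitions must not be less than QueryAnswerRequests")
        return problems


@dataclass
class User:
    questions: set = field(default_factory=set)  # stored question identifiers


def can_use_question_login(policy, user):
    """Assumption: eligibility means holding at least QueryAnswerDefinitions."""
    return len(user.questions) >= policy.query_answer_definitions


def login_with_questions(policy, user, answered):
    """Model one successful question login.

    Returns how many new questions the user must store afterwards to stay
    eligible for the next question-based login.
    """
    if policy.validate():
        raise ValueError("; ".join(policy.validate()))
    if not can_use_question_login(policy, user):
        raise PermissionError("too few stored password questions")
    if len(answered) != policy.query_answer_requests or not answered <= user.questions:
        raise ValueError("answer exactly the requested number of stored questions")
    if policy.invalidate_used_query:
        user.questions -= answered  # used questions are deleted after login
    return max(0, policy.query_answer_definitions - len(user.questions))
```
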

Excluding passwords from being reset

To prevent users from setting unwanted passwords, you can use the QER_PasswordWeb_IsAllowSet script to exclude certain passwords from being reset. Use cases for this may be passwords that are calculated from other values or passwords for target systems that are only connected as read-only.

For more information about scripts, see the One Identity Manager Configuration Guide.

NOTE: In the QER_PasswordWeb_IsAllowSet script, the system user is prevented from resetting the password by default in the following cases:
  • If external password management is enabled.
  • If the system user is enabled as service account.
  • If the system user is used for the automatic software update of One Identity Manager web applications.

To exclude passwords from being reset

  1. Start the Designer program.

  2. Connect to the relevant database.

  3. Copy the QER_PasswordReset_IsAllowSet script and customize the copy as required. Use the following parameters for this:

    • UID_Person of the logged in user

    • Key (ObjectKey) of the object to have the password reset option

    • Column names of the password

  4. Save the changes.

  5. Compile the script.

Settable passwords

Users can set the following default passwords.

Table 1: Password overview

User: Everyone
Password: Own password
Table / Column: Person.DialogUserPassword

User: Everyone
Password: User account password, which is

  • Directly assigned to the logged in identity.

  - OR -

  • Assigned to a sub-identity of the logged in identity.

  - OR -

  • Assigned to a sponsored identity, service identity, or group identity of the logged in identity.

  - OR -

  • Assigned to a shared user account of the logged in identity.

Table / Column:

  • AADUser.Password
  • ADSAccount.UserPassword
  • CSMUser.Password
  • EBSUser.Password
  • GAPUser.Password
  • LDAPAccount.UserPassword
  • NDOUser.Password
  • SAPUser.Password
  • UNSAccountB.Password
  • UNXAccount.UserPassword

User: Members of the application role Base roles | Administrators
Password: Password for individual system users
Table / Column: DialogUser.Password

NOTE: The system user is not suggested for resetting the password in the following cases:

  • If external password management is enabled for the system user.
  • If the system user is enabled as service account.
  • If the system user is used for automatic software updating of One Identity Manager web applications.

These cases are implemented in the QER_PasswordWeb_IsAllowSet script, which can be overwritten.

  • If the system user is used for role-based login.

In this case, the system user is not accepted by the Password Reset Portal.

Central password

Apart from setting individual passwords in the Password Reset Portal, users can also set the central password. Each user has a central password, with which other passwords can be managed depending on the configuration of the target system.
