
Password Manager 5.14.3 - Administration Guide


User enrollment process overview

To require users to register with Password Manager, you can use two enforcement rules: Invite users to create/update Q&A profiles and Remind users to create/update Q&A profiles.

To start the enrollment process, you need to enable and configure the Invite users to create/update Q&A profiles rule. This rule sends email notifications to the users specified in the rule’s scope, inviting them to create or update their Questions and Answers profiles. When configuring email notifications for this rule, you can insert a hyperlink to the Self-Service Site. To add the hyperlink, enter the required URL in the email notification body. For example, http://mydomain.com/user. Note that you cannot specify the hyperlink text.

To configure the Invite users to create/update Q&A profiles enforcement rule, you need to specify the conditions under which users should be notified. For example, users are not registered with Password Manager, users’ answers are shorter than required, or users have specified the same answers for several questions. These conditions correspond to the Q&A profile settings that are part of the Q&A policy. For more information, see Configuring Q&A profile settings. For more information on configuring this enforcement rule, see Invite users to create/update profiles.

NOTE: Only one email notification is sent to each user. If you want to remind users that they should register with Password Manager or update their Q&A profiles and send multiple emails, enable and configure the Remind users to create/update Q&A profiles enforcement rule.

The Remind users to create/update Q&A profiles enforcement rule can notify users via email and via a notification dialog displayed by the Secure Password Extension installed on users’ computers. When configuring this rule, you can specify several notification scenarios. For each scenario, you should set the time period since the invitation date and the notification option (email or Secure Password Extension).

For example, you can configure the following scenarios:

  • Users were invited 5 days ago: For this case, you may want to notify users by email only.

  • Users were invited 10 days ago: For this case, you may want to notify users via Secure Password Extension only. Note that users will not receive any email notifications during this period.

  • Users were invited 20 days ago: For this case, you may want to notify users by email and via Secure Password Extension. So, starting from day 20 users will receive both emails and Secure Password Extension notifications.

For more information on configuring this enforcement rule, see Remind users to create/update profiles.

NOTE: If the user does not create or update their Q&A profile in the specified number of days, you can disable the user account. For more details, see Forced enrollment.

If you want to configure different notification scenarios for different user groups, you can create several management policies, and within each Management Policy configure the Remind users to create/update Q&A profiles enforcement rule appropriately for different user groups.

Questions and Answers policy overview

Questions and Answers policy consists of secret questions and Questions and Answers profile settings. Secret questions are questions that users must answer to create their profiles and then use the profiles for authentication. You can create question lists in multiple languages. Each question list contains mandatory, optional, and Helpdesk questions. When creating profiles, users must answer all mandatory and Helpdesk questions, and a specified number of optional and user-defined questions. You can specify the required number of questions in the Q&A profile settings.

When authenticating on the Self-Service Site with Q&A profiles, users can use mandatory, optional, and user-defined questions from their profiles. When a Helpdesk operator authenticates users, the operator can use mandatory and Helpdesk questions from users’ profiles.

Q&A profile settings are a collection of settings that define the number of user-defined and optional questions required for registration, minimum length of answers, encryption setting for storing answers, and others.

Q&A Policy and authentication

When you configure the Questions and Answers policy, you should remember that the settings you specify may affect the authentication process. The following authentication activities use the Q&A policy settings:

  • Authenticate with Q&A profile (random questions): This activity is used in self-service workflows. It relies on the number of secret questions you specify in the activity. If a user’s profile contains fewer questions, you can select whether to authenticate the user or not. For more information, see Authenticate with Q&A profile (random questions).

  • Authenticate with Q&A profile (specific questions): This activity is used in self-service workflows. It relies on the specific secret questions you specify in the activity. If the specified questions cannot be found in a user’s profile, the user will not be authenticated. For more information, see Authenticate with Q&A Profile (specific questions).

  • Authenticate with Q&A profile (user-selected questions): This activity is used in self-service workflows. It relies on the number and type of secret questions you specify in the activity. Users will be able to choose questions to authenticate with from their profile's answered questions. If the user's profile contains fewer questions than the set minimum, you can select whether to authenticate the user or not. For more information, see Authenticate with Q&A Profile (User-selected questions).

  • Authenticate with Q&A profile: This activity is used in Helpdesk workflows. It relies on the specific secret questions you specify in the activity and on the Store answers using reversible encryption option that you specify in the Q&A profile settings. If the specified questions cannot be found in a user’s profile, the user will not be authenticated.

This activity uses mandatory and Helpdesk questions. Answers to Helpdesk questions are always stored using reversible encryption. Answers to mandatory questions are hashed, unless you select the Store answers using reversible encryption option in the Q&A profile settings.

NOTE: If answers to mandatory questions are hashed, you will not be able to use the activity option that specifies that Helpdesk operators verify user identity by comparing the answers provided by users with the displayed answers (the Answers to the specified questions (user’s answer is shown) option). For more information, see Authenticate with Q&A Profile.
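
The following sketch is an added example, not Password Manager code. It shows why a hashed answer can be verified but never displayed to a Helpdesk operator, while a reversibly encrypted answer can be both. The function names, the PBKDF2 parameters, the answer normalization, and the stdlib-only stream construction are assumptions; the guide does not state which algorithms the product uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed work factor for this sketch

def normalize(answer: str) -> bytes:
    # Assumption: answers are compared case- and whitespace-insensitively.
    return " ".join(answer.lower().split()).encode()

def store_hashed(answer: str) -> dict:
    # One-way: only a salted digest is kept, the answer itself is discarded.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)
    return {"mode": "hashed", "salt": salt, "digest": digest}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stdlib-only stand-in for a vetted cipher such as AES-GCM. Illustration
    # only: it provides no integrity protection.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def store_reversible(answer: str, key: bytes) -> dict:
    # Two-way: anyone holding the key can recover the original answer.
    nonce, plain = os.urandom(16), answer.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return {"mode": "reversible", "nonce": nonce, "cipher": cipher}

def answer_for_display(record: dict, key: bytes):
    """What a 'user's answer is shown' screen could render, or None."""
    if record["mode"] != "reversible":
        return None  # a salted hash cannot be turned back into the answer
    stream = _keystream(key, record["nonce"], len(record["cipher"]))
    return bytes(a ^ b for a, b in zip(record["cipher"], stream)).decode()

def verify(record: dict, candidate: str, key: bytes) -> bool:
    # Both storage modes support checking a typed-in answer.
    if record["mode"] == "hashed":
        probe = hashlib.pbkdf2_hmac("sha256", normalize(candidate),
                                    record["salt"], ITERATIONS)
        return hmac.compare_digest(probe, record["digest"])
    shown = answer_for_display(record, key)
    return hmac.compare_digest(normalize(shown), normalize(candidate))

KEY = os.urandom(32)  # constructed key; a real deployment must protect this secret
```

The trade-off is that reversible storage exposes every stored answer to anyone who obtains the key, whereas a hashed store only allows guessing against the digest.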

Q&A policy and user enforcement

The Q&A profile settings affect the Invite users to create/update Q&A profiles enforcement rule. This rule has conditions that state when users should be notified to create or update their profiles. These conditions correspond to the Questions and Answers profile settings. For example, the User’s answers are shorter than required condition corresponds to the Minimum length of answers setting. So, when you change any of the Q&A profile settings, you can then select the corresponding condition in the rule and require users to create or update their profiles in accordance with the new settings. For more information, see Invite users to create/update profiles.
