Displaying user-specific processes in the Web Portal
A user-specific process is a process that is specifically configured for tracing by the user. It enables status tracking and confirmation of a processing result to the Web Portal.
A user who is logged on to the Web Portal can see all processes that they have initiated. The value in the XUserInserted column corresponds to the user who is currently logged on. To be identified as a user-specific process, a process must be generated from within a session of the currently logged-on user.
The user-specific processes are displayed in the Web Portal in the My Processes view. For more detailed information, see the One Identity Manager Web Designer Web Portal User Guide.
This section only covers the configuration for displaying the process information in the Web Portal. For more detailed information about process monitoring, recording process information, and the configuration of processes and process steps, see the One Identity Manager Configuration Guide.
Configuration recommendations for the recording of user-specific processes
- In the Designer, check the Common | ProcessState configuration parameter. The configuration parameter must be set.
- In the Designer, check the Common | ProcessState | JobHistory configuration parameter. The configuration parameter must be set. As a value for the configuration parameter, select ERRORorSELECTED or SELECTED.
  NOTE: The value ALL also takes into account the notifications from the process history. However, this setting can lead to an extremely large data volume.
- In the Designer, check the Common | ProcessState | ProgressView configuration parameter. The configuration parameter must be set and should have the value 2.
- In the Designer, check the Common | ProcessState | ProgressView | LifeTime and Common | ProcessState | JobHistory | LifeTime configuration parameters. These configuration parameters define the retention time of the process information and notifications in the process history. The configuration parameters must be set. Adjust the retention times if necessary. By default, the information is stored for 30 days before it is removed from the database.
- In the Designer, configure the processes and process steps for recording process information.
  - In the Process information property for a process, select the value Web Portal tracking.
  - In the Process information property for the process steps, select the value Web Portal tracking. Enable the Process history option.
- Use user-friendly informative display values for the processes and process steps. To do this, enter the formatting rules for the process information of processes and process steps.
Configuring self-registration of new users
Users who are not yet registered have the option to register themselves to use the Web Portal. Users who self-register receive a verification email with a link to a verification page. On this page, users can complete registration themselves and then set their initial login password.
NOTE: To use this functionality, new users must supply an email address, otherwise the verification email cannot be sent.
NOTE: For more information about self-registration of new users in the Web Portal and associated attestation process, see the One Identity Manager Attestation Administration Guide.
To configure self-registration
- Start the Designer.
- Configure the following configuration parameters:
  NOTE: For more information about editing configuration parameters in the Designer, see the One Identity Manager Configuration Guide.
  - QER | WebPortal | PasswordResetURL: Specify the Password Reset Portal's web address. This URL is used, for example, in the email notification to new users.
  - QER | Attestation | MailTemplateIdents | NewExternalUserVerification: By default, the verification message and link are sent with the Attestation - new external user verification link mail template.
    To use another template for this notification, change the value in the configuration parameter.
    TIP: In the Designer, you can configure the current mail template in the Mail templates > Person category. For more information about mail templates, see the One Identity Manager Operational Guide.
  - QER | Attestation | ApproveNewExternalUsers: Specify whether self-registered users must be attested before they are activated. A manager then decides whether to approve the new user's registration.
  - QER | Attestation | NewExternalUserTimeoutInHours: For new self-registered users, specify the duration of the verification link in hours.
  - QER | Attestation | NewExternalUserFinalTimeoutInHours: Specify the duration in hours, within which self-registration must be successfully completed.
- Assign at least one employee to the Identity & Access Governance | Attestation | Attestor for external users application role.
Configuring the four eyes principle for issuing a passcode
You can control whether passcodes generated by the help desk are divided into two parts. One half of the passcode is issued to the help desk staff and the other half is sent to the employee's manager. The employee must ask the manager for the second half of the passcode. This procedure increases the security for issuing passcodes.
To configure the four eyes principle for issuing passcodes
- Start the Designer.
- Set the QER | Person | PasswordResetAuthenticator | PasscodeSplit configuration parameter.
  NOTE: For more information about editing configuration parameters in the Designer, see the One Identity Manager Configuration Guide.
- Set the QER | WebPortal | MailTemplateIdents | InformManagerAboutSecondHalfOfPasscode configuration parameter.
  By default, the second half of the passcode is sent with the Employee - manager half of passcode for password reset mail template.
  To use another template for this notification, change the value in the configuration parameter.
  TIP: In the Designer, you can configure the current mail template in the Mail templates > Person category. For more information about mail templates, see the One Identity Manager Operational Guide.
Configuring password questions
If Web Portal users forget their password, they can set a new one with the help of the password questions.
To configure the use of password questions
- Start the Designer.
- Configure the following configuration parameters:
  NOTE: For more information about editing configuration parameters in the Designer, see the One Identity Manager Configuration Guide.
  - QER | Person | PasswordResetAuthenticator | QueryAnswerDefinitions: Specify how many password questions and answers users must enter. Users who enter too few or no questions and answers cannot reset their password.
    NOTE: The value must not be less than the value in the QueryAnswerRequests configuration parameter.
  - QER | Person | PasswordResetAuthenticator | QueryAnswerRequests: Specify how many password questions users have to answer before they can reset their password.
    NOTE: The value must not be higher than the value in the QueryAnswerDefinitions configuration parameter.
  - QER | Person | PasswordResetAuthenticator | InvalidateUsedQuery: Specify whether users must enter new password questions and answers after successfully resetting their password. In this case, correctly answered questions are deleted.
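The value constraints for the password question parameters above, together with the recording recommendations for user-specific processes at the start of this page, can be checked mechanically. The following Python check is an added example, not One Identity code; it assumes the parameters were exported as a mapping of full parameter path to value that contains only the parameters that are set, and the sample values are constructed.

```python
# Added example, not One Identity code. Assumed input: a dict holding only
# the parameters that are set, mapping full parameter path -> value string.
PS = "Common | ProcessState"
PQ = "QER | Person | PasswordResetAuthenticator"
MUST_BE_SET = [PS, f"{PS} | JobHistory", f"{PS} | ProgressView",
               f"{PS} | ProgressView | LifeTime", f"{PS} | JobHistory | LifeTime"]

def as_int(params, path):
    """Return the value as int, or None when unset or not a number."""
    try:
        return int(params[path])
    except (KeyError, TypeError, ValueError):
        return None

def audit(params):
    """Return a list of findings; an empty list means no deviation."""
    findings = [f"{p}: not set" for p in MUST_BE_SET if p not in params]

    job_history = params.get(f"{PS} | JobHistory")
    if job_history == "ALL":
        findings.append("JobHistory: ALL can lead to an extremely large data volume")
    elif job_history is not None and job_history not in ("ERRORorSELECTED", "SELECTED"):
        findings.append(f"JobHistory: unexpected value {job_history!r}")

    progress_view = params.get(f"{PS} | ProgressView")
    if progress_view is not None and str(progress_view).strip() != "2":
        findings.append("ProgressView: should have the value 2")

    definitions = as_int(params, f"{PQ} | QueryAnswerDefinitions")
    requests = as_int(params, f"{PQ} | QueryAnswerRequests")
    if definitions is None or requests is None:
        findings.append("QueryAnswerDefinitions/QueryAnswerRequests: unset or not numeric")
    elif definitions < requests:
        findings.append(f"QueryAnswerDefinitions ({definitions}) must not be less "
                        f"than QueryAnswerRequests ({requests})")
    return findings

# Constructed sample values, not taken from a real installation.
SAMPLE = {
    PS: "", f"{PS} | JobHistory": "ALL", f"{PS} | ProgressView": "1",
    f"{PS} | ProgressView | LifeTime": "30", f"{PS} | JobHistory | LifeTime": "30",
    f"{PQ} | QueryAnswerDefinitions": "2", f"{PQ} | QueryAnswerRequests": "3",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```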