8 replies Latest Post - 2013-10-08T08:56:00Z by Shailesh Malkar
Shailesh Malkar
58 Posts

Pinned topic ISIM Account Password Expiration

2013-09-26T14:31:45Z

Hi All,

I am new to ISIM. I am working on one issue where I am stuck at one decision point, i.e. when the ISIM account of any person gets expired by the policy (which we set in Set System Security -> Set Security Properties {Identity account password expiration period in days}), whether all his/her accounts will also get expired. If yes, then which operation gets called for each account (changePassword, suspend or modify)? And if no, then I have to create such logic to expire the user's accounts, by which he/she should not be allowed to log in to that application even if it is not a web-based application, like SAP Log-on.

Thanks,

Shailesh S. Malkar

Updated on 2013-09-26T14:39:20Z by Shailesh Malkar
  • goonitsupport
    96 Posts

    Re: ISIM Account Password Expiration

    2013-09-26T15:49:48Z  in response to Shailesh Malkar

    The password expiration only applies to the ISIM user account. Each platform that ISIM manages is responsible for expiring its own passwords.

    ITIM can manage user expiration settings such as maxdays on a user account, but it is down to the target application or system to manage the expiration locally.

    I have never heard of using ISIM to achieve this and wouldn't recommend it (could possibly be hacked into lifecycle rules but not a great idea).

    Best regards,

    Vincent Cassidy

    • Shailesh Malkar
      58 Posts

      Re: ISIM Account Password Expiration

      2013-09-28T07:33:09Z  in response to goonitsupport

      Hi Vincent,

      I do understand the concern behind it. But we have a requirement to suspend users' respective accounts, including SAP Log-on, when password expiration happens, by which we want to achieve a single point of check for all accounts. So if you can suggest anything in that direction, it will be a great help for us.

      Thanks,

      Shailesh S. Malkar

      • goonitsupport
        96 Posts

        Re: ISIM Account Password Expiration

        2013-10-03T05:47:42Z  in response to Shailesh Malkar

        Do all your applications record the date a password was last changed? For instance, LDAP doesn't. If the target platforms record the date the password was changed and this information is reconciled into ISIM, then I would say it is possible to achieve this with a lifecycle rule and a custom operation.

        If the reason for doing this is that these systems do not record this information, then ISIM can't help. In this case I would implement password synchronisation from AD and perhaps an external-facing security system such as Access Manager. This will ensure all active users change all their passwords regularly. With password synchronisation in place you then only need a lifecycle rule to check one account to see whether its password has changed within n days and then suspend the Person, which will suspend all accounts.

        Best regards

        Vincent Cassidy

        • Padam Khatana
          15 Posts

          Re: ISIM Account Password Expiration

          2013-10-05T11:12:21Z  in response to goonitsupport

          Password synchronization should be enabled in ITIM and an LCR needs to be written for suspension of the person and all his accounts based on password expiry days. I believe this will cover the requirement here.

          HTH

          Regards,

          Padam Khatana

          • yn2000
            1068 Posts

            Re: ISIM Account Password Expiration

            2013-10-06T04:33:13Z  in response to Padam Khatana

            I changed my AD password 2 days ago. I changed my SAP password yesterday. And today, ISIM is suspending my AD account and SAP account, just because I changed my ISIM password 90 days ago? And then I have to call my help desk because my account is suspended? Yeah... yeah... you can say that I can use the forgot-password facility to restore all of my accounts. But that means that the company cannot block me from using SAP when I abuse SAP, just because I can restore all of my accounts... myself.

            I dramatize the situation, but "...a requirement to suspend users respective accounts including SAP Log-on,.." is a bad requirement regardless of how you do it.

            I would tell the customer to use Vincent's idea... sync and control it with AD.

            Rgds. YN.

            • Padam Khatana
              15 Posts

              Re: ISIM Account Password Expiration

              2013-10-06T19:05:58Z  in response to yn2000

              Password sync should be enabled so that the same password will flow to all accounts and they have a common password expiration policy.

              In this case all the passwords will expire on the same day and will ask for a password reset; otherwise all the accounts of the person will be suspended, including SAP.

              Thanks,

              Padam Khatana

              • yn2000
                1068 Posts

                Re: ISIM Account Password Expiration

                2013-10-07T03:46:29Z  in response to Padam Khatana

                You are talking about the Password Sync that you enable from the TIM Admin Console, right? That TIM Password Sync works only if you change the password from the TIM Admin Console. If you want to change the password in AD and you want that password to be distributed to all accounts, then you have to install AD Password Sync, aka Password Interceptor for AD. I don't think IBM produces SAP Password Sync, aka Password Interceptor for SAP. So how do you know if someone changes the password in SAP if you do not have a Password Interceptor there?

                How about Password Interceptors in other applications? Do you want to block anybody from changing their password anyplace but TIM?

                Rgds, YN.

        • Shailesh Malkar
          58 Posts

          Re: ISIM Account Password Expiration

          2013-10-08T08:56:00Z  in response to goonitsupport

          Hi Vincent,

          Sorry to trouble you again, but I have one more concern. If I suspend the person it will suspend all of his accounts, including his AD account, which will not allow the user to log in to his (desktop/laptop) machine. This we want to avoid. By this I mean that we want to suspend only a few accounts and not all. So how can we achieve this, if it is possible?

          One more question: which operation or workflow will get called when password expiry happens for a user?

          Thanks,

          Shailesh S. Malkar
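The decision logic behind Vincent's suggestion above (check one reference account's last password-change date and act once it is older than n days), narrowed to suspending only selected accounts rather than the whole person, as the last post asks. This is an added illustration in Python, not ISIM code or a lifecycle rule; the field names, the 90-day window, the AD reference account and the sample population are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical field names: the thread does not give ISIM's attribute names for
# reconciled accounts, so this only models the data a lifecycle rule would read.
@dataclass
class Account:
    service: str
    password_changed: Optional[date]  # None: target does not record it (e.g. LDAP)

@dataclass
class Person:
    uid: str
    accounts: list

def evaluate(person, reference, max_days, today, keep=()):
    """Decide what the rule does for one person.

    Returns (action, detail): ("suspend", [services]) when the reference
    account's password is older than max_days, ("ok", None) when it is fresh,
    and ("skip", reason) when the check cannot be made, so missing data never
    causes a suspension.
    """
    ref = next((a for a in person.accounts if a.service == reference), None)
    if ref is None:
        return ("skip", f"no {reference} account to check")
    if ref.password_changed is None:
        return ("skip", f"{reference} does not record the last password change")
    if (today - ref.password_changed).days <= max_days:
        return ("ok", None)
    # Suspend only the accounts not listed in `keep` (e.g. keep AD so the user
    # can still log in to the workstation), instead of suspending the Person.
    return ("suspend", [a.service for a in person.accounts if a.service not in keep])

def run_rule(people, reference="AD", max_days=90, today=date(2013, 10, 8), keep=("AD",)):
    """Apply evaluate() to every person; returns {uid: (action, detail)}."""
    return {p.uid: evaluate(p, reference, max_days, today, keep) for p in people}

# Constructed sample population, not real data.
SAMPLE = [
    Person("smalkar", [Account("AD", date(2013, 6, 1)),
                       Account("SAP", date(2013, 10, 7)), Account("LDAP", None)]),
    Person("vcassidy", [Account("AD", date(2013, 9, 20)), Account("SAP", date(2013, 1, 5))]),
    Person("pkhatana", [Account("SAP", date(2013, 2, 1))]),
]

if __name__ == "__main__":
    for uid, (action, detail) in run_rule(SAMPLE).items():
        print(uid, action, detail)
```

Note that smalkar's SAP password was changed yesterday yet SAP is still suspended, which is exactly the situation YN describes: the rule trusts the reference account only, so it is only sound when password synchronisation makes that account's date meaningful for the rest.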