Shailesh Malkar
58 Posts

ISIM Account Password Expiration

2013-09-26T14:31:45Z

Hi All,

I am new to ISIM. I am working on one issue where I am stuck at one decision point: when the ISIM account of any person gets expired by the policy (which we set in Set System Security->Set Security Properties {Identity account password expiration period in days}), will all his/her accounts also get expired? If yes, then which operation gets called for each account (changePassword, suspend or modify)? And if no, then I have to create such logic to expire the user's accounts so that he/she is not allowed to log in to that application, even if it is not a web-based application, like SAP Log-on.

Thanks,

Shailesh S. Malkar

Updated on 2013-09-26T14:39:20Z by Shailesh Malkar
  • goonitsupport
    116 Posts

    Re: ISIM Account Password Expiration

    2013-09-26T15:49:48Z

    The password expiration only applies to the ISIM user account. Each platform that ISIM manages is responsible for expiring its own passwords.

    ITIM can manage user expiration settings such as maxdays on a user account, but it is down to the target application or system to manage the expiration locally.

    I have never heard of using ISIM to achieve this and wouldn't recommend it (could possibly be hacked into lifecycle rules but not a great idea).

    Best regards,

    Vincent Cassidy

  • Shailesh Malkar
    58 Posts

    Re: ISIM Account Password Expiration

    2013-09-28T07:33:09Z

    Hi Vincent,

    I do understand the concern behind it. But we have a requirement to suspend users' respective accounts, including SAP Log-on, when password expiration happens, by which we want to achieve a single point of check for all accounts. So if you can suggest anything in that direction, it will be a great help for us.

    Thanks,

    Shailesh S. Malkar

  • goonitsupport
    116 Posts

    Re: ISIM Account Password Expiration

    2013-10-03T05:47:42Z

    Do all your applications record the date a password was last changed? For instance, LDAP doesn't. If the target platforms record the date the password was changed and this information is reconciled into ISIM, then I would say it is possible to achieve this with a lifecycle rule and a custom operation.

    If the reason for doing this is that these systems do not record this information, then ISIM can't help. In this case I would implement password synchronisation from AD and perhaps an external-facing security system such as Access Manager. This will ensure all active users change all their passwords regularly. With password synchronisation in place you then only need a lifecycle rule to check 1 account to see whether its password has changed within n days, and then suspend the Person, which will suspend all accounts.

    Best regards

    Vincent Cassidy

  • Padam Khatana
    15 Posts

    Re: ISIM Account Password Expiration

    2013-10-05T11:12:21Z

    Password synchronization should be enabled in ITIM, and an LCR needs to be written for suspension of the person and all his accounts based on password expiry days. I believe this will cover the requirement here.

    HTH

    Regards,

    Padam Khatana

  • yn2000
    1112 Posts

    Re: ISIM Account Password Expiration

    2013-10-06T04:33:13Z

    I changed my AD password 2 days ago. I changed my SAP password yesterday. And today, ISIM is suspending my AD account and SAP account, just because I changed my ISIM password 90 days ago? And then I have to call my help desk, because my account is suspended? Yeah... yeah... you can say that I can use the forgot-password facility to restore all of my accounts. But that means that the company cannot block me from using SAP when I abuse SAP, just because I can restore all of my accounts... myself.

    I dramatize the situation, but "...a requirement to suspend users respective accounts including SAP Log-on,.." is a bad requirement regardless of how you do it.

    I would tell the customer to use Vincent's idea... sync and control it with AD.

    Rgds. YN.

  • Padam Khatana
    15 Posts

    Re: ISIM Account Password Expiration

    2013-10-06T19:05:58Z
    Password sync should be enabled so that the same password will flow to all accounts, and they will have a common password expiration policy.

    In this case all the passwords will expire on the same day and will ask for a password reset; otherwise all the accounts of the person will be suspended, including SAP.

    Thanks,

    Padam Khatana

  • yn2000
    1112 Posts

    Re: ISIM Account Password Expiration

    2013-10-07T03:46:29Z

    You are talking about the Password Sync that you enable from the TIM Admin Console, right? That TIM Password Sync works only if you change the password from the TIM Admin Console. If you want to change the password in AD and you want that password to be distributed to all accounts, then you have to install AD Password Sync, aka Password Interceptor for AD. I don't think IBM produces SAP Password Sync, aka Password Interceptor for SAP. So how do you know if someone changes the password in SAP, if you do not have a Password Interceptor there?

    How about Password Interceptors in other applications? Do you want to block anybody from changing their password anyplace but TIM?

    Rgds, YN.

  • Shailesh Malkar
    58 Posts

    Re: ISIM Account Password Expiration

    2013-10-08T08:56:00Z

    Hi Vincent,

    Sorry to trouble you again, but I have one more concern. If I suspend the person, it will suspend all of his accounts, including his AD account, which will not allow the user to log in to his (desktop/laptop) machine. This is what we want to avoid. By this I mean that we want to suspend only a few accounts and not all. So how can we achieve this, if it is possible?

    One more question: which operation or workflow will get called when password expiry happens for a user?

    Thanks,

    Shailesh S. Malkar
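The decision logic behind Vincent's lifecycle-rule suggestion, and the account-level (rather than Person-level) suspension Shailesh asks about in the last post, as an added illustration that is not part of this thread and does not use ISIM's own API: plain Python over constructed reconciled account data, evaluating each account against its own target's recorded change date (skipping targets that record none, as Vincent notes for LDAP) so that a freshly changed SAP or AD password is never suspended just because the ISIM password is old, which is the failure YN describes. The owner, service and date values are made up for the example.

```python
from datetime import date

# Constructed sample of account data as it might look after reconciliation:
# one entry per account, with the date the target system itself last recorded
# a password change. None marks a target (here plain LDAP) that records no
# such date at all.
ACCOUNTS = [
    {"owner": "smalkar", "service": "AD",   "last_pw_change": date(2013, 10, 4)},
    {"owner": "smalkar", "service": "SAP",  "last_pw_change": date(2013, 10, 5)},
    {"owner": "smalkar", "service": "LDAP", "last_pw_change": None},
    {"owner": "jdoe",    "service": "AD",   "last_pw_change": date(2013, 6, 1)},
    {"owner": "jdoe",    "service": "SAP",  "last_pw_change": date(2013, 5, 20)},
]
TODAY = date(2013, 10, 6)   # evaluation date for the sample run
MAX_DAYS = 90               # password age limit, as in the thread


def stale_accounts(accounts, today, max_days, services):
    """Split the accounts on the given services into (stale, unknown).

    stale:   accounts whose own recorded password age exceeds max_days.
    unknown: accounts whose target records no change date; they are reported
             for follow-up rather than treated as expired, because the rule
             has no evidence either way.
    """
    stale, unknown = [], []
    for acct in accounts:
        if acct["service"] not in services:
            continue
        if acct["last_pw_change"] is None:
            unknown.append(acct)
        elif (today - acct["last_pw_change"]).days > max_days:
            stale.append(acct)
    return stale, unknown


def plan_suspensions(accounts, today, max_days, services):
    """Return {owner: [services to suspend]} at account level.

    Suspending individual accounts instead of the Person leaves out-of-scope
    accounts (for example AD, needed for desktop logon) untouched.
    """
    stale, _ = stale_accounts(accounts, today, max_days, services)
    plan = {}
    for acct in stale:
        plan.setdefault(acct["owner"], []).append(acct["service"])
    return {owner: sorted(svcs) for owner, svcs in plan.items()}


if __name__ == "__main__":
    print(plan_suspensions(ACCOUNTS, TODAY, MAX_DAYS, {"AD", "SAP"}))
    print(plan_suspensions(ACCOUNTS, TODAY, MAX_DAYS, {"SAP"}))
```

In the sample data only jdoe's passwords are older than 90 days, so smalkar's recently changed AD and SAP accounts are left alone, and restricting the service set to SAP is what keeps the AD desktop logon out of the suspension.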