3 replies. Latest post 2013-07-04T18:56:47Z by franzw
frisalde
Provisioning RACF account without password

2013-07-03T17:40:42Z

Hi everybody,

I am trying to create a RACF account without password.

I have defined an Automatic Provisioning Policy where the entitlements are defined, except the password attribute. By means of granting the role to a user, I am able to trigger the automatic provisioning, i.e. an RBAC-based model.

Nevertheless, as you can see on the screenshot, the password attribute is passed to the adapter. Neither the adapter documentation nor the service.def profile says the password is required.

Any clue?


  • franzw

    Re: Provisioning RACF account without password

    2013-07-03T19:16:39Z in response to frisalde

    IIRC the only way you can avoid a password on provisioning is by removing the erpassword attribute from the profile....

    The way it works OOB is that the system generates a password based on the PASSWORD policy - if you include the password in the PROVISIONING policy that will override the password.

    There are some settings on the profile that govern the password on restore:

    com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE
    com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE

    You can look the finer detail up in the formal documentation.

    HTH

    Regards

    Franz Wolfhagen

    • frisalde

      Re: Provisioning RACF account without password

      2013-07-04T17:37:55Z in response to franzw

      Thanks Franz for your reply.

      As far as I know this behaviour is new in ITIM 5.0. On previous releases I don't think it worked as it does now. Besides, the adapter documentation should be amended; as you can see on the screenshot, the password is not required :-0

      On the other hand, I have just realized that when a password is provisioned by a provisioning policy, the adapter checks whether it is compliant with the password policies, doesn't it?

      Regarding the password on restore setting, I don't think it takes effect in the add account process. :-(


      • franzw

        Re: Provisioning RACF account without password

        2013-07-04T18:56:47Z in response to frisalde

        I am pretty sure this behavior has been consistent since 4.5 - but no reason to argue about that :-)

        Passwords are IIRC never required - this would not make sense, as you would need to enter them on any account change, and this would require that the administrator knows the password or that it is changed on every account change. This behavior you can test, as it is how services are normally set up...

        I am also pretty sure that the adapter NEVER checks the password - if it is checked, this is part of the workflow; the adapter knows nothing about the policies. I normally recommend NOT provisioning the password like this - it is much better to send the password (or use another secure method) to the user. When the password is created by the password policy, it is ensured to be compliant and (relatively) random.

        The password on restore settings were just to show the only (to me) known behavioral password settings - and to make them known to whoever reads these forums :-)

        Regards

        Franz Wolfhagen