Password management

Both users and services use IDs and passwords to authenticate to the cloud subscription. To ensure password integrity, password policies apply to both user accounts and service accounts.

User accounts

The way users manage their passwords depends on whether your subscription uses your company Identity Provider (IdP) for Security Assertion Markup Language (SAML) based authentication.

IdP authentication

User authentication is delegated to your Identity Provider (IdP), which is connected as a SAML federated partner in Cloud Pak for Business Automation as a Service. When a user logs in to the subscription, the login is redirected to your IdP for user authentication. If the authentication is successful, access is granted to the cloud subscription. Users maintain passwords in your company IdP.

When the user logs out, the subscription session is terminated, and the user is redirected to the login page and subsequently to your IdP.

Non-IdP authentication

When a user activates their account, they specify a password that conforms to the Cloud Pak for Business Automation as a Service password rules. If a user has access to several subscriptions, the same password applies across all subscriptions.

Tools authentication

The following capabilities and tools require additional authentication:
  • Content Platform Engine Desktop tools
  • IBM® Salesforce Connector App
  • IBM Navigator administration console
  • Enterprise Records Administration Client: scheduling and running sweeps

How users set the password for accessing these tools depends on whether your subscription is set up for IdP or non-IdP authentication:

IdP authentication

Users must explicitly set a tools password by going to the user menu and selecting Set Tools Password. If users have access to several subscriptions, they must set a tools password on one subscription and then activate it on each of their other subscriptions.

Non-IdP authentication

Users must activate their login password as their tools password by going to the user menu and selecting Activate Tools Password. If users have access to several subscriptions, they must activate their tools password on each of their other subscriptions.

Changing non-IdP passwords

All passwords are valid for 90 days. An email is automatically sent to users a week before the password expiry date and again on the day the password expires. Users can manage passwords by going to their user menu and selecting Change Password. When users change passwords, they can also choose to terminate all their active sessions, for example, if they think their user account has been compromised. If sessions are terminated, the user account is also locked for a short time. After a few minutes, the user can log in again with their new password. If a user also has a tools password and they have access to several subscriptions, they must activate their new login password as their tools password on each of their other subscriptions.

After a password expires, users have three attempts to log in to change their password. If users forget their password or they are locked out of their account because they exceeded five failed login attempts, they can request a password reset from the login page. If a user also has a tools password, they must activate their new login password as their tools password on each of their subscriptions.

Service accounts

For service accounts, the password is a randomly generated character string that is sufficiently long and complex to be considered safe against brute-force attacks. Password expiry is not enforced for service accounts; you decide how long passwords remain valid before you change them.

If there are more than 100 failed login attempts with the service account's functional ID, the service account is locked for 60 minutes.
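As an added illustration (not code from Cloud Pak for Business Automation as a Service), the following Python models the user and service account rules above, the 90-day validity with a reminder a week before expiry, the lock after more than five failed user logins, and the 60-minute lock after more than 100 failed service ID logins, and runs them over constructed audit lines so an administrator can see which accounts are approaching a lockout. The log format, the account names and the assumption that a successful login resets the failure count are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

USER_LIFETIME = timedelta(days=90)     # user passwords are valid for 90 days
USER_WARN = timedelta(days=7)          # reminder email a week before expiry
USER_LOCK_AFTER = 5                    # user locked once failures exceed 5
SERVICE_LOCK_AFTER = 100               # service ID locked once failures exceed 100
SERVICE_LOCK_FOR = timedelta(minutes=60)

# Constructed audit lines in a hypothetical format: "<ISO time> <LOGIN_OK|LOGIN_FAIL> <account> <user|service>"
BASE = datetime(2024, 5, 1, 10, 0, 0)
def _fails(account, kind, n):
    return [f"{(BASE + timedelta(seconds=i)).isoformat()} LOGIN_FAIL {account} {kind}" for i in range(n)]
SAMPLE_LOG = _fails("alice", "user", 6) + _fails("svc-ingest", "service", 101) \
    + _fails("carol", "user", 4) + [f"{BASE.isoformat()} LOGIN_OK bob user"]

def lockout_state(lines, now):
    """Map each account to 'ok', 'near_lock' or 'locked' under the page's thresholds.
    Assumption: a successful login resets the failure counter."""
    fails, kinds, last_fail = Counter(), {}, {}
    for line in lines:
        ts, event, account, kind = line.split()
        kinds[account] = kind
        if event == "LOGIN_FAIL":
            fails[account] += 1
            last_fail[account] = datetime.fromisoformat(ts)
        else:
            fails[account] = 0
    state = {}
    for account, kind in kinds.items():
        limit = SERVICE_LOCK_AFTER if kind == "service" else USER_LOCK_AFTER
        n = fails[account]
        if n > limit:
            # service lock lifts after 60 minutes; a locked user needs a reset from the login page
            lifted = kind == "service" and now >= last_fail[account] + SERVICE_LOCK_FOR
            state[account] = "ok" if lifted else "locked"
        elif n >= limit - 1:
            state[account] = "near_lock"   # one failure from the threshold: alert before lockout
        else:
            state[account] = "ok"
    return state

def password_status(kind, password_set, now):
    """'ok', 'warn' (within the reminder week) or 'expired'; service expiry is not enforced."""
    if kind == "service":
        return "ok"
    expiry = password_set + USER_LIFETIME
    if now >= expiry:
        return "expired"
    return "warn" if now >= expiry - USER_WARN else "ok"
```

Because service account expiry is not enforced by the platform, the same age check is the place to plug in whatever rotation window you decide on for functional IDs.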