Configuration of minimum password age rule

An administrator can configure a minimum password age rule to limit how frequently users can change the password on their account. This rule is provided in the password policy. By default, the rule is disabled.

The following points describe the limitations, scenarios, and configuration information about the minimum password age rule.

  • The rule accepts only integer values. A user with permissions to define or edit a password policy can specify the minimum period, in hours, that must pass between password changes on an account. The account owner cannot change the password on that account again within the specified period.
  • IBM Verify Identity Governance interprets the specified integer value for the rule in hours. IBM Verify Identity Governance does not evaluate the rule when a user specifies a negative value, 0, or no value; in those cases, users can change the password on their accounts again immediately.
  • IBM Verify Identity Governance can evaluate the rule only in these conditions:
    • When users try to change the password on any of the accounts owned by them.
    • When the previous password change on those accounts was successfully run by the same users (owners of the accounts).
    In other words, IBM Verify Identity Governance does not evaluate the rule if users other than the owners of the accounts, for example help desk or system administrators, made the previous password change on those accounts.
  • IBM Verify Identity Governance does not evaluate the rule when users change the password on accounts that they do not own. For example, Identity Manager Service Center does not evaluate the rule when help desk or system administrators change the password on another user's account. Identity Manager Service Center also does not evaluate the rule when the password change is initiated by the system, for example by a lifecycle rule or an automatic provisioning request workflow.
  • IBM Verify Identity Governance maintains this information in IBM® Security Directory Server:
    • Users who ran the last password change on each account object.
    • Time when the password change was run on each account object.
    If, for any reason, this information is corrupted or these attributes are removed from the account object, IBM Verify Identity Governance does not evaluate the rule correctly.
  • Identity Manager Service Center stores the password change information only when the password change is initiated by using one of these resources:
    • IBM Verify Identity Governance console
    • IBM Verify Identity Governance Self Service or the Identity Manager Service Center user interface
    • IBM Verify Identity Governance APIs
    Therefore, any information about password changes made directly on the resource or by using another tool is not used to evaluate the rule.
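The following Python program is an added illustration of the evaluation logic described in the points above; it is not IBM Verify Identity Governance code and does not use the product's APIs or attribute names. The class and function names (AccountPasswordState, parse_min_age_hours, evaluate_min_password_age) and the field names last_changed_by and last_changed_at are assumptions chosen for the example, standing in for the two pieces of information the product keeps in IBM Security Directory Server. Where the documentation says only that the rule is not evaluated correctly when that history is missing, the example treats the rule as not evaluated and reports that outcome in the reason string so an administrator can see why the check was skipped. The sample account states and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class AccountPasswordState:
    """Password-change history for one account (illustrative field names, not product attributes)."""
    owner: str                              # user who owns the account
    last_changed_by: Optional[str]          # who performed the previous password change
    last_changed_at: Optional[datetime]     # when the previous change was performed (UTC)


def parse_min_age_hours(value) -> Optional[int]:
    """Validate the configured rule value.

    Only integers are accepted (a non-integer is a configuration error).
    A negative value, 0, or no value means the rule is not evaluated, so None is returned.
    """
    if value is None or value == "":
        return None
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("minimum password age must be an integer")
    try:
        hours = int(value)
    except ValueError:
        raise ValueError("minimum password age must be an integer") from None
    return hours if hours > 0 else None


def evaluate_min_password_age(min_age_hours, requester: str, state: AccountPasswordState,
                              now: datetime, system_initiated: bool = False) -> Tuple[bool, str]:
    """Decide whether a password change request is blocked by the minimum password age rule.

    Returns (allowed, reason). 'allowed' is True both when the rule permits the change and
    when the rule is not evaluated at all; the reason string distinguishes the two.
    """
    hours = parse_min_age_hours(min_age_hours)
    if hours is None:
        return True, "not-evaluated:rule-disabled"
    # The rule is not evaluated for system-initiated changes (lifecycle rule, provisioning workflow).
    if system_initiated:
        return True, "not-evaluated:system-initiated"
    # The rule is evaluated only when the owner changes the password on their own account.
    if requester != state.owner:
        return True, "not-evaluated:requester-is-not-owner"
    # Without the stored history the rule cannot be evaluated (assumption: skip and report it).
    if state.last_changed_by is None or state.last_changed_at is None:
        return True, "not-evaluated:missing-change-history"
    # The rule is evaluated only when the previous change was also performed by the owner.
    if state.last_changed_by != state.owner:
        return True, "not-evaluated:previous-change-not-by-owner"
    elapsed = now - state.last_changed_at
    minimum = timedelta(hours=hours)
    if elapsed < minimum:
        remaining_hours = (minimum - elapsed).total_seconds() / 3600
        return False, f"denied:minimum-age-not-reached ({remaining_hours:.1f}h remaining)"
    return True, "allowed:minimum-age-reached"


if __name__ == "__main__":
    # Constructed sample data: alice changed her own password 10 hours before 'now'.
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    alice = AccountPasswordState("alice", "alice", now - timedelta(hours=10))
    reset_by_helpdesk = AccountPasswordState("alice", "helpdesk", now - timedelta(hours=1))
    for label, result in [
        ("owner, 10h after own change, 24h rule", evaluate_min_password_age(24, "alice", alice, now)),
        ("help desk resets alice's password", evaluate_min_password_age(24, "helpdesk", alice, now)),
        ("owner changes after help desk reset", evaluate_min_password_age(24, "alice", reset_by_helpdesk, now)),
        ("rule value 0", evaluate_min_password_age(0, "alice", alice, now)),
    ]:
        print(f"{label}: {result}")
```

The decision is deliberately split into "not evaluated" and "denied" outcomes: an audit log that only records allow or deny hides the cases where the rule was bypassed because the history was missing or the last change was made by someone other than the owner, which is exactly what an administrator needs to see when investigating why the minimum age was not enforced.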