Password policy configuration to send temporary password (only for specific dynamic scope/"allow others" category in Manage Passwords)

Hi,

We’re working on setting up the password policy for a few applications in IdentityIQ.
We have a requirement that, if users of a specific workgroup (the service desk group in our case) change the password of a user, the generated password should be a temporary password (one-time login).

Any information that would help us achieve this would be appreciated.

Thanks,
Shivaleela

Hey,

You could override the default QuickLink definition with your own:

> <?xml version='1.0' encoding='UTF-8'?>
> <!DOCTYPE QuickLink PUBLIC "sailpoint.dtd" "sailpoint.dtd">
> <QuickLink action="managePasswords" category="Access" cssClass="quicklink-manage-passwords"
>            messageKey="quicklink_change_passwords"  name="Manage Passwords" ordering="2" >
>   <Description>quicklink_change_passwords_desc</Description>
>   <QuickLinkOptions allowSelf="true">
>     <DynamicScopeRef>
>       <Reference class="sailpoint.object.DynamicScope" name="Self Service"/>
>     </DynamicScopeRef>
>   </QuickLinkOptions>
>   <QuickLinkOptions allowOther="true">
>     <DynamicScopeRef>
>       <Reference class="sailpoint.object.DynamicScope" name="Manager"/>
>     </DynamicScopeRef>
>   </QuickLinkOptions>
>   <QuickLinkOptions allowOther="true">
>     <DynamicScopeRef>
>       <Reference class="sailpoint.object.DynamicScope" name="Help Desk"/>
>     </DynamicScopeRef>
>   </QuickLinkOptions>
> </QuickLink>

You can create new DynamicScope objects for Self Service / Manager / Help Desk.

3 Likes

Hi @abartkowski,

Appreciate your response. Maybe I’ll rephrase my question. We already have this QuickLink in place, where the service desk has a separate DynamicScope configured.

Now the issue is, while configuring the “password_policy” for an application (as pasted below), we’re setting “pwdLastSet” to true so that the generated password is a temporary/one-time login password.
Now we need to ensure this attribute change in the password_policy only works for the ServiceDesk group (“allow others”) but not for end users (“allowSelf”).

Thanks,
Shivaleela Bathini

Hi @Shivaleela,

You can incorporate the following logic into your password change policy and check. This will configure the pwdLastSet attribute to false for end users and to true for the service desk.

<Script>
  <Source>
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import sailpoint.api.ObjectUtil;
import sailpoint.object.*;

// Load the service-desk workgroup; replace "WorkGroupName" with the real workgroup name.
Identity workgroup = context.getObjectByName(Identity.class, "WorkGroupName");
log.error("workgroup :" + workgroup);
List wrkgmemnberList = new ArrayList();
if (workgroup != null && workgroup.isWorkgroup()) {
    // Collect the names of every member of the workgroup.
    Iterator wrkGrpmembers = ObjectUtil.getWorkgroupMembers(context, workgroup, null);
    while (wrkGrpmembers.hasNext()) {
        Object[] object = (Object[]) wrkGrpmembers.next();
        Identity ids = (Identity) object[0];
        wrkgmemnberList.add(ids.getName());
    }
}
// pwdLastSet is true (temporary password) only when the requester is a workgroup member.
if (!wrkgmemnberList.contains(project.getRequester())) {
    return false;
} else {
    return true;
}
  </Source>
</Script>
</Field>

Check and confirm.

Regards,
Arun

1 Like
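A fail-safe variant of the same membership check, added here as an example (it is not Arun's script or SailPoint's code): it looks at the requester's own workgroups instead of enumerating every member of the workgroup, and it forces a temporary password whenever the decision cannot be made. It assumes the same Field script bindings as above (`context`, `project`, `log`), the standard `Identity.getWorkgroups()` accessor, and a placeholder workgroup name.

```java
// Added example, not from the thread. Beanshell-compatible Field script body for the
// same password policy field. Return value: true => pwdLastSet forces a change at next
// logon (temporary password); false => the password is final.
import java.util.List;
import sailpoint.object.Identity;

// Placeholder: replace with the real service-desk workgroup name.
String SERVICE_DESK_WORKGROUP = "WorkGroupName";

String requesterName = project.getRequester();
if (requesterName == null) {
    // No requester on the project (e.g. system-initiated): fail safe and force a change.
    log.debug("pwdLastSet: no requester on project, forcing temporary password");
    return true;
}

Identity requester = context.getObjectByName(Identity.class, requesterName);
if (requester == null) {
    // Unknown requester: fail safe rather than hand out a final password.
    log.debug("pwdLastSet: requester " + requesterName + " not found, forcing temporary password");
    return true;
}

// Check membership from the requester side (Identity.getWorkgroups()) instead of loading
// every member of the workgroup; the cost scales with the requester's groups, not the team size.
List workgroups = requester.getWorkgroups();
if (workgroups != null) {
    for (int i = 0; i < workgroups.size(); i++) {
        Identity wg = (Identity) workgroups.get(i);
        if (wg != null && SERVICE_DESK_WORKGROUP.equals(wg.getName())) {
            log.debug("pwdLastSet: requester " + requesterName + " is in " + SERVICE_DESK_WORKGROUP);
            return true;
        }
    }
}

// Self-service (allowSelf) or any other requester: the user chose the password themselves.
return false;
```

Because the check is keyed on the requester rather than on the QuickLink used, it yields the same answer whether the service desk reaches the field through Manage Passwords or another flow.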
