Simple IDM eDir driver rule assistance needed


Greetings,

Hoping this is an easy question....

I'm using IDM 3.6.1
  • What have you tried so far, and how has it not worked? Using the password
    expiration time is probably the best way I can think of to do this without
    using something like Novell/NetIQ Sentinel to detect a password reset sent
    via auditing functionality, which may be a slightly better way of handling
    this, but is not related to IDM necessarily, and since you have IDM this
    should work. All you should need to do is compare the expiration time and
    see if it is within a few seconds of the present (or anytime in the past)
    and then send the e-mail, but knowing what you have currently, and having
    the trace from your attempts, will help us help you better.

    Good luck.
  • On 09.04.2013 01:58, ab wrote:
    > What have you tried so far, and how has it not worked? Using the password
    > expiration time is probably the best way I can think of to do this without
    > using something like Novell/NetIQ Sentinel to detect a password reset sent
    > via auditing functionality, which may be a slightly better way of handling
    > this, but is not related to IDM necessarily, and since you have IDM this
    > should work. All you should need to do is compare the expiration time and
    > see if it is within a few seconds of the present (or anytime in the past)
    > and then send the e-mail, but knowing what you have currently, and having
    > the trace from your attempts, will help us help you better.


    This is what we have used (on IDM 3.6.1):

    1. Password Expiration Time as Subscriber Notify in the driver filter.

    2. The following policy.

    <rule>
      <description>Password Expiration Detection</description>
      <conditions>
        <and>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
          <if-operation mode="case" op="equal">modify</if-operation>
          <!-- regex mode must match the entire value, so one or more digits
               is required; a CTIME value is a plain run of digits -->
          <if-op-attr mode="regex" name="Password Expiration Time"
            op="changing-to">\d+</if-op-attr>
        </and>
      </conditions>
      <actions>
        <!-- now plus one second, so a value equal to "now" still tests as
             less than currentTime below -->
        <do-set-local-variable name="currentTime" scope="policy">
          <arg-string>
            <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="1"
              offset-unit="second" src-format="!CTIME" src-tz="UTC">
              <token-time format="!CTIME" tz="UTC"/>
            </token-convert-time>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <or>
              <!-- expiration set to any time in the past -->
              <if-op-attr mode="numeric" name="Password Expiration Time"
                op="lt">$currentTime$</if-op-attr>
            </or>
          </arg-conditions>
          <arg-actions>
            <do-trace-message>
              <arg-string>
                <token-text xml:space="preserve">act on an admin password
    reset</token-text>
              </arg-string>
            </do-trace-message>
          </arg-actions>
          <!-- empty else branch -->
          <arg-actions/>
        </do-if>
      </actions>
    </rule>

    This policy could be improved, as Aaron suggests, to check that the
    password expiration occurred sometime in the very recent past (rather
    than just checking that the password expiration was set to a value in
    the past) - that wouldn't be too hard to add in.

    We used this rule to force accounts in other connected systems to
    require password change on first logon when the administrator reset the
    password in IDM.

    --
    ----------------------------------------------------------------------
    Alex McHugh
    NetIQ Knowledge Partner http://forums.netiq.com

    Please post questions in the forums. No support is provided via email.
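The recent-past check Alex mentions, written out as an added example; this is not code from the thread or from NetIQ. It assumes a 300-second window, computes the lower bound with token-xpath arithmetic on the CTIME string rather than a second convert-time offset, and uses placeholder SMTP server and addresses in the do-send-email action.

```xml
<rule>
  <description>Password Expiration Detection (recent-window variant)</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="case" op="equal">modify</if-operation>
      <!-- regex mode must match the whole value, so require one or more digits -->
      <if-op-attr mode="regex" name="Password Expiration Time" op="changing-to">\d+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- upper bound: now plus one second, so a value equal to "now" is still below it -->
    <do-set-local-variable name="currentTime" scope="policy">
      <arg-string>
        <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="1"
          offset-unit="second" src-format="!CTIME" src-tz="UTC">
          <token-time format="!CTIME" tz="UTC"/>
        </token-convert-time>
      </arg-string>
    </do-set-local-variable>
    <!-- lower bound: now minus the window; 300 seconds is an assumed value -->
    <do-set-local-variable name="windowStart" scope="policy">
      <arg-string>
        <token-xpath expression="$currentTime - 300"/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <!-- both bounds: set to the past, but only within the last window -->
          <if-op-attr mode="numeric" name="Password Expiration Time" op="gt">$windowStart$</if-op-attr>
          <if-op-attr mode="numeric" name="Password Expiration Time" op="lt">$currentTime$</if-op-attr>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- server and addresses are placeholders -->
        <do-send-email server="smtp.example.com">
          <arg-string name="from"><token-text xml:space="preserve">idm@example.com</token-text></arg-string>
          <arg-string name="to"><token-text xml:space="preserve">security@example.com</token-text></arg-string>
          <arg-string name="subject"><token-text xml:space="preserve">Admin password reset detected</token-text></arg-string>
          <arg-string name="message">
            <token-text xml:space="preserve">Password Expiration Time set to the recent past for </token-text>
            <token-src-dn/>
          </arg-string>
        </do-send-email>
      </arg-actions>
    </do-if>
  </actions>
</rule>
```

An expiration date set months in the past by hand no longer triggers the mail, only one within the window, which is what distinguishes an administrative reset from other edits of the attribute.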