Block password sync on select user objects


Is there a way to allow password sync on an Active Directory driver but
block password sync for a few select accounts on this driver? We would
want to allow other attributes for the select accounts to flow across
the driver.


--
tltittle
------------------------------------------------------------------------
tltittle's Profile: https://forums.netiq.com/member.php?userid=2739
View this thread: https://forums.netiq.com/showthread.php?t=52662

Knowledge Partner

Re: Block password sync on select user objects

tltittle wrote:

> Is there a way to allow password sync on an Active Directory driver but
> block password sync for a few select accounts on this driver? We would
> want to allow other attributes for the select accounts to flow across
> the driver.


Sure it is; it depends on which direction (or both) you want to not sync
passwords. To block PW sync on the subscriber channel, add an output transform
rule that vetoes modify-password operations for those users. To prevent
password publishing to the ID Vault, strip the attribute nspmDistributionPassword
off the current operation in the very last publisher command transform (after
the NetIQ Password Handling policies).
______________________________________________
https://www.is4it.de/identity-access-management

Re: Block password sync on select user objects


Can it be blocked based on group membership, or would each account
need to be specified, or an OU?


--
tltittle


Re: Block password sync on select user objects

tltittle wrote:

> Can it be blocked based on group membership, or would each account
> need to be specified, or an OU?


Group membership in AD or IDVault?

If IDVault, I would use something else (an attribute, a role, or entitlement) in the IDVault rather than group membership.

If AD groups, of course you can query a user's direct membership in a specified group, but I would suggest you push for an IDV attribute/role/etc. instead (cleaner design).
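One way to build the two rules from the first reply (veto on the subscriber side, strip nspmDistributionPassword on the publisher side), keyed on an Identity Vault attribute as the reply above suggests rather than on group membership. This is an added example, not code from this thread or from the NetIQ AD driver packages. It assumes a hypothetical Identity Vault attribute named NoPasswordSync that holds the string "true" on exempt accounts; the attribute name and value format are assumptions, and any attribute, role or entitlement can be substituted in the two conditions. Rule 1 belongs in the Subscriber Output Transformation; Rule 2 belongs in a policy placed last in the Publisher Command Transformation, after the NetIQ password handling policies.

```xml
<!-- Added example, not from the thread or the driver packages.
     Two DirXML-Script rules that exempt selected accounts from password
     sync in each direction while every other attribute still flows.
     Both key on a hypothetical Identity Vault attribute "NoPasswordSync"
     (assumed name, assumed value "true"); swap in the attribute, role or
     entitlement you actually use. -->

<!-- Rule 1: Subscriber channel, Output Transformation.
     Drops the modify-password operation before it reaches the AD shim,
     so the AD password is never changed for flagged users. -->
<policy>
  <rule>
    <description>Sub-OT: veto password sync for flagged users</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">modify-password</if-operation>
        <!-- nocase: by the Output Transformation the class is already mapped to AD's "user" -->
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- if-src-attr queries the Identity Vault object (the source on the
             Subscriber channel); an attribute with no Schema Mapping entry
             keeps its eDirectory name here -->
        <if-src-attr mode="nocase" name="NoPasswordSync" op="equal">true</if-src-attr>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="2">
        <arg-string>
          <token-text xml:space="preserve">Vetoing password sync to AD for </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>
</policy>

<!-- Rule 2: Publisher channel, last policy in the Publisher Command
     Transformation, after the NetIQ password handling policies have put
     the password into the nspmDistributionPassword operation attribute.
     Stripping only that attribute leaves the rest of the modify intact,
     so other attributes still reach the Identity Vault. -->
<policy>
  <rule>
    <description>Pub-CT: do not publish passwords for flagged users</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-op-attr name="nspmDistributionPassword" op="available"/>
        <!-- dest is the Identity Vault on the Publisher channel -->
        <if-dest-attr mode="nocase" name="NoPasswordSync" op="equal">true</if-dest-attr>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="2">
        <arg-string>
          <token-text xml:space="preserve">Stripping nspmDistributionPassword from publisher event for </token-text>
          <token-dest-dn/>
        </arg-string>
      </do-trace-message>
      <do-strip-op-attr name="nspmDistributionPassword"/>
    </actions>
  </rule>
</policy>
```

Two checks before trusting this: confirm in driver trace (level 3) that the publisher operation actually carries nspmDistributionPassword at the point where Rule 2 runs; if your policy is ordered before the NetIQ password policies, the attribute is not there yet and nothing is stripped. Also note that on a publisher add the Identity Vault object does not exist yet, so if-dest-attr evaluates false and the initial password is still published; if that matters, handle the add case with a separate condition on the source object.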

Re: Block password sync on select user objects

On Mon, 26 Jan 2015 22:24:01 +0000, tltittle wrote:

> Can it be blocked based on group membership, or would each account
> need to be specified, or an OU?


IDM doesn't have a simple "if member of..." token, but yes, you can do
this. Something like:


<rule>
  <description>Password Sync Filter</description>
  <conditions>
    <or>
      <if-operation mode="case" op="equal">modify-password</if-operation>
    </or>
  </conditions>
  <actions>
    <do-set-local-variable name="Groups" scope="policy">
      <arg-node-set>
        <token-src-attr name="Group Membership"/>
      </arg-node-set>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">$Groups[contains(.,'Path\To\Groups\No-Password-Sync-Group')]</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Blocking password synchronization for </token-text>
            <token-src-name/>
            <token-text xml:space="preserve"> due to Group Membership.</token-text>
          </arg-string>
        </do-trace-message>
        <do-strip-op-attr name="nspmDistributionPassword"/>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>


would do the job. You'll need to test this, and probably modify it
slightly, but it should get you close.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.