
Need to Assign Universal Password Policy to Individual Users


Hello!

I have several Universal Password policies. Based on rules, I need to
assign one of them to an individual user object. I don't see a way of
doing this, after Googling and reading Geoff's Definitive Guide.

Setting up a container structure and moving users is not an option.

Any ideas?


--
mjstew
------------------------------------------------------------------------
mjstew's Profile: https://forums.netiq.com/member.php?userid=10214
View this thread: https://forums.netiq.com/showthread.php?t=54027


Re: Need to Assign Universal Password Policy to Individual Users

mjstew <mjstew@no-mx.forums.microfocus.com> wrote:
> Hello!
>
> I have several Universal Password policies. Based on rules, I need to
> assign one of them to an individual user object. I don't see a way of
> doing this, after Googling and reading Geoff's Definitive Guide.


Do you need to assign the UP or just generate a password that meets a
specific UP?

Mixing UPs in the same container in the IDVault sounds like a recipe for
problems.

To answer your actual question: I think you can do this by setting the
relevant attributes that link a UP to a user. This could be easily done in
a null driver, for example. You can work out which attributes by observing
before/after UP assignment on a test user in iManager.

> Setting up a container structure and moving users is not an option.
>





--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.

Re: Need to Assign Universal Password Policy to Individual Users

On 08/11/2015 02:39 PM, Alex McHugh wrote:
> Mixing UPs in the same container in the IDVault sounds like a recipe for
> problems.


There could be some, but they're all human problems, meaning problems we
humans have understanding which rules apply to us. If things like SSPR
are used properly, the individual's rules will be seen when they try to
change their own password, which is what really matters.

> To answer your actual question. Think you can do this via setting the
> relevant attributes that link a UP to a user. This could be easily done in
> a null driver for example. You can work out which attributes by observing
> before/after UP assignment on test user in iManager.


The way assignment works is that NMAS checks assignment in the following
order, and of course first match wins:

User's direct parent container (ou, dc, etc.)
User's direct partition root (the container where the user's own partition
is defined, which may be the user's parent container as well in some
cases, or may be the tree [root], or something in between).
The 'Login Policy.Security' object.

With that understood, NMAS only checks the nspmPasswordPolicyDN attribute
at those levels, so if you set it (as Alex said, with a Null driver action
or something) then that's all you need to do. You MAY want to update the
reciprocal attribute on the policy itself (nsimAssignments) with the DN of
the user being assigned, but keep in mind that this becomes a
heavily-multi-valued attribute if you do this a lot, which can impact
performance when you try to view it. It really has no purpose other than
to be a convenient place for admins to see all assignments of a policy,
but in your case that may not matter.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
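The precedence ab describes (with the user's own attribute checked first, as the follow-up reply adds), as an added example that is not from the thread or from NMAS itself: a small Python resolver over a constructed in-memory tree. The DNs, the partition layout and the policy names are all made up for illustration; the resolver walks user, parent container, partition root, then the Login Policy object, and reports which level supplied the policy.

```python
"""Resolve the effective Universal Password policy for a user the way the
thread describes NMAS doing it: first match wins, in this order.

  1. the user's own nspmPasswordPolicyDN
  2. the user's direct parent container
  3. the root of the user's partition
  4. the 'Login Policy.Security' object

The directory below is a constructed in-memory stand-in for eDirectory
(a dict of DN -> attributes plus the set of partition roots); nothing here
talks to a live tree.
"""

POLICY_ATTR = "nspmPasswordPolicyDN"
LOGIN_POLICY_DN = "cn=Login Policy,cn=Security"
POLICIES = "cn=Password Policies,cn=Security"

# Constructed sample tree. [root] is written as "" (the empty DN).
# ou=staff is its own partition; everything else sits in the [root] partition.
DIRECTORY = {
    "": {},
    "cn=Security": {},
    LOGIN_POLICY_DN: {POLICY_ATTR: "cn=Default Policy," + POLICIES},
    "o=acme": {},
    "ou=staff,o=acme": {POLICY_ATTR: "cn=Staff Policy," + POLICIES},
    "ou=contractors,ou=staff,o=acme": {},
    "cn=alice,ou=staff,o=acme": {},
    "cn=bob,ou=contractors,ou=staff,o=acme": {},
    "cn=carol,ou=contractors,ou=staff,o=acme": {
        POLICY_ATTR: "cn=90 Day Policy," + POLICIES},
    "cn=dave,o=acme": {},
}
PARTITION_ROOTS = {"", "ou=staff,o=acme"}


def parent_dn(dn):
    """Strip the leading RDN; the parent of a top-level entry is [root] ('')."""
    head, sep, rest = dn.partition(",")
    return rest if sep else ""


def partition_root(dn, partition_roots=PARTITION_ROOTS):
    """Walk up from the entry until an ancestor is a partition root."""
    current = dn
    while current not in partition_roots:
        if current == "":
            raise ValueError("no partition root above %r" % dn)
        current = parent_dn(current)
    return current


def resolve_policy(directory, user_dn):
    """Return (policy_dn, source) following NMAS precedence, or (None, None)
    when no level carries nspmPasswordPolicyDN."""
    candidates = [
        ("user", user_dn),
        ("parent container", parent_dn(user_dn)),
        ("partition root", partition_root(user_dn)),
        ("Login Policy", LOGIN_POLICY_DN),
    ]
    for source, dn in candidates:
        policy = directory.get(dn, {}).get(POLICY_ATTR)
        if policy:
            return policy, source
    return None, None


if __name__ == "__main__":
    for user in ("cn=alice,ou=staff,o=acme",
                 "cn=bob,ou=contractors,ou=staff,o=acme",
                 "cn=carol,ou=contractors,ou=staff,o=acme",
                 "cn=dave,o=acme"):
        print(user, "->", resolve_policy(DIRECTORY, user))
```

Note that bob picks up the Staff policy through the partition root even though his direct parent (ou=contractors) carries no policy, which is the case that surprises people who expect only the parent container to matter.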

Re: Need to Assign Universal Password Policy to Individual Users

On 11.08.2015 22:54, ab wrote:

1.) check the users' nspmPasswordPolicyDN (assigned to the user directly)
> User's direct parent container (ou, dc, etc.)
> User's direct partition root (the container where the user's own partition
> is defined, which may be the user's parent container as well in some
> cases, or may be the tree [root], or something in between).
> The 'Login Policy.Security' object.
>



Re: Need to Assign Universal Password Policy to Individual Users


mjstew;259674 Wrote:
> Hello!
>
> I have several Universal Password policies. Based on rules, I need to
> assign one of them to an individual user object. I don't see a way of
> doing this, after Googling and reading Geoff's Definitive Guide.
>
> Setting up a container structure and moving users is not an option.
>
> Any ideas?


Hi mjstew,
You can set a specific Universal Password policy based on your business
logic.
You have to populate the password policy DN into the *nspmPasswordPolicyDN*
attribute:

nspmPasswordPolicyDN: cn=Sample Password Policy,cn=Password
Policies,cn=Security

The password policy has a corresponding "reference" attribute,
*nsimAssignments* (something similar to User/Group relations).

You can use IDM *reciprocal* functionality.
Your policy will set/remove link to the right Password policy and IDM
will set "back-link" from policy to the user for you.

Alex


--
If you find this post helpful, please show your appreciation by clicking
on the star below :cool:
------------------------------------------------------------------------
al_b's Profile: https://forums.netiq.com/member.php?userid=209
View this thread: https://forums.netiq.com/showthread.php?t=54027


Re: Need to Assign Universal Password Policy to Individual Users

On 8/11/2015 4:24 PM, mjstew wrote:
>
> Hello!
>
> I have several Universal Password policies. Based on rules, I need to
> assign one of them to an individual user object. I don't see a way of
> doing this, after Googling and reading Geoff's Definitive Guide.
>
> Setting up a container structure and moving users is not an option.


Muhaha! I claim you did not read the book right! It was obvious in
there. 🙂 (Or not...)

Actually just added an even neater twist at a customer...

We did a Loopback driver, that defined an Entitlement for Password
Policies. Thus you could define a 90 Day Password role, which assigned
the Resource, which assigned the Entitlement of the Password policy you
built as 90 days.

And so on...

As Aaron says, it is just two attributes. nspmPasswordPolicyDN on the
user. And nsimAssignments on the password policy object.

Like Group Membership/member.


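The two-attribute mechanism al_b and Geoff describe, as an added example rather than anything from the thread or from IDM itself: Python that builds the LDIF changes to move a user onto a policy, keeps nsimAssignments on the old and new policy objects in step (the back-link IDM's reciprocal attribute mapping would maintain for you), and audits the tree for stale links. The users, policy names and starting state are constructed; the LDIF is returned as text, not applied anywhere.

```python
"""Assign a Universal Password policy to one user and keep the reciprocal
link consistent. nspmPasswordPolicyDN on the user is what NMAS reads;
nsimAssignments on the policy is only the admin-facing back-link, so a
stale entry there does not change enforcement but does mislead whoever
reads the policy in iManager. Directory state here is a constructed dict.
"""

USER_ATTR = "nspmPasswordPolicyDN"
POLICY_ATTR = "nsimAssignments"
POLICIES = "cn=Password Policies,cn=Security"
STAFF = "cn=Staff Policy," + POLICIES
NINETY = "cn=90 Day Policy," + POLICIES


def sample_directory():
    """Constructed starting state: alice and erin both on the Staff policy."""
    return {
        STAFF: {POLICY_ATTR: ["cn=alice,ou=staff,o=acme",
                              "cn=erin,ou=staff,o=acme"]},
        NINETY: {POLICY_ATTR: []},
        "cn=alice,ou=staff,o=acme": {USER_ATTR: STAFF},
        "cn=erin,ou=staff,o=acme": {USER_ATTR: STAFF},
    }


def ldif_modify(dn, op, attr, value):
    """One LDIF changetype: modify record with a single add/delete/replace."""
    return "dn: %s\nchangetype: modify\n%s: %s\n%s: %s\n-\n" % (
        dn, op, attr, attr, value)


def plan_assignment(directory, user_dn, new_policy_dn):
    """Return the LDIF records that put user_dn on new_policy_dn: replace the
    user's forward link, remove the old back-link, add the new one. Nothing is
    modified here; feed the text to ldapmodify or let the driver do it."""
    if new_policy_dn not in directory:
        raise KeyError("unknown password policy %r" % new_policy_dn)
    old_policy_dn = directory[user_dn].get(USER_ATTR)
    if old_policy_dn == new_policy_dn:
        return []  # already assigned; no change needed
    records = [ldif_modify(user_dn, "replace", USER_ATTR, new_policy_dn)]
    old_links = directory.get(old_policy_dn, {}).get(POLICY_ATTR, [])
    if old_policy_dn and user_dn in old_links:
        records.append(ldif_modify(old_policy_dn, "delete", POLICY_ATTR, user_dn))
    if user_dn not in directory[new_policy_dn].get(POLICY_ATTR, []):
        records.append(ldif_modify(new_policy_dn, "add", POLICY_ATTR, user_dn))
    return records


def apply_assignment(directory, user_dn, new_policy_dn):
    """Apply the planned change to the in-memory directory (what the IDM
    policy plus reciprocal mapping would do in the tree) and return the
    records that were produced."""
    records = plan_assignment(directory, user_dn, new_policy_dn)
    if records:
        old = directory[user_dn].get(USER_ATTR)
        if old and user_dn in directory.get(old, {}).get(POLICY_ATTR, []):
            directory[old][POLICY_ATTR].remove(user_dn)
        directory[user_dn][USER_ATTR] = new_policy_dn
        links = directory[new_policy_dn].setdefault(POLICY_ATTR, [])
        if user_dn not in links:
            links.append(user_dn)
    return records


def dangling_backlinks(directory):
    """Audit: (policy_dn, user_dn) pairs where nsimAssignments names a user
    whose nspmPasswordPolicyDN points elsewhere, or where a user's policy
    lacks the matching back-link. Empty list means the two sides agree."""
    problems = []
    for dn, attrs in directory.items():
        for user_dn in attrs.get(POLICY_ATTR, []):
            if directory.get(user_dn, {}).get(USER_ATTR) != dn:
                problems.append((dn, user_dn))
        policy = attrs.get(USER_ATTR)
        if policy and dn not in directory.get(policy, {}).get(POLICY_ATTR, []):
            problems.append((policy, dn))
    return problems


if __name__ == "__main__":
    tree = sample_directory()
    for rec in apply_assignment(tree, "cn=alice,ou=staff,o=acme", NINETY):
        print(rec)
    print("stale links:", dangling_backlinks(tree))
```

The audit function is the piece worth keeping around: ab's warning that nsimAssignments becomes heavily multi-valued also means it drifts easily if a driver only ever adds to it, and a periodic comparison of the two sides catches that before an admin trusts the policy view.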

Re: Need to Assign Universal Password Policy to Individual Users


Hi Geoff!

I scoured your book using keywords "polic" and "universal password". I
saw no reference to those attributes, but I didn't know about them, so
they may be in there but I wouldn't have known to look for them.

I'll run that entitlement idea past the crew. Thanks for the idea!

Jack


--
mjstew
------------------------------------------------------------------------
mjstew's Profile: https://forums.netiq.com/member.php?userid=10214
View this thread: https://forums.netiq.com/showthread.php?t=54027


Re: Need to Assign Universal Password Policy to Individual Users

On 8/12/2015 1:45 PM, mjstew wrote:
>
> Hi Geoff!
>
> I scoured your book using keywords "polic" and "universal password". I
> saw no reference to those attributes, but I didn't know about them, so
> they may be in there but I wouldn't have known to look for them.


I was joking. The book is about how to use the various tokens, with
examples. I do not think I used that specific example.

> I'll run that entitlement idea past the crew. Thanks for the idea!


It just makes it fit the RBPM model so much more nicely.
