
User Application > Self-Service > Password Management


Hi all,

I have a doubt regarding the option *"Password Sync Status"* on *User
Application interface >> Identity Self-Service >> Password Management*.
When I try to check my password sync status I get "Success", "Warning"
and "Unchecked" status for my SAP drivers.

My questions are:
How does User Application validate the user's password against connected
applications? :confused:
Is there any kind of "live" event that I can track on SAP drivers' log
to monitor these validations? :confused:

Unfortunately I didn't find any helpful information on IDM User
Application guide.

Could someone help me on this?

Thank you so much.


--
emerson_infosys
------------------------------------------------------------------------
emerson_infosys's Profile: https://forums.netiq.com/member.php?userid=5308
View this thread: https://forums.netiq.com/showthread.php?t=49250


Re: User Application > Self-Service > Password Management

On 11/18/2013 09:54 AM, emerson infosys wrote:
>
> Hi all,
>
> I have a doubt regarding the option *"Password Sync Status"* on *User
> Application interface >> Identity Self-Service >> Password Management*.
> When I try to check my password sync status I get "Success", "Warning"
> and "Unchecked" status for my SAP drivers.
>
> -_My_questions_are:_-
> How does User Application validate the user's password against connected
> applications? :confused:
> Are there any kind of "live" event that I can track on SAP drivers' log
> to monitor these validations? :confused:
>
> Unfortunately I didn't find any helpful information on IDM User
> Application guide.
>
> Could someone help me on this?
>
> Thank you so much.
>
>

Greetings,
They are seeing the word "Unchecked" under the Drivers that they are
trying to sync with, because the user does not have correct View ACL for
the driver or they are not properly associated to it. Therefore, they
get back the value of "Unchecked".

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: User Application > Self-Service > Password Management


Thank you Steven, 🙂

Any idea regarding the others status?
I could see different information on DirXML-PasswordSyncStatus
attributes.
Some drivers have:
1 - *"Code(-8032) Operation vetoed by policy."* (what I believe the new
password violated the application password policy and was not
synchronized)
2 - *"...BapiException: 'PASSWORD_NOT_ALLOWED...'"* (what I believe the
new password violated the application password policy and was not
synchronized)
3 - *"User joe0123 has changed : Password Change Successful"* (it is
clear the password was synchronized with IDM and its connected
application)

Is there any way to enforce password synchronization with connected
systems after its change on IDM/eDir? :confused:

Best regards,


--
emerson_infosys
------------------------------------------------------------------------
emerson_infosys's Profile: https://forums.netiq.com/member.php?userid=5308
View this thread: https://forums.netiq.com/showthread.php?t=49250


Re: User Application > Self-Service > Password Management

On 11/18/2013 10:46 AM, emerson infosys wrote:
>
> Thank you Steven, 🙂
>
> Any idea regarding the others status?
> I could see different information on DirXML-PasswordSyncStatus
> attributes.
> Some drivers have:
> 1 - *"Code(-8032) Operation vetoed by policy."* (what I believe the new
> password violated the application password policy and was not
> synchronized)
> 2 - *"...BapiException: 'PASSWORD_NOT_ALLOWED...'"* (what I believe the
> new password violated the application password policy and was not
> synchronized)
> 3 - *"User joe0123 has changed : Password Change Successful"* (it is
> clear the password was synchronized with IDM and its connected
> application)
>
> Are there any way to enforce password synchronization with connected
> systems after its change on IDM/eDir? :confused:
>
> Best regards,
>
>

Greetings,
You would need to handle that in your drivers. Please post to the
IDM Engine and Driver Forums regarding how to properly configure
password sync with Drivers between eDirectory and your connected systems.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: User Application > Self-Service > Password Management


Thank you again Steven,

I don't think I have an issue on my drivers' configuration, since many
users get their password synchronized successfully.
The problem is, in some cases somehow the password synch event is not
properly sent/received/processed by the connected system at the time
when the user changes the password on User Application.
Talking about SAP drivers, for me it doesn't make sense that 2 drivers sync
successfully and, because of a policy violation, 3 don't, since the SAP
systems have the same password policy 😞, *in these cases I would like
to enforce the current password to be synchronized with all SAP drivers*
(even to have the error messages again because of drivers' log rotation).

So, *is there any way to enforce the current password sync instead of
asking the user to reset the password again?* :confused:

Best regards,


--
emerson_infosys
------------------------------------------------------------------------
emerson_infosys's Profile: https://forums.netiq.com/member.php?userid=5308
View this thread: https://forums.netiq.com/showthread.php?t=49250

Knowledge Partner

Re: User Application > Self-Service > Password Management

On 11/18/2013 11:24 AM, emerson infosys wrote:
>
> Thank you again Steven,
>
> I don't think I have an issue on my drivers' configuration, once many
> users get synchronize their password successfully.
> The problem is, in some cases somehow the password synch event is not
> properly sent/received/processed by the connected system at the time
> when the user changes the password on User Application.


What Steve is saying is that there are several moving parts here.

1) Drivers handle sync. They handle check-password.

2) UA reads the results. Might send a command to drivers.

> Talking about SAP drivers, for me doesn't make sense 2 drivers sync
> successfully and, because policy violation, 3 doesn't, once the SAP
> systems have the same password policy 😞 , *in these cases I would like
> to enforce the current password to be synchronized with all SAP drivers
> *(even to have the error messages again because drivers' log rotation).


So there is a problem here. In your various drivers (each one has its
own settings), there is an option for what to do if the password change does
not work, due to security violations.

One option is to reset the IDV password to the previous one. Which can
cause all sorts of fun, especially if some of the other systems do not
allow you to revert back to the past password (i.e. History/password
uniqueness).

You would need to review every driver's settings. (In Designer,
depending on the version of Designer and the version of the driver
config/packages, right click on each driver line, and select Password
Management. If it is all blank, you have a Packaged driver, and an older
Designer).

> So, -*are there any way to enforce the current password synch instead of
> ask the user to reset the password again?*- :confused:


Not directly in the engine. You could implement such a thing in Policy.

Which is an engine thing. You would identify a trigger attribute to
force a password sync, and then implement a Sub-Event rule, that when it
sees this trigger on a user/object to read the current IDV password and
send it down the Sub channel. Then you could have a workflow to trigger
that attribute, or do it any way you would like.




Re: User Application > Self-Service > Password Management

On 11/18/2013 11:38 AM, Geoffrey Carman wrote:
> On 11/18/2013 11:24 AM, emerson infosys wrote:
>>
>> Thank you again Steven,
>>
>> I don't think I have an issue on my drivers' configuration, once many
>> users get synchronize their password successfully.
>> The problem is, in some cases somehow the password synch event is not
>> properly sent/received/processed by the connected system at the time
>> when the user changes the password on User Application.

>
> What Steve is saying is that there are several moving parts here.
>
> 1) Driver handle sync. They handle check-password.
>
> 2) UA reads the results. Might send a command to drivers.
>
>> Talking about SAP drivers, for me doesn't make sense 2 drivers sync
>> successfully and, because policy violation, 3 doesn't, once the SAP
>> systems have the same password policy 😞 , *in these cases I would like
>> to enforce the current password to be synchronized with all SAP drivers
>> *(even to have the error messages again because drivers' log rotation).

>
> So there is a problem here. In your various drivers (each one has its
> own settings), there is an option what to do if the password change does
> not work, due to security violations.
>
> One option is to reset the IDV password to the previous one. Which can
> cause all sorts of fun, especially if some of the other systems do not
> allow you to revert back to the past password (I.e. History/password
> uniqueness).
>
> You would need to review every drivers settings. (in designer,
> depending on the version of Designer and the version of the driver
> config/packages, right click on each driver line, and select Password
> Management. If it is all blank, you have a Packaged driver, and an older
> Designer).
>
>> So, -*are there any way to enforce the current password synch instead of
>> ask the user to reset the password again?*- :confused:

>
> Not directly in the engine. You could implement such a thing in Policy.
>
> Which is an engine thing. You would identify a trigger attribute to
> force a password sync, and then implement a Sub-Event rule, that when it
> sees this trigger on a user/object to read the current IDV password and
> send it down the Sub channel. Then you could have a workflow to trigger
> that attribute, or do it any way you would like.
>
>
>

Greetings,
You will want to make sure that in your Password Policy (in the
Vault) it will only allow a user to create a password that will work for
all of the systems you want to sync the password to. The User
Application is only going to look at the Password Policy rules you have
set and enforce them.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: User Application > Self-Service > Password Management


Thank you all for your reply.

I am going to plan a job that will read the user's account attribute
*DirXML-PasswordSyncStatus* and if the job finds anything different than
"User %cn% has changed : Password Change Successful", or I can
create a new attribute *"Enforce PassSync?"* to be updated through an LDAP
browser (to be used only by Service Desk operators) to create an
enforced PassSync event when they receive a call from end users. In both
cases an event will be started to sync down the user's password. 😉

I hope it's going to work :confused:

Best regards,


--
emerson_infosys
------------------------------------------------------------------------
emerson_infosys's Profile: https://forums.netiq.com/member.php?userid=5308
View this thread: https://forums.netiq.com/showthread.php?t=49250
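
The status check planned in the last post, sketched as an added example (not code from the thread or from NetIQ): it sorts the three status messages quoted above into categories and lists the drivers whose latest status is not a success. It assumes the message text has already been read from DirXML-PasswordSyncStatus and grouped per driver; the driver names, the ordering of messages and the category names are hypothetical, and the raw encoding of the attribute is not shown in the thread.

```python
import re

# Patterns built from the three status messages quoted in the thread.
# The categories follow the poster's reading of them, not vendor documentation.
RULES = [
    ("success", re.compile(r"Password Change Successful", re.I)),
    ("vetoed_by_policy", re.compile(r"Code\(-8032\)")),
    ("rejected_by_sap", re.compile(r"BapiException:.*PASSWORD_NOT_ALLOWED")),
]


def classify(message):
    """Return the category of one status message, or 'unknown'."""
    for name, pattern in RULES:
        if pattern.search(message):
            return name
    return "unknown"


def drivers_needing_resync(status_by_driver):
    """Map driver name -> category for each driver whose latest status
    is not a success. A driver with no status is reported as 'no_status'."""
    pending = {}
    for driver, messages in status_by_driver.items():
        if not messages:
            pending[driver] = "no_status"
            continue
        # Assumption: the caller passes messages oldest first.
        category = classify(messages[-1])
        if category != "success":
            pending[driver] = category
    return pending


# Constructed sample: hypothetical driver names, message text as quoted above.
SAMPLE = {
    "SAP-ECC": ["User joe0123 has changed : Password Change Successful"],
    "SAP-BW": ["Code(-8032) Operation vetoed by policy."],
    "SAP-CRM": ["...BapiException: 'PASSWORD_NOT_ALLOWED...'"],
    "SAP-SRM": [],
    "SAP-GRC": [
        "Code(-8032) Operation vetoed by policy.",
        "User joe0123 has changed : Password Change Successful",
    ],
}

if __name__ == "__main__":
    for driver, reason in sorted(drivers_needing_resync(SAMPLE).items()):
        print(f"{driver}: {reason}")
```

Keeping the rejection categories separate from `unknown` and `no_status` lets the job report why each driver is listed before any resync event is raised.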
