Introduction

Different password policies can be defined for each target system. A policy always consists of a combination of a regex pattern array and a validation text. The validation text is referenced by a name key, which allows the text to be translated into multiple languages.

Properties

Whenever you are creating or updating a password policy, you have to specify the following properties:

| Property | Data Type | Mandatory | Example | Description |
|---|---|---|---|---|
| Name | String | yes | Default Password Policy | The name of the password policy. |
| Change at first logon | Bool | yes | true | Whether or not the user must change their password upon the first logon. This option overrides the setting that can be set on the Active Directory target system; it can in turn be overwritten in the Active Directory identity provisioning configuration. |
| Password expiration rule | DropDown | no | | An optional password expiration rule. |
| Enforce password policy on logon | Bool | yes | true | Whether or not the user's password is checked against the current password policy upon logon. If the password does not meet the criteria of the password policy, the user is forced to change it. |
| Check against password blacklist | Bool | yes | true | Whether or not the password is checked against a blacklist. For details, see the Password Blacklist section further down. |
| Check against current password | Bool | yes | true | Whether or not the new password is checked against the current password upon a password change. This check is performed in the target system itself and therefore affects the execution time of a password change. Available from version 8.1.10. |
| Force change when password on the black-list | Bool | yes | true | If enabled, the user is asked to change their password if it is on the blacklist. If disabled, the user is presented with a warning instead. Note: this setting requires Check against password blacklist to be enabled, otherwise it is ignored. |
| How many previous passwords to check | Unsigned Integer | yes | 1 | The number of password hashes that are kept in the system to check the new password against. If set to 0, none are kept. |

Regex-Pattern-Array

The regex pattern array is a list of one or more regex patterns, entered in JSON syntax. A password satisfies the array only if every pattern in it matches; the patterns are matched anywhere in the password (search semantics), which is what allows a single-character pattern such as "[A-Z]" to express "at least one capital letter".

```json
[ ".{8,32}" ]
```

Note that, unless the implementation anchors patterns or requires a full match, ".{8,32}" is satisfied by any password of eight or more characters, because a longer password still contains an 8-to-32-character substring. To enforce the upper bound with search semantics, anchor the pattern as "^.{8,32}$".

Validation text

For each regex pattern array a validation text can be defined, which is displayed to the user if one of the patterns in the array does not match.

Default-Guideline

If no password policy is assigned to a target system, the default policy applies, which has the following conditions defined:

  • At least one capital letter

  • At least one lowercase letter

  • Length between 8 and 32 characters

Regex patterns, name keys and validation texts:

| Regex | Name-Key | Text |
|---|---|---|
| [ "[A-Z]" ] | Global.Validation.Password.Uppercase | Please enter at least one capital letter |
| [ "[a-z]" ] | Global.Validation.Password.Lowercase | Please enter at least one lowercase letter |
| [ "[0-9]" ] | Global.Validation.Password.Number | Please enter at least one number |
| [ "[^A-Za-z0-9]" ] | Global.Validation.Password.specialcharacter | Please enter at least one special character |
| [ ".{8,32}" ] | Global.Validation.Password.8To32Characters | Please enter between 8 and 32 letters |
| [ ".{10}" ] | Global.Validation.Password.DoesNot10charcacter | Please increase the password length to min. 10 characters |
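The following Python is an added example, not the product's own code, showing how a policy built from regex pattern arrays, name keys and validation texts is evaluated: each rule is a JSON array of patterns, a rule passes only if every pattern in its array matches somewhere in the password, and the validation texts of all failed rules are collected for the user. The JSON structure with the field names `patterns`, `key` and `text`, and the use of search semantics, are assumptions; the patterns and name keys are the ones from the table above. The block also demonstrates the length caveat: the unanchored ".{8,32}" rule accepts a 44-character password, while the anchored variant rejects it.

```python
import json
import re

# Constructed example policy (assumed structure, not the product's stored
# format): one entry per regex pattern array, each with the name key and
# English validation text from the table above.
DEFAULT_POLICY = [
    {"patterns": ["[A-Z]"], "key": "Global.Validation.Password.Uppercase",
     "text": "Please enter at least one capital letter"},
    {"patterns": ["[a-z]"], "key": "Global.Validation.Password.Lowercase",
     "text": "Please enter at least one lowercase letter"},
    {"patterns": ["[0-9]"], "key": "Global.Validation.Password.Number",
     "text": "Please enter at least one number"},
    {"patterns": ["[^A-Za-z0-9]"], "key": "Global.Validation.Password.specialcharacter",
     "text": "Please enter at least one special character"},
    {"patterns": [".{8,32}"], "key": "Global.Validation.Password.8To32Characters",
     "text": "Please enter between 8 and 32 letters"},
]
DEFAULT_POLICY_JSON = json.dumps(DEFAULT_POLICY)


def load_policy(policy_json):
    """Parse the JSON policy and pre-compile every pattern of every rule."""
    rules = []
    for rule in json.loads(policy_json):
        compiled = [re.compile(p) for p in rule["patterns"]]
        rules.append((compiled, rule["key"], rule["text"]))
    return rules


def validate(password, rules):
    """Return the name keys of every rule the password fails; [] means accepted.

    Patterns are applied with search (not full match): "[A-Z]" has to be
    satisfied by one character somewhere in the password. Assumption: the
    product's regex engine is used the same way.
    """
    return [key for compiled, key, _ in rules
            if not all(p.search(password) for p in compiled)]


def validation_texts(password, rules):
    """The texts shown to the user for the failed rules, in policy order."""
    failed = set(validate(password, rules))
    return [text for _, key, text in rules if key in failed]


DEFAULT_RULES = load_policy(DEFAULT_POLICY_JSON)

# Caveat: with search semantics ".{8,32}" only enforces the minimum length,
# because a password of 33+ characters still contains an 8-to-32-character
# substring. Anchoring the pattern makes the upper bound effective.
ANCHORED_LENGTH_RULE = {"patterns": ["^.{8,32}$"],
                        "key": "Global.Validation.Password.8To32Characters",
                        "text": "Please enter between 8 and 32 letters"}
ANCHORED_RULES = load_policy(json.dumps(DEFAULT_POLICY[:-1] + [ANCHORED_LENGTH_RULE]))

if __name__ == "__main__":
    for pw in ["Secret1!", "secret1!", "short", "Aa1!" + "x" * 40]:
        print(repr(pw), validation_texts(pw, DEFAULT_RULES))
    print("anchored:", validate("Aa1!" + "x" * 40, ANCHORED_RULES))
```

Running the block shows that "Aa1!" followed by forty "x" characters passes the default rules but fails only the anchored length rule, which is the behaviour to verify against the real engine before relying on the documented "between 8 and 32" text.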

Generate Password Workflow Definition Id

The workflow that is triggered receives the default input data and no additional input.

Password Blacklist

A blacklist can be added to the password policy. By default, it is stored on the app server as the file "C:\ProgramData\itsense\BlackList.txt", one entry per line. Each password change is checked against that list. An example list could look like this:

```text
InappropriateWord
EasyPassword123
1234567890
Password
Password!
```

Check previous passwords

Indicates whether a new password has to be checked against old passwords. This only applies to old passwords; the current password is always prohibited. Set this to 0 to disable the feature.
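As an added example that is not part of the product, the following Python puts the blacklist check and the previous-password check together. The blacklist is the example list from the section above, loaded from an inline string instead of BlackList.txt; exact, case-sensitive matching (which is why "Password" and "Password!" appear as separate entries) is an assumption, as is storing the history as salted PBKDF2-SHA256 hashes, the product's hashing is not documented here. The history keeps the current password plus "How many previous passwords to check" older ones, so with the value 0 only the current password is rejected.

```python
import hashlib
import hmac
import os

# Constructed blacklist (the example list above); the product reads it from
# BlackList.txt on the app server instead.
BLACKLIST_TEXT = """\
InappropriateWord
EasyPassword123
1234567890
Password
Password!
"""

PBKDF2_ITERATIONS = 50_000  # assumption; the product's hashing is not documented


def load_blacklist(text, case_sensitive=True):
    """One entry per line; blank lines are ignored. Assumption: exact matching."""
    entries = (line.strip() for line in text.splitlines())
    return {e if case_sensitive else e.casefold() for e in entries if e}


def is_blacklisted(password, blacklist, case_sensitive=True):
    return (password if case_sensitive else password.casefold()) in blacklist


class PasswordHistory:
    """Stores the current password and up to previous_to_check older ones as
    salted PBKDF2 hashes, so a reuse check never needs the plaintext."""

    def __init__(self, previous_to_check):
        self.previous_to_check = previous_to_check
        self._entries = []  # (salt, digest), oldest first; the last one is current

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)

    def is_reused(self, password):
        """True if the password is the current one or one of the kept previous ones."""
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        """Make password the current one and drop hashes outside the window."""
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        window = self.previous_to_check + 1  # previous ones plus the current one
        del self._entries[:-window]


def check_change(new_password, history, blacklist):
    """Reasons a password change is rejected; an empty list means accepted."""
    reasons = []
    if is_blacklisted(new_password, blacklist):
        reasons.append("blacklist")
    if history.is_reused(new_password):
        reasons.append("reuse")
    return reasons


if __name__ == "__main__":
    blacklist = load_blacklist(BLACKLIST_TEXT)
    history = PasswordHistory(previous_to_check=1)
    history.record("Winter2023!")
    history.record("Spring2024!")
    for candidate in ["Password!", "Spring2024!", "Winter2023!", "Autumn2024!"]:
        print(repr(candidate), check_change(candidate, history, blacklist))
```

For the logon-time behaviour, where "Force change when password on the black-list" decides between forcing a change and only warning, the same `is_blacklisted` call is used on the password the user just presented, and the caller decides which of the two reactions to take.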