
Introduction

Different password policies can be defined for each target system. A policy always consists of a regex pattern array combined with a validation text; the text is referenced through a name key, which allows it to be translated into multiple languages.

Properties

Whenever you create or update a password policy, you have to specify the following properties:

Property | Data Type | Mandatory | Example | Description
--- | --- | --- | --- | ---
Name | String | yes | Default Password Policy | The name of the password policy
Change at first logon | String | yes | true | Whether or not the user must change his password upon the first logon
Password expiration rule | DropDown | no | | An optional password expiration rule
Enforce password policy on logon | Bool | yes | true | Whether or not the user's password should be checked against the current password policy upon logon. If the password does not meet the criteria of the password policy, the user is forced to change his password.
Check against password blacklist | Bool | yes | true | Whether or not the password should be checked against a blacklist. For details, see the blacklist section further down.
Check against current password | Bool | yes | true | Whether or not the password should be checked against the current password upon a password change. If enabled, the password is checked against all provisioned identities of the current core identity. This check is performed in the target system itself and therefore affects the execution time of a password change.
Force change when password on the black-list | Bool | yes | true | If enabled, the user is asked to change his password if it is on the blacklist. If disabled, the user is presented with a warning instead.
How many previous passwords to check | Bool | yes | 1 | The number of password hashes kept in the system to check the new password against. If set to 0, none are kept.

Regex-Pattern-Array

The regex pattern array is a list of several regex patterns. The list must be entered in JSON syntax.

Example with multiple conditions:

[ ".{8,32}", "[A-Z]", "[a-z]", "[0-9]" ]

Example with a single condition:

[ ".{8,32}" ]

Validation text

For each regex pattern array a validation text can be defined, which is displayed to the user if one of the patterns does not match.

Default Policy

If no password policy is assigned to a target system, the default policy applies, which defines the following conditions:

  • At least one capital letter

  • At least one lowercase letter

  • Length between 8 and 32 characters

Regex | Name-Key | Text
--- | --- | ---
[ "[A-Z]" ] | Global.Validation.Password.Uppercase | Please enter at least one capital letter
[ "[a-z]" ] | Global.Validation.Password.Lowercase | Please enter at least one lowercase letter
[ "[0-9]" ] | Global.Validation.Password.Number | Please enter at least one number
[ "[^A-Za-z0-9]" ] | Global.Validation.Password.specialcharacter | Please enter at least one special character
[ ".{8,32}" ] | Global.Validation.Password.8To32Characters | Please enter between 8 and 32 letters
[ ".{10}" ] | Global.Validation.Password.DoesNot10charcacter | Please increase the password length to min. 10 characters

Generate Password Workflow Definition Id

This feature was introduced in version 7.2

Whenever a new password has to be generated for an identity with the given password policy, you can specify a workflow to override the default behavior. By default, a new password matching the default password policy is calculated.

If you have configured a more complex password policy, or you want to check the generated password against an external system, a customized password blacklist or any other special use case, use your own workflow. The Generate Random String activity is particularly useful in this case.

The triggered workflow receives the default input data and no additional input.

Password Blacklist

A blacklist can be added to the password policy. By default, it is stored on the web server as the file "C:\ProgramData\itsense\BlackList.txt". Each password change is checked against that list. An example list could look like this:

InappropriateWord
EasyPassword123
1234567890
Password
Password!
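As an added example (not the product's own code), the following Python validator applies a regex pattern array in the JSON syntax described above to a candidate password, maps each failed rule to the name key of its validation text, and checks the password against a BlackList.txt-style list. The policy, texts and blacklist contents are constructed from the values on this page; the example assumes that patterns are evaluated with unanchored search semantics, which is why it also shows that ".{8,32}" on its own does not enforce the 32-character upper bound.

```python
import json
import re

# Constructed example policy in the page's JSON pattern-array syntax: each rule
# pairs one regex pattern array with the name key of its validation text.
POLICY_JSON = """[
  {"regex": ["[A-Z]"],   "key": "Global.Validation.Password.Uppercase"},
  {"regex": ["[a-z]"],   "key": "Global.Validation.Password.Lowercase"},
  {"regex": ["[0-9]"],   "key": "Global.Validation.Password.Number"},
  {"regex": [".{8,32}"], "key": "Global.Validation.Password.8To32Characters"}
]"""

# Name key -> displayed text (the English texts from the table above).
TEXTS = {
    "Global.Validation.Password.Uppercase": "Please enter at least one capital letter",
    "Global.Validation.Password.Lowercase": "Please enter at least one lowercase letter",
    "Global.Validation.Password.Number": "Please enter at least one number",
    "Global.Validation.Password.8To32Characters": "Please enter between 8 and 32 letters",
}

# Constructed stand-in for the contents of BlackList.txt (one entry per line).
BLACKLIST_TXT = "InappropriateWord\nEasyPassword123\n1234567890\nPassword\nPassword!\n"


def load_blacklist(text):
    """Parse a BlackList.txt-style file body into a set of forbidden passwords."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def failed_keys(password, policy):
    """Return the name keys of every rule whose patterns the password fails.

    Assumption: patterns are applied with unanchored search semantics, so
    ".{8,32}" only enforces the minimum length; write "^.{8,32}$" when the
    upper bound must hold too. Every pattern in a rule's array must match.
    """
    return [
        rule["key"]
        for rule in policy
        if not all(re.search(p, password) for p in rule["regex"])
    ]


def check_password(password, policy_json=POLICY_JSON, blacklist_txt=BLACKLIST_TXT):
    """Evaluate one candidate: failed name keys, their texts, and the blacklist check."""
    keys = failed_keys(password, json.loads(policy_json))
    return {
        "keys": keys,
        "messages": [TEXTS.get(k, k) for k in keys],
        "blacklisted": password in load_blacklist(blacklist_txt),  # exact match assumed
    }
```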

Check previous passwords

Indicates whether a new password has to be checked against old passwords. This only applies to old passwords; the current password is always prohibited. Set this to 0 to disable the feature.
