Is setting up a password policy at the PMDB level a good idea?
Many PROD servers are connected with PMDB.
When I set a password policy on a particular server, every time, due to gracelogin, the users are unable to log in.
I tried to ignore gracelogin by doing grace- in the pass policy, but still the user is only able to log in once.
How could I ignore gracelogin when I apply a pass policy in seos?
Thanks in advance.
gracelogin becomes 0.
I can set gracelogin to a higher number, but I don't want any limit for gracelogins...
Using PMDB to manage your password policy is neither 'good' nor 'bad'. Most customers seem to prefer to use the newer Advanced Policy Management (APM) instead, but both options should work and it is really a matter of which way you prefer to manage the policy.
According to the documentation the grace value must be between 0 and 255. When you think about what a grace login actually is, it makes more sense (to me at least) that you wouldn't want to have this unlimited for a few reasons.
1- It may directly go against a corporate password policy.
2- It would allow users the unlimited ability to use an expired password without having to change it. Why bother having a password expiration if you are going to negate it by allowing someone to keep using it forever?
You should consider using interval- to remove the password expiration instead.
setoptions Command Set Options - CA Privileged Identity Manager - 12.9.01 - CA Technologies Documentation
Hope this helps,
Thanks for the reply Chris.
The challenge here is,
We already have subscribers on PMDB and if we deploy password policy at PMDB, it will set the grace login as the number we will set and the users must change the password before the grace login becomes 0.
This case is okay for all the users who can change the password, but what about the batch users or any application users which may use a new session for every login? For these users, the password must be changed with the sepass command, and if not, then the application or batch or cron may be down.
Please correct me if I am wrong.
Is there any way that we can set the password policy so that users do not have a dependency to change their password immateriality?
Read the last word as Immediately.