Symantec IGA


Notify password expiration by email

  • 1.  Notify password expiration by email

    Posted Dec 29, 2016 11:48 AM

    I would like to know if this can be done: I want Identity Manager to send an email reminder to users from 14 days before the expiration of their Identity Manager password until they change their password.



  • 2.  Re: Notify password expiration by email
    Best Answer

    Broadcom Employee
    Posted Jan 17, 2017 10:10 AM

    Hi Felix,

     

    Yes, it can be done. It's a bit complex though. You will need to create an email policy in IDM which basically is set to trigger when the attribute for password expiration is 14 days ahead of expiration. I believe that attribute is the %PASSWORD_DATA%. You should check your users and look at this attribute using an LDAP browser to learn its format so that you can then make the comparison in your email policy accurately.

     

     

    Regards,

    Sagi



  • 3.  Re: Notify password expiration by email

    Posted May 05, 2017 03:20 PM

    Hello Sagi,

     

    I am also trying to do exactly the same thing, however, the %PASSWORD_DATA% attribute in the user store is an encrypted blob (our IdM environment is integrated with SiteMinder). Would you have any recommendation how to read that data to a meaningful context and send the email notification either via email policy or px policy?

     

    Thank you so much,

     

    Ephrem



  • 4.  Re: Notify password expiration by email

    Posted Feb 27, 2018 05:56 AM

    Hi Ephrem,

     

    I am trying to configure password expiry notifications for the users from CA Identity Manager 12.6 SP8; however, as you mentioned, the %PASSWORD_DATA% attribute in the user store is encrypted data and I couldn't find a way to read or extract it in a meaningful way to notify via PX policy. Our environment is integrated with Ping federation for SSO authentication. Did you manage to find a way to do it?

     

    Thanks,

    Brijit.



  • 5.  Re: Notify password expiration by email

    Posted Feb 27, 2018 11:11 AM

    Hi Brijit –

     

    What I ended up doing is capturing the date when the password changed for a user in some custom attribute and then doing a bulk task that would scan for those dates that are, say, 14 days before expiry. For example, if user A changes password today, I will capture today’s date in an attribute “password changed date”, then I have a bulk task that runs nightly with a criteria that filters for users that are within the notification date and triggers a PX somehow to send email.

     

    I hope that helps.

     

    Kind regards,

     

    Ephrem



  • 6.  Re: Notify password expiration by email

    Broadcom Employee
    Posted Apr 27, 2018 05:36 AM

    This is very much the way to implement this requirement. %PASSWORD_DATA% value cannot be read by any public method - this can only be achieved by storing the required date in a clear way in another attribute.


    Regards

    Rinat

    CA Tech Support



  • 7.  Re: Notify password expiration by email

    Posted Dec 10, 2018 08:17 PM

    Hello Ephrem/Rinat,

     

    Thanks for the suggestion!

     

    Configured an attribute to capture "last password change" and managed to update the attribute via PX for every password change and created a PX to filter the user population something like this,

    am calculating Days_until_expiry as "SELECT Expiry_days = DIFF({'Today'}, 'DATEADD(day, 45, '{'Last_Password_change'}')')" and trying to trigger notification 

    further configured a bulk task to send email notification before 14 days and 5 days and scheduled it to run every night, but for some reason the bulk task is not getting triggered. Also tried executing it manually and didn't get the expected result.

     

    Could you please help me with what I am missing here?

     

    Regards,

    Brijit.



  • 8.  Re: Notify password expiration by email

    Broadcom Employee
    Posted Dec 17, 2018 10:57 AM

    If you preview the users in the Population tab of the Bulk Task, do you see the expected users?  Also, when you executed it manually what results did you actually get, and what were the expected results?



  • 9.  Re: Notify password expiration by email

    Posted Dec 21, 2018 12:10 AM

    Hi Catherine,

    Thanks for the response,

    After editing the date filters, I managed to get the population data as expected; however, the bulk task fails with the error message "No data element was found for: Last_Password_Change, failed performing action send mail"

    But Last_Password_change holds valid data when checked across user data.

     

    Regards,

    Brijit.



  • 10.  Re: Notify password expiration by email

    Broadcom Employee
    Posted Dec 21, 2018 10:30 AM

    Hi Brijit,

    This appears to be a problem with the PX Policy configuration. Are you using Last_Password_Change in the PX action that sends the mail? Check that the data element name is specified correctly in any action element that uses it. It is case sensitive, so if you named the data element "Last_Password_change" please ensure that the action element uses the same case, e.g. {'Last_Password_change'} rather than {'Last_Password_Change'}.

     

    Regards,

    Cathy



  • 11.  Re: Notify password expiration by email

    Posted Jan 04, 2019 04:14 AM

    Thanks Cathy, that was helpful.

     

    I am able to trigger the notification after correcting the data element and simplifying the SQL query.

    Regards,

    Brijit.
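
The workaround discussed in this thread (a clear-text last-change date plus a nightly filter) is sketched below outside Identity Manager as an added example; it is not code from any poster or from the product. The attribute name, the 45-day lifetime and the 14-day window come from the posts; the ISO date format, the user records and the function names are assumptions.

```python
from datetime import date, datetime

MAX_AGE_DAYS = 45               # password lifetime mentioned in the thread
WINDOW_DAYS = 14                # remind from this many days before expiry
ATTR = "Last_Password_change"   # data element name; lookup is case sensitive
DATE_FMT = "%Y-%m-%d"           # assumed storage format of the custom attribute


def days_until_expiry(last_change: date, today: date) -> int:
    """Days left before expiry; negative once the password has expired."""
    return MAX_AGE_DAYS - (today - last_change).days


def select_for_reminder(users, today):
    """Nightly filter: return (notify, skipped).

    notify  -> [(uid, days_left)] for users inside the reminder window,
               including already expired ones (reminder continues until change)
    skipped -> [(uid, reason)] so bad records are reported, not silently lost
    """
    notify, skipped = [], []
    for user in users:
        raw = user.get(ATTR)    # exact-case lookup, like a PX data element
        if not raw:
            skipped.append((user["uid"], "attribute missing or empty"))
            continue
        try:
            changed = datetime.strptime(raw, DATE_FMT).date()
        except ValueError:
            skipped.append((user["uid"], f"unparseable date {raw!r}"))
            continue
        if changed > today:
            skipped.append((user["uid"], "change date is in the future"))
            continue
        left = days_until_expiry(changed, today)
        if left <= WINDOW_DAYS:
            notify.append((user["uid"], left))
    return notify, skipped


# Constructed sample records, not taken from any real directory.
SAMPLE_USERS = [
    {"uid": "alice", "Last_Password_change": "2018-11-20"},  # 14 days left
    {"uid": "bob",   "Last_Password_change": "2018-12-10"},  # 34 days left
    {"uid": "carol", "Last_Password_Change": "2018-11-20"},  # wrong-case name
    {"uid": "dave",  "Last_Password_change": "21/12/2018"},  # wrong format
    {"uid": "erin",  "Last_Password_change": "2018-11-01"},  # expired 5 days ago
]

if __name__ == "__main__":
    print(select_for_reminder(SAMPLE_USERS, date(2018, 12, 21)))
```

The `skipped` list is what to review after each run: a record stored under a differently cased name or in another date format drops out of the notification population without any error at selection time.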