We can write a password policy for a set of users using the "FILTER" option in the Create Password Policy task.
But I have a requirement where I need to run a policy with strong password capabilities for some users who are all added to an AD group. This I can't achieve through the "FILTER" option.
Can anyone suggest how this can be achieved? I currently have two approaches:
1) A PowerShell script that will add the AD group members to a table; PX will get all these users and add them to an IM group, and I will write a password policy with the filter set to "IM Group".
2) Run some DS command through PX to get the AD users, and another policy to add them to the IM group.
Do we have a better way to achieve this, something more out of the box?
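One way to script the AD-to-table half of the first approach (the PX side that reads the table is not shown), as an added example that is not code from this thread; the group, SQL instance, database and table names are assumptions, and the table is assumed to have a sAMAccountName column and a LastSeen column:

```powershell
# Added example (not from the thread): mirror one AD group's membership into a
# staging table so a PX policy can add/remove IM group members from it.
# All names below are assumptions; replace them for your environment.
Import-Module ActiveDirectory
Import-Module SqlServer

$GroupName   = 'Strong-Password-Users'    # assumed AD group
$SqlInstance = 'IMDB01'                   # assumed SQL Server instance
$Database    = 'IMStaging'                # assumed database
$Table       = 'dbo.StrongPasswordUsers'  # assumed table (sAMAccountName, LastSeen)

# Resolve membership recursively so nested groups are honoured, and keep only
# user objects (nested groups and computer accounts are skipped).
$adMembers = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

# Guard: if AD returned nothing (emptied group or a failed lookup), do not
# wipe the table, which would silently drop everyone out of the strong policy.
if ($adMembers.Count -eq 0) {
    Write-Warning "No user members returned for '$GroupName'; leaving table untouched."
    return
}

# What the staging table currently holds.
$staged = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
    -Query "SELECT sAMAccountName FROM $Table" |
    ForEach-Object { $_.sAMAccountName })

# Compute both directions so users removed from the AD group also leave the
# table (and therefore the IM group) instead of keeping the strong policy forever.
$toAdd    = $adMembers | Where-Object { $_ -notin $staged }
$toRemove = $staged    | Where-Object { $_ -notin $adMembers }

foreach ($u in $toAdd) {
    $safe = $u -replace "'", "''"   # escape quotes before embedding in T-SQL
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
        -Query "INSERT INTO $Table (sAMAccountName, LastSeen) VALUES (N'$safe', GETDATE())"
}
foreach ($u in $toRemove) {
    $safe = $u -replace "'", "''"
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
        -Query "DELETE FROM $Table WHERE sAMAccountName = N'$safe'"
}
Write-Output "Added $($toAdd.Count), removed $($toRemove.Count) for group '$GroupName'."
```

Run it on a schedule under a service account with read access to the group and write access to the table; the PX policy that consumes the table then only needs to handle adds and removes, not full rebuilds.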
Please try this approach:
I assume the AD is a managed endpoint and not the user directory, which is why the IM users' groups are not the same as the AD groups.
As you noted, the IM Password Policy cannot filter based on the groups that an associated account has, so you will need to either populate information on the IM user object in an attribute field or create IM groups and assign IM users to those groups. You can then use either the User Filter (if populating a user attribute) or the Group Filter (if assigning IM groups).
I will test and will surely update you on this. My only concerns are:
The number of users with the strong password requirement is small compared to the overall user count (approx. 1%).
Will it be a good idea to fetch AD groups every time a user resets his/her password?
Will it slow down the password reset process? Anyhow, I am going to test what you have suggested, and I believe we can achieve our requirement with this method.
How can I get the members of an AD group without adding an extra layer to IDAM?
Is it possible through an etautil script?
The IM Password Policy filter is based on IM data (user attribute values, group membership), so you would need the IM data to be set up and maintained. You would end up needing to export the AD data and determine how to set up IM data based on that. However, the bigger challenge would be to maintain the IM data values when that AD data undergoes changes.
This sounds like it would be best served by CA Services, engaging an architect to gather requirements and design a solution. It is beyond just some etautil script.
Your questions are valid.
To tackle performance, make use of an Entry Rule or Action Rule Condition. This means implementing the logic in such a way that PX only extracts AD groups if one of those 1% of users is resetting a password.
Is there a way to identify those users without extracting their AD account's AD groups and checking their values? Maybe some flag in a User Store attribute?
Or maybe assign some dummy Provisioning Role (without an Account Template) to these 1% of users, if we know these users beforehand. Then this dummy Provisioning Role assignment can be checked at PX so that the complex password check enforcement can be done.
The user count will keep on changing (the AD team is adding and removing users from the group), and we don't have any such attribute to identify these users; otherwise we could have used the password policy OOTB filter option.
I was thinking we could create a task for the AD team (an AD team user will log in to IAM) to add or remove a user in the IM group when they perform the same at the AD end.
On this IM group we will filter the password policy.
But this will be a manual process.
Yes that should be good if AD Team agrees.
Thanks a lot Sumeet
I have exactly the same requirement. In AD we already have the group where elevated user accounts are added, but in CAIM we don't have a password policy for these elevated users.
We have to identify Administrative Users, create a group in CA Identity Manager that mimics the AD group, sync between the two groups on a daily basis, and create a password policy for the users who are members of that particular AD group.
How did you finally achieve this? Any help would be greatly appreciated.