Symantec IGA


Password policy filter based on AD group membership

  • 1.  Password policy filter based on AD group membership

    Posted 08-31-2017 05:30 AM

    Hi All,

    We can write a password policy to work for a set of users using the "FILTER" option in the create password policy task.

    But I have a requirement where I need to run a policy with strong password capabilities for some users who are all added in an AD group. This I can't achieve through the "FILTER" option.

    Can anyone suggest whether this can be achieved? I currently have two approaches:

    1) A PowerShell script that will add the AD group members to a table; PX will get all these users and add them to an IM group, and I will write a password policy with the filter set to "IM Group"

    2) Run some ds command through PX to get the AD users and another policy to add them to an IM group

    Do we have a better way to achieve it, something more out of the box?



  • 2.  Re: Password policy filter based on AD group membership

    Broadcom Employee
    Posted 09-01-2017 02:45 AM

    Hi Amit,

    Please try this approach:

    • Create a PX to check whether the User has an AD account when the Password Reset task is submitted
    • If yes, extract the associated AD Groups (I think 'groupMembership' should be the AD attr name to be extracted at PX). The result should come in List (Grp1^Grp2^Grp3) or JSON format
    • If the associated AD groups are within those specific AD groups, create an Action Rule
    • The Action Rule will check the new password complexity
    • If the complexity is not met, throw an error which should not submit the Admin Task

    Regards,

    Sumeet



  • 3.  Re: Password policy filter based on AD group membership

    Posted 08-31-2017 12:02 PM

    I assume the AD is a managed endpoint and not the user directory, hence why the IM users' groups are not the same as the AD groups.

    As you noted, the IM Password Policy cannot filter based on the groups that an associated account has, so you will need to either populate information on the IM user object in an attribute field or create IM groups and assign IM users to those groups. You can then use either the User Filter (if populating a user attribute) or the Group Filter (if assigning IM groups).



  • 4.  Re: Password policy filter based on AD group membership

    Posted 09-01-2017 03:03 AM

    Thanks Sumeet,

    I will test and will surely update you on this. My only concern is:

    The number of users with the strong password requirement is small compared to the overall user count (1% approx).

    Will it be a good idea to fetch AD groups every time a user resets his/her password?

    Will it slow down the password reset process? Anyhow, I am going to test what you have suggested, and I believe we can achieve our requirement with this method.



  • 5.  Re: Password policy filter based on AD group membership

    Posted 08-31-2017 12:52 PM

    Thanks KennyV

    How can I get the members of an AD group without adding an extra layer to IDAM?

    Is it possible through an etautil script?



  • 6.  Re: Password policy filter based on AD group membership

    Posted 08-31-2017 01:00 PM

    The IM Password Policy filter is based on IM data (user attribute values, group membership), so you would need the IM data to be set up and maintained. You would end up needing to export the AD data and determine how to set up the IM data based on that. However, the bigger challenge would be to maintain the IM data values when that AD data undergoes changes.

    This sounds like it would be best served by CA Services and engaging an architect to gather requirements and design a solution. It is beyond just some etautil script.



  • 7.  Re: Password policy filter based on AD group membership
    Best Answer

    Broadcom Employee
    Posted 09-01-2017 05:45 AM

    Hi Amit,

    Your questions are valid.

    To tackle performance, make use of an Entry Rule or Action Rule Condition. That is, implement the logic in such a way that PX only extracts AD groups if those 1% of users are resetting passwords.

    Is there a way to identify those users without extracting their AD account's AD groups and checking their values? Maybe some flag in a User Store attribute?

    Or maybe assign some dummy Provisioning Role (without Account Template) to these 1% of users, if we know these users beforehand. Then this dummy Provisioning Role assignment can be checked at PX so that the complex password check enforcement can be done.

    Regards,

    Sumeet
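
As an added example (not code from this thread or from CA Identity Manager), the decision logic Sumeet describes in reply 2 combined with the short-circuit he suggests above, simulated in Python: the has-AD-account check and an optional user-store flag run before the caret-delimited groupMembership value is parsed, and the strong complexity rule is applied only to members of the privileged AD groups. The group names, the flag and field names, and the complexity rules are constructed assumptions for illustration.

```python
import re

# Constructed sample: the AD groups whose members get the stronger rule.
# Comparison is case-insensitive because AD group names are.
STRONG_POLICY_GROUPS = {"domain admins", "privileged-users"}


def parse_group_membership(value):
    """Split the caret-delimited list PX returns (e.g. 'Grp1^Grp2^Grp3')."""
    return [g.strip() for g in (value or "").split("^") if g.strip()]


def needs_strong_policy(user):
    """Entry-rule logic: cheap checks first, the group read only when needed.

    'has_ad_account' and 'strong_policy_flag' are assumed user-store fields."""
    if not user.get("has_ad_account"):
        return False                      # no AD account: default policy applies
    if user.get("strong_policy_flag"):
        return True                       # flagged user: no group lookup needed
    groups = {g.lower() for g in parse_group_membership(user.get("groupMembership"))}
    return bool(groups & STRONG_POLICY_GROUPS)


def strong_password_violations(password, user_id):
    """Action-rule complexity check; returns the list of failed rules (constructed)."""
    rules = [
        (len(password) >= 14, "at least 14 characters"),
        (re.search(r"[A-Z]", password), "an upper-case letter"),
        (re.search(r"[a-z]", password), "a lower-case letter"),
        (re.search(r"[0-9]", password), "a digit"),
        (re.search(r"[^A-Za-z0-9]", password), "a symbol"),
        (user_id.lower() not in password.lower(), "must not contain the user ID"),
    ]
    return [msg for ok, msg in rules if not ok]


def evaluate_reset(user, new_password):
    """Return which policy applied and why the Admin Task would be rejected."""
    if not needs_strong_policy(user):
        return {"policy": "default", "violations": []}
    return {"policy": "strong",
            "violations": strong_password_violations(new_password, user["user_id"])}


if __name__ == "__main__":
    # Constructed sample user; an empty violation list means the task may submit.
    admin = {"user_id": "amit", "has_ad_account": True,
             "groupMembership": "Grp1^Domain Admins^Grp3"}
    print(evaluate_reset(admin, "Summer2017"))
```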


  • 8.  Re: Password policy filter based on AD group membership

    Posted 09-01-2017 06:01 AM

    Thanks Sumeet,

    The user count will keep on changing (the AD team are adding and removing users from the group), and we don't have any such attribute to identify these users, else we could have used the password policy OOTB filter option.

    I was thinking we could create a task for the AD team (an AD team user will log in to IAM) to add or remove a user in the IM group when they perform the same at the AD end.

    On this IM group we will filter the password policy, but this will be a manual process.

    Regards,

    Amit



  • 9.  Re: Password policy filter based on AD group membership

    Broadcom Employee
    Posted 09-01-2017 06:08 AM

    Yes that should be good if AD Team agrees.



  • 10.  Re: Password policy filter based on AD group membership

    Posted 09-01-2017 06:25 AM

    Thanks a lot Sumeet



  • 11.  Re: Password policy filter based on AD group membership

    Posted 12-07-2017 09:31 AM

    Hi Amit,

    I have exactly the same requirement. In AD we already have the group where elevated user accounts are added, but in CAIM we don't have a password policy for these elevated users.

    We have to identify the Administrative Users, create a group in CA Identity Manager that mimics the AD group, sync between the two groups on a daily basis, and create a password policy for the users who are members of that particular AD group.

    How did you finally achieve this? Any help would be much appreciated.

    Thanks!