Symantec IGA

Hi All,

We can write a password policy to work for set of users using "FILTER" option in create password policy task.

But I have a requirement where I need to run a policy with strong password capabilities for some users who all are added in an AD group, Now this I can't achieve through "FILTER" option

Can anyone suggest me on this if it can be achieved, I am currently have two approaches:

1)Power shell script that  will add ad group members in a table, PX will get all these users and add them in an IM group and I will write a password policy with filter as "IM Group"

2)Run some ds command through PX to get AD users and another policy to add them in IM group

Do we have a better way to achieve it something more out of the box.

I assume the AD is a managed endpoint and not the user directory hence why the IM users's groups are not the same as the AD groups.

As you noted the IM Password Policy cannot filter based on the groups that an associated account has so you will need to either populate information on the IM user object in an attribute field or you would need to create IM groups and assign IM users to those groups. You can then user either the User Filter (if populating a user attribute) or the Group Filter (if assigning IM groups).

Thanks KennyV

How can I get members of an AD group without adding an extra layer to IDAM.

Is it possible through etautil script.

The IM Password Policy filter is based on IM data (user attribute values, group membership) so you would need the IM data to be set up and maintained. You would end up needing to export out the AD data and determine how to set up IM data based on that. However the bigger challenge would be to maintain the IM data values when that AD data undergoes changes. 

This sounds like it would be best served by CA Services and engaging an architect to gather requirements and design a solution. It is beyond just some etautil script. 

Thanks Sumeet,

I will test and will surely update you on this, My only concern is:

Number of users with strong password requirement is less compared to overall user count(1% approx)

Will it be a good idea to fetch AD grps every time a user reset his/her password

Will it slow down the password reset process, Any how I am going to test what you have suggested, And I believe we can achieve our requirement with this method

Thanks Sumeet,

The user count will keep on changing(AD team are adding and removing users from group) and we don't have any such attribute to identify these users else we could have used password policy ootb filter option.

I was thinking if we create a task for AD team(AD team user will login to IAM) to add or remove a user  in IM group when he perform same at AD end.

On this IM group we will filter password policy

But this will be a manual process.

Regards,

Amit

Thanks a lot Sumeet

Hi Amit,

I have exactly the same requirement. In AD we already have the group where elevated user accounts are added but in CAIM we don't have a password policy for these elevated users.

We have to identify Administrative Users, create a group in CA Identity Manager that mimics the AD group, sync between the two groups on a daily basis and create a password policy for the user who are members of that particular AD group. 

How did you finally achieved this? Any help would be very grateful.

Thanks!