How is the Person.DialogUserPassword initialized?

The 1IM Operational Guide says:

Using a password policy

You can assign password policies to system user passwords, the employees' central password as well as passwords for individual target systems. Assign a password policy to the base object to which it should apply.

  • The predefined One Identity Manager Password policy password policy is assigned to the (DialogUser.Password and Person.DialogUserPassword) system user passwords as well as the passcode of the employee (Person.Passcode).
  • The predefined password policy Employee central password policy is assigned to the employee's central password (Person.CentralPassword).
  • The password policies for target systems are assigned to the password columns of the user accounts.

I set an initial password on both predefined password policies, like 'P@ssw0rd'. Then I create an Employee using Manager and don't key in anything in the related password field.

After saving, 1IM can sync the centralpassword to other target systems, but when I log in to the password reset web or another web portal, I can't log on using the dialoguserpassword.

I don't know why the dialoguserpassword is not initialized; I have set an initial password on the password policy.

Please help if you have any suggestions, or tell me "You have the wrong concept".

Thanks very much~~

  • Hi,

    Talking v8.x (please let us know your product version number), you need to check QER\Person\UseCentralPassword\SyncToSystemPassword in Designer->Getting Started->Edit configuration parameters, and set/unset them according to your needs.

    Also check which authentication method you're using in your web applications. In the Web Designer, open your project. On the Start page there's a cog + wrench button; click there and set the authentication module. It should be at least Employee (role based) to use the dialog password.

    HtH!

  • The version is 8.1. I have checked the configuration parameter you mentioned; it is on by default.

    I wonder why the Person.DialogUserPassword is not initialized even though I have set an initial password.

  • Can you see the process QER_Person_Publish_CentralPassword in jobqueue running right after you update a person's central password in Manager? Check this process in Designer too (Process Orchestration->Person); it will help you trace this behaviour.

  • Thanks juancarlos, I'll clarify the issue in more detail as below:

    1. Set an initial password on the predefined One Identity Manager Password policy password policy

    2. Create an Employee, keying in only firstname and lastname using Manager

    3. Save

    4. The Employee can't log in to the password reset web using the initial password

    5. The Employee can log in to the other target system like MS AD

    I don't know why the initial password on the predefined One Identity Manager Password policy password policy is not effective.

  • Hi,

    Yes, you're quite right. I've been able to reproduce your problem and it is just as you say. Hmmm.. let me check a few things.

  • OOTB, the initial password is not set at Person.DialogUserPassword due to some security concerns. For example, there is no way to provide a one-time or time-limited login for the person-based authenticators using this password. In combination with the empty password protection turned on by default, newly created users are unable to log into the system.

    Depending on your use-case I suggest using either a passcode based first-time login to the password reset web for new persons as we do for our user self-service scenario in 8.1 or to add the necessary code to create an initial password for Person.DialogUserPassword.

  • Thanks Markus,

    I do second that for safety. In our case we were unaware of this configuration because our users are assigned a temporary password and the first thing they do is change it via Windows logon -> password sync to OI.

    Have a nice day!

  • Thanks Markus,

    I understand this is for safety! Thanks~~