Password reset portal issue - How to decide which accounts you can change the password for

You can override one of the standard scripts that define which passwords you can change. All described here https://support.oneidentity.com/technical-documents/identity-manager/8.1.2/web-application-configuration-guide/10#TOPIC-1371112

Thanks for your reply, Markus! 

In the documentation you have attached I see that the script "QER_PasswordReset_IsAllowSet" takes in input the following parameters:

1. Current user's UID_Person.
2. Object's key (ObjectKey) offered for password reset.
3. Password column name.

Which table do these parameters refer to? Where can I compare the values of "ObjectKey" or "Password column name" so I get the right value that relates to the password account I want to exclude? What do these two parameters refer to?

The ObjectKey parameter takes the object key in the XML-Notation of OneIM. You will find this in the property XOBjectKey of the user account, e.g. ADSAccount.XObjectKey.

If you look at the original script, it checks if the table name of the objectkey is DialogUser, if so it loads the object having this key and is doing some checks.

You just need to put your check in your customized (overwritten) version of the script.

Ok, now the original code is:

Public Overridable Function QER_PasswordWeb_IsAllowSet(ByVal UID_Person As String, ByVal ObjectKey As String, ByVal ColumnName As String) As Boolean

***Some code***

End Function

and my custom code is:

Public Overrides Function QER_PasswordWeb_IsAllowSet(ByVal UID_Person As String, ByVal ObjectKey As String, ByVal ColumnName As String) As Boolean

***Some code***

End Function

but it doesn't seem to work. 

To make a basic (brutal) test I have inserted this line of code at the end of the code (before the return) in order to return the desired value, in this way I believe it should go to affect all the passwords:

IsAllowSet = False

but, again, it doesn't work.

Is there any particular configuration to implement? What could be the problem?

Ok, now the original code is:

Public Overridable Function QER_PasswordWeb_IsAllowSet(ByVal UID_Person As String, ByVal ObjectKey As String, ByVal ColumnName As String) As Boolean

***Some code***

End Function

and my custom code is:

Public Overrides Function QER_PasswordWeb_IsAllowSet(ByVal UID_Person As String, ByVal ObjectKey As String, ByVal ColumnName As String) As Boolean

***Some code***

End Function

but it doesn't seem to work. 

To make a basic (brutal) test I have inserted this line of code at the end of the code (before the return) in order to return the desired value, in this way I believe it should go to affect all the passwords:

IsAllowSet = False

but, again, it doesn't work.

Is there any particular configuration to implement? What could be the problem?

Did you do a full compile after you have changed the script?

Did you do an iisreset to ensure that the password reset web was restarted?

Yes, I did a full compile after I've chenged the script.

What you mean with "Did you do an iisreset to ensure that the password reset web was restarted?"?

After I compile, I log in to the password reset web portal and I keep seeing all the accounts for which it is possible to change the password, those that I would like to exclude are not excluded.

Did you restart the password reset web application?

The password reset web application has been restarted. If I try the script with the "test script" feature in the designer, it seems to work fine, but if I log into the password reset portal I still don't see the changes made.

If that is the case try to clear the local assembly cache of the password reset web.

<PasswordReset>\App_Data\AssemblyCache

The cache has been cleared, but I still don't see the changes in the password reset portal.

Sorry, I am out of ideas. I suggest contacting support then.

I solved the problem I had, now the password reset portal is able to take the changes made.
But I have another error now. In the script I have inserted a condition on a custom field for which the account must be selected or not for the password change, when I login in the password reset portal I get the error message "Viewing permission denied for value "IsManagedChangePwd".".

I have already assigned "VI_View" and "VI_UNS_UserInterface_and_DisplayRights" permissions to that field, but it seems to be not enough.

Do you have any suggestions on what permissions are needed?