4.2 Enabling Universal Password in the Identity Vault

Identity Manager requires Universal Password for both password synchronization and password self-service. Universal Password synchronizes the various passwords (Universal, NDS®, Simple and Distribution) stored in the Identity Vault and provides password policies that define the rules for creating and replicating passwords in the Identity Vault.

To enable Universal Password in the Identity Vault, you must create a Universal Password policy in iManager, then assign it to a container to apply the password policy to the users.

Complete the following tasks to enable Universal Password in the Identity Vault:

4.2.1 Creating the Password Policy

  1. In iManager, click Roles and Tasks > Passwords > Password Policies.

  2. Click New to create the new policy.

  3. Specify the following information to create the policy:

    Container to create the policy in: Accept the default location where the password policy is created in the Password Policies container in the Security container.

    Policy Name: Specify a name for the password policy.

    Description: Specify a description of the policy.

    Password Change Message: Specify a message that the users see when changing their password through the password self-service option in the Roles Based Provisioning Module.

  4. Select Create a new Password Policy based on the default settings.

  5. Click Next.

  6. Click Finish on the summary page.

  7. Click Close.

4.2.2 Configuring the Password Policy for Universal Password

After the password policy is created, you must configure the password policy for your environment.

  1. In iManager, click Roles and Tasks > Passwords > Password Policies.

  2. Click the name of the password policy you created in Section 4.2.1, Creating the Password Policy.

  3. Click Universal Password > Configuration Options.

  4. Use the following information to configure Universal Password:

    Configuration Options: Select both Enable Universal Password and Enable the Advanced Password Rules.

    Universal Password Synchronization: These options determine how Universal Password is synchronized within the Identity Vault and with other connected systems. The following options are the best to use when synchronizing passwords with SAP systems:

    • Remove the NDS password when setting Universal Password

    • Synchronize NDS password when setting Universal Password

    • Synchronize Simple Password when setting Universal Password

    • Synchronize Distribution Password when setting Universal Password

    Universal Password Retrieval: Select whether you want other agents to retrieve passwords:

    • Allow user to retrieve password: This option determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If you don't select this option, the corresponding feature is dimmed on the Forgotten Password tab in the password policy.

    • Allow admin to retrieve password: Select this box only if you have a particular service that needs it. Identity Manager does not have a need for administrators to retrieve passwords. However, some third-party services (for example, the Samba server and FreeRADIUS server that ship with Novell® Open Enterprise Server) might take advantage of this option.

    • Allow the following to retrieve passwords: If you have another service or agent that requires the ability to retrieve passwords, you can define those services or agents here.

    Authentication: You can verify whether existing passwords comply with the password policy by selecting this option. It is useful if you are deploying a new password policy or changing the Advanced Password Rules for an existing policy, and you want to verify that existing passwords comply with the new or changed rules.

  5. Click Apply to save the changes.

  6. Click the Advanced Password Rules option under the Universal Password tab.

  7. Define the password rules for your environment. This is how you control the types of passwords that users can set.

  8. Click OK to save the changes.

4.2.3 Assigning the Password Policy

After the password policy is configured, you must assign the policy for it to take effect. You can assign the password policy to a user, a container, or a container that is the root of a partition in the Identity Vault.

If you assign the policy to a container that is the root of a partition, the policy assignment is inherited by all users in that partition, including subcontainers. iManager displays whether a container is the root of a partition or not when you browse to it.

If you assign the policy to a container that is not the root of a partition, the policy assignment is inherited only by users in that specific container. It is not inherited by users that are in subcontainers. If you want the policy to apply to all users below a container that is not the root of a partition, you must assign the policy to each subcontainer individually.
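The following script is an added example, not part of the Identity Manager documentation: it models the assignment and inheritance rules just described so that an administrator can audit which users end up with which policy (or with none) before relying on Universal Password synchronization. It assumes that the most specific assignment wins (user, then the user's own container, then the nearest partition root above it), that nothing above the nearest partition root is consulted, and that DNs contain no escaped commas; the tree, policy names and partition roots are constructed sample data.

```python
# Added example (not from the Identity Manager documentation): models the
# policy assignment/inheritance rules of Section 4.2.3 for an audit.
# Assumptions: most specific assignment wins (user, then own container, then
# nearest partition root); nothing beyond the nearest partition root is
# consulted; DNs contain no escaped commas.

def parent_dn(dn):
    """Container one level above dn ('' once the tree root is passed)."""
    parts = dn.split(",", 1)          # assumes no escaped commas in RDN values
    return parts[1] if len(parts) == 2 else ""

def effective_policy(user_dn, assignments, partition_roots):
    """Return the policy name that applies to user_dn, or None.

    assignments: {DN: policy} for users/containers assigned in iManager.
    partition_roots: set of container DNs that are roots of partitions.
    """
    if user_dn in assignments:              # assigned to the user object itself
        return assignments[user_dn]
    container = parent_dn(user_dn)
    if container in assignments:            # assigned to the user's own container
        return assignments[container]       # (a non-root container reaches only these)
    node = container
    while node:                             # climb to the nearest partition root:
        if node in partition_roots:         # its assignment covers the whole partition,
            return assignments.get(node)    # subcontainers included; intermediate
        node = parent_dn(node)              # non-root containers are skipped
    return None

# Constructed sample tree (not a real deployment).
PARTITION_ROOTS = {"o=acme", "ou=hr,o=acme", "ou=labs,o=acme"}
ASSIGNMENTS = {
    "o=acme": "Default Policy",                    # partition root
    "ou=hr,o=acme": "SAP Sync Policy",             # partition root
    "ou=contractors,o=acme": "Contractor Policy",  # ordinary container
    "cn=svc-sap,ou=it,o=acme": "Service Policy",   # single user
}
USERS = [
    "cn=alice,ou=hr,o=acme",                  # SAP Sync Policy (own container)
    "cn=bob,ou=payroll,ou=hr,o=acme",         # SAP Sync Policy (nearest root ou=hr)
    "cn=carol,ou=contractors,o=acme",         # Contractor Policy (own container)
    "cn=dave,ou=temp,ou=contractors,o=acme",  # Default Policy: ou=contractors is no root
    "cn=svc-sap,ou=it,o=acme",                # Service Policy (user assignment)
    "cn=frank,ou=labs,o=acme",                # None: ou=labs partition has no assignment
]

if __name__ == "__main__":
    for user in USERS:
        policy = effective_policy(user, ASSIGNMENTS, PARTITION_ROOTS)
        print(f"{user:42} -> {policy or 'NO POLICY'}")
```

Users that resolve to NO POLICY are the ones for which you still need to assign the policy to their container or partition root.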

To assign the policy:

  1. In iManager, click Roles and Tasks > Passwords > Password Policies.

  2. Click the name of the password policy you created in Section 4.2.1, Creating the Password Policy.

  3. Click the Policy Assignment tab.

  4. Browse to and select the containers where you want the password policy applied.

  5. Click OK.