Global Security Forum

  • 1.  ibm security identity manager - v7.0.2

    Posted Wed November 25, 2020 11:34 AM

    How can we configure maximum password age in ISIM password policy?

    For minimum password age I referred to:

    https://www.ibm.com/support/knowledgecenter/SSRMWJ_6.0.0.22/com.ibm.isim.doc/admin/cpt/cpt_ic_admin_pwdrules_add_cust_min_pwd_age.html

    Do we have a similar article for maximum password age?



    ------------------------------
    Pradhan Rishi Sharma
    ------------------------------


  • 2.  RE: ibm security identity manager - v7.0.2

    Posted Thu November 26, 2020 03:58 AM
    Hello Pradhan,

    You've posted this question at the Global community level.  Not a problem - it is still monitored - but you would likely get much better engagement on an IAM question if you post to the IAM group forum.  You can find it here: https://ibm.biz/iamcommunity.

    To answer your question:

    The password policy you're looking at here is checked when a user changes their password.  It wouldn't make sense to check maximum password age here - you wouldn't want to stop someone changing their password because it is too old.  So, you won't find reference to maximum password age in this policy.

    Usually maximum password age is enforced at login time.  For Identity Manager itself, you can set the maximum password age as part of login setting:
    https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.1.13/com.ibm.isim.doc/installing/cpt/cpt_ic_ins_first_mod_gui_sec_login.html

    If users are accessing other systems (Active Directory, IBM Verify Access) you would need to set a maximum password age in those systems.  You would either do this directly at a global level - or you could add this parameter as an account attribute that is set during Identity Manager provisioning.

    I hope this helps.  If you have further questions I would recommend asking on the IAM group forum as mentioned above.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: ibm security identity manager - v7.0.2

    Posted Mon November 30, 2020 07:51 AM
    Hi Pradhan...

    Seems you posted the same question in 4 or 5 different forums.  Please see my response in the other 4.  As Jon stated below, ISIM Password rules/policies are meant to check passwords as they are being changed, not to remind/force users to change at some interval.  We have the ISIM password expiration configuration Jon pointed to, but that's only for ISIM Accounts...so could be handled at each endpoint (as Jon stated) OR you could configure Lifecycle Rules (LCRs) in ISIM to remind users to change passwords for all of the Accounts ISIM manages for a user.  In the LCR you would typically filter on the erPswdLastChanged attribute, then call a custom Operation that would send off reminders, escalations and/or suspend Accounts that haven't changed passwords in the desired timeframe.   

    The LCR filter would typically be something like this, if a password needs to be changed every 90 days:   (erpswdlastchanged >= ${system.date - 90})

    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------