How to use the ${GeneratedPassword} value in an Active Directory Account Template in RSA Identity Governance and Lifecycle without using Password Management
Originally Published: 2017-01-31
Issue
In order to use the ${GeneratedPassword} value in an account template, a password policy needs to be defined in order for RSA Identity Governance and Lifecycle to generate a password consistent with the password policy settings of the data source in which the account is being created. Password policies may only be defined in RSA Identity Governance and Lifecycle when the Password Management module is enabled. This article explains how you may use the ${GeneratedPassword} parameter and work around the Password Management requirement.
This article assumes that you have familiarity with Account Templates and AFX, but are looking specifically for assistance on using the ${GeneratedPassword} parameter in the account template because you do not want to use Password Management.
Resolution
- Note that you are using the ${GeneratedPassword} value in the Account Template for AD accounts.
- Enable the Password Management Module:
  - Navigate to the Admin > System > Settings tab.
  - Click Edit.
  - Toggle Password Management to On.
- Define a password policy for Active Directory (AD) consistent with your AD password policy.
  - Navigate to the Requests > Password Management > Password Policies tab.
  - Select New > Create a new Password Policy.
  - Click Next and define the settings as per your AD policy.
  - NOTE: Set Password Expiration values to 0 days. This means the password never expires.
  - NOTE: There are two default policies: Secure Password Policy and Basic Password Policy. You could use these password policies as a basis for defining your own.
- Associate the new password policy with your AD business source.
  - Navigate to Requests > Password Management.
  - Select the Password Policies tab.
  - Click on the name of your new policy.
  - Select Choose Business Sources.
- Remove the Forgot My Password link on the login page. After enabling the Password Management module, the login screen contains a Forgot My Password link.
  - Create a test file called customerstrings.properties which contains one line:
    FORGOT_MY_PASSWORD=
  - Upload customerstrings.properties into RSA Identity Governance and Lifecycle:
    - Navigate to the Admin > User interface > Files tab.
    - Choose Customer Strings from the drop-down menu.
    - Upload the customerstrings.properties file.
  - Log out and back in. Note the Forgot My Password link is no longer visible in the login screen.
- Disable the Password Reset email template. When users click on the Forgot My Password link or request a password reset from the Requests menu, an email is sent to the user requesting they change their password. To prevent this email from being sent in these scenarios:
  - Go to Admin > Email > Templates > PasswordResetEvent.
  - Edit Associations and click Next.
  - Change the setting for Use this email template for ALL events of this type to No.
- Remove the Password Management option from the Requests menu:
  - Add this line to the customerstrings.properties file you created earlier and upload it again:
    PASSWORD_MANAGEMENT=
  - Note the option is now gone from the Requests menu.
- Remove the option to reset a user's password from the Requests menu:
  - Go to Requests > Configuration > Request Buttons and delete the Reset My Password and Reset Password buttons.
  - Note these are now removed from the Requests drop-down menu.
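For the step that defines a password policy consistent with your AD policy, the following added example (not RSA code and not part of the original article) shows why the match matters: a generation policy that guarantees fewer than three character classes produces passwords that AD complexity checking rejects. The policy dictionary fields, the sample policies, the account name and the minimum lengths are constructed assumptions, and `ad_accepts` is a simplified model of the AD complexity rule.

```python
import secrets

# Constructed character classes; the special set is a subset of what AD allows.
CLASSES = {
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "digit": "0123456789",
    "special": "!@#$%^&*()-_=+[]{}",
}

# Hypothetical policy definitions (field names are illustrative, not product settings).
WEAK = {"length": 8, "required": ["lower", "digit"]}
STRONG = {"length": 16, "required": ["upper", "lower", "digit", "special"]}

def generate(policy):
    """One CSPRNG character per required class, remainder from all required classes."""
    alphabet = "".join(CLASSES[c] for c in policy["required"])
    chars = [secrets.choice(CLASSES[c]) for c in policy["required"]]
    chars += [secrets.choice(alphabet) for _ in range(policy["length"] - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # avoid a predictable class order
    return "".join(chars)

def ad_accepts(password, sam_account_name, min_length):
    """Simplified AD complexity model: length, 3 of 4 classes, no account name."""
    if len(password) < min_length:
        return False
    classes = [
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
        any(ch.isdigit() for ch in password),
        any(not ch.isalnum() for ch in password),
    ]
    name = sam_account_name.lower()
    name_in_password = len(name) >= 3 and name in password.lower()
    return sum(classes) >= 3 and not name_in_password

def policy_always_passes(policy, ad_min_length):
    """Static check: length and guaranteed classes satisfy the AD model."""
    return policy["length"] >= ad_min_length and len(set(policy["required"])) >= 3

def generate_for_account(policy, sam_account_name, ad_min_length):
    """Generate until the AD model accepts; refuse policies that can never pass."""
    if not policy_always_passes(policy, ad_min_length):
        raise ValueError("policy is weaker than the AD model; fix the policy first")
    while True:
        candidate = generate(policy)
        if ad_accepts(candidate, sam_account_name, ad_min_length):
            return candidate
```

Running the static check against the values of your real AD policy before associating the policy with the business source catches a mismatch before account creation requests start failing.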