Set Security Properties - Access Control

Use this page to configure password administration settings and login account settings.


Password Settings

Enable password editing
Select this check box to enable users to type a value when changing their own passwords. Additionally, help desk assistants, service owners, and administrators can type a value when changing their own passwords, and also the passwords for other individuals. We can also select a check box from the keyboard by pressing the Tab key to give focus to the check box and then pressing the space bar.

In some cases, the user cannot change the password, even when Enable password editing is selected. In these cases, the system automatically generates a new password. For example, some accounts are placed in a credential vault and configured such that their credentials must be checked in and checked out. For these accounts, users cannot change the password, regardless of the value of the password editing configuration setting on this page.

Hide generated passwords for others
Select this check box to hide generated passwords for others. This check box is unavailable if password editing is enabled.

Enable password synchronization
Select this check box to synchronize any subsequent password changes on all of the individual accounts for a user. If this check box is selected, one password change is synchronized on all individual accounts for the user. Password synchronization does not affect sponsored accounts. If this check box is cleared, the user must select each account and change its password individually.

Set password on user during user creation
Select this check box to set the password for a user at the time the user is created.

Password retrieval expiration period in hours
Enter the interval, in hours, within which a user must retrieve a password before the password expires.


Identity Manager Login Account Settings

Identity account password expiration period in days
Enter an interval, in days, after which the password expires for an ISIM account. The default value of 0 indicates that the account password never expires. If Identity Manager is configured to use an authentication repository other than ITIM Service, we cannot specify password expiration. In this case, the configuration setting for password expiration is read-only.

Maximum number of incorrect login attempts
Enter the number of incorrect login attempts that can occur before an ISIM account is suspended. The default value of 0 indicates that there is no limit. If Identity Manager is configured to use an authentication repository other than ITIM Service, we cannot specify the maximum number of incorrect login attempts. In this case, the configuration setting for the maximum number of incorrect login attempts is read-only.


Group Settings

Automatically populate Identity Manager groups
Select this check box to automatically put ISIM accounts of newly named service owners in the default Service Owner group. For example, membership in a group can take place when we create or modify a service, specifying a service owner. The automatic action is enabled or disabled immediately. We do not need to restart IBM Security Identity Manager.

Additionally, ISIM accounts of newly named managers are automatically put in the default Manager group. For example, this population can occur when we create or modify a user who is a subordinate, specifying the manager of the user.

Automatic group membership is not supported when the service owner is a role.


Default Settings for Provisioning Policy When a New Service is Created

Select the default setting for provisioning policies when new services are created. We might not want to create a default policy when a new service is created if the amount of time to evaluate the default policy for all users is significant.

Yes, create a policy for manually requesting accounts
Select this option to require users to manually request account entitlement.

Yes, create a policy to automatically create accounts, and later enable the policy
Select this option to allow for automatic provisioning of new accounts to users. We must subsequently enable the policy to provision new accounts.

Yes, create a policy to automatically create accounts as soon as the policy exists
Select this option to allow for automatic provisioning of new accounts to users. Provisioning of new accounts occurs as soon as the policy exists, and the Default Account Request Workflow is associated with the provisioning policy.

No, I will manually configure a policy later
Select this option to configure a provisioning policy at a later time.

We might manually configure a provisioning policy if we need to set up account defaults or identity policies for this service. Later, we can change the provisioning to automatic.
