Configuration of minimum password age rule
An administrator can configure a minimum password age rule to limit how frequently users can change the password on their account. This rule is provided in the password policy. By default, the rule is disabled.
The following points describe the limitations, scenarios, and configuration information about the minimum password age rule.
- The rule accepts only integer values. A user with permissions to define or edit a password policy specifies the minimum period, in hours, between password changes. After a password change, the owner cannot change the password on that account again until the specified period has elapsed.
- IBM Security Identity Manager interprets the specified integer value for the rule in hours. Security Identity Manager does not evaluate the rule when the value is negative, 0, or not set. In those cases, users can change the password on their accounts again immediately.
- Security Identity Manager can evaluate the rule only in these conditions:
  - When users try to change the password on any of the accounts owned by them.
  - When the previous password change on those accounts was successfully run by the same users (the owners of the accounts).
  In other words, Security Identity Manager does not evaluate the rule if users other than the owners of the accounts, for example help desk or system administrators, made the previous password change.
- Security Identity Manager does not evaluate the rule when users change the password on accounts that they do not own. For example, the rule is not evaluated when help desk or system administrators change the password on other users' accounts. Security Identity Manager also does not evaluate the rule when the password change is initiated by the system, for example by a lifecycle rule or an automatic provisioning request workflow.
- Security Identity Manager maintains this information in IBM Security Directory Server:
  - The user who ran the last password change on each account object.
  - The time when that password change was run on each account object.
  If, for any reason, this information is corrupted or these attributes are removed from the account object, Security Identity Manager cannot evaluate the rule correctly.
- Security Identity Manager stores the password change information only when the password change is initiated by using one of these resources:
  - IBM Security Identity Manager console
  - IBM Security Identity Manager Self Service or the Identity Service Center user interface
  - IBM Security Identity Manager APIs
  Therefore, any password change done directly on the resource or by using some other tool is not recorded and is not used to evaluate the rule.
- Add a customized minimum password age rule
  An administrator can add a customized minimum password age rule to limit how frequently users can change the password on their account. For example, you might want to specify the minimum time, in hours, that must pass after a password change on your account before you can change it again.
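As an added illustration (not IBM's code and not based on any Security Identity Manager API), the following Python models the evaluation logic described above: the rule is skipped when it is disabled, when the requester is not the account owner or is the system, when the previous change was not run by the owner, or when the tracking attributes are missing; only then is the elapsed time compared with the configured hours. The class names, the `SYSTEM` sentinel and the fixed clock are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the two facts the page says are kept on the account
# object in the directory: who ran the last password change and when. None
# models an attribute that is missing, for example because the change was
# made directly on the resource or the attribute was wiped.
@dataclass
class LastPasswordChange:
    changed_by: Optional[str]
    changed_at: Optional[datetime]

@dataclass
class Account:
    owner: str
    last_change: Optional[LastPasswordChange]

SYSTEM = None  # requester value used here for lifecycle/provisioning-initiated changes
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock

def rule_is_enabled(min_age_hours) -> bool:
    """The rule takes an integer number of hours; negative, 0 or no value disables it."""
    return type(min_age_hours) is int and min_age_hours > 0

def rule_is_evaluated(account: Account, requester: Optional[str]) -> bool:
    """Evaluated only when the owner changes their own password AND the previous
    change on that account was run by the owner and was fully recorded."""
    if requester is SYSTEM or requester != account.owner:
        return False  # help desk, administrator or system changing the password
    lc = account.last_change
    if lc is None or lc.changed_by is None or lc.changed_at is None:
        return False  # tracking attributes missing or corrupted: cannot evaluate
    return lc.changed_by == account.owner

def change_allowed(account: Account, requester: Optional[str],
                   min_age_hours, now: datetime = NOW) -> bool:
    """True if the change may proceed under the minimum password age rule."""
    if not rule_is_enabled(min_age_hours) or not rule_is_evaluated(account, requester):
        return True  # disabled or not applicable: the change goes ahead
    return now - account.last_change.changed_at >= timedelta(hours=min_age_hours)

def account_changed_hours_ago(owner: str, changed_by: Optional[str], hours_ago: float) -> Account:
    """Constructed fixture: an account whose last change happened hours_ago before NOW."""
    return Account(owner, LastPasswordChange(changed_by, NOW - timedelta(hours=hours_ago)))

if __name__ == "__main__":
    alice = account_changed_hours_ago("alice", "alice", 5)
    print(change_allowed(alice, "alice", 24))     # False: only 5 h since her own change
    print(change_allowed(alice, "helpdesk", 24))  # True: rule not evaluated for non-owners
```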