000031233 - Default token policy change prompts every user to change their PIN in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 9, 2020.
Version 6

Article Content

Article Number: 000031233
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue: When the default token policy is changed, all users assigned to Security Domain(s) are immediately assigned the new token policy, forcing users in the Security Domain(s) to change their PIN the next time they authenticate.

If you edit a token policy and check the box to make this policy the default policy, it changes the token policy configured within the Security Domain(s) to this Default Policy.

Procedure to set a default token policy

  1. In the Security Console, navigate to Authentication > Policies > Token Policies > Manage Existing.
  2. From the context menu of the chosen token policy, click Edit.
  3. For Default Policy, select the checkbox next to Set as default SecurID token policy.
  4. Click Save.

  1. Let's say you have an Initial Token Policy that requires a minimum PIN length of four digits as your Default Token Policy.
  2. There is another token policy called Test Token Policy with a minimum PIN length of six digits.
  3. A Security Domain called TestDomain has the Initial Token Policy assigned to it.

  4. The TestDomain security domain has policies configured with SecurID Token Policy set to "Always Use Default".
  5. Later, the default policy is changed to Test Token Policy.
  6. Once you save the default token policy change, TestDomain effectively has Test Token Policy as its token policy, and all users in TestDomain will be challenged to set a new PIN if they have a four-digit PIN. This is functioning as designed.
  7. To avoid any unexpected results from the default policy change, use a custom policy instead of Always Use Default when you add a new Security Domain.

Procedure to assign a custom token policy to a Security Domain 

  1. In the Security Console, click Administration > Security Domains > Add New.
  2. In the Security Domain Name field, enter a unique name. 
  3. From the SecurID Token Policy drop-down list, assign a SecurID token policy to the security domain. 
  4. Click Save.

Notes: For more information, see "Security Domains and Policies" in the RSA Authentication Manager Administrator's Guide for your version.