|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.x
O/S Version: Suse Linux Entprise Server 11 SP3
|Issue||When default token policy is changed, all users assigned to Security Domain(s) are immediately assigned the new Token Policy, causing users in the Security Domain(s) to change their PINs the next time they authenticate.|
If you edit a Token policy and check the box to make this policy the Default Policy, it changes the token policy configured within the Security Domain(s) to this "Default Policy".
Procedure to set Default Policy
1. In the Security Console, click Authentication > Policies > Token Policies > Manage Existing.
2. From the context menu of the chosen token policy, click Edit.
3. For Default Policy, select checkbox next to Set as default SecurID token policy as below
4. Click Save.
|Resolution||Let's say you have a required PIN minimum length of 4 digits in your Default Token Policy called "Initial Token Policy" and of 6 digits in another token policy called "Test Token Policy".|
Now a Security Domain TestDomain has a token policy "Initial Token Policy".
TestDomain has Policies configured with SecurID Token Policy "Always Use Default"
Later you change the default policy to "Test Token Policy".
Once you saved the default token policy change, TestDomain will have a token policy "Test Token Policy" effectively and all users in TestDomain will be challenged to set a new PIN if they have 4-digit PIN.
This is functioning as designed.
To avoid any unexpected results from the default policy change, use a custom policy instead of "Always Use Default" when you add a new Security Domain.
Procedure to assign a custom token policy to a Security Domain
1. In the Security Console, click Administration > Security Domains > Add New.
2. In the Security Domain Name field, enter a unique name.
3. From the SecurID Token Policy drop-down list, assign a SecurID token policy to the security domain.
4. Click Save.
See "Security Domains and Policies" in AM8.1 Administrator's guide for further details.