000034761 - How to use the ${GeneratedPassword} value in an Active Directory Account Template in RSA Identity Governance and Lifecycle without using Password Management

Document created by RSA Customer Support Employee on Apr 14, 2017Last modified by RSA Customer Support Employee on Apr 14, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000034761
Applies ToRSA Product Set: RSA Identity Governance and Lifecycle
IssueYou are using Access Fulfillment Express (AFX) to create new Active Directory accounts and would like to use the ${GeneratedPassword}  parameter so that passwords are automatically generated for these accounts. However, you do not want to use the Password Management feature of RSA Identity Governance and Lifecycle.
In order to use the ${GeneratedPassword} value in an account template, a password policy needs to be defined in order for RSA Identity Governance and Lifecycle to generate a password consistent with the password policy settings of the data source in which the account is being created.  Password policies may only be defined in RSA Identity Governance and Lifecycle when the Password Management module is enabled. This article explains how you may use the ${GeneratedPassword}  parameter and work around the Password Management requirement.
This article assumes that you have familiarity with Account Templates and AFX, but are looking specifically for assistance on using the ${GeneratedPassword} parameter in the account template because you do not want to use Password Management.
Resolution Here are the steps to define a password policy for a data source and eliminate the use of the Password Management Module.
  1. Note that you are using the ${GeneratedPassword} value in the Account Template for AD accounts as in:
    User-added image

  2. Enable the Password Management Module:
    1. Navigate to the Admin > System > Settings tab.
    2. Click Edit.
    3. Toggle Password Management to On.User-added image
  3. Define a password policy for Active Directory (AD) consistent with your AD password policy.
    1. Navigate to the Requests > Password Management > Password Policies tab.
    2. Select New > Create a new Password Policy.  
    3. Click Next and define the settings as per your AD policy.
      • NOTE: Set Password Expiration values to 0 days.  This means the password never expires.
      • NOTE: There are two default policies: Secure Password Policy and Basic Password Policy. You could use these password policies as a basis for defining your own. 
User-added image

User-added image

  1. Associate the new password policy with your AD business source.  
    1. Navigate to Requests > Password Management.
    2. Select the Password Policies tab.  
    3. Click on the name of your new policy.
    4. Select Choose Business Sources:
User-added image

  1. Remove the Forgot My Password link on the login page. After enabling the Password Management module the login screen contains a Forgot My Password link. 
User-added image

  1. Create a test file called customerstrings.properties which contains one line: 

  1. Upload customerstrings.properties into RSA Identity Governance and Lifecycle:
    1. Navigate to the Admin > User interface > Files tab.
    2. Choose Customer Strings from the drop-down menu.
    3. Upload the customerstrings.properties file.
User-added image

  1. Logout and back in. Note the Forgot My Password link is no longer visible in the login screen:
User-added image

  1. Disable the Password Reset email template. When users click on the Forgot My Password link or if users request a password reset from the Request menu, an email will be sent to the user requesting they change their password. To prevent this email from being sent in case of the above scenarios,
    1. Go to Admin > Email > Templates > PasswordResetEvent.  
    2. Edit Associations and click Next.
    3. Change the setting for Use this email template for ALL events of this type to No
User-added image

  1. Remove the Password Management option from the Requests menu:
User-added image

  1. Add this line to the customerstrings.properties file you created earlier and upload it again:

  1. Note the option is now gone from the Request menu:
User-added image

  1. Remove the option to reset a user's password from the Requests menu:
User-added image

  1. Go to Requests > Configuration > Request Buttons and delete the Reset My Password and Reset Password buttons:
User-added image

  1. Note these are now removed from the Requests drop-down menu:
User-added image