Default token policy change prompts every user to change their PIN in RSA Authentication Manager 8.x
Originally Published: 2015-09-14
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
If you edit a token policy and check the box to make this policy the default policy, it changes the token policy configured within the Security Domain(s) to this Default Policy.
Procedure to set a default token policy
- In the Security Console, navigate to Authentication > Policies > Token Policies > Manage Existing.
- From the context menu of the chosen token policy, click Edit.
- For Default Policy, select checkbox next to Set as default SecurID token policy, as shown below:
- Click Save.
Resolution
- Let's say you have an Initial Token Policy that requires a minimum PIN length of four digits as your Default Token Policy
- There is another token policy called Test Token Policy with a minimum PIN length of six digits.
- A Security Domain called TestDomain has the Initial Token Policy assigned to it.
- The TestDomain security domain has policies configured with SecurID Token Policy "Always Use Default"
- Later the default policy is changed to Test Token Policy.
- Once you save the default token policy change, TestDomain will have a token policy of Test Token Policy, effectively and all users in TestDomain will be challenged to set a new PIN if they have four-digit PIN. This is functioning as designed.
- To avoid any unexpected results from the default policy change, use a custom policy instead of Always Use Default when you add a new Security Domain.
Procedure to assign a custom token policy to a Security Domain
- In the Security Console, click Administration > Security Domains > Add New.
- In the Security Domain Name field, enter a unique name.
- From the SecurID Token Policy drop-down list, assign a SecurID token policy to the security domain.
- Click Save.
Notes
