
MartinOlesen1 (Customer) asked a question.
We are looking into Password Management in RSA IG&L
My question is, is it possible to reset the password for a different AD user, which is not my own account, through RSA? And if so, can I control who is able to reset passwords for other users?
I assume the reset password you are referring to is done via a form.
If that's the case, the access to such form can be limited. For example, managers can reset password only for their direct employees.
Or helpdesk team member can reset password for all employees.
As far as I can see, I cannot edit it? I can make a new form, but when I choose External password reset, I cannot choose who can access this form?
Am I missing something?
I haven't used the External Password Reset config in the past.
Why do you need this configuration checked?
I would like to reset passwords on AD accounts which are not collected by the Account collector, but only exist in Active Directory.
Not sure if the password reset form is the right approach for this use case.
It seems that a password reset form must have one and only one required account selection field.
How do you envision this form?
Users will need to type the name of the account they want to reset the password for?
You will need to add some validation to make sure users who are using this form are resetting passwords for a specific subset of accounts only.
Consider collecting these accounts to a different application and then use Drop Down Select with Web Service type control (leveraging findAccounts API) to limit which accounts' password can be reset within that form.
Try using a global type form.
In my experience you always need to collect the accounts you want to reset a password for.
Which in practice means that you do not collect the passwords; the form will just do a password reset when needed.
It is also possible to reset one of two accounts in AD (say you have a tier1 account and a normal account), but for that use case I usually divide the directories: one directory for each type of account... gives more flexibility... at the cost that YOU must not miss any accounts in your filters for each account type. And personally I created my own password reset form, just to be able to filter out some accounts that the users should NOT be able to reset passwords for (for example the accounts that have "smart card required").
But I agree with Boris: what is your use case? For example, you need a completely different handling for, say, "shared accounts"...
Hi Guys,
Thank you for taking the time to answer my questions.
The use case here is that we want our IT support department to be able to reset passwords for AD accounts that are in a special OU. These accounts are collected through the Account collector in RSA, but are not mapped to an Identity, so they only exist in the Account collector.
As I understand it, it is only possible to reset passwords for AD accounts that are mapped to an identity, is this correct? Using the form I can only search for an Identity and not for AD accounts.
@MartinOlesen1 (Customer)
There is a new functionality in the community where you need to explicitly click on Expand Post to see the full reply.
In case you missed it, have a look at my previous reply where I described how you can reset a password for an account which isn't mapped to an identity.
Hey Boris
I tried your suggestion, but the problem is that I have linked the form to the request button (Reset Password), and then when I want to test it, I choose "Reset password" under request, and it is mandatory to choose a User before I get to the FORM I created. How do I get around this, so it's not asking for a user first?
Here is how I've configured the access to the form: