I've been using aveksa admin to call RSA Via's web service for password reset.
Anyone knows if i can assign someone with web service permissions to be able to make this request? I've tried assigning system administrator to a user, however, when the user initiate a change request , it has to been approved. Unlike aveksa admin, the change request gets accepted without any approval. and my password will be resetted.
Hi Macro,
Above is the api submitted, but it still goes waiting for approval stage..
Also.. Could i know what are the right entitlement that i should assigne to my API user? so that this user can only perform API call like create change request.. Right now im using system admin..
Hi Macro,
I found out that by changing the workflow to default AFX fulfillment, both AveksaAdmin and Apiuser are able to create a change request without an approval. it goes to straight to fulfilment phase.
However there's problem..
I found out that even if user has no entitlements, they are still able to invoke a api call. Creating a change request.
Below is the api content.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Changes>
<Description>enter your description in here, maybe a API service des or anything.</Description>
<Notes>enter notesss here. it wil all appear in the change request.</Notes>
<AccountChange>
<Operation>ResetPassword</Operation>
<User>apiuser1</User>
<Account>apiuser1</Account>
<BusinessSource>BW directory</BusinessSource>
<Password>password1e1</Password>
</AccountChange>
</Changes>
Hi Bowen,
i try to summarize:
1) What you had when no fulfillment workflow were associated was not an approval step but it was a 'Manual Activities' assigned to "AveksaAdmin", when you change the association then "Default Fulfillment Workflow" is instanciated where there are no manuel activities;
2) Like i said, there should not be any "special" entitlement to perform a reset password.
3) If you use a web service, the first security layer are the Allowed IP (under admin->web services), the second could be a token to authenticate the user if the API called is peculiar. The possibility to submit or not a change request is not a question of 'Aveksa Security Entitlement' on the change request, but it's a question of what type of change request you wanto to submit. A reset own password is permitted, but if you try to submit another type of request, API will respond negative, depending on the content.
Generally, if you share the scenario and what you want to achieve, i'll be happy to help you.
Marco Sannino
Moviri SpA,
Milan, Italy.
Hi Macro,
I would like to create a user that is able to reset everyone's password within the directory.
Please advise
It's not a default feature, but you can achieve it in different ways depending on the scenario, there is one:
you can create a Request Form with a "Command Provisioning non visual", you can assign the availability of this form to the user able to reset the password, then you can set this form to choose who is the user to reset the password to and all will be ok.
Good: nothing is custom, you can choose to use "default AFX fulfillment" or other custom.
Bad: the password must be generated by the form or by the workflow and you can't use the standard "Password Management"
Hope it helps.
Hi i think you did not understand my question..
Or i think i did not phrase it properly.
I have a AD connector which has password reset capability. This AD is tie to a user directory.
Previously i was using AveksaAdmin user to initiate a web service call to the server. Now i do not want to use aveksaadmin, I found out that using any user can initiate this web service change request. My question is, is this the right way? is that any way to limit only one user to trigger the web service change request call.?
For sure, you can double check into the workflow if the requestor match a static user(in order to prevent this behaviour). Maybe the fact that any user can initiate that request depends on how (from where) you submit the request. Please try to call the webservice with this user through POSTMAN(so that the request is client-side).
ps it seems the token must be valid and unexpired(so any user can submit a reset), but maybe you can achieve desiderata with that workflow control.
Hope it helps
When a CR is submitted a Request Workflow is instantiated so you can modify original CR workflow in order to have no approvals. What CR workflow is istantiated depends on Requests -> Workflows -> Overview. Depending on VIA version you have or not a field called "Requests created through Web Services..." that's the workflow instantiated when a CR is submitted via Web Services, if you pass a parameter into the body post:
then you can modify the "Delegated approvals with defaults" default workflow in order to know if this is another request or a "RESETVIAWS" request. If it's a "RESETVIAWS" then you can jump directly to fulfillment.
Hope it helps, if you need further informations don't hesitate to ask.
ps
Maybe AveksaAdmin works not because of some entitlements but only because there are no AveksaAdmin Supervisor.
Marco Sannino,
Moviri SpA,
Milan, Italy