Symantec Access Management

  • 1.  Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

    Posted Feb 23, 2016 09:30 AM

    Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

     

    Thanks,

    soumya



  • 2.  Re: Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

    Posted Feb 23, 2016 10:46 AM

    I believe the strongest of the two password policies applies if the same user subset is present in more than one password policy.

     

     

    Regards

     

    Hubert



  • 3.  Re: Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

    Posted Feb 24, 2016 02:55 AM

    Thanks Hubert. I would like to understand "strongest of the two password policy applies" ...

     

    Let's suppose I have two password policies (ODBC) with the settings below:

     

    1. Max invalid login 3 times & Re-enable after 30 mins

    2. Max invalid login 3 times & Re-enable after 20 mins

     

    In this scenario which one will be triggered?

     

    Regards,

    Sarwan



  • 4.  Re: Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

    Posted Feb 24, 2016 10:16 AM

    Sarwan

     

    Ideally, from a security standpoint, we would like to have the strongest applied based off the journey. In the example that was showcased, it'd be [2], if the journey being performed is a user entering the wrong password three times.

     

    From a product standpoint, we'd like the product to function as per the strongest being enforced. I'd test this, as the configuration is not complex. Also, the smtracedefault.log spews out the password policy actions, which would help us validate our thought.

     

     

     

    Having said the above, here is another purview (just my 1 cent)....

     

    From an organizational security perspective, what is the password policy we would like to be enforced? Having two password policies for the same subset of users seems like a detrimental design / implementation. It really doesn't make sense, e.g. single identity store, single user, two or more password policies applied - why? It would be an absolute nightmare to manage password resets and user experience behaviour if this were to continue.

     

    I'd ideally look at designing a password policy which is nuclear to a set of users. A good design of password policy should never be in this situation where the same subset of users is actionable across different password policies.

     

     

    Regards

     

    Hubert



  • 5.  Re: Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?
    Best Answer

    Posted Feb 26, 2016 04:25 PM

    All the password policies that apply are triggered.

    So, in your use case, both policies are triggered.

     

    The order in which password policies are processed depends upon the password policy priorities.

    You can also set an option to skip processing lower priority password policies.

     

    Cheers,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog



  • 6.  Re: Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

    Posted Aug 30, 2016 04:04 AM

    Hi Ujwol,

     

    What is the order if both the password policies have the same priority? Could you please let us know how I can skip processing lower priority policies other than disabling them? I am using 12.52 SP2 WAMUI.

     

    Thanks.



  • 7.  Re: Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?

    Posted Aug 30, 2016 06:47 PM

    Hi Uma,

     

    For better thread management, I have opened a new thread for your question: Password Policy order of execution