Symantec IGA

  • 1.  Prevent IDM users from modifying System Manager account

    Posted Jul 12, 2017 11:53 AM

    Hello

    I have a CA IDM 12.6.8 environment and we are working on implementing the password reset feature. Normally users will reset their own passwords, but there are some scenarios where helpdesk users have to reset the password for the end users.

     

    In our environment we have a System Manager account called "superadmin". We would like to prevent help desk users from resetting the password for this user.

     

    Is there a way to prevent this, or restrict the access to this account? If they cannot even search for it, it's even better.

     

    Regards.



  • 2.  Re: Prevent IDM users from modifying System Manager account

    Posted Jul 12, 2017 10:05 PM

    If you are using Microsoft Active Directory, just add the help desk user group with Deny Password Reset under permission of superadmin.
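
For the Active Directory route suggested in the reply above, an added example (not part of the original post and not CA/Symantec tooling) that places a Deny ACE for the Reset Password extended right on the superadmin object. The group name `HelpDesk` is a hypothetical placeholder and the RSAT ActiveDirectory module is assumed; the ACE only affects resets made under the help desk members' own directory credentials.

```powershell
# Added example. 'superadmin' is the account named in the thread;
# 'HelpDesk' is a hypothetical group name, replace it with your own.
Import-Module ActiveDirectory

$targetUser  = Get-ADUser  -Identity 'superadmin'
$deniedGroup = Get-ADGroup -Identity 'HelpDesk'

# rightsGuid of the "Reset Password" control access right
# (User-Force-Change-Password).
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$path = "AD:\$($targetUser.DistinguishedName)"
$acl  = Get-Acl -Path $path

# Look only at explicit ACEs, with trustees returned as SIDs so the
# comparison does not depend on name resolution.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.ObjectType        -eq $resetPassword -and
    $_.IdentityReference -eq $deniedGroup.SID
}

if ($existing) {
    Write-Output "Deny Reset Password ACE already present for $($deniedGroup.Name)."
}
else {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.IdentityReference]$deniedGroup.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $resetPassword)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Added Deny Reset Password ACE for $($deniedGroup.Name)."
}

# Verify: list every explicit Deny ACE now on the object.
(Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType
```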



  • 3.  Re: Prevent IDM users from modifying System Manager account
    Best Answer

    Posted Jul 13, 2017 08:13 AM

    You could create a PX Policy of type=UI that runs on Submission of the task you mentioned. The PX Policy could get the %USER_ID% as a Data Element and then for an action condition check to see if the value is for the user you want to prohibit. The action to take could be to display a message to the screen that says password changes for that user are not allowed. This will prevent the task from being submitted to change that user's password.



  • 4.  Re: Prevent IDM users from modifying System Manager account

    Broadcom Employee
    Posted Jul 18, 2017 03:12 AM

    You can explicitly remove the superadmin user from the scope of the help desk user.

    You can also set a password policy for just the superadmin user that will make changing the password difficult.