Symantec Access Management

  • 1.  How to set password-max-suspension to some infinite time

    Posted Feb 05, 2018 07:37 AM

    We have to set password-max-suspension to some infinite time for example 15 years ,  as for us suspended  account should not be activated automatically based on time .  

     

    I tried 

    set password-max-suspension = 3.154e+7 ,  

    where  3.154e+7 seconds = 1 year 

    but it didn't work 



  • 2.  Re: How to set password-max-suspension to some infinite time

    Broadcom Employee
    Posted Feb 05, 2018 09:14 AM

    Have you tried simply defining the value in # of days? i.e. 365?

     

    According to product documentation (link below), there is no complex formula for this to be calculated (i.e. 3.154e+7).

     

    set password-max-suspension Command - CA Directory - 12.6 - CA Technologies Documentation 

     

    e.g. set password-max-suspension = 365;



  • 3.  Re: How to set password-max-suspension to some infinite time

    Posted Feb 05, 2018 10:14 AM

    As mentioned in document 

    set password-max-suspension = number-seconds | 0 ; 
    • number-seconds
      Specifies the time (in seconds) for which a suspended password remains suspended. After the time has passed, the account in active.

    value will be taken as second , which we donot require , as we donot was account to be unsuspended automatically.

    Please help me with what we can set if we want max suspension in some years.



  • 4.  Re: How to set password-max-suspension to some infinite time

    Broadcom Employee
    Posted Feb 05, 2018 10:29 AM

    You are correct. I read it wrong as I had something else going on in my mind. It is in seconds, indeed, and not in days. While some other community member responds to this, let me see what I can do in due time.



  • 5.  Re: How to set password-max-suspension to some infinite time

    Posted Feb 07, 2018 12:13 AM

    Time-based password suspension can be disabled using: 

    set password-max-suspension = 0;



  • 6.  Re: How to set password-max-suspension to some infinite time
    Best Answer

    Broadcom Employee
    Posted Feb 07, 2018 09:24 AM

    Along with what Justin mentioned above, I believe if the requirement is to keep user account(s) suspended for more than a year (in this case e.g. 15 years as noted above), other option would be to 'lock' the account with setting the rule of 'set 

    password-allow-locking = true;' along with manually setting 'dxPwdLocked' operational attribute to 'true'.

    see "Administrative lock (Active -> Locked)" section in KB article TEC404484 for a quick reference. For more on this, you can also visit the online docops documentation.