Oracle® Fusion Middleware System Administrator's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14308-05
The Administration folder of Oracle Identity Manager Design Console enables you to administer Oracle Identity Manager.
See Also:
Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about Oracle Identity Manager Design Console and all the forms available in it

You can perform the following tasks by using the Administration folder of Oracle Identity Manager Design Console:
You can use the Password Policies form in Oracle Identity Manager Design Console to create password policies, and thereby:
Set password restrictions, for example, define the minimum and maximum length of passwords
See rules and resource objects that are associated with a password policy
See Also:
"Password Policies Form" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the Password Policies form and the tabs in this form

To create a password policy:
Open the Password Policies form. Figure 14-1 shows the Password Policies form.
In the Policy Name field, enter the name of the password policy.
In the Policy Description field, enter a short description of the password policy.
Click Save.
Note:
A password policy is not applied during the creation of an Oracle Identity Manager user through trusted reconciliation.
After you create a password policy, it must be supplied with criteria and associated with a resource. To supply your password policy with criteria, use the Policy Rules tab of this form. To associate your password policy with a resource, use the Password Policies Rule tab of the Resource Object form to create a password policy and rule combination that will be evaluated when accounts are created or updated on the resource. The password policy will be applied when the criteria for the rule are met. Each password policy can be used by multiple resources.
The tabs in this form become functional after you create a password policy. These tabs are used to set the criteria for the password policy and to view the rules and resource objects that are associated with the current password policy. The following sections discuss these tabs:
Policy Rules Tab
You use the Policy Rules tab to specify criteria for your password policy, for example, the minimum and maximum length of passwords.
You can use either or both of the following methods to set password restrictions:
Enter information in the appropriate fields, or select the required check boxes. For example, to indicate that a password must have a minimum length of four characters, enter 4 in the Minimum Length field.
In the Password File field, enter the directory path and name of the password policy file (for example, c:\xellerate\userlimits.txt). This file contains predefined words that you do not want to be used as passwords, separated by the delimiter specified in the Password File Delimiter field. The check is case-insensitive and matches substrings: if the file contains the word welcome, then welcome, Welcome, and welcome123 are all invalid passwords.
Figure 14-1 shows the Policy Rules tab of the Password Policies form.
Table 14-1 describes the data fields on the Policy Rules tab. You specify the password policy criteria in these fields.
Note:
If a data field of the policy is empty, a password conforming to this policy does not have to meet the criteria of that field for the password to be valid. For example, when the Minimum Numeric Characters data field is blank, Oracle Identity Manager accepts a password regardless of how many digits it contains.

Table 14-1 Fields of the Policy Rules Tab of the Password Policies Form
Field Name | Description
---|---
Minimum Length | The minimum number of characters that a password must contain for the password to be valid. For example, if you enter 4 in the Minimum Length field, the password must contain at least four characters. This field accepts values from 0 to 999.
Expires After Days | The number of days for which a password can be used. For example, if you enter 30 in the Expires After Days field, users must change their password by the thirtieth day after it was created or last modified. Note: After the number of days specified in the Expires After Days field passes, a message is displayed asking the user to change the password. This field accepts values from 0 to 999.
Disallow Last Passwords | The number of previous passwords that a user cannot reuse. This setting ensures that users do not change back and forth among a small set of passwords. For example, if you enter 10 in the Disallow Last Passwords field, a user can reuse a password only after 10 other unique passwords have been used. This field accepts values from 0 to 24.
Warn After (Days) | The number of days that must pass before a user is notified that the password will expire on a designated date. For example, suppose you enter 30 in the Expires After Days field and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user is informed that the password will expire on December 1. This field accepts values from 0 to 999.
On the Policy Rules tab of the Password Policies form, you can configure either a complex password policy or a custom password policy. If you select the Complex Password option, the Custom Policy fields cannot be used, and passwords are evaluated against the complex password criteria listed below. Minimum Length from Table 14-1 still applies, but it is raised to six characters if it is set lower.
The remaining fields in the Policy Rules tab are discussed in the following sections:
Complex Password
The following are the complex password criteria:
The password is at least six characters long. This password length overrides the Minimum Length field if the value entered in the Minimum Length field is less than 6. For example, if you enter 2 in the Minimum Length field, at least six characters will be required for the password because it must have at least six characters according to the complex password criteria.
The password must contain characters from at least three of the following five categories:
English uppercase characters (A - Z)
English lowercase characters (a - z)
Base 10 digits (0 - 9)
Non-alphanumeric characters (for example: !, $, #, or %)
Unicode characters
The password must not contain the user's first name, last name, or user ID, or any part of them that is at least three characters long.
The names are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the names are split and each part of three or more characters is verified not to be included in the password. For example, if the user name is john-d, then d is not checked because it is shorter than three characters. Similarly, if the name is John Richard Doe, then the password cannot contain john, richard, or doe.
When checking against the user's full name, commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs are treated as delimiters that separate the name into individual character sets. Each character set of three or more characters is searched for in the password; if it is present, the password change is rejected. For example, the name John Richard-Doe is split into three character sets: John, Richard, and Doe. This user cannot have a password that contains three consecutive characters from John, Richard, or Doe anywhere in it. However, the password can contain the substring d-D, because the hyphen (-) is treated as the delimiter between Richard and Doe. The search for character sets in the password is not case-sensitive.
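The complex password criteria described above, implemented as an added stand-alone example in Python. This is not Oracle Identity Manager code; the function names, the sample user John Richard-Doe with user ID jrdoe, and the sample passwords are assumptions made for the example. It splits the first name, last name and user ID on the delimiters the page lists, drops pieces shorter than three characters (so a one-letter name part, or a full name shorter than three characters, is never checked), and then rejects any password containing three consecutive characters of a remaining piece, case-insensitively, which is the stricter of the page's two descriptions. It also applies the six-character floor over Minimum Length and the three-of-five category rule, treating any character outside ASCII as the Unicode category (an assumption):

```python
"""Complex-password criteria from this page, as an added stand-alone example
(not Oracle Identity Manager code). The function names and the sample users
are assumptions made for the example."""
import re

# The page lists these as the delimiters used to split a user's names.
NAME_DELIMITERS = ",.-_ #\t"
_SPLIT = re.compile("[" + re.escape(NAME_DELIMITERS) + "]+")


def name_tokens(*names):
    """Split each name on the delimiters; keep pieces of 3+ characters, lower-cased.
    Shorter pieces (the 'd' in 'john-d') are never checked."""
    tokens = set()
    for name in names:
        for piece in _SPLIT.split(name or ""):
            if len(piece) >= 3:
                tokens.add(piece.lower())
    return tokens


def forbidden_windows(tokens):
    """Every run of three consecutive characters from a token, e.g. 'ric', 'ich'
    from 'richard'. This follows the page's stricter 'three continuous
    characters' wording rather than whole-token matching."""
    return {t[i:i + 3] for t in tokens for i in range(len(t) - 2)}


def category_count(password):
    """How many of the five character categories the password uses."""
    upper = any("A" <= c <= "Z" for c in password)
    lower = any("a" <= c <= "z" for c in password)
    digit = any("0" <= c <= "9" for c in password)
    # Assumed: 'non-alphanumeric' is any printable ASCII that is not a letter
    # or digit; 'Unicode' is any character outside ASCII.
    special = any(c.isascii() and c.isprintable() and not c.isalnum() for c in password)
    unicode_ = any(not c.isascii() for c in password)
    return upper + lower + digit + special + unicode_


def check_complex(password, first_name="", last_name="", user_id="", minimum_length=0):
    """Return the violated criteria (empty list means the password passes).
    minimum_length is the policy's Minimum Length field; the complex criteria
    raise it to 6 when it is lower."""
    problems = []
    required = max(6, minimum_length)
    if len(password) < required:
        problems.append("shorter than %d characters" % required)
    if category_count(password) < 3:
        problems.append("fewer than 3 of the 5 character categories")
    lowered = password.lower()  # the name search is not case-sensitive
    hits = sorted(w for w in forbidden_windows(name_tokens(first_name, last_name, user_id))
                  if w in lowered)
    if hits:
        problems.append("contains part of a name or user ID: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed sample user based on the page's John Richard-Doe illustration.
    for pw in ("Welcome1", "Rich2024!", "Xd-D9pass", "Sh0r!", "password"):
        print(pw, check_complex(pw, "John", "Richard-Doe", "jrdoe", minimum_length=2) or "accepted")
```

Run as a script, the block accepts Welcome1 and Xd-D9pass (the hyphen keeps d-D from matching Doe), rejects Rich2024! because ric and ich come from Richard, rejects Sh0r! as shorter than six characters even though Minimum Length is 2, and rejects password for using only one character category.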
Note:
If the user's full name is less than three characters in length, the password is not checked against it, because the rate at which passwords would be rejected is too high.

If you select the Custom Policy option, you can set a custom password policy by using the fields listed in Table 14-2.
Table 14-2 Fields of the Policy Rules Tab for Setting Custom Password Policy
Field Name | Description
---|---
Maximum Length | The maximum number of characters that a password can contain. For example, if you enter 8 in the Maximum Length field, a password is not accepted if it has more than eight characters. This field accepts values from 1 to 999.
Maximum Repeated Characters | The maximum number of times a character can occur in a password. For example, if you enter 2 in the Maximum Repeated Characters field, a password is not accepted if any character occurs more than two times, so a password in which the letter a appears four times is rejected. This field accepts values from 1 to 999.
Minimum Numeric Characters | The minimum number of digits that a password must contain. For example, if you enter 1 in the Minimum Numeric Characters field, a password must contain at least one digit. This field accepts values from 0 to 999.
Minimum Alphanumeric Characters | The minimum number of letters or digits that a password must contain. For example, if you enter 6 in the Minimum Alphanumeric Characters field, a password must contain at least six letters or digits. This field accepts values from 0 to 999.
Minimum Unique Characters | The minimum number of nonrepeating characters that a password must contain. For example, if you enter 1 in the Minimum Unique Characters field, a password is accepted only if at least one character in it occurs exactly once. This field accepts values from 0 to 999.
Minimum Alphabet Characters | The minimum number of letters that a password must contain. For example, if you enter 2 in the Minimum Alphabet Characters field, the password is not accepted if it has fewer than two letters. This field accepts values from 0 to 999.
Special Characters: Minimum | The minimum number of non-alphanumeric characters (for example, #, %, or &) that a password must contain. For example, if you enter 1 in the Special Characters: Minimum field, a password must have at least one non-alphanumeric character. This field accepts values from 0 to 999.
Special Characters: Maximum | The maximum number of non-alphanumeric characters that a password can contain. For example, if you enter 3 in the Special Characters: Maximum field, a password is not accepted if it contains more than three non-alphanumeric characters. This field accepts values from 1 to 999.
Minimum Uppercase Characters | The minimum number of uppercase letters that a password must contain. For example, if you enter 8 in the Minimum Uppercase Characters field, a password is not accepted if it contains fewer than eight uppercase letters. This field accepts values from 0 to 999.
Minimum Lowercase Characters | The minimum number of lowercase letters that a password must contain. For example, if you enter 8 in the Minimum Lowercase Characters field, a password is not accepted if it has fewer than eight lowercase letters. This field accepts values from 0 to 999.
Unicode Characters: Minimum | The minimum number of Unicode characters that a password must contain. For example, if you enter 3 in the Unicode Characters: Minimum field, the password is not accepted if it has fewer than three Unicode characters. This field accepts values from 0 to 999.
Unicode Characters: Maximum | The maximum number of Unicode characters that a password can contain. For example, if you enter 8 in the Unicode Characters: Maximum field, a password is not accepted if it has more than eight Unicode characters. This field accepts values from 1 to 999.
Characters Required | The characters that a password must contain. For example, if you enter x in the Characters Required field, a password is accepted only if it contains the character x. Every character you specify in the Characters Required field must also be listed in the Characters Allowed field. If you specify more than one character, do not separate them with delimiters: commas and white space are themselves treated as required characters. For example, if you enter a,x,c, then the password is not accepted unless it contains a comma.
Characters Not Allowed | The characters that a password must not contain. For example, if you enter an exclamation point (!) in the Characters Not Allowed field, a password is not accepted if it contains an exclamation point.
Characters Allowed | The characters that a password can contain. For example, if you enter the percent sign (%) in the Characters Allowed field, a password is accepted if it contains a percent sign, provided that all other criteria are met. Note: If the password contains any character that is not in the Characters Allowed field, the password is rejected. For example, if the Characters Allowed field has "abc" and the password is "dad", then the password is rejected because "d" is not in the Characters Allowed field. If you specify the same character in both the Characters Allowed and Characters Not Allowed fields, an error message is returned when you create the password policy.
Substrings Not Allowed | A series of consecutive alphanumeric characters that a password must not contain. For example, if you enter IBM in the Substrings Not Allowed field, a password is not accepted if it contains the letters I, B, and M in that order and next to each other.
Start With Alphabet | Whether the password must begin with a letter. For example, if you select this option, the password 123welcome is not accepted because it does not begin with a letter.
Disallow User ID | When this check box is selected, a password is not valid if it is the user ID or contains the user ID. If you deselect this check box, the password is accepted even if it contains the user ID.
Disallow First Name | When this check box is selected, a password is not valid if it is the user's first name or contains the user's first name. If you deselect this check box, the password is accepted even if it contains the user's first name.
Disallow Last Name | When this check box is selected, a password is not valid if it is the user's last name or contains the user's last name. If you deselect this check box, the password is accepted even if it contains the user's last name.
Password File | The path and name of a file that contains predefined terms that are not allowed as passwords. Note: If settings on the Policy Rules tab differ from the specifications in the password file, Oracle Identity Manager uses the settings on the Policy Rules tab.
Password File Delimiter | The delimiter character used to separate terms in the password file. For example, if you enter a comma (,) in the Password File Delimiter field, the terms in the password file must be separated by commas.
You can attach a process form with one of the Password fields to a resource. A password entered for a resource is validated against the password policy associated with that resource.
Usage Tab
You use this tab to view the rules and resource objects that are associated with the current password policy.
Figure 14-2 shows the Usage tab of the Password Policies form. In this example, rules are being defined for the Solaris password policy.
Figure 14-2 Usage Tab of the Password Policies Form
See Also:
"Password Policies Rule Tab" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the relationship between password policies and resource objects

You can attach a process form with one of the Password fields to a resource. If you apply a password policy to that resource and also create an access policy for the resource, the password entered by the user in the process form is not validated against the password policy rules. This is because, when the resource is provisioned to the user, the user must provide the password, which is then validated against the password policy rules applied to the resource.
To set the criteria for a password policy:
Open the required password policy definition.
Click the Policy Rules tab.
Either enter information into the appropriate fields, or select the required check boxes.
Click Save.