Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14308-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

14 Managing Password Policies

The Administration folder of Oracle Identity Manager Design Console enables you to administer Oracle Identity Manager.

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about Oracle Identity Manager Design Console and all the forms available in Oracle Identity Manager Design Console

You can perform the following tasks by using the Administration folder of Oracle Identity Manager Design Console:

14.1 Creating a Password Policy

You can use the Password Policies form in Oracle Identity Manager Design Console to create password policies, and thereby:

To create a password policy:

  1. Open the Password Policies form. Figure 14-1 shows the Password Policies form.

    Figure 14-1 The Password Policies Form

    Description of Figure 14-1 follows
    Description of "Figure 14-1 The Password Policies Form"

  2. In the Policy Name field, enter the name of the password policy.

  3. In the Policy Description field, enter a short description of the password policy.

  4. Click Save.

Note:

  • A password policy is not applied during the creation of an Oracle Identity Manager user through trusted reconciliation.

  • After you create a password policy, it must be supplied with criteria and associated with a resource. To supply your password policy with criteria, use the Policy Rules tab of this form. To associate your password policy with a resource, use the Password Policies Rule tab of the Resource Object form to create a password policy and rule combination that will be evaluated when accounts are created or updated on the resource. The password policy will be applied when the criteria for the rule are met. Each password policy can be used by multiple resources.

    The same resource might be accepted by the rules of two different password policies. However, the password policy attached to the rule with the highest priority is applied.

    See "Adding a Password Policy Rule to a Resource Object" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about associating a resource with a password policy.

The tabs in this form become functional after you create a password policy. These tabs are used to set the criteria for the password policy and to view the rules and resource objects that are associated with the current password policy. The following sections discuss these tabs:

14.1.1 The Policy Rules Tab

You use the Policy Rules tab to specify criteria for your password policy, for example, the minimum and maximum length of passwords.

You can use either or both of the following methods to set password restrictions:

  • Enter information in the appropriate fields, or select the required check boxes. For example, to indicate that a password must have a minimum length of four characters, enter 4 in the Minimum Length field.

  • In the Password File field, enter the directory path and name of the password policy file (for example, c:\xellerate\userlimits.txt). This file contains predefined words that you do not want to be used as passwords. The delimiter specified in the Password File Delimiter field separates these words. the predefined words in the file cannot be used as passwords. For example, if the file contains the word welcome, then welcome, Welcome, and welcome123 are invalid passwords

Figure 14-1 shows the Policy Rules tab of the Password Policies form.

Table 14-1 describes the data fields on the Policy Rules tab. You specify the password policy criteria in these fields.

Note:

If a data field of the policy is empty, a password conforming to this policy does not have to meet the criteria of that field for the password to be valid. For example, when the Minimum Numeric Characters data field is blank, Oracle Identity Manager will accept a password, regardless of the number of characters included in it.

Table 14-1 Fields of the Policy Rules Tab of the Password Policies Form

Field Name Description

Minimum Length

The minimum number of characters that a password must contain for the password to be valid.

For example, if you enter 4 in the Minimum Length field, the password must contain at least four characters.

This field accepts values from 0 to 999.

Expires After Days

The duration in days for which users can use a password.

For example, if you enter 30 in the Expires After Days field, users must change their passwords by the thirtieth day from when it was created or last modified.

Note: After the number of days specified in the Expires After Days field passes, a message is displayed asking the user to change the password.

This field accepts values from 0 to 999.

Disallow Last Passwords

The frequency at which old passwords can be reused. This policy ensures that users do not change back and forth among a set of common passwords.

For example, if you enter 10 in the Disallow Last Passwords field, users are allowed to reuse a password only after using 10 unique passwords.

This field accepts values from 0 to 24.

Warn After (Days)

The number of days that must pass before a user is notified that the user's password will expire on a designated date.

For example, suppose you enter 30 in the Expires After Days field, and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user will be informed that the password will expire on December 1.

This field accepts values from 0 to 999.


On the Policy Rules tab of the Password Policies form, you can configure either a complex password or custom password policy. If you select the Complex Password option, you cannot use the Custom Password option setup and passwords will be evaluated against the complex password criteria that you enter on the Policy Rules tab.

The remaining fields in the Policy Rules tab are discussed in the following sections:

Complex Password

The following are the complex password criteria:

  • The password is at least six characters long. This password length overrides the Minimum Length field if the value entered in the Minimum Length field is less than 6. For example, if you enter 2 in the Minimum Length field, at least six characters will be required for the password because it must have at least six characters according to the complex password criteria.

  • The password must contain characters from at least three of the following five categories:

    • English uppercase characters (A - Z)

    • English lowercase characters (a - z)

    • Base 10 digits (0 - 9)

    • Non-alphanumeric characters (for example: !, $, #, or %)

    • Unicode characters

  • The password must not contain the user's first name, last name, or user ID when their length is greater than 2.

    The names are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, then the names are split and all sections are verified not to be included in the password. For example, if the user name is john-d, then d will not be checked in the password because its length is less than 2. Similarly, if the name is John Richard Doe, then the password cannot contain john, richard, or doe.

    When checking against the user's full name, characters such as commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs are treated as delimiters that separate the name into individual character sets. Each character set that has three or more characters is searched in the password. If the character set is present in the password, the password change is rejected. For example, the name John Richard-Doe is split into three character sets: John, Richard, and Doe. This user cannot have a password that consists of three continuous characters from either John or Richard or Doe anywhere in the password. However, the password can contain the substring d-D because the hyphen (-) is treated as the delimiter between the substrings Richard and Doe. In addition, the search for character sets in the password is not case-sensitive.

Note:

If the user's full name is less than three characters in length, the password is not checked against it because the rate at which passwords will be rejected is too high.

Custom Policy

If you select the Custom Policy option, you can set a custom password policy by using the fields listed in Table 14-2.

Table 14-2 Fields of the Policy Rules Tab for Setting Custom Password Policy

Field Name Description

Maximum Length

The maximum number of characters that a password can contain.

For example, if you enter 8 in the Maximum Length field, a password is not accepted if it has more than eight characters.

This field accepts values from 1 to 999.

Maximum Repeated Characters

The maximum number of times a character can be repeated in a password.

For example, if you enter 2 in the Maximum Repeated Characters field, a password is not accepted if any character is repeated more than two times. For example, RL112211 would not be a valid password because the character 1 is repeated three times.

Note: In this example, there are four occurrences of the character 1, which means that it is repeated three times.

This field accepts values from 1 to 999.

Minimum Numeric Characters

The minimum number of digits that a password must contain.

For example, if you enter 1 in the Minimum Numeric Characters field, a password must contain at least one digit.

This field accepts values from 0 to 999.

Minimum Alphanumeric Characters

The minimum number of letters or digits that a password must contain.

For example, if you enter 6 in the Minimum Alphanumeric Characters field, a password must contain at least six letters or numbers.

This field accepts values from 0 to 999.

Minimum Unique Characters

The minimum number of nonrepeating characters that a password must contain.

For example, if you enter 1 in the Minimum Unique Characters field, a password is accepted if at least one character in the password is not repeated. For example, 1a23321 would be a valid password because the character a in the password is not repeated although the remaining characters are repeated.

This field accepts values from 0 to 999.

Minimum Alphabet Characters

The minimum number of letters that a password must contain.

For example, if you enter 2 in the Minimum Alphabet Characters field, the password is not accepted if it has less than two letters.

This field accepts values from 0 to 999.

Special Characters: Minimum

The minimum number of non-alphanumeric characters (for example, #, %, or &) that a password must contain.

For example, if you enter 1 in the Special Characters: Minimum field, a password must have at least one non-alphanumeric character.

This field accepts values from 0 to 999.

Special Characters: Maximum

The maximum number of non-alphanumeric characters that a password can contain.

For example, if you enter 3 in the Special Characters: Maximum field, a password is not accepted if it contains more than three non-alphanumeric characters.

This field accepts values from 1 to 999.

Minimum Uppercase Characters

The minimum number of uppercase letters that a password must contain.

For example, if you enter 8 in the Uppercase Characters: Minimum field, a password is not accepted if it contains less than eight uppercase letters.

This field accepts values from 0 to 999.

Minimum Lowercase Characters

The minimum number of lowercase letters that a password must contain.

For example, if you enter 8 in the Minimum Lowercase Characters field, a password is not accepted if it has less than eight lowercase letters.

This field accepts values from 0 to 999.

Unicode Characters: Minimum

The minimum number of Unicode characters that a password must contain.

For example, if you enter 3 in the Unicode Characters: Minimum field, the password is not accepted if it has less than three Unicode characters.

This field accepts values from 0 to 999.

Unicode Characters: Maximum

The maximum number of Unicode characters that a password can contain.

For example, if you enter 8 in the Unicode Characters: Maximum field, a password is not accepted if it has more than eight Unicode characters.

This field accepts values from 1 to 999.

Characters Required

The characters that a password must contain.

For example, if you enter x in the Characters Required field, a password is accepted only if it contains the character x.

The character you specify in the Characters Required field, must be mentioned in the Characters Allowed field. If you enter a character in the Characters Required field that is not mentioned in the Characters Allowed field, then an error is displayed stating that the required characters must be in the list of allowed characters, and required characters must not be in the list of not allowed characters.

In addition, if you specify more than one character, then do not provide delimiters. Commas and white spaces are also considered as characters in this field. For example, if you specify characters such as a,x,c, then the password is not accepted unless it contains comma.

Characters Not Allowed

The characters that a password must not contain.

For example, if you enter an exclamation point (!) in the Characters Not Allowed field, a password is not accepted if it contains an exclamation point.

Characters Allowed

The characters that a password can contain.

For example, if you enter the percent sign (%) in the Characters Allowed field, a password is accepted if it contains a percent sign, given that all other criteria are met.

Note: If any character is used in the password and that character is not in the Characters Allowed field, then the password will be rejected. For example, if the Characters Allowed field has "abc" and the password is "dad", then the password is rejected because "d" is not in the Characters Allowed field.

If you specify the same character in the Characters Allowed and Characters Not Allowed fields, an error message is returned when you create the password policy.

Substrings Not Allowed

A series of consecutive alphanumeric characters that a password must not contain.

For example, if you enter IBM in the Substrings Not Allowed field, a password is not accepted if it contains the letters I, B, and M, in successive order.

Start With Alphabet

Whether or not the password must begin with a letter.

For example, if you select this option, then the password 123welcome is not accepted because the password does not begin with a letter. However, if you do not select this option, then the password can begin with a letter, numeric digit, or special character.

Disallow User ID

This check box specifies if the user ID will be accepted as the whole password or as part of the password.

When this check box is selected, a password will not be valid if the user ID is entered in the Password field. In addition, the password is not valid if the user ID occurs as a part of the password specified in the Password field.

If you deselect this check box, the password will be accepted, even if it contains the user ID.

Disallow First Name

This check box specifies if the user's first name will be accepted as the whole password or as part of the password.

When this check box is selected, a password will not be valid if the user's first name is entered in the Password field. In addition, the password is not valid is the first name is entered as a part of the password.

If you deselect this check box, the password will be accepted, even if it contains the user's first name.

Disallow Last Name

This check box specifies if the user's last name will be accepted as the whole password or as part of the password.

When this check box is selected, a password will not be valid if the user's last name is entered in the Password field. In addition, the password is not valid is the last name is entered as a part of the password.

If you deselect this check box, the password is accepted, even if it contains the user's last name.

Password File

The path and name of a file that contains predefined terms, which are not allowed as passwords. The file must be stored on the same host on which Oracle Identity Manager is deployed.

Note: The settings on the Policy Rules tab get precedence over the specifications in the password file. For example, a disallowed term of the password file is used in the policy when no disallowed term is specified in the Policy Rules tab.

Password File Delimiter

The delimiter character used to separate terms in the password file.

For example, if a comma (,) is entered in the Password File Delimiter field, the terms in the password file will be separated by commas.

Note: There are no escape characters defined to be used in password policies.


You can attach a process form with one of the Password fields to a resource. A password entered for a resource is validated against the password policy associated with that resource.

14.1.2 The Usage Tab

You use this tab to view the rules and resource objects that are associated with the current password policy.

Figure 14-2 shows the Usage tab of the Password Policies form. In this example rules are being defined for the Solaris password policy.

Figure 14-2 Usage Tab of the Password Policies Form

Description of Figure 14-2 follows
Description of "Figure 14-2 Usage Tab of the Password Policies Form"

See Also:

"Password Policies Rule Tab" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the relationship between password policies and resource objects

14.2 Setting the Criteria for a Password Policy

You can attach a process form with one of the Password fields to a resource. A password entered for a resource is validated against the password policy associated with that resource.

To set the criteria for a password policy:

  1. Open the required password policy definition.

  2. Click the Policy Rules tab.

  3. Either enter information into the appropriate fields, or select the required check boxes.

  4. Click Save.