Sun Identity Manager Deployment Reference

Tracking User Password History

By default, Identity Manager does not track user password changes initiated by administrators. The following options allow administrators to change this default behavior. Choose the option that best suits your deployment.

Option 1: Adding a View Option to a Form

You can add a view option to the target form, as shown below. Note that this view option will override any system configuration setting. Specifically, if you set the view option to true, and the relevant system configuration attribute is false, Identity Manager follows the view option and ignores the system configuration setting.

If you are working with a target form that is not part of ActiveSync processing, set the savePasswordHistory attribute on the target form (typically the User form) as shown below.


<Field name='savePasswordHistory'>
   <Default>
      <Boolean>true</Boolean>
   </Default>
</Field>

To record password changes during ActiveSync processing, you must set the savePasswordHistory view option in a different way. Modify the Synchronize User Password TaskDefinition by adding the following action (between the existing actions 0 and 2) to the SetPasswordView Activity.


<Activity id='5' name='SetPasswordView'>
   <Action id='0'>
      <expression>
         <set name='PasswordView.resourceAccounts.password'>
            <ref>password</ref>
         </set>
      </expression>
   </Action>
   <!-- Add action here -->
   <Action id='1'>
      <expression>
         <set name='PasswordView.savePasswordHistory'>
            <Boolean>true</Boolean>
         </set>
      </expression>
   </Action>
   <!-- end -->
   <Action id='2'>
      <expression>
         <dolist name='account'>
            <ref>PasswordView.resourceAccounts.currentResourceAccounts</ref>
            <!-- existing body of this action continues unchanged -->
         </dolist>
      </expression>
   </Action>
</Activity>

Option 2: Changing a System Configuration Object Setting

Alternatively, you can edit the relevant System Configuration object setting. You can configure the savePasswordHistory option through the Login application.

Procedure: To Modify a System Configuration Object Setting

  1. In the System Configuration object, locate this path:

    security.admin.changePassword.[login interface]

  2. Switch the values for savePasswordHistory for the appropriate interfaces from false to true (see example below). By default, these values are false.


     <Attribute name='security'>
       <Object>
         <Attribute name='admin'>
           <Object>
              <Attribute name='changePassword'>
                 <Object>
                    <Attribute name='Administrator Interface'>
                       <Object>
                          <Attribute name='savePasswordHistory'>
                             <Boolean>false</Boolean>
                          </Attribute>
                       </Object>
                    </Attribute>
                    <Attribute name='Command Line Interface'>
                       <Object>
                          <Attribute name='savePasswordHistory'>
                             <Boolean>false</Boolean>
                          </Attribute>
                       </Object>
                    </Attribute>
                    <Attribute name='IVR Interface'>
                       <Object>
                          <Attribute name='savePasswordHistory'>
                             <Boolean>false</Boolean>
                          </Attribute>
                       </Object>
                    </Attribute>
                    <Attribute name='SOAP Interface'>
                       <Object>
                          <Attribute name='savePasswordHistory'>
                             <Boolean>false</Boolean>
                          </Attribute>
                       </Object>
                    </Attribute>
                    <Attribute name='User Interface'>
                       <Object>
                          <Attribute name='savePasswordHistory'>
                             <Boolean>false</Boolean>
                          </Attribute>
                       </Object>
                    </Attribute>
                 </Object>
              </Attribute>
           </Object>
         </Attribute>
         <Attribute name='authn'>
            <Object> ..

    To permit password history recording through the SPML interface, set the following attribute in the System Configuration object (SPML requests are governed by the Command Line Interface entry, not a separate SPML entry):

    security.admin.changePassword.Command Line Interface
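A deployment review usually wants to know which login interfaces still have savePasswordHistory at false, and whether a form's view option (Option 1) would override that. The following checker is an added example, not part of the Sun documentation or product; it parses a constructed System Configuration fragment in the Attribute/Object/Boolean layout shown above and applies the precedence rule the text describes (view option wins over the system setting when present).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a fragment of a System Configuration object export in
# the layout shown above (not taken from any real deployment).
SAMPLE_SYSCONFIG = """<Attribute name='security'><Object>
  <Attribute name='admin'><Object>
    <Attribute name='changePassword'><Object>
      <Attribute name='Administrator Interface'><Object>
        <Attribute name='savePasswordHistory'><Boolean>true</Boolean></Attribute>
      </Object></Attribute>
      <Attribute name='Command Line Interface'><Object>
        <Attribute name='savePasswordHistory'><Boolean>false</Boolean></Attribute>
      </Object></Attribute>
      <Attribute name='User Interface'><Object>
        <Attribute name='savePasswordHistory'><Boolean>false</Boolean></Attribute>
      </Object></Attribute>
    </Object></Attribute>
  </Object></Attribute>
</Object></Attribute>"""


def _child(obj, name):
    """Return the <Object> nested under <Attribute name=...> inside obj, or None."""
    for attr in obj.findall("Attribute"):
        if attr.get("name") == name:
            return attr.find("Object")
    return None


def password_history_flags(xml_text):
    """Map each login interface under security.admin.changePassword to its
    savePasswordHistory value; a missing attribute counts as False (the default)."""
    root = ET.fromstring(xml_text)  # root is <Attribute name='security'>
    change_pw = _child(_child(root.find("Object"), "admin"), "changePassword")
    flags = {}
    for iface in change_pw.findall("Attribute"):
        value = False
        for attr in iface.find("Object").findall("Attribute"):
            if attr.get("name") == "savePasswordHistory":
                boolean = attr.find("Boolean")
                value = boolean is not None and boolean.text.strip().lower() == "true"
        flags[iface.get("name")] = value
    return flags


def effective_setting(view_option, system_flag):
    """A savePasswordHistory view option set on the form overrides the system
    configuration; when the form sets nothing, the system value applies."""
    return system_flag if view_option is None else view_option


def interfaces_not_recording(xml_text):
    """Interfaces whose administrator-initiated password changes are not tracked."""
    return sorted(name for name, on in password_history_flags(xml_text).items() if not on)
```

Run interfaces_not_recording on an export of your System Configuration object after Option 2 to confirm every interface you care about flipped to true.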