Password Management

Use

Users require a password to log on with user ID and password. As administrator, you must define or generate an initial password for newly created users. If users forget their passwords, you can also define or generate a new password for them. You can provide a link on the logon screen where users can reset their passwords themselves. If you enable self-management, users can view their profile and change their own passwords.

You can also disable a user's password. A user with a disabled password cannot log on with a password, but can still log on with Single Sign-On variants, such as X.509 certificate or logon ticket (see Disabling Passwords below).

Prerequisites

To change a user's password or automatically generate a user's password, you must enable e-mail notification; otherwise, the system cannot notify users about their new password.

For more information, see Configuring E-Mail Notification.

Features

Security Policy

The security policy defines the password rules. For example, you can define how long until a password expires or how many digits a password must contain.

For more information, see Configuring the Security Policy for User ID and Passwords.

Defining Initial Passwords or Changing Passwords

Caution

When defining or changing passwords, note the following:

  • You must enable e-mail notification when you define or change passwords; otherwise, the system cannot notify users of their new password.

  • E-mail notification sends the logon passwords in plain text.

You have the following options for defining initial passwords for new users, or changing an existing user's password:

  • Define a user's password in the user details view

    The user receives a notification e-mail containing the new password and is prompted to change his or her password the next time he or she logs on.

  • Generate a password for the user in the Details view for the user or for one or more users in the Search view.

    The system automatically generates a new password for the user. The user receives a notification e-mail containing the new password and is prompted to change his or her password the next time he or she logs on.

  • Update the user with the import function

    Include the password attribute with a new password in the import. The user receives a notification e-mail containing the new password and is prompted to change his or her password the next time he or she logs on.

Help for Forgotten Passwords

Users inevitably forget their passwords. You can enable users to reset their passwords themselves, by configuring a link for logon help on the Welcome screen. Users enter their logon ID and other data.

  • If the user enters all this information correctly, the UME generates a new password according to the security policy and e-mails it to the user.

  • If the user enters the information incorrectly, an error message appears and the user must contact the administrator directly.

For more information, see Enabling Users to Reset Their Own Password.

Disabling Passwords

You can disable a user's password. The user can no longer log on using a password, but only with Single Sign-On variants, such as X.509 certificate or logon ticket. Disable passwords if you do not require password-based logon. In such cases, deactivating the password increases security, as passwords that are not used are often still initial. Initial passwords are often well-known or were sent to the user in an e-mail, unencrypted.

Auto Lock

Depending on the security policy settings, the UME can lock a password after too many failed logon attempts. Each time a user fails to log on with the correct password, the system increments the number of failed logon attempts. When this attribute equals the configured value, the system locks the user with a password lock. The user must then ask the administrator to unlock the user, or you can configure the auto unlock function. The attribute that tracks the number of failed logon attempts is reset to zero when the user successfully logs on or when the administrator unlocks the user.

Auto Unlock

The auto unlock function unlocks a user with a password lock after the configured period of time. After this period, the user can attempt to log on again. This feature does not reset the number of failed logon attempts. A user who attempts and fails to log on again after a password lock is locked again immediately.
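
The interaction between Auto Lock and Auto Unlock described above can be modeled as a small state machine. This is an added example, not SAP or UME code: the class, field, and function names are hypothetical, and the policy values and timeline are constructed. It assumes that logon attempts made while locked are not counted and that the lock triggers when the counter reaches or exceeds the configured value.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    """Toy model of the lock rules above; all names are hypothetical, not UME API."""
    password: str
    max_failed: int          # assumed policy value: failures that trigger the lock
    auto_unlock_secs: int    # assumed policy value: 0 means only an admin unlocks
    failed: int = 0
    locked_at: Optional[int] = None

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        # Auto unlock lifts the lock after the period but keeps the counter.
        if self.auto_unlock_secs and now - self.locked_at >= self.auto_unlock_secs:
            self.locked_at = None
            return False
        return True

    def logon(self, password: str, now: int) -> str:
        if self.is_locked(now):
            return "locked"  # assumption: attempts while locked are not counted
        if hmac.compare_digest(password.encode(), self.password.encode()):
            self.failed = 0  # successful logon resets the counter
            return "ok"
        self.failed += 1
        # ">=" (assumption) so a counter already at the limit re-locks at once.
        if self.failed >= self.max_failed:
            self.locked_at = now
            return "failed+locked"
        return "failed"

    def admin_unlock(self) -> None:
        self.locked_at, self.failed = None, 0  # admin unlock also resets the counter

def demo() -> list:
    # Constructed timeline: (seconds, password tried); limit 3, auto unlock 600 s.
    acct = Account(password="Correct-Horse-1", max_failed=3, auto_unlock_secs=600)
    tries = [(0, "a"), (10, "b"), (20, "c"), (30, "Correct-Horse-1"),
             (620, "d"), (1220, "Correct-Horse-1"), (1230, "e")]
    return [acct.logon(pw, t) for t, pw in tries]

if __name__ == "__main__":
    print(demo())
```

In the timeline, the correct password at second 30 is rejected because the lock is active, and the single wrong attempt at second 620 re-locks the account immediately because the counter was not reset by the auto unlock.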

Self-Management

To enable users to manage their own passwords, assign the action Manage_My_Password to a role assigned to the Authenticated Users group. If you enable users to manage their own profiles, this action is not necessary.

For more information, see User Profile.

This function requires you to select the Allow Users to Change Their Own Passwords checkbox in the security policy settings.

Activities

Defining an Initial Password for a User

  1. Search for and select a user.

  2. In the Details view, choose the Modify pushbutton.

  3. On the General Information tab, select the Define Initial Password radio button.

  4. Enter the new password in the Define Password field and reenter it in the Confirm Password field.

  5. Save your entries.

    The system sends the user a notification e-mail containing the new password and prompts him or her to change this password the next time he or she logs on.

Generating a New Password for a User

  1. Search for and select a user.

  2. Choose the Generate New Password pushbutton.

    The system sends the user a notification e-mail containing the new password and prompts him or her to change this password the next time he or she logs on.

Disabling a User's Password

  1. Search for the user.

  2. In the search results list, select the user.

  3. In the user details view, choose the Modify pushbutton.

  4. On the General Information tab, select the Disable Password checkbox.

  5. Save your entries.

More Information