
Handling Password in IDM

Former Member
0 Kudos

Hello all,

I'm currently doing the migration from CUA to IDM and I would like to keep the same password way of working.

Password provisioning works fine in IDM but I have a problem.

In CUA I can reset the password (SU01) of 1 user and select the system (one or more) I want to reset. In IDM I don't find that option; if I change the password, it apparently changes it on all systems to which the user has access.

In our CUA I can select the child system for which I want to reset the password.

So let's suppose a user has access to A, B, C.

He locked himself out of B, so he needs a new password. How can I provide him a new initial password on B, without resetting A and C?

Thx for your help,

Nicolas.

Accepted Solutions (1)


Murali_Shanmu
Active Contributor
0 Kudos

Nicolas,

Are you using the Password Self Service feature in IdM, or just having an Administrator go to the IdM UI to reset passwords on request by users?

Cheers

Murali.

Former Member
0 Kudos

Hi,

I first would like to do as now, by an Administrator.

Then I will implement Self-service Password.

For self-service, does the user need access to UME?

Nicolas.

Former Member
0 Kudos

Hi Nicolas,

To answer your questions separately:

Password reset by system

This is not possible as standard, but to customise it, you would need to provide some bespoke attributes called "password to be reset - system1", "password to be reset - system2" etc. on the admin screen where the password is reset, and then check these on the "Set Password" task. It's a missing function from standard in my opinion; maybe you should stick it on the SCN Idea Place for IdM?

Self Service

For self service, the users must define the answers to their secret questions in advance, and they need a UME account to do that. From then on, they access the service anonymously, so they don't need a UME account unless they want to update their answers.

Hope that helps?

Cheers,

Ian

p.s. love your use of the #sapidm hashtag on twitter - we should do more of that as a community!

Murali_Shanmu
Active Contributor
0 Kudos

Nicolas,

I think Ian & Peter have provided most of the answer. There is no out-of-the-box feature for this. I have already highlighted this on Idea Place for IdM and they have responded that this will come as part of future enhancements. As of now, this is already available for customers opting for the RDS Solution (below screen capture)

You could try and build something similar to this. As Peter mentioned, this new attribute which takes the repository name could be a multivalued one with a predefined list.

If you investigate the Modify Task, you will see that for the below pass "8. Exec Plugin - Set Password", the task name is dynamically passed to the script sap_core_executeplugin (based on the repository). Inside this script there is a statement uProvision(mskey, executetask, AuditID, repid, 0, 1) which calls the respective password change task. You could use this existing logic to build your own task.

Cheers,

Murali.

Former Member
0 Kudos

Hi Ian,

Thanks for your complete answer!

For me that is bad news, but I'll try to solve Password by system with Murali's idea: RDS Solution.

I'm not yet 100% comfortable with scripting, but I'll tackle that!

I'm not tweeting as much as I should, but thanks for reading and following 🙂

It would be a pleasure for me to follow other people from SCN concerning SAP IDM tweets.

Evolving on SAP IDM is not only working on the system, it's also reading posts, asking questions and trying to help the others.

Nicolas.

Former Member
0 Kudos

Hi Murali,

Thx for your explanation, that seems a very interesting solution!

Is the RDS Solution a free tool?

That would perfectly solve my problem while waiting for SAP to enhance their package (it's a shame they haven't included Reset Password by System in IDM).

Nicolas.

Murali_Shanmu
Active Contributor
0 Kudos

Hi Nicolas,

Unfortunately nothing is free in SAP. It comes with a cost. There are so many other things included in RDS which people want very often. There has been no clear indication when those things will be rolled out in the normal solutions. You can find more information on RDS - http://service.sap.com/rds-idm. We have to keep guessing what comes as part of SP8.

Cheers

Murali.

Answers (1)


Former Member
0 Kudos

You can create a task set to do it. The RDS has something similar which you can have a look at.

Basically you can have a temporary MV attribute with an attribute picklist limited to only the repositories defined.

Have a trigger on that attribute ADD/Change which then calls your tasks. The task then calls the password hook task for each repository set in your temporary attribute. Then delete the values from the temporary attribute (not strictly necessary but probably safest).

Peter
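
The dispatch logic described in the answers above (temporary multi-value attribute, one password hook task per selected repository, then clearing the attribute), sketched as an added example that is not part of the original thread and not SAP or RDS code. It is plain JavaScript: every name in it is hypothetical, and the injected `provision` callback only stands in for the call that launches a repository's password task.

```javascript
// Added illustration: plain JavaScript, not the SAP IdM script API.
// Hypothetical names: resetPasswordPerSystem, pendingResetRepos, assignedRepos,
// hookTasks, and the injected provision(mskey, taskId, repo) callback, which
// stands in for whatever launches one repository's password hook task.

function resetPasswordPerSystem(user, hookTasks, provision) {
  // Values of the temporary multi-value attribute, de-duplicated.
  const requested = [...new Set(user.pendingResetRepos || [])];
  const result = { dispatched: [], rejected: [] };

  for (const repo of requested) {
    // Reset only where a hook task is defined AND the user really has an
    // account; anything else is rejected instead of silently provisioned.
    const known = Object.prototype.hasOwnProperty.call(hookTasks, repo);
    const assigned = user.assignedRepos.includes(repo);
    if (!known || !assigned) {
      result.rejected.push(repo);
      continue;
    }
    provision(user.mskey, hookTasks[repo], repo);
    result.dispatched.push(repo);
  }

  // Clear the temporary attribute so a stale selection cannot trigger
  // another reset the next time the attribute changes.
  user.pendingResetRepos = [];
  return result;
}

// Constructed sample data: the user has accounts on A, B and C, and the
// administrator selected B (twice) plus D, which is not a defined system.
function demo() {
  const hookTasks = { A: 1001, B: 1002, C: 1003 };
  const user = {
    mskey: 4711,
    assignedRepos: ["A", "B", "C"],
    pendingResetRepos: ["B", "B", "D"],
  };
  const calls = [];
  const record = (mskey, taskId, repo) => calls.push({ mskey, taskId, repo });
  const result = resetPasswordPerSystem(user, hookTasks, record);
  return { result, calls, user };
}
```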