Requesting a Password Change

Password changes, whether self-service or for others, are requested through the Manage Access QuickLink for Lifecycle Manager. When the request is submitted, it is immediately processed through a workflow; by default, this is the LCM Manage Passwords workflow. This workflow's default configuration requires no application-owner or manager approvals for a password change.

If the change request is for an account whose application is configured with a Change Password Provisioning Policy, additional information is required before the change occurs. See Application Change Password Provisioning Policy.

Changing Account Passwords for Yourself

When you want to change your own password for an account and are authorized to do so, complete these steps:

  1. From the Manage Access QuickLink, select Manage Passwords.

  2. If you are able to manage multiple identities, you see the Manage Passwords page with user cards for every identity you can manage. Select Manage on your own user card. If you only manage your own identity, you skip this page and go directly to the Identity Details > Passwords page.

  3. On the Identity Details > Passwords page, select the application account(s) for which the password is being changed. For some accounts, you may review password policy requirements by selecting the question mark icon next to Password Constraints.

  4. Use one of two password change methods:

  5. The password reset only occurs if all requested changes can be made successfully. If a password reset fails, an error message displays and the password values must be reentered before the requested changes are successfully submitted.

  6. View the status of your password changes in the Request Status column.

Password change requests follow the LCM Manage Passwords Workflow.

Changing Account Passwords for Others

As described in Enabling Password Management in Identity, the sets of Identities for which a user can make requests, as well as the types of requests available to each user, depend on the Lifecycle Manager Configuration settings that apply to that Identity. This section assumes that the logged-in user is authorized to make password requests for the Identity needing a password change.

Complete these steps to reset another user's password on an external application through IdentityIQ:

  1. From the Manage Access QuickLink, select Manage Passwords.

  2. Find the relevant user card and select Manage.

  3. Use one of three password change methods:

  4. The password reset only occurs if all requested changes can be made successfully. If a password reset fails, an error message displays.

  5. View the status of your password changes in the Request Status column.

When passwords are reset for another user, the system automatically sets a flag that tells the external application to require a password reset upon initial login by the user. Whether the password is manually set or system generated, the user is prompted to change it the next time they sign in to the target application.

See Requesting a Password Change.

Password change requests follow the LCM Manage Passwords Workflow.

Changing Account Passwords Manually

On the Identity Details > Passwords page, you can manually change an account password.

  1. Select an account by clicking on a row in the Application column or selecting the Change button in the Actions column.

  2. Enter the new password twice – once in the New Password field and once in Confirm Password.

  3. Select Submit.

Note

If you click the Home button, exit the IdentityIQ application, or navigate away from the manage access pages before you complete all tasks, your entries are cleared and the access request is NOT submitted.

Generating Account Passwords Automatically

If Generate functionality is configured on your system, IdentityIQ can generate new account passwords. This functionality is only available when changing passwords for others.

  1. On the Identity Details > Passwords page, select the checkboxes next to the appropriate accounts or use the checkbox in the header to select all accounts.

  2. Select Generate at the top right side of the page. Because the system generates the password, there is no prompt for new password entry.

  3. If you are generating passwords for more than one account, select:

    • Synchronize Password for All to generate a new single password for all the selected accounts.

    • Or Individual Passwords for All to generate a separate new password for each of the selected accounts.

  4. Select Submit.

  5. Note the new password(s), then select Ok.

The option to generate passwords for the selected accounts can be turned on or off from gear > Lifecycle Manager > Configure > Manage Password Options. Select or clear the checkbox option for Enable password auto-generation in requesting for others.

Note

If you click the Home button, exit the IdentityIQ application, or navigate away from the manage access pages before you complete all tasks, your entries are cleared and the access request is NOT submitted.

Synchronizing Passwords Across Accounts

If more than one of an identity's account passwords is being changed and the new passwords should all be identical, you can use the Sync button to apply a single, manually entered password to all of the selected accounts.

  1. On the Identity Details > Passwords page, select the checkboxes next to the appropriate accounts or use the checkbox in the header to select all accounts.

  2. Select Sync at the top right side of the page.

  3. In the Synchronize Passwords dialog, enter a New Password, then re-enter to Confirm Password.

  4. Select Submit.

Note

If you click the Home button, exit the IdentityIQ application, or navigate away from the manage access pages before you complete all tasks, your entries are cleared and the access request is NOT submitted.

LCM Manage Passwords Workflow

By default, application password requests (forgot, expired, or change), either self-service or for others, invoke the LCM Manage Passwords workflow. This workflow's default configuration requires no application-owner or manager approvals on a password change. It creates and processes a provisioning plan that contains the requested password changes and then notifies the user by email when the change is complete.

If the change request is for an account whose application is configured with a Change Password provisioning policy, additional information is required before the change occurs.

The default email template for password change notification sends a summary of the change request. This includes the requester, some representation of the new password, and any comments entered on the request (from the Summary of Requests window). If the password was system generated, that password is included in the email body. If it was a manually entered password, it is displayed in the email body as ******; in the case of request-for-others password resets, the new password value must be communicated to the user, verbally or otherwise, by the person who made the change.

To direct IdentityIQ to use a different, custom workflow for password management, create a workflow of type LCMProvisioning and select it as the Manage Passwords business process on the Lifecycle Manager Configuration window's Business Processes tab.