Defining a Password Policy

Complete these steps to define an application's password policy:

  1. Open the application definition. From the navigation menu, go to Applications > Application Definition, then select an application from the list or click Add New Application to create a new application.

  2. Open the Password Policy tab.

  3. Click Create New Policy to create a new password policy, click a policy name in the list to edit an existing policy, or click Add Existing Policy to select a predefined password policy from the dropdown list (see Policy Reuse).

  4. Name the policy (required) and provide a brief description. Specify any required password characteristics. Most of these characteristics are self-explanatory.

Note: If a Password history length value is specified, the password history is stored as a <PasswordHistory> element on the <Link> (account representation) within the Identity object. It is stored as a comma-separated list of encrypted passwords. The number of passwords stored is determined by the Password history length value specified. New passwords set for the account cannot match any password in the list.

  5. Select an Identity Filter if this policy should apply only to certain sets of Identities. The default Identity Filter is All, which means the policy applies to all Identities. Other options are:

    • Match List – specify Identity Attributes or Application Attributes/Permissions by which Identities can be matched for this policy to apply (for example, Identity Attribute: Department = Accounting)

    • Filter – specify a filter (as CompoundFilter XML) that can be used to identify Identities to which this policy applies

    • Script – specify a segment of BeanShell that selects Identities that should use this policy

    • Rule – specify a rule (type: IdentitySelector) that returns a list of Identities to which this policy should apply

    • Population – apply this filter to the Identities in an existing IdentityIQ Population

Note: The first policy defined should be the default policy that applies to all users. This policy serves as the "fallback" policy if none of the more restrictive policy Identity Filters apply to the Identity whose password is being validated. If more than one policy is specified with Identity Filter = All, only the last one created is applied in any Identity password validation. This is further explained in the Password Validation Process section.

See Password Dictionary.