Adding Access Applications to Password Management

You need to add an access application to your users' Password Manager page that allows them to change their source passwords, including their passwords on your corporate network.

Tip

To allow users to change their corporate network passwords, choose a source in the Authentication Source field that supports Password Management. Go to Identity Management > Identity Profiles. Select the identity profile you want to edit and choose a Password Management-enabled source under Sign-in Method. View the list of sources to check whether Password Management is enabled for your source.

First, set up access applications for the systems you want to allow users to reset passwords for.

  1. Go to Admin > Applications.

  2. Select the access application you want to edit or select + New.

    • When adding a new access application, enter the app name and a description, then select the source. Select Continue.
  3. Under Account Source, select Specific Users From Source or All Users From Source.

    • Use Specific Users From Source to set up access applications for a subset of users within a source based on the access profiles assigned to those identities. After selecting Specific Users From Source, go to the access application's Access tab to search for existing access profiles, or select the + New button to add new access profiles to include in your password management.
    • Use All Users From Source to set up one application for the whole source.

    Note

    When you have multiple access applications defined for a source, refer to Passwords and Multi-Application Sources for details about configuring secondary applications with the Specific Users From Source option.

  4. Choose the source you want to enable Password Management for from the Select Source dropdown list.

  5. Under Request Center Options, select the checkboxes for any options you want to enable.

  6. The password-related sections at the bottom of this tab are read-only fields.

    • The Password Source is automatically the source you selected as the Account Source.
    • The Password Policy is the primary password policy selected in the source definition.

    To view or modify the source or the password policy, select the Edit icon next to the field. You will be redirected away from this page. When you finish your changes, return here to complete the remaining steps.

  7. (Optional) On the Settings tab, under General Settings, select the Edit icon next to App Icon to upload an image. This image is displayed with the access application name on the Password Manager page.

    Image Requirements

    • The image must be a PNG or JPG.
    • The image must be smaller than 5MB.
    • Use a 1:1 width:height ratio to avoid icon distortion.
  8. Select Save.

  9. When you are ready to make this access application visible to users, go to the upper-right corner and set Enable For Users to ON, then select Save. This option appears on both the Configuration and Settings tabs.

  10. Use the arrow at the top left to return to the Applications page, then select Apply Changes. Refer to Applying Changes for Applications.

Best Practice

For best system performance, wait to select Apply Changes until you are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles, access profiles, or applications automatically processes all three.

Users with accounts on this source can see and manage their passwords for this source using Password Manager:

Password applications with the option to change their individual passwords.

  • If any identity profiles are configured to use this source with pass-through authentication, changing their password in Password Manager also changes their SailPoint password.
  • If this source is part of a password sync group, when a user changes the password for this source using the application password update, the password for all other sources and apps in the sync group will be changed as well.

Important

In order to use sync groups, each authentication source in the sync group must have at least one application.

For details on how to create access applications, as well as editing, hiding, viewing, and applying changes, refer to Configuring Access Applications.

Passwords and Multi-Application Sources

Passwords are managed per source. Access applications defined for the same source share a password, so Password Manager groups access applications for each source to show that relationship.

Typically, only the access applications the user has access to should appear in that list. To ensure only the relevant users see these secondary applications:

  1. Go to Admin > Applications.
  2. Select an access application.
  3. On the Configuration tab, under Account Source, choose Specific Users From Source for those applications.
  4. Select Save.

    Note

    The Specific Users From Source option depends on the access profiles associated with the application. You must add access profiles to define which users from the source should have the access application.

Consider the Expense example from Naming Access Applications. While all users might have AD accounts and should be able to reset their AD passwords, only some AD users might have access to the Expense system through AD groups. Choosing Specific Users From Source for the Expense application means only users with Expense access profiles have the Expense application included in their Password Manager list.

For users with Expense system access, both access applications appear under the Directory source in Password Manager:

Two access applications grouped with one source for password changes.

For users with an AD account who don't have Expense system access, only the Directory application is listed:

Single access application for source for password changes.

Important

The primary application for the source should always specify All Users From Source unless you only want Password Management to be available to a subset of users on the source.
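
The visibility rules in this section, together with the sync group requirement stated earlier, modelled as an added example. This is not SailPoint code or an export format: the inventory layout, field names, the HR source, and the sample identities are constructed assumptions.

```python
# Constructed inventory; layout and field names are assumptions, not a SailPoint format.
APPS = [
    {"name": "Directory", "source": "AD", "account_source": "ALL", "access_profiles": []},
    {"name": "Expense", "source": "AD", "account_source": "SPECIFIC",
     "access_profiles": ["Expense Users"]},
]
ACCOUNTS = {"alice": {"AD"}, "bob": {"AD"}}             # identity -> sources with an account
PROFILES = {"alice": {"Expense Users"}, "bob": set()}   # identity -> assigned access profiles
SYNC_GROUPS = {"corp": ["AD", "HR"]}                    # sync group -> member sources


def visible_apps(user, apps, accounts, profiles):
    """Return {source: [app names]} grouped the way Password Manager lists them."""
    grouped = {}
    for app in apps:
        # Only users with an account on the source see its applications.
        if app["source"] not in accounts.get(user, set()):
            continue
        everyone = app["account_source"] == "ALL"
        # Specific Users From Source: membership comes from the app's access profiles.
        entitled = bool(profiles.get(user, set()) & set(app["access_profiles"]))
        if everyone or entitled:
            grouped.setdefault(app["source"], []).append(app["name"])
    return grouped


def audit(apps, sync_groups):
    """Flag configurations that conflict with the notes on this page."""
    findings, by_source = [], {}
    for app in apps:
        by_source.setdefault(app["source"], []).append(app)
        if app["account_source"] == "SPECIFIC" and not app["access_profiles"]:
            findings.append(f"{app['name']}: Specific Users From Source selected "
                            "but no access profiles")
    for source, group in by_source.items():
        # Acceptable only when password management is meant for a subset of users.
        if not any(a["account_source"] == "ALL" for a in group):
            findings.append(f"{source}: review, no application uses All Users From Source")
    for name, sources in sync_groups.items():
        for source in sources:
            if source not in by_source:
                findings.append(f"sync group {name}: source {source} has no application")
    return findings


if __name__ == "__main__":
    for user in ACCOUNTS:
        print(user, visible_apps(user, APPS, ACCOUNTS, PROFILES))
    print(audit(APPS, SYNC_GROUPS))
```
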
