
Change Service account password on AD : stop passwordchangepostlogon for owners

AnuL_GH
New Contributor

The Change Password for Service Accounts tile in ARS: this will reset the passwords for service accounts in AD connectors, but by default it will force the password to be changed again at the AD end. The forced password change option can be controlled in the AD connector. However, is there a way to restrict this only if the password change is done by the service account owner? I.e., the AD connector JSON for resetandchangepassword should set pwdLastSet as -1 (password never expires) only if the password reset request is raised by the service account owner? Can we access the requests or tasks table in this JSON?

10 REPLIES

rushikeshvartak
All-Star

It may not be possible to fetch who raised the request for the password reset.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

AnuL_GH
New Contributor

Thanks for your response. I hope this can be considered as an enhancement. It is a valid requirement for our business. 

Hi @AnuL_GH ,

Raise it on ideas portal https://ideas.saviynt.com/


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

Saathvik
All-Star

@AnuL_GH : First of all, a password change for a service account can only be initiated by the owner of the service account. Other than the owner, only Saviynt Role_Admins can initiate this, so won't you be able to set it by default as part of the password change?

If you want, you can still avoid showing endpoints/service accounts to role_admins upon navigating to Reset Service Account Password/Change Service Account Password by using the Change Password Access Query config on the respective endpoint.

Will this solution work for you?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

AnuL_GH
New Contributor

@Saathvik I will try this. I agree that it is restricted to role_admin and service account owners currently; we wanted to ensure that if admins try to reset, pwdLastSet will be set to 0, but for owners, pwdLastSet will be set to -1. But it seems the JSON does not have the option to check which SAV role is doing the reset.

JSON does have an option to check authority (SAV role).

For any desired improvements or enhancements to this process, Saviynt encourages you to submit your proposal through Saviynt's Ideas Portal at https://ideas.saviynt.com/ideas/

Your valuable input is crucial to shaping the evolution of Saviynt systems.

Please notify us once the idea ticket has been created.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

AnuL_GH
New Contributor

@rushikeshvartak I have been looking for examples of how to use SAV role in RESETANDCHANGEPASSWORDJSON. If we can even isolate the SAVROLE of the requestor (the person who made the password change request), that would be great. If this alternative is not possible, please let me know and I will raise this on the IDEAS forum.

It's not possible to fetch SAV roles.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@AnuL_GH : It's not possible to fetch the SAV role of the user in RESETANDCHANGEPASSWORDJSON. Instead, as said, try to control the visibility to admins to change passwords of service accounts using the Change Password Access Query or Config For AllowChangePassword combination, limit it to only owners, and in RESETANDCHANGEPASSWORDJSON set pwdLastSet to -1 by default.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Thanks for the clarification, will give the workaround a try.