12/29/2023 05:51 AM
The change password for service accounts tile in ARS: this will reset the passwords for service accounts in AD connectors, but by default it will force the password to be changed again at the AD end. The forced password change option can be controlled in the AD connector. However, is there a way to restrict this only if the password change is done by the service account owner? I.e., the AD connector JSON for resetandchangepassword should set pwdLastSet as -1 (password never expires) only if the password reset request is raised by the service account owner? Can we access the requests or tasks table in this JSON?
12/29/2023 09:30 AM
It may not be possible to fetch who raised the request for password reset.
01/04/2024 07:52 AM
Thanks for your response. I hope this can be considered as an enhancement. It is a valid requirement for our business.
01/04/2024 09:59 AM
Hi @AnuL_GH ,
Raise it on the ideas portal: https://ideas.saviynt.com/
01/04/2024 11:31 AM
@AnuL_GH: First of all, a password change for a service account can only be initiated by the owner of the service account. Other than the owner, only Saviynt Role_Admins can initiate this, so won't you be able to set it by default as part of the password change?
If you want, you can still avoid showing endpoints/service accounts to role_admins upon navigating to Reset Service Account Password/Change Service Account Password by using the Change Password Access Query config on the respective endpoint.
Will this solution work for you?
01/08/2024 05:32 AM
@Saathvik I will try this. I agree that it is restricted to role_admin and service account owners currently. We wanted to ensure that if admins try to reset, the pwdLastSet will be set to 0, but for owners, the pwdLastSet will be set to -1. But it seems the JSON does not have the option to check which SAV role is doing the reset.
01/08/2024 11:19 AM
JSON does have an option to check authority (SAV role).
For any desired improvements or enhancements to this process, Saviynt encourages you to submit your proposal through Saviynt's Ideas Portal at https://ideas.saviynt.com/ideas/
Your valuable input is crucial to shaping the evolution of Saviynt systems.
Please notify us once the idea ticket has been created.
01/09/2024 04:04 AM
@rushikeshvartak I have been looking for examples of how to use SAV role in RESETANDCHANGEPASSWORDJSON. If we can even isolate the SAVROLE of the requestor (the person who made the password change request), that would be great. If this alternative is not possible, please let me know and I will raise this on the IDEAS forum.
01/09/2024 05:28 AM
It's not possible to fetch SAV roles.
01/09/2024 07:03 AM
@AnuL_GH: It's not possible to fetch the SAV role of the user in RESETANDCHANGEPASSWORDJSON. Instead, as said, try to control the visibility to admins to change the password of service accounts using the Change Password Access Query or Config For AllowChangePassword combination and limit it to only owners, and in RESETANDCHANGEPASSWORDJSON set pwdLastSet to -1 by default.
01/24/2024 05:09 AM
Thanks for the clarification. Will give the workaround a try.