
Password Policies

Definition

A Password Policy determines how passwords must be composed and which rules apply to their lifecycle.

Memority Portal lets you define several Password Policies, which can be assigned to different account types (users, server accounts, etc.).

A Password Policy declares:

  • general constraints, such as forbidden words taken from a dictionary. The dictionary is configured as a Reference Table.

  • character rules that a password must comply with. Depending on the configuration, a password may only have to satisfy a subset of these rules (see minRules under Constraints).

Each character rule names a character class together with the minimum number of occurrences of that class required in the password.

The password lifecycle (expiration, minimum time between changes, reuse) is also configurable.

Once created, one or more Password Policies can be assigned to an Identity Type. The assignment rules (scope and priority order) determine which single policy applies to an identity whenever a password is set or validated.

Configuration

You can access the Password Policy configuration:

  • by clicking "Policies" → "Password Policies";

  • by clicking "System" → "Configurations" → "Data Model" and performing an import/export.

Properties

Global

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| id | String | YES | Unique identifier of the Password Policy. Case sensitive; no special characters other than - or _ are allowed. | - |
| name | String | YES | The Password Policy name; it may differ from the identifier. Entering the name first derives the identifier automatically. Must be at least 4 characters long. | - |
| active | Boolean | NO | Whether the Password Policy is activated. | ON, OFF |
| description | String | NO | Describes the purpose of the Password Policy. | - |

Assignment

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| priority | Integer | YES | Priority of this policy when resolving which policy applies to an Identity. If an object is in the scope of several policies, the one with the lowest priority value is applied (1 takes precedence over 2). | 0, 1, 2, 3... |
| scope | - | YES | The Identities the Password Policy applies to. Several Identity Types can be selected. | - |
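The resolution rule in this table (a policy is a candidate when its scope contains the identity's type, and the lowest priority value wins) is easy to get wrong once policies overlap. The following Python model is an added example written for this page, not Memority code: it represents only the object-type part of the scope (the search expression of the XML example further down is left out), the sample policies are constructed, and treating two in-scope policies with the same priority as an error is an assumption, since the page does not say how the product breaks ties.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """The assignment-relevant part of a policy: id, active flag, priority, scope."""
    id: str
    priority: int                 # assignmentPriority: a lower value takes precedence
    object_types: FrozenSet[str]  # assignmentScope/objectTypes, e.g. {"internal"}
    active: bool = True


def resolve_policy(identity_type: str, policies: Iterable[PasswordPolicy]) -> Optional[PasswordPolicy]:
    """Pick the active policy whose scope contains identity_type and whose
    priority value is lowest. Returns None when no policy is in scope and
    raises on a tie: two policies with equal priority for the same identity
    type is the misconfiguration an administrator most needs to notice
    (assumption: the product's own tie-breaking rule is not documented here).
    """
    candidates = [p for p in policies if p.active and identity_type in p.object_types]
    if not candidates:
        return None
    best = min(candidates, key=lambda p: p.priority)
    tied = sorted(p.id for p in candidates if p.priority == best.priority)
    if len(tied) > 1:
        raise ValueError(f"priority {best.priority} is shared by {', '.join(tied)} for type {identity_type!r}")
    return best


# Constructed sample policies (not from the page): a catch-all default at
# priority 3 like the XML example, a stricter one for internal users at 2, a
# privileged-account policy at 1, and a disabled legacy policy that must be ignored.
POLICIES = (
    PasswordPolicy("default-passwordPolicy", 3, frozenset({"internal", "external", "server"})),
    PasswordPolicy("internal-passwordPolicy", 2, frozenset({"internal"})),
    PasswordPolicy("privileged-passwordPolicy", 1, frozenset({"admin"})),
    PasswordPolicy("legacy-passwordPolicy", 0, frozenset({"internal"}), active=False),
)


def policy_id_for(identity_type: str) -> Optional[str]:
    """Convenience wrapper over the constructed POLICIES set."""
    policy = resolve_policy(identity_type, POLICIES)
    return policy.id if policy else None


if __name__ == "__main__":
    for kind in ("internal", "server", "admin", "contractor"):
        print(f"{kind:10s} -> {policy_id_for(kind)}")
```

Note that the inactive legacy policy has the best priority value (0) but is never selected; forgetting the active flag in such a resolver is a common way to apply a policy that an administrator believes is switched off.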

Constraints

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| minLength | Integer | YES | Minimum length of the password. | 2 to 20 |
| maxLength | Integer | YES | Maximum length of the password. | 4 to 128 |
| autoLength | Integer | NO | Length of automatically generated passwords. Must lie between minLength and maxLength; when set, a password generated for a user has exactly this length. | 1 to 128 |
| maxRepeatingChars | Integer | YES | Maximum number of times the same character may appear in the password. | 0 to 10 |
| percentDifferentChars | Integer | YES | Minimum percentage of distinct characters the password must contain. | 0% to 100% |
| percentDifferentIgnoreSequence | Boolean | NO | When ON, the order of the characters is taken into account when computing the percentage of different characters. | ON, OFF |
| characterClasses | Enum | YES | Character classes allowed in the password; several can be selected. A password containing a character outside the selected classes is rejected. | Digits, Letters or digits, Non alphanumeric, Uppercase letters, Letters, Lowercase letters, Punctuation characters |
| contentRules | Enum | YES | Rules on the selected character classes. Each rule names a class and the minimum number of occurrences of that class required in the password. | Digits, Letters or digits, Non alphanumeric, Uppercase letters, Letters, Lowercase letters, Punctuation characters |
| minRules | Integer | NO | Number of content rules the password must satisfy; lets a password pass by meeting only a subset of the configured rules. | - |
| attributeDictionary | Enum | NO | Selects a configured Attribute whose values are treated as forbidden words, so that a password cannot contain the value of that attribute. | List of configured Attributes |
| referenceTableDictionary | Enum | NO | Selects a configured Reference Table used as a dictionary of forbidden words. | List of configured Reference Tables |
| regularExpressions | - | NO | One or more regular expressions that the password must match, or must not match. | - |
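To make the semantics of the constraints concrete, here is an added Python validator (not part of Memority) that applies each row of the table to a candidate password and returns the violated constraints. The class names LETTERS, UPPERCASE_LETTERS and LOWERCASE_LETTERS, the case-insensitive containment rule used for the two dictionaries, the counting rule for maxRepeatingChars (total occurrences rather than consecutive runs) and the meaning of minRules=0 are assumptions; percentDifferentIgnoreSequence is not modelled because the page does not define it precisely. INTERNAL_CONSTRAINTS reproduces the constraints of the XML example at the end of this page; HARDENED_CONSTRAINTS and the sample identity are constructed for the example.

```python
import re
import string
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Character classes named as in the XML example on this page; the three class
# names the example does not show (LETTERS, UPPERCASE_LETTERS, LOWERCASE_LETTERS)
# are assumed spellings.
CHARACTER_CLASSES: Dict[str, Callable[[str], bool]] = {
    "DIGITS": lambda c: c in string.digits,
    "LETTERS": lambda c: c in string.ascii_letters,
    "LETTERS_OR_DIGITS": lambda c: c in string.ascii_letters + string.digits,
    "UPPERCASE_LETTERS": lambda c: c in string.ascii_uppercase,
    "LOWERCASE_LETTERS": lambda c: c in string.ascii_lowercase,
    "PUNCTUATION": lambda c: c in string.punctuation,
    "NON_ALPHANUMERIC": lambda c: not c.isalnum(),
}


@dataclass(frozen=True)
class Constraints:
    min_length: int
    max_length: int
    max_repeating_chars: int
    percent_different_chars: int = 0
    character_classes: Tuple[str, ...] = ("LETTERS_OR_DIGITS", "PUNCTUATION", "NON_ALPHANUMERIC")
    content_rules: Tuple[Tuple[str, int], ...] = ()        # (characterClass, minOccurrences)
    min_rules: int = 0                                     # 0 = every content rule must hold (assumed)
    dictionary: FrozenSet[str] = frozenset()               # referenceTableDictionary words
    forbidden_attributes: Tuple[str, ...] = ()             # attributeDictionary: identity attribute names
    regular_expressions: Tuple[Tuple[str, bool], ...] = ()  # (pattern, must_match)


def check_password(password: str, c: Constraints, identity: Optional[dict] = None) -> List[str]:
    """Return the violated constraints, in table order; an empty list means accepted."""
    failures: List[str] = []
    n = len(password)
    if n < c.min_length:
        failures.append(f"minLength: {n} < {c.min_length}")
    if n > c.max_length:
        failures.append(f"maxLength: {n} > {c.max_length}")
    # characterClasses: every character must belong to one of the allowed classes
    allowed = [CHARACTER_CLASSES[k] for k in c.character_classes]
    outside = "".join(sorted({ch for ch in password if not any(p(ch) for p in allowed)}))
    if outside:
        failures.append(f"characterClasses: {outside!r} not allowed")
    # maxRepeatingChars: occurrences of one character anywhere in the password
    # (the page does not say "consecutive", so a plain count is used)
    if password:
        ch, count = Counter(password).most_common(1)[0]
        if count > c.max_repeating_chars:
            failures.append(f"maxRepeatingChars: {ch!r} appears {count} times")
    # percentDifferentChars: share of distinct characters (order ignored)
    if password and c.percent_different_chars:
        pct = 100 * len(set(password)) // n
        if pct < c.percent_different_chars:
            failures.append(f"percentDifferentChars: {pct}% < {c.percent_different_chars}%")
    # contentRules / minRules: at least minRules of the rules must hold
    satisfied = sum(
        1 for klass, min_occ in c.content_rules
        if sum(1 for ch in password if CHARACTER_CLASSES[klass](ch)) >= min_occ
    )
    required = c.min_rules or len(c.content_rules)
    if satisfied < required:
        failures.append(f"contentRules: {satisfied} of {required} rules satisfied")
    # dictionaries: case-insensitive containment (assumed matching rule)
    lowered = password.lower()
    for word in sorted(c.dictionary):
        if word.lower() in lowered:
            failures.append(f"dictionary: contains {word!r}")
    for attr in c.forbidden_attributes:
        value = (identity or {}).get(attr)
        if value and str(value).lower() in lowered:
            failures.append(f"attributeDictionary: contains {attr}={value!r}")
    # regularExpressions: each pattern must match, or must not match
    for pattern, must_match in c.regular_expressions:
        if bool(re.search(pattern, password)) != must_match:
            failures.append(f"regularExpressions: {pattern!r} must {'match' if must_match else 'not match'}")
    return failures


# The constraints of the page's "internal-passwordPolicy" XML example.
INTERNAL_CONSTRAINTS = Constraints(
    min_length=6, max_length=64, max_repeating_chars=3, percent_different_chars=0,
    character_classes=("DIGITS", "LETTERS_OR_DIGITS", "PUNCTUATION", "NON_ALPHANUMERIC"),
    content_rules=(("PUNCTUATION", 1),), min_rules=1,
)

# A tighter policy (constructed for this example): 12+ characters, three of four
# classes, no dictionary words or identity attribute values, no triple repeats.
HARDENED_CONSTRAINTS = Constraints(
    min_length=12, max_length=128, max_repeating_chars=3, percent_different_chars=50,
    character_classes=("LETTERS_OR_DIGITS", "PUNCTUATION", "NON_ALPHANUMERIC"),
    content_rules=(("UPPERCASE_LETTERS", 1), ("LOWERCASE_LETTERS", 1), ("DIGITS", 1), ("PUNCTUATION", 1)),
    min_rules=3,
    dictionary=frozenset({"password", "memority"}),
    forbidden_attributes=("login", "lastName"),
    regular_expressions=((r"(.)\1\1", False),),
)

SAMPLE_IDENTITY = {"login": "jdoe", "lastName": "Doe"}   # constructed
```

Running `check_password("hello!", INTERNAL_CONSTRAINTS)` returns no failures, which shows how little the XML example actually demands; the same call against HARDENED_CONSTRAINTS fails on length and on the dictionary and attribute checks, which is the kind of gap a policy review should surface before deployment.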

Lifecycle

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| periodBeforeExpiration | Period | YES | Validity period of a password before it expires, as an ISO 8601 duration expressed in days, weeks, months or years. | P1D (1 day) |
| periodBeforeReuse | Period | YES | Minimum period before a previous password can be reused. | P1D (1 day) |
| timeBeforeChange | Period | YES | Minimum time between two password changes. | PT1M (1 minute) |
| numberBeforeReuse | Integer | NO | Number of different passwords a user must set before an old password can be reused. | - |

Activation Strategy

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| enableMethod | Boolean | NO | When ON, newly created identities in scope are automatically granted the password authentication method. | ON, OFF |
| generatePassword | Boolean | NO | When ON, a new password is automatically generated and set on identities that are granted the password authentication method. | ON, OFF |
| actions | Script | NO | Actions performed when the password authentication method is activated for a user in scope. | - |
| requirePasswordInit | Boolean | NO | When ON, the PASSWORD_INIT login task is automatically added to the identity when it is granted the password authentication method. | ON, OFF |

Deactivation Strategy

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| clearPassword | Boolean | NO | When ON, the identity's password is automatically cleared when the password authentication method is revoked. | ON, OFF |
| actions | Script | NO | Actions performed when the password authentication method is deactivated for a user in scope. | - |

Grace Period Strategy

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| suggestPasswordChange | Boolean | NO | When ON, the PASSWORD_CHANGE_SUGGESTED login task is automatically added to the identity when it enters the password grace period. | ON, OFF |
| period | Period | NO | Length of the grace period that starts at password expiration, as an ISO 8601 duration (P3D in the XML example at the end of this page). | 1 day |

Expiration Strategy

| Property name | Type | Mandatory | Description | Values |
|---|---|---|---|---|
| expirationStrategy | Groovy, Notifications | NO | Configures what happens ahead of password expiration: one or more actions, each tied to a period before the expiration date, that send a notification or run a Groovy script. | 15 days |
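The Lifecycle, Grace Period Strategy and Expiration Strategy tables above all express their settings as ISO 8601 durations (P1M, P15D, PT1M) relative to the moment a password was set. The following Python code is an added example, not Memority code: it computes the expiration date, the end of the grace period, the earliest permitted next change and the notification instants for P15D/P3D actions like those of the XML example, and applies the periodBeforeReuse and numberBeforeReuse checks to a constructed password history. Assumptions: months are applied calendar-wise (a password set on 31 January with P1M expires on the last day of February), the password is still accepted during the grace period, and the history stores opaque verifiers compared by equality.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Any, Dict, Sequence, Tuple

# ISO 8601 duration as used by the policy fields (P1M, P15D, PT1M, ...).
ISO_PERIOD = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def add_period(start: datetime, period: str, sign: int = 1) -> datetime:
    """Add (sign=1) or subtract (sign=-1) an ISO 8601 duration. Years and months
    are calendar-aware (assumption): P1M from 31 January lands on 28/29 February."""
    m = ISO_PERIOD.match(period)
    if not m or period in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {period!r}")
    g = {k: sign * int(v or 0) for k, v in m.groupdict().items()}
    months = start.month - 1 + 12 * g["y"] + g["mo"]
    year, month = start.year + months // 12, months % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    shifted = start.replace(year=year, month=month, day=min(start.day, last_day))
    return shifted + timedelta(weeks=g["w"], days=g["d"], hours=g["h"], minutes=g["mi"], seconds=g["s"])


@dataclass(frozen=True)
class Lifecycle:
    period_before_expiration: str = "P1M"
    period_before_reuse: str = "P1D"
    time_before_change: str = "PT1M"
    number_before_reuse: int = 0
    grace_period: str = "P3D"
    expiration_notifications: Tuple[str, ...] = ("P15D", "P3D")  # periods before expiry


def password_timeline(changed_at: datetime, lc: Lifecycle) -> Dict[str, Any]:
    """Key instants derived from the moment a password was set."""
    expires_at = add_period(changed_at, lc.period_before_expiration)
    return {
        "next_change_allowed_at": add_period(changed_at, lc.time_before_change),
        "notify_at": tuple(sorted(add_period(expires_at, p, -1) for p in lc.expiration_notifications)),
        "expires_at": expires_at,
        "grace_ends_at": add_period(expires_at, lc.grace_period),
    }


def password_state(now: datetime, changed_at: datetime, lc: Lifecycle) -> str:
    """'valid', 'grace' (still accepted, PASSWORD_CHANGE_SUGGESTED task added) or
    'expired'. Assumption: the password keeps working during the grace period."""
    t = password_timeline(changed_at, lc)
    if now < t["expires_at"]:
        return "valid"
    return "grace" if now < t["grace_ends_at"] else "expired"


def reuse_allowed(candidate: str, history: Sequence[Tuple[str, datetime]], now: datetime, lc: Lifecycle) -> bool:
    """history holds (stored password verifier, time it was set), newest first;
    equality on opaque verifiers stands in for a real password-hash comparison.
    Reuse is refused when the candidate is one of the last numberBeforeReuse
    passwords or was set less than periodBeforeReuse ago."""
    for index, (verifier, set_at) in enumerate(history):
        if verifier != candidate:
            continue
        if index < lc.number_before_reuse:
            return False
        if add_period(set_at, lc.period_before_reuse) > now:
            return False
    return True


# Constructed sample data (not from the page).
DEFAULT_LIFECYCLE = Lifecycle()
STRICT_LIFECYCLE = Lifecycle(period_before_expiration="P90D", number_before_reuse=3)
SAMPLE_CHANGED_AT = datetime(2024, 1, 31, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = (  # newest first
    ("verifier-w", datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc)),
    ("verifier-z", datetime(2024, 5, 20, tzinfo=timezone.utc)),
    ("verifier-y", datetime(2024, 5, 10, tzinfo=timezone.utc)),
    ("verifier-x", datetime(2024, 5, 1, tzinfo=timezone.utc)),
)

if __name__ == "__main__":
    for key, value in password_timeline(SAMPLE_CHANGED_AT, DEFAULT_LIFECYCLE).items():
        print(f"{key:24s} {value}")
```

With numberBeforeReuse left at 0, as in the XML example, only periodBeforeReuse (P1D) stands between a user and their previous password, so a user can cycle back to an old password after a day; the STRICT_LIFECYCLE instance shows the combination that actually enforces history.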

Example

Password Policy Example

The following policy illustrates every section described above. Note that several of its settings are permissive: minLength is 6, percentDifferentChars and numberBeforeReuse are 0, and clearPassword is false, so an identity whose password authentication method is revoked keeps its stored password. Tighten these values before reusing the example in production.

XML
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:atlastcf="http://www.memority.com/atlas/tcf/1_0" xmlns:ctd="http://www.memority.com/citadel/1_0" xmlns:ctdcore="http://www.memority.com/citadel/core/1_0" xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0" xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0" xmlns:ctdrule="http://www.memority.com/citadel/rule/1_0" xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0" xmlns:i18n="http://www.memority.com/toolkit/addons/i18n/1_0" xmlns:kit="http://www.memority.com/toolkit/1_0" xmlns:netfilter="http://www.memority.com/toolkit/network-filtering/1_0" xmlns:rule="http://www.memority.com/toolkit/rule/1_0" xmlns:ruleaddon="http://www.memority.com/toolkit/addons/rule/1_0" xmlns:search="http://www.memority.com/toolkit/search-expression/1_0" xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <ctdidm:PasswordPolicy id="internal-passwordPolicy">
      <name>Internal</name>
      <description></description>
      <assignmentPriority>3</assignmentPriority>
      <assignmentScope type="EXPRESSION" objectKind="IDENTITY">
         <searchExpression>
            <search:And/>
         </searchExpression>
         <objectTypes>
            <objectType>internal</objectType>
         </objectTypes>
      </assignmentScope>
      <active>true</active>
      <minRules>1</minRules>
      <characterClasses>
         <class>DIGITS</class>
         <class>LETTERS_OR_DIGITS</class>
         <class>PUNCTUATION</class>
         <class>NON_ALPHANUMERIC</class>
      </characterClasses>
      <contentRules>
         <rule>
            <characterClass>PUNCTUATION</characterClass>
            <minOccurrences>1</minOccurrences>
         </rule>
      </contentRules>
      <objectKind>IDENTITY</objectKind>
      <minLength>6</minLength>
      <maxLength>64</maxLength>
      <maxRepeatingChars>3</maxRepeatingChars>
      <regularExpressions/>
      <attributeDictionary/>
      <percentDifferentChars>0</percentDifferentChars>
      <percentDifferentIgnoreSequence>true</percentDifferentIgnoreSequence>
      <numberBeforeReuse>0</numberBeforeReuse>
      <activationStrategy>
         <actions>
            <action>
               <script><![CDATA[
import com.memority.citadel.shared.api.context.CitadelContext

// Look up the manager of the identity being activated (OBJECT is that identity).
// Skip the notification rather than fail on a null dereference when no manager is set.
final def manager = OBJECT.manager ? (FIND.identity().withId(OBJECT.manager) as ApiObject) : null
if (manager == null) {
    return ActionOutcome.success()
}
NOTIFY.buildNotification("ICR2-identity-common-create-emailDefinition")
        .withActor(manager.id)
        .role("identity")
        .email(manager.email)
        .end()
        .send();
ActionOutcome.success()
]]></script>
            </action>
         </actions>
         <enableMethod>true</enableMethod>
         <generatePassword>true</generatePassword>
         <requirePasswordInit>true</requirePasswordInit>
      </activationStrategy>
      <deactivationStrategy>
         <actions>
            <action>
               <script><![CDATA[
import com.memority.citadel.shared.api.context.CitadelContext

// Look up the manager of the identity being deactivated (OBJECT is that identity).
// Skip the notification rather than fail on a null dereference when no manager is set.
final def manager = OBJECT.manager ? (FIND.identity().withId(OBJECT.manager) as ApiObject) : null
if (manager == null) {
    return ActionOutcome.success()
}
NOTIFY.buildNotification("PAC3-common-passwordDeactivation-emailDefinition")
        .withActor(manager.id)
        .role("identity")
        .email(manager.email)
        .end()
        .send();
ActionOutcome.success()
]]></script>
            </action>
         </actions>
         <clearPassword>false</clearPassword>
      </deactivationStrategy>
      <graceStrategy>
         <period>P3D</period>
         <suggestPasswordChange>true</suggestPasswordChange>
      </graceStrategy>
      <expirationStrategy>
         <actions period="P15D">
            <rules>
               <rule class="actionNotification">
                  <config xsi:type="ctdrule:CitadelNotificationConfigurationType">
                     <notifications>PAC4-common-passwordExpiration-emailDefinition</notifications>
                  </config>
               </rule>
            </rules>
         </actions>
         <actions period="P3D">
            <rules>
               <rule class="actionNotification">
                  <config xsi:type="ctdrule:CitadelNotificationConfigurationType">
                     <notifications>PAC4-common-passwordExpiration-emailDefinition</notifications>
                  </config>
               </rule>
            </rules>
         </actions>
         <notifications/>
      </expirationStrategy>
      <periodBeforeExpiration>P1M</periodBeforeExpiration>
      <periodBeforeReuse>P1D</periodBeforeReuse>
      <timeBeforeChange>PT1M</timeBeforeChange>
   </ctdidm:PasswordPolicy>
</kit:DataSet>
