This post covers steps on how to create a new password policy in Oracle Identity Manager (OIM) 11g and how to set the criteria to enforce this custom password policy based on defined rules.
OIM 11g comes with a development tool call “DESIGN CONSOLE” to perform various user management , resource management, administration and development tasks including configuring system settings that controls the global behavior of an OIM instance. For more details on how to start Design Console, please refer this link
To create password policy , use Administration section of Design console and to define rules and assigning these rule’s to resource objects use resource management section of DesignConsole.
Steps :–
1) Login to Design console under $ORACLE_IDM_HOME/designconsole/ as xelsysadm user or any user who have designconsole access:-
./xlclient.sh
2) Navigate to Administration –> Password policies . On the right hand side, password policy form opens up where in you can define the restrictions on password and rules.
3) Under Policy Name field, enter name of password policy, and in description field enter a short description about policy.
Click SAVE (Floppy icon on top)
Note:- Its important to save policy to make the “Policy Rules and Usage” tabs functional.
4) Under the “Policy Rules” tab define the restrictions you wish in password policy like – minimum length of password, number of days after which password should expire etc . For details please refer Oracle documentation HERE
5) In “Policy Rules” tab you can select complex password policy or custom password policy which ever meets your requirement. After making criteria, click SAVE
6)Next Navigate to Resource Management section in design console and click the “Rule Designer” form. Here you define a rule based on your requirements , for example lets take below case:-
Your client wish that business users must change password after 90 days but for administrative/service accounts like “xelsysadm” or “oamadmin” etc this might be a overhead, so there is a need of rule of exception where in all business users should be forced to change password every 90 days excluding the administrative accounts.
To achieve so , create a new rule in Rule designer to state the exception like:-
a) Name- Name of the rule , for example- ServiceAccRule
b)Operator – You have an option to select And or OR operators where
AND- means that rule will true when all conditions in rule are met
OR- means it will be true when any one condition is met .
c)Under Type Information field :- select Type – General – This type enables OIM to add a user to a role automatically and to determine the password policy that is assigned to a resource object.
d)Add Description about rule in description field.
e)Click Add Element under Rule Elements tab
f) On Edit Rule Element Window,
Select “Atrribute” from drop down – User Login
Operation = “==”
Attribute Value- “Name of users you want to apply the condition”, example “XELSYSADM” or “OAMADMIN”
IMPORTANT- The attribute value is case-sensitive and should be kept as it is recorded in the USR table of OIM schema. Example USER LOGIN attribute is store in CAPITAL LETTERS , hence the value given should be in caps.
Click Save and close Rule Designer Window
7) Navigate to resource management –>Resource Object. Search for Name field under object definition for resource object you want to apply the rules and password policies.
Example, we want to modify “Xellerate User” resource object which is the default resource object and have default password policy .
a) Search for “Xellerate User”
b) Navigate to “Password Policies Rule”
c)Click ADD button and set rules, assign password policy to each rule and change priority with “the rule having highest priority will be evaluated first”
Example:- If we take the above example of ServiceAccRule, will be the order:-
Rule Policy Priority
Default CustomPwdPolicy 2
ServiceAccRule Default Policy 1
Click SAVE.
Note:- Priority 1 means this Rule will be checked first .
You can test, whether above rules works by login as any service account and normal business user and try change password. Policy applicable will be displayed in right hand corner.
