
I want to understand how ACLs work in Tivoli Identity Manager. I am trying to request an a/c on a service from the user console but am getting an error:

"The request cannot be submitted because the synchronization password does not comply with the password rules that govern the service. Change or reset the synchronization password to comply with the following password rules."

I have set the default password to "12345" in the provisioning policy and the password length to 0 to 8 in the password policy, and have granted the 'ADD' operation in the ACL, but I still don't know what I am doing wrong. Please suggest.

Below is the rule under the default Identity policy for ITIM.

// ITIM identity policy script: builds a unique user ID for the person being
// provisioned. subject.getProperty() returns attribute values as arrays.
function createIdentity() {
  var EXISTING_CASE = 0;
  var UPPER_CASE = 1;
  var LOWER_CASE = 2;
  var tf = false;
  var identity = "";
  var baseidentity = "";
  var counter = 0;
  var locale = subject.getProperty("erlocale");
  var fAttrKey = "uid";   // first person attribute used to build the ID
  var sAttrKey = "";      // second attribute (not used in this policy)
  var idx1 = 0;           // characters kept from each attribute (0 = all)
  var idx2 = 0;
  var fCase = 2;          // case handling: 0 keep, 1 upper, 2 lower
  var sCase = 2;
  if ((locale != null) && (locale.length > 0)) {
    locale = locale[0];
  }
  if (locale == null || locale.length == 0)
    locale = "";
  var firstAttribute = "";
  var secondAttribute = "";
  // The original script referenced an undefined "sAttrkey" (lowercase k) in this
  // condition; corrected to sAttrKey.
  if (((fAttrKey != null) && (fAttrKey.length > 0)) || ((sAttrKey != null) && (sAttrKey.length > 0))) {
    if ((fAttrKey != null) && (fAttrKey.length > 0)) {
      firstAttribute = subject.getProperty(fAttrKey);
      if (((firstAttribute != null) && (firstAttribute.length > 0)))
        firstAttribute = firstAttribute[0];
      if (firstAttribute == null || firstAttribute.length == 0)
        firstAttribute = "";
      else {
        firstAttribute = IdentityPolicy.resolveAttribute(fAttrKey, firstAttribute);
        if ((idx1 > firstAttribute.length) || (idx1 == 0))
          idx1 = firstAttribute.length;
        firstAttribute = firstAttribute.substring(0, idx1);
      }
      if (fCase == UPPER_CASE)
        firstAttribute = firstAttribute.toUpperCase(locale);
      else if (fCase == LOWER_CASE)
        firstAttribute = firstAttribute.toLowerCase(locale);
    }
    if ((sAttrKey != null) && (sAttrKey.length > 0)) {
      secondAttribute = subject.getProperty(sAttrKey);
      if (((secondAttribute != null) && (secondAttribute.length > 0)))
        secondAttribute = secondAttribute[0];
      if (secondAttribute == null || secondAttribute.length == 0)
        secondAttribute = "";
      else {
        secondAttribute = IdentityPolicy.resolveAttribute(sAttrKey, secondAttribute);
        if ((idx2 > secondAttribute.length) || (idx2 == 0))
          idx2 = secondAttribute.length;
        secondAttribute = secondAttribute.substring(0, idx2);
      }
      if (sCase == UPPER_CASE)
        secondAttribute = secondAttribute.toUpperCase(locale);
      else if (sCase == LOWER_CASE)
        secondAttribute = secondAttribute.toLowerCase(locale);
    }
    baseidentity = firstAttribute + secondAttribute;
  }
  // Fallback when no attribute produced an ID: first letter of givenname + sn.
  if ((baseidentity == null) || (baseidentity.length == 0)) {
    var givenname = subject.getProperty("givenname");
    if (((givenname != null) && (givenname.length > 0)))
      givenname = givenname[0];
    if (givenname == null || givenname.length == 0)
      givenname = "";
    else
      givenname = givenname.substring(0, 1);
    baseidentity = givenname + subject.getProperty("sn")[0];
  }
  // Ensure uniqueness by appending an increasing counter until the ID is free.
  tf = IdentityPolicy.userIDExists(baseidentity, false, false);
  if (!tf)
    return baseidentity;
  while (tf) {
    counter += 1;
    identity = baseidentity + counter;
    tf = IdentityPolicy.userIDExists(identity, false, false);
  }
  return identity;
}

return createIdentity();

1 Answer


I am going to assume when you are requesting access you don't already have an account for the service. Hence, it is trying to create a new account for that service before provisioning the access. When the new account is created, it will use the password from the identity for the service if you have global password synchronization turned on.

The password set on the identity (erSynchPassword) does not meet the password requirements for the individual service. Try changing the password on the identity and make sure that the password meets the service's password requirements. Or, temporarily for testing, disable the password policy that applies to that service and attempt to request access.

If this is a development question, personally I would disable all password policies temporarily to determine if the problem is really a password policy issue. That is the easiest way to troubleshoot the error you are seeing.

Matt
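The password selection the answer describes, as an added example that is not ISIM's code: a simplified model of which password a new account receives when global password synchronization is on or off, checked against the service's password policy. It assumes the policy only carries min/max length rules and that the identity's erSynchPassword was never set (modelled as the empty string), which is an assumption, not something stated on the page.

```javascript
// Added example (not ISIM code): a simplified model of how the account password
// is chosen at request time and checked against the service's password policy.
// Assumptions: the policy only has min/max length rules, and an identity whose
// erSynchPassword was never set is modelled as the empty string.

const ERROR_TEXT =
  "The request cannot be submitted because the synchronization password " +
  "does not comply with the password rules that govern the service.";

// True when the candidate password breaks the service's length rules.
function violatesPolicy(password, policy) {
  if (!policy || !policy.enabled) return false; // no policy applies: nothing to enforce
  return password.length < policy.minLength || password.length > policy.maxLength;
}

// Pick the password for the new account and validate it.
// Returns { ok: true, source, password } or { ok: false, source, error }.
function chooseAccountPassword(opts) {
  var globalPasswordSync = opts.globalPasswordSync;
  // With global password sync on, the identity's erSynchPassword is pushed to the
  // account, regardless of the default the provisioning policy supplies.
  var source = globalPasswordSync ? "erSynchPassword" : "provisioningPolicyDefault";
  var password = globalPasswordSync
    ? (opts.identity.erSynchPassword || "")
    : opts.provisioningPolicy.defaultPassword;
  if (violatesPolicy(password, opts.servicePolicy)) {
    return { ok: false, source: source, error: ERROR_TEXT };
  }
  return { ok: true, source: source, password: password };
}

// Constructed sample matching the question: default "12345", length rule 0..8,
// and (assumption) an identity whose synchronization password was never set.
function sampleRequest(globalPasswordSync, minLength, policyEnabled) {
  return chooseAccountPassword({
    globalPasswordSync: globalPasswordSync,
    identity: { uid: "gsharma", erSynchPassword: "" },
    provisioningPolicy: { defaultPassword: "12345" },
    servicePolicy: { enabled: policyEnabled, minLength: minLength, maxLength: 8 },
  });
}

// Walk through the cases reported in the comments below the answer.
console.log(sampleRequest(true, 1, true));   // sync on, min length 1: rejected
console.log(sampleRequest(true, 0, true));   // sync on, min length 0: empty password accepted
console.log(sampleRequest(false, 1, true));  // sync off: "12345" from the provisioning policy
```

The min-length-0 case accepting an empty synchronization password is what makes the account creatable yet unusable with "12345", since under sync the provisioning-policy default is never the password that lands on the account.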
  • Matt, I tried requesting an a/c after disabling the password policy and it worked. Though it's still not clear what is wrong with the policies. When I set the min. password length in the password policy to 1 the above error comes up, and when I set the min length to 0 it allows me to create an A/C. However, when I try to log in to that new a/c on the service it doesn't accept the default password given in the provisioning policy (12345). Could you please explain what's wrong? – Gaurav Sharma Oct 11 '14 at 13:56
  • @GauravSharma did you change the password on the identity to 12345? You stated that the provisioning policy put the password on the account. ISIM should be pushing the password from the identity to the account for you if global password sync is turned on, so it will be pushing whatever is set on the identity with global password sync turned on. Hence, the password on the identity probably does not meet the password requirements for the service you are trying to request access (and hence provision an account to). – Matt Oct 11 '14 at 18:02
  • Yes, when I turn off the password sync from (set security properties) the A/C is created on the Windows service without a problem; the issue arises when password sync is turned on. Could you also explain why, when I turn off the password sync, requesting an a/c from the user console asks me to set the password rather than taking the default password (12345) given in the provisioning policy for the Windows service? Also, there's only one default Identity policy running, that is for ITIM, and I have updated those rules in my question section. – Gaurav Sharma Oct 13 '14 at 07:07