Password and identity
Each identity can have its own password. A password can be created through the frontend agenda or during failed or successful login attempts.
When an identity is created by synchronization, the password object, including its metadata, isn't created.
A password can't be created by a frontend form. It is created only by an internal IdM process.
Password change form
The password change form is accessible from the identity detail via the Password submenu.
It can also be reached through the Password change button on the dashboard.
To access this form, you need the permission IDENTITY_PASSWORDCHANGE or IDENTITY_PASSWORDRESET (only with the password reset module active).
Information about password (password metadata)
Information about a password contains attributes that control the password lifecycle, such as validity or block login.
The password agenda is accessible from the identity detail via the Password submenu. A global agenda for all passwords doesn't exist.
To access this agenda, you need the permission PASSWORD_READ. To update the available information, such as password never expires, you need the permission PASSWORD_UPDATE.
If you have permission to read password information only, the password change form will not be shown.
If you have permission to change the password only, the agenda of password information will not be shown.
Metadata about password
A password also contains other metadata, such as:
- valid till - start of the validity of the password. The attribute can be set by "validate password policy", or by the frontend agenda "information about password",
- valid from - end of the validity of the password. The attribute is set only by "validate password policy",
- must change - this attribute currently doesn't work,
- last successful login - date of the last successful login,
- unsuccessful attempts - number of unsuccessful attempts in a row,
- block login date - date of blocked login. The attribute is set by the settings of the "validate password policy", or by the frontend agenda "information about password",
- password never expires - the password will never have "valid till" set. The option can be set by the frontend agenda "information about password". The option is recommended only for administrator accounts.