Password synchronization
Identity Governance and Intelligence administrators use the Access Governance Core module in the Administration Console to configure password sync groups.
Overview
Password synchronization is the process of assigning and maintaining one password for all individual accounts that a user owns. Password synchronization reduces the number of passwords that a user must remember.
You must be a system administrator to enable password synchronization. You can configure Identity Governance and Intelligence to automatically synchronize passwords for certain accounts that are owned by a user. For example, a user might have two individual accounts: an Identity Governance and Intelligence account and a Linux account. If the user changes the password for the Identity Governance and Intelligence account, the Linux password is automatically changed to the same password.
To enable password synchronization, you create a password sync group that consists of account configurations, such as Identity Governance and Intelligence and Linux. You define a password policy that is shared by all the account configurations that belong to the password sync group.
Considerations
- An account configuration can belong to only one password sync group.
- If an account configuration belongs to a password sync group, users cannot specify different passwords for their individual accounts that are associated with that group.
- If an account configuration belongs to a password sync group, the password follows the policy that is specified for the password sync group, not the password policy that is defined for the account configuration. If an account configuration does not belong to a password sync group, the password follows the policy that is specified for the account configuration. Because the group policy replaces each member's own policy, define it so that it satisfies the requirements of every target in the group.
- When password synchronization is initially enabled, individual accounts of users are not automatically synchronized immediately. Accounts are synchronized when users change the password of an account that is in a password sync group.
- When a user requests an account that belongs to a password sync group, and the user already has a valid synchronized password for that group (that is, the stored password still meets the current policy of the group), the synchronized password is used for the new account. If the requestor is the account owner and provides a new password for the new account, that password is synchronized to all of the user's accounts in the password sync group.
- If the requestor is not the account owner and provides a new password, that password is used for the new account only; no password synchronization occurs. The synchronization happens when the account owner logs in to the Service Center and changes the password, at which point the new password is applied to the other accounts in the same password sync group.
- When a user changes the password of an account that belongs to a password sync group on the Change Password page, the new password is stored as the user's synchronized password for that group. When the user later requests a new account in the same password sync group, the new account automatically uses the stored password.
- If all of a user's accounts that belong to the same password sync group are removed, and a different account in that group is later added for the user, a password must be entered again. The previous synchronized password is no longer stored.
- Adopted accounts also use the synchronized password if they belong to a password sync group. Likewise, when an account in a password sync group is assigned or matched to a user, the user's synchronized password for that group is used.
- When an administrator forces a change password action for a user's account that belongs to a password sync group, the user is prompted to change the password the next time that they log in to the Service Center. The Change Password page in the Service Center lists all the user's accounts that belong to the same password sync group, along with the password requirements for the password sync group. The new password is applied to all the accounts within the password sync group. For more information about the force change password action, see Forcing a password change.
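The rules in the list above, as an added Python model that is not IGI product code: one sync group per account configuration, the group policy overriding the configuration's own policy, propagation of an owner-initiated change to every account in the group, reuse of the stored synchronized password only while it still satisfies the current group policy, no propagation when someone other than the owner supplies the password, and loss of the stored password once the user's last account in the group is removed. The configuration names, policy fields and in-memory store are assumptions for illustration.

```python
"""Toy model of password sync group behaviour (added example, not IGI product code).

Configuration names, policy fields and the in-memory store are assumptions
made for illustration; the rules modelled are the ones the page lists.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_digit: bool = False
    require_upper: bool = False

    def accepts(self, password: str) -> bool:
        if len(password) < self.min_length:
            return False
        if self.require_digit and not re.search(r"\d", password):
            return False
        if self.require_upper and not re.search(r"[A-Z]", password):
            return False
        return True


@dataclass
class AccountConfiguration:
    name: str
    policy: PasswordPolicy  # applies only while the configuration is in no sync group


@dataclass
class PasswordSyncGroup:
    name: str
    policy: PasswordPolicy  # shared by every member configuration
    members: frozenset


class PasswordStore:
    def __init__(self, configs, groups):
        self.configs = {c.name: c for c in configs}
        self.groups = {g.name: g for g in groups}
        self.group_of = {}  # configuration name -> sync group name
        for g in groups:
            for cfg in g.members:
                if cfg in self.group_of:  # a configuration may be in only one group
                    raise ValueError(f"{cfg} already belongs to {self.group_of[cfg]}")
                self.group_of[cfg] = g.name
        self.accounts = {}  # (user, configuration) -> current password
        self.synced = {}    # (user, group) -> stored synchronized password

    def effective_policy(self, config):
        """Group policy wins over the configuration's own policy."""
        group = self.group_of.get(config)
        return self.groups[group].policy if group else self.configs[config].policy

    def seed_account(self, user, config, password):
        """Pre-existing account: nothing is synchronized until the user changes a password."""
        self.accounts[(user, config)] = password

    def change_password(self, user, config, new_password):
        """Owner-initiated change; returns the configurations that received the new password."""
        if not self.effective_policy(config).accepts(new_password):
            raise ValueError("password rejected by the effective policy")
        group = self.group_of.get(config)
        if group is None:
            self.accounts[(user, config)] = new_password
            return [config]
        changed = [c for c in self.groups[group].members if (user, c) in self.accounts]
        for c in changed:
            self.accounts[(user, c)] = new_password
        self.synced[(user, group)] = new_password  # remembered for future accounts in the group
        return sorted(changed)

    def request_account(self, user, config, requestor, supplied=None):
        """Create a new account; returns how its password was chosen."""
        group = self.group_of.get(config)
        policy = self.effective_policy(config)
        if supplied is None:
            stored = self.synced.get((user, group)) if group else None
            # a stored password is only reused while it still meets the *current* policy
            if stored is None or not policy.accepts(stored):
                raise ValueError("no valid synchronized password; one must be supplied")
            self.accounts[(user, config)] = stored
            return "reused-synchronized"
        if not policy.accepts(supplied):
            raise ValueError("password rejected by the effective policy")
        self.accounts[(user, config)] = supplied
        if group is not None and requestor == user:
            self.change_password(user, config, supplied)  # owner supplied it: propagate
            return "synchronized-new"
        return "account-only"  # non-owner supplied it: no synchronization

    def remove_account(self, user, config):
        del self.accounts[(user, config)]
        group = self.group_of.get(config)
        if group and not any((user, c) in self.accounts for c in self.groups[group].members):
            self.synced.pop((user, group), None)  # last account in the group is gone


def build_store():
    """Constructed sample: igi, linux and windows share sync group "corp"; legacy stands alone."""
    corp = PasswordSyncGroup("corp", PasswordPolicy(10, require_digit=True, require_upper=True),
                             frozenset({"igi", "linux", "windows"}))
    configs = [AccountConfiguration("igi", PasswordPolicy(8)),
               AccountConfiguration("linux", PasswordPolicy(6)),
               AccountConfiguration("windows", PasswordPolicy(8)),
               AccountConfiguration("legacy", PasswordPolicy(4))]
    return PasswordStore(configs, [corp])


if __name__ == "__main__":
    store = build_store()
    store.seed_account("alice", "igi", "oldpassword")
    store.seed_account("alice", "linux", "otherpass")
    print(store.change_password("alice", "igi", "Winter2024Xy"))
    print(store.request_account("alice", "windows", requestor="alice"))
```

The check in `request_account` is the one to notice: a synchronized password stored under an earlier policy is re-validated against the group's current policy before it is reused, so tightening the group policy forces the user to supply a new password rather than silently carrying a weaker one into a new account.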
Password synchronization tasks and references
| To do this task | See these topics |
|---|---|
| Add and define a password sync group. | |
| Modify a password sync group. | |
| Define a password policy for a password sync group. | |
| Create custom password rules to use with a password sync group. | |
| Add or remove account configurations from a password sync group. | |
| Remove a password sync group. | |
| Add the rule named "Update target account with synchronized password" to the ACCOUNT_CREATE rule flow. | Adding the rule for target account password synchronization |
| Learn about password synchronization and integration with Desktop Password Reset Assistant (DPRA). | Desktop Password Reset Assistant |
| Learn about and implement the reverse password synchronization feature for Windows Active Directory targets. | Reverse password synchronization for the Windows Active Directory plug-in |
| View a video that demonstrates the password synchronization feature. | Configuring Password Synchronization in the IBM® Security Learning Academy |