Implementing a Password Policy
Password policies let Imprivata Enterprise Access Management respond to an application request for a password change. Imprivata Enterprise Access Management generates a new password according to the rules in this topic. This feature is supported for applications profiled with the Imprivata Application Profile Generator only.
NOTE: The Imprivata Enterprise Access Management Password Policy feature requires that the application profile include the application’s Change Password screen(s). If you configure a Password Policy for an application and do not profile the Change Password screen(s), then the policy is stored but has no effect until you profile the Change Password screens.
How you configure a password policy depends on whether the application shares credentials.
- If the application does not share credentials, see Implementing a Password Policy for a Single Application.
- If the application credentials are shared with the domain or in a credential store, see Implementing a Password Policy for Shared Credential Store.

To set up a password policy for a single application:
- Verify that the application profile includes the Change Password series of screens (Change Password, Change Password Success, and Change Password Failure).
- Open the Application Profile Record by clicking its name in the application profile list. If the application profile has not been deployed, select the Deploy this application option.
- Select Implement an auto-generated password change policy. The page expands to include password change policy options, as shown in the following image. If the profile does not include at least the Change Password screen, you see a reminder to profile those screens.
- Select a password length.
- Allow or disallow duplicate characters.
- Select either standard password format or custom mask:
- For a Standard Format password policy, make a selection from the Valid Character Types drop-down list.
- For a Custom Mask password policy, select a mask from the Character 1 drop-down list. Repeat for each character in the password. The following image shows an example of setting a Custom Mask for an auto-generated password:
- (Optional) Choose any special characters to be used.
- Click Test to test password generation. Imprivata Enterprise Access Management generates a sample password. Examine the password to be sure it satisfies the application. The following image shows a sample auto-generated password test.
- Click Save.

To set up a password policy for a credential store:
- Verify that the application profile for each application includes the Change Password series of screens (Change Password, Change Password Success, and Change Password Failure).
- Open the Application Profile Record for any participating application by clicking its name in the application profile list.
- Scroll to the Credential section, and click Edit Store to open the Edit Credential Store dialog.
- Scroll to the bottom of the dialog.
- In the Password Policy section, select Implement an auto-generated password change policy. The page expands to include password change policy options.
- Select a password length.
- Allow or disallow duplicate characters.
- Select either standard password format or custom mask:
- For a Standard Format password policy, make a selection from the Valid Character Types drop-down list.
- For a Custom Mask password policy, select a mask from the Character 1 drop-down list. Repeat for each character in the password. The following image shows an example of setting a Custom Mask for an auto-generated password:
- (Optional) Choose any special characters to be used.
- Click Test to test password generation. Imprivata Enterprise Access Management generates a sample password according to the policy you have generated.
- Click Save.
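
The settings in the two procedures above (password length, duplicate characters, custom mask, special characters) determine how large the space of generated passwords is. The following is an added example, not Imprivata code and not the product's algorithm; the mask letters U/L/D/S, the special-character set, and case-sensitive duplicate comparison are assumptions made for illustration.

```python
import math
import secrets
import string

# Hypothetical mask letters; the product's own drop-down values are not listed here.
CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "D": string.digits,
    "S": "!@#$",  # constructed special-character set
}

def generate(mask, allow_duplicates=True):
    """Return one password with one CSPRNG-chosen character per mask position."""
    used, out = set(), []
    for cls in mask:
        pool = [c for c in CLASSES[cls] if allow_duplicates or c not in used]
        if not pool:
            raise ValueError(f"mask needs more distinct {cls!r} characters than exist")
        ch = secrets.choice(pool)
        used.add(ch)
        out.append(ch)
    return "".join(out)

def entropy_bits(mask, allow_duplicates=True):
    """log2 of how many distinct passwords the policy can produce.

    Valid because the classes above are disjoint and generate() is uniform.
    """
    bits, seen = 0.0, {}
    for cls in mask:
        taken = 0 if allow_duplicates else seen.get(cls, 0)
        remaining = len(CLASSES[cls]) - taken
        if remaining <= 0:
            raise ValueError(f"mask needs more distinct {cls!r} characters than exist")
        bits += math.log2(remaining)
        seen[cls] = seen.get(cls, 0) + 1
    return bits

if __name__ == "__main__":
    mask = "ULLLDDDS"  # constructed 8-character mask
    print(generate(mask, allow_duplicates=False))
    print(round(entropy_bits(mask), 2), round(entropy_bits(mask, False), 2))
```

Comparing `entropy_bits` for a candidate mask with and without duplicates shows how much keyspace a restrictive policy costs before you save it.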

Imprivata Enterprise Access Management can enforce a password strength policy when a user changes an application password. Automatic password changes occur each time the application’s change password screen is recognized by an Imprivata agent.
This topic describes how to enforce a password policy for user-generated application passwords. This feature is only applicable to application Change Password workflows. It has two primary uses:
- To make sure the new passwords satisfy the application’s requirements
- To make sure the new passwords satisfy your corporate password policy requirements
You can enforce password policy for user-generated passwords for any applications that are deployed in Imprivata Enterprise Access Management.
Before You Begin
To configure this feature, you need to:
- Know the requirements of the target application’s password change policy (if it has one) and your corporate password change policy.
- Use the Imprivata APG to profile the application’s Change Password series of screens.
Overview of the Procedure
The procedure has two steps:
- Use the Imprivata APG to create an Imprivata Enterprise Access Management Credential Enrollment Window for the application’s Change Password screen or screens, as described in Creating an Imprivata Enterprise Access Management Credential Enrollment Window.
- Deploy the application profile. In the deployment rules, set the user-generated password policy rules. There are many options available when deploying an application. They are detailed in Deploying Application Profiles. While deploying the application profile, set the rules for user-generated application passwords as described in Implementing a User-Generated Application Password Policy.
NOTE: If the application was originally tested and deployed using the application’s native password change screen, adding a new custom change password screen can be a significant change. Thoroughly test the new profile before deploying it. Testing procedures are detailed in Testing Application Profiles.

Use an Imprivata Enterprise Access Management Credential Enrollment Window to capture the user’s new password so it can be tested against your password policy rules. The Imprivata Enterprise Access Management Credential Enrollment Window feature is described in The Imprivata OneSign Credential Enrollment Window. You can create a Credential Enrollment Window specifically for password changes.
When you opt to use an Imprivata Enterprise Access Management Credential Enrollment Window, the Imprivata APG opens the Password Policy form:
You configure the screen title and field labels using the Imprivata APG. The list of password requirements is automatically filled in based on the settings you make next in Implementing a User-Generated Application Password Policy.

To configure an application password policy for an application:
- Open the Application Profile Record by clicking its name in the application profile list. If the application profile has not been deployed, select the Deploy this application option. The screen expands to show deployment options.
- Fill in the deployment options for this profile as needed.
- Scroll to the Password Policy section, and select Implement a user-generated password change policy. The page expands to include password change policy options.
- All controls are optional. Select the ones you need to match the application's policy and your corporate policy. These settings apply to the custom Credential Enrollment Window you created in Creating an Imprivata Enterprise Access Management Credential Enrollment Window.
NOTES:
- The password policy is automatically enforced on Change Password screens only.
- Imprivata Enterprise Access Management can block the following characters: ~ ! @ # $ * - _ = | \ ; : ? , . /