Question
JPMC
US
Last activity: 20 Jan 2017 11:39 EST
API/Method to check/validate password history specified in Auth Policy
I want to programmatically validate password history to make sure that a user is not using any of his/her last N passwords. Can someone please help me with the method and API to use?
And also, can someone answer whether the hashed and encrypted password strings under the pzPasswordHistory page list contain the current password? Because to me it seems it doesn't; otherwise I could use the isInPageList method to find the pyPwdOld value. Or do I have to first compare pyPwdNew vs pyPwdOld and then check IsInPageList, if there is no OOTB API to validate?
Accepted Solution
Pegasystems Inc.
IN
>>> OOTB API available to validate password history?
- not sure if we have any OOTB APIs
>>> I would try to manipulate it in my custom activity
- since pyEnableAuthPolicies is enabled, as you said - yes, we do not need an onChange rule; try to manipulate it with a custom activity.
Please share your observations/thoughts, Thank you!
psahukaru
Pegasystems Inc.
US
Hi Dhirendra,
Would using the Security Policies within Pega 7 be helpful?
How to configure login security and password policies
https://collaborate.pega.com/question/how-can-i-track-number-assignments-completed-user
Carissa
JPMC
US
Hi Carissa - Thank you for your response! I am already using password policies.
But I have a separate Desktop admin portal where we have given provision to admins to reset/update the password along with other attributes/roles/privileges. So Pega automatically enforces these policies when we change the password within Pega, either from the developer portal or from the profile menu. But in my case, from the desktop admin portal, when we try updating the password it doesn't enforce the password history policy, because we are using our own custom activity to validate various operator attributes. Though calling the pzValidateOperatorPassword activity from my custom activity does enforce the password complexity policies, so is there anything like this which I can use to enforce password history policies programmatically?
JPMC
US
Hi All - My requirement is put on hold for now, but I will appreciate if someone can answer my question, thanks!
Pegasystems Inc.
US
Dhirendra,
One option that you may want to consider is running the validate activity for the operator instances against the operator when he changes his password as this does do the password history check (along with other validation of the operator record).
You are correct that the current password is not in the password history list. However, the current password is checked as part of the password history check.
Matt
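The check Matt describes, as an added worked example that is not part of the original thread and is not Pega's own implementation. It assumes a constructed operator record that holds the current password hash separately from an oldest-first list of previous hashes, that each stored value is a salted PBKDF2 hash (a constructed storage format; the page does not document what Pega actually stores), and hypothetical helpers `new_operator_record` and `change_password` that own the rotation. The practical point it shows: because each entry carries its own salt, a candidate password cannot be matched by string comparison against the list (so a plain isInPageList-style lookup on the raw values would not work); the candidate has to be re-derived against every entry's salt, and the current password must be checked explicitly because it lives outside the list.

```python
"""Password-history check over per-entry salted hashes.

Constructed example: rejects a candidate that matches the current
password or any of the last N previous passwords, then rotates history.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed parameters; the iteration count is kept low for a quick demo
# and should be raised substantially in a real deployment.
PBKDF2_ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 with a fresh salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the entry's own salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_password_reused(
    candidate: str, current_hash: str, history: List[str], depth: int
) -> bool:
    """True if candidate equals the current password or any of the last `depth` old ones.

    `history` is oldest-first and excludes the current password, so the
    current hash is checked separately. Every entry has a different salt,
    so each one must be re-derived; a string lookup in the list would miss.
    """
    if depth < 1:
        raise ValueError("history depth must be at least 1")
    if verify_password(candidate, current_hash):
        return True
    return any(verify_password(candidate, old) for old in history[-depth:])


def new_operator_record(initial_password: str) -> dict:
    """Constructed stand-in for an operator record: current hash plus empty history."""
    return {"current": hash_password(initial_password), "history": []}


def change_password(record: dict, candidate: str, depth: int) -> bool:
    """Apply the last-N rule; on success rotate the old hash into history.

    Returns False and leaves the record untouched when the candidate is reused.
    """
    if is_password_reused(candidate, record["current"], record["history"], depth):
        return False
    record["history"].append(record["current"])
    del record["history"][:-depth]  # keep only the newest `depth` entries
    record["current"] = hash_password(candidate)
    return True


if __name__ == "__main__":
    rec = new_operator_record("Winter2016!")
    for pwd in ("Winter2016!", "Spring2017!", "Winter2016!"):
        ok = change_password(rec, pwd, 3)
        print(pwd, "accepted" if ok else "rejected (reused)")
```

Calling `change_password` from the admin portal's own activity, after the complexity check, gives the help-desk path the same last-N rule the profile-menu path gets; if the stored hashes were unsalted or used a shared salt, the per-entry re-derivation above would still be correct, just redundant.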
Pegasystems Inc.
JP
Why do you need to enforce password history policy on admin users?
Usually the password reset/updated by the admin users should be changed by end users at their first login attempt.
You can generate a random password and notify the end user of that password.
JPMC
US
Hi Chunzhi - We need this because we have built the admin portal for the application in Pega, which is accessible to the desktop support (help desk) team in my organization. These desktop support users update/reset passwords for Pega users when they call the help desk number. These desktop users use a random password to update/reset via this admin portal in Pega, but we have a use case which we need to implement which says that the last N passwords should not be used.
Pegasystems Inc.
JP
>last N passwords should not be used.
are you sure the requirement is even targeting random passwords, where the chance of a duplicated value is almost negligible?
how often a user password will be reset by admin user?
JPMC
US
Yes Chunzhi, you are right; in a real-life scenario it probably won't happen, as the password would be generated randomly. But QA failed the test case because it did not meet the use case requirement, which they were testing by supplying their own values and not using the random password generation utility. Currently this request is put on hold.
Pegasystems Inc.
IN
- would creating a declare onChange rule
- storing the changed value to a custom database table
- and then validating the current value with the previous one work/make sense?
Please share your thoughts/comments, Thank you!
psahukaru
Pegasystems Inc.
IN
- or leveraging TrackSecurityChanges (https://community.pega.com/sites/default/files/help_v717/procomhelpmain.htm) makes a start from the result list obtained?
JPMC
US
Thank you Phani for your suggestions!! I think I may not need an onChange rule for my scenario, as I already have a handle on and control of the event, which is performed by my custom activity. So if there is no OOTB API available to validate password history, then I would try to manipulate it in my custom activity, as I can see the page list structure under the OperatorID page which stores previous passwords.
Cognizant Technology Solutions
IN
Hi,
Is there a way we can enable this feature for one particular Access Group? Also, we need to modify the password construction criteria; any help is appreciated!