Posted: 9 Nov 2015 21:10 EST Last activity: 20 Jan 2017 11:39 EST
API/Method to check/validate password history specified in Auth Policy
I want to programmatically validate password history to make sure that a user is not using any of his/her last N passwords. Can someone please help me with the method and API to use.
And also, can someone answer whether the hashed and encrypted password strings under the pzPasswordHistory page list contain the current password? Because to me it seems it doesn't; otherwise I could use the isInPageList method to find the pyPwdOld value. Or do I have to first compare pyPwdNew vs pyPwdOld and then check IsInPageList, if there is no OOTB API to validate?
Hi Carissa - Thank you for your response! I am already using password policies.
But I have a separate desktop admin portal where we have given provision to admins to reset/update the password along with other attributes/roles/privileges. So Pega automatically enforces these policies when we change the password within Pega, either from the developer portal or from the profile menu. But in my case, when we try updating the password from the desktop admin portal, it doesn't enforce the password history policy because we are using our own custom activity to validate various operator attributes, though calling the pzValidateOperatorPassword activity from my custom activity does enforce the password complexity policies. So is there anything like this which I can use to enforce the password history policies programmatically?
One option that you may want to consider is running the validate activity for the operator instances against the operator when he changes his password as this does do the password history check (along with other validation of the operator record).
You are correct that the current password is not in the password history list. However, the current password is checked as part of the password history check.
Hi Chunzhi - We need this because we have built the admin portal for the application in Pega, which is accessible to the desktop support (help desk) team in my organization. These desktop support users update/reset passwords for Pega users when they call the help desk number. These desktop users use a random password to update/reset using this admin portal in Pega, but we have a use case which we need to implement which says that the last N passwords should not be used.
Yes Chunzhi, you are right; in a real-life scenario it probably won't happen, as the password would be generated randomly, but QA failed the test case because it did not meet the use case requirement which they were testing by supplying their own values and not using the random password generation utility. Currently this request is put on hold.
Thank you Phani for your suggestions!! I think I may not need an onChange rule for my scenario, as I already have handle and control of the event which is performed by my custom activity. So if there is no OOTB API available to validate password history, then I would try to manipulate it in my custom activity, as I can see the page list structure under the OperatorID page which stores previous passwords.
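As an added illustration of the check the last post plans to build in a custom activity (example code written for this thread, not Pega's own API or any poster's code): the current password hash is kept separately from the history list, as the thread notes for pyPwdOld vs pzPasswordHistory, so a candidate is compared against the current hash first and then against the last N history entries. Function names, the PBKDF2 storage format and the constructed sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed storage format for this example: each stored password is
# (salt, PBKDF2-HMAC-SHA256 digest). The operator's current password is
# held separately from the history list, mirroring the thread's observation
# that the current password is not an entry of the history page list.
HASH_ITERATIONS = 100_000
StoredHash = Tuple[bytes, bytes]


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Derive a salted PBKDF2 digest; a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return salt, digest


def matches(password: str, stored: StoredHash) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def password_reused(new_password: str, current: StoredHash,
                    history: List[StoredHash], n: int) -> bool:
    """True if new_password equals the current password or any of the last n previous ones.

    The current hash is checked explicitly because it is not part of the history list;
    history is assumed to be ordered newest-first.
    """
    if matches(new_password, current):
        return True
    return any(matches(new_password, entry) for entry in history[:n])


def rotate_password(new_password: str, current: StoredHash,
                    history: List[StoredHash], n: int) -> Tuple[StoredHash, List[StoredHash]]:
    """Reject a reused password; otherwise push the current hash into history, trimmed to n."""
    if password_reused(new_password, current, history, n):
        raise ValueError("password matches the current password or one of the last %d" % n)
    return hash_password(new_password), [current] + history[:max(n - 1, 0)]
```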