Locking/Unlocking Functionality Per User¶
An admin user can lock and unlock functionalities on a per-user basis. This allows for fine-grained control over functionalities that a particular user is allowed to use. This page guides you through configuring per-user functionality locking for the security-question-based password recovery functionality with MWARE IAM using the OSGi service.
Tip
This can also be done using the User Functionality Management REST APIs. Using the REST API is the recommended approach.
Configure tenant-wide properties¶
The following properties related to the functionality need to be defined and will affect all the users in a tenant.
- MaxAttempts : Maximum attempts allowed for a user
- LockoutTime : The duration (in minutes) specifying how long the functionality is locked for a user
- TimeoutRatio : The ratio that the functionality's lockout time is increased upon when the maximum number of attempts is exceeded
This sample requests below use the following values for these properties.
MaxAttempts = 5
LockoutTime = 5
TimeoutRatio = 2
To store these configurations for per-user functionality locking, you must first define a resource type using the Configuration Management REST APIs. Sample requests and responses are given below.
-
Create a new resource type called
functionalityLock
in the configuration store.curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource-type -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"name": "functionalityLock", "description": "This is the resource type for per user functionality locking."}'
{ "name": "functionalityLock", "id": "05f3996c-be3a-43b4-917e-2ae12a304d9b", "description": "This is the resource type for per user functionality locking.", "links": [] }
-
Next, create a resource for the specific functionality that you wish to configure. In this request, you can define the property values mentioned above.
curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"name": "SecurityQuestionBasedPasswordRecovery", "attributes": [{"key": "MaxAttempts", "value": "5"}, {"key": "LockoutTime", "value": "5"}, {"key": "TimeoutRatio", "value": "2"}]}'
{ "resourceId": "c4357c84-5e4f-452e-9121-33cd1e655470", "tenantDomain": "carbon.super", "resourceName": "SecurityQuestionBasedPasswordRecovery", "resourceType": "functionalityLock", "lastModified": "2020-06-12T07:32:44.429Z", "created": "2020-06-12T07:32:44.429Z", "attributes": [ { "key": "MaxAttempts", "value": "5" }, { "key": "LockoutTime", "value": "5" }, { "key": "TimeoutRatio", "value": "2" } ], "files": [ { "href": "/t/carbon.super/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery/file", "rel": "file" } ] }
-
If you wish to update the configuration properties set for security-question-based password recovery, you can use the following command. In this example, the
MaxAttempts
property value is updated to3
.curl -k -X PUT https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{"key": "MaxAttempts", "value": "3"}'
{"key":"MaxAttempts","value":"3"}
-
Run the following command to retrieve the
SecurityQuestionBasedPasswordRecovery
resource you created.curl -k -X GET https://localhost:9443/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery -H "accept: application/json" -H 'Content-Type: application/json' -H 'Authorization: Basic YWRtaW46YWRtaW4='
{ "resourceId": "851827f8-1a38-4847-a8dc-db9fb97407ad", "tenantDomain": "carbon.super", "resourceName": "SecurityQuestionBasedPasswordRecovery", "resourceType": "functionalityLock", "lastModified": "2020-06-12T07:53:16Z", "created": "2020-06-12T07:52:14Z", "attributes": [ { "key": "MaxAttempts", "value": "3" }, { "key": "TimeoutRatio", "value": "2" }, { "key": "LockoutTime", "value": "5" } ], "files": [ { "href": "/t/carbon.super/api/identity/config-mgt/v1.0/resource/functionalityLock/SecurityQuestionBasedPasswordRecovery/file", "rel": "file" } ] }
Disable per-user functionality locking¶
Per-user functionality locking is enabled in MWARE IAM by default. If you wish to disable this, add the following configuration in the deployment.toml
file located in the <IS_HOME>/repository/conf/
folder.
[user]
enable_per_user_functionality_locking="false"
Top