Enforced Password Changes

Alan Kirk
Site Admin
Posts: 6606
Joined: Sun May 11, 2008 2:30 am
OLAP Product: TM1
Version: PA2.0.9.18 Classic NO PAW!
Excel Version: 2013 and Office 365
Location: Sydney, Australia

Enforced Password Changes

Post by Alan Kirk »

I just got a request from the higher ups.
I notice in TM1 there is no requirement for Password change after a required period ?

Is that possible to set up in TM1.

It is normal practice in the Network systems
Hmmm.

How do I diplomatically respond "Hey, yeah, we've been asking for that for years now but Iboglix can't be stuffed to do it. But hey, they say that we could use LDAP. Err, no, now that you mention it, that WON'T work with our Web implementation on the VPN."?

That was of course a rhetorical question.

Sigh.

Maybe I could become a DBA. Anybody got a copy of SQL Server For Dummies that they can lend me?

Or I could go to truck driving school.

'Cos I'm suuuuure gettin' sick of all this.
"To them, equipment failure is terrifying. To me, it’s 'Tuesday.' "
-----------
Before posting, please check the documentation, the FAQ, the Search function and FOR THE LOVE OF GLUB the Request Guidelines.
jim wood
Site Admin
Posts: 3951
Joined: Wed May 14, 2008 1:51 pm
OLAP Product: TM1
Version: PA 2.0.7
Excel Version: Office 365
Location: 37 East 18th Street New York

Re: Enforced Password Changes

Post by jim wood »

Calm down Capt. You'll be complaining about undo spread next.

As for the issue. When TM1 is checked by internal audit it fails the security element check every year. The security is very poor. We can't do LDAP either. Our IT department don't support LDAP. Joy.
Struggling through the quagmire of life to reach the other side of who knows where.
OS: Mac OS 11 PA Version: 2.0.7
John Hobson
Site Admin
Posts: 330
Joined: Sun May 11, 2008 4:58 pm
OLAP Product: Any
Version: 1.0
Excel Version: 2020
Location: Lytham UK

Re: Enforced Password Changes

Post by John Hobson »

You'll be complaining about undo spread next.
Oi! :x
John Hobson
The Planning Factory

Re: Enforced Password Changes

Post by jim wood »

:D

Re: Enforced Password Changes

Post by Alan Kirk »

John Hobson wrote:
You'll be complaining about undo spread next.
Oi! :x
I wouldn't worry about me getting in on your act. There are only 144 days until Daylight Savings ends.

I'm marking the calendar and sharpening my scythe even as we speak.... :twisted:
Steve Vincent
Site Admin
Posts: 1054
Joined: Mon May 12, 2008 8:33 am
OLAP Product: TM1
Version: 10.2.2 FP1
Excel Version: 2010
Location: UK

Re: Enforced Password Changes

Post by Steve Vincent »

Am I missing something here? }Client Properties - PasswordExpirationDays - forces the user to change password after x days

I have this enforced by a rule;

Code:

#Ensure admin account never expires
['PasswordExpirationDays', 'Admin'] = S: 'No Expiration.';

#if pwd is left blank, change "last time updated" to be a year in the past and force the account to 
#be invalidated.
['PasswordLastTimeUpdated'] = S:
	IF ( DB('}ClientProperties',!}Clients,'Password') @= ' ' ,
		'20' | SUBST ( Date (NOW-365) ,1, 2 ) | SUBST ( Date (NOW) ,4, 2 ) | SUBST ( Date (NOW) ,7, 2 ) | '000000' ,
		STET);

#if pwd is "<secret default pwd>" set it to expire in 5 days so the user is nagged to alter it.
['PasswordExpirationDays'] = S:
	IF ( DB('}ClientGroups',!}Clients,'ADMIN') @= 'ADMIN' ,
		IF ( DB('}ClientProperties',!}Clients,'Password') @= '<encrypted version of default pwd>' ,
			'5' ,
			'90' ),
		IF ( DB('}ClientProperties',!}Clients,'Password') @= '<encrypted version of default pwd>' ,
			'5' ,
			'90' ));

OK so it's still basic and pees a lot of users off, but at least we pass audits :lol: Most annoying feature is you can't get a reminder longer than 5 days, so if you don't log in very often (like a lot of our users) or happen to be on holiday / off sick when it expires, admin will have to reset it for you. I have submitted an enhancement request to Cognos to allow this to be configurable in the server, not got a possible date for inclusion yet tho.
If this were a dictatorship, it would be a heck of a lot easier, just so long as I'm the dictator.
Production: Planning Analytics 64 bit 2.0.5, Windows 2016 Server. Excel 2016, IE11 for t'internet
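
An added example, not part of the post above or of TM1 itself: a Python audit over an export of }ClientProperties that lists accounts with a blank password, no expiry, an expired password, or an expiry inside a chosen look-ahead, so an admin can warn users earlier than the 5-day reminder. The CSV layout, the password_set column and the function name are assumptions; the YYYYMMDDhhmmss timestamp shape is inferred from the rule in the post.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a hypothetical CSV export of }ClientProperties.
# The column layout and the password_set flag are assumptions; timestamps
# follow the YYYYMMDDhhmmss shape the rule writes to PasswordLastTimeUpdated.
SAMPLE_EXPORT = """client,PasswordExpirationDays,PasswordLastTimeUpdated,password_set
Admin,No Expiration.,20240101000000,yes
alice,90,20240301000000,yes
bob,90,20240105000000,yes
carol,5,20240326000000,yes
dave,90,20230328000000,no
erin,90,,yes
frank,90,20231101000000,yes
"""

def audit_password_expiry(export_text, today, warn_days=14):
    """Return {client: finding} for every account an admin should look at."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        client = row["client"]
        if row["password_set"].strip().lower() != "yes":
            findings[client] = "blank password"
            continue
        raw_days = row["PasswordExpirationDays"].strip()
        if not raw_days.isdigit():
            # Covers the 'No Expiration.' value the rule gives to Admin.
            findings[client] = "never expires"
            continue
        stamp = row["PasswordLastTimeUpdated"].strip()
        try:
            changed = datetime.strptime(stamp, "%Y%m%d%H%M%S")
        except ValueError:
            findings[client] = "no valid last-change timestamp"
            continue
        days_left = (changed + timedelta(days=int(raw_days)) - today).days
        if days_left < 0:
            findings[client] = f"expired {-days_left} days ago"
        elif days_left <= warn_days:
            findings[client] = f"expires in {days_left} days"
    return findings

if __name__ == "__main__":
    report = audit_password_expiry(SAMPLE_EXPORT, datetime(2024, 3, 28))
    for name, finding in report.items():
        print(f"{name}: {finding}")
```
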
Adam Buckle
Posts: 6
Joined: Thu Aug 28, 2008 4:30 am

Re: Enforced Password Changes

Post by Adam Buckle »

I use integrated login (not to be confused with LDAP) in association with Active Directory. This allows password expiry, reset, protocols etc to be set and determined by parameters in AD. Works great, passes Audit etc. Best thing about it is it allows me to palm off such mundane tasks to system admin. Once I go live with 9.4 I will then only have to give them the cut down security admin for user groups in tm1 and not worry if they are going to break anything, not that they have yet!

Incidentally, I don't know of anyone who has successfully implemented LDAP with TM1? Is there anyone?
David Usherwood
Site Admin
Posts: 1453
Joined: Wed May 28, 2008 9:09 am

Re: Enforced Password Changes

Post by David Usherwood »

We are just about to, for a very large UK insurance group. In their case they had a project to sort out authentication to sort out around a hundred Finance apps and TM1 was one of the five which could meet their requirements.

We _won't_ be using ETLDAP (since it never seems to work). I googled around and found dsquery and dsget. Think these will do the trick.

As a side issue, I found that it is not possible to delete the Admin user. Is this news to my esteemed colleagues? It was to me.

I'll update when the project has been implemented.

Re: Enforced Password Changes

Post by Steve Vincent »

I knew that, but thru the cunning use of rules you can still make it completely unusable ;)

Re: Enforced Password Changes

Post by Alan Kirk »

Steve Vincent wrote: Am I missing something here? }Client Properties - PasswordExpirationDays - forces the user to change password after x days

I have this enforced by a rule;
I haven't tested this, but it looks very clever. Still doesn't quite do the job that "real" password expiry methods do, but it's a workaround of sorts....

Re: Enforced Password Changes

Post by Alan Kirk »

David Usherwood wrote: As a side issue, I found that it is not possible to delete the Admin user. Is this news to my esteemed colleagues?
Nope. I think that's documented somewhere, or it was at one point. I seem to recall reading it once many moons (and planetary orbits) ago, but I can't recall where.

It's not unprecedented, though; try deleting the Admin account in a secured Access database and you won't get far either.

I suspect that in TM1's case it's a safeguard against accidentally deleting the last Admin group account, though in practice it'd be pretty easy to put one back in by taking down the server and copying over a new }ClientGroups cube before restarting the server.
David Usherwood wrote: I'll update when the project has been implemented.
I look forward to reading...