<valuePolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<name>Custom password policy</name>
<stringPolicy>
<limitations>
<minLength>16</minLength> (1)
<maxLength>1024</maxLength> (2)
<minUniqueChars>8</minUniqueChars> (3)
<limit>
<description>Lowercase characters</description>
<minOccurs>5</minOccurs> (4)
<mustBeFirst>true</mustBeFirst> (5)
<characterClass>
<value>abcdefghijklmnopqrstuvwxyz</value> (6)
</characterClass>
</limit>
<limit>
<description>Uppercase characters</description>
<minOccurs>3</minOccurs>
<mustBeFirst>false</mustBeFirst>
<characterClass>
<value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
</characterClass>
</limit>
<limit>
<description>Digits</description>
<minOccurs>4</minOccurs>
<mustBeFirst>false</mustBeFirst>
<characterClass>
<value>0123456789</value>
</characterClass>
</limit>
</limitations>
</stringPolicy>
</valuePolicy>Apply resource-specific password policies
By default, midPoint validates passwords against the global security policy. When a resource requires its own password rules—different character sets, length requirements, or complexity constraints—you must configure and assign a dedicated security policy for that resource. You can have a different password policies for various resource object types. You can also define a password policy on the archetype level if that better suits your use case.
Background
Password policies are specified in the form of value policy. A value policy is a generic concept because value policies may be applied to many other attributes, not just passwords. In this article, we sometimes refer to value policies applied to passwords as to password policies.
Password policies can be defined on multiple levels. Policies are merged in the order of increasing proximity to the object they affect (typically users):
-
The global security policy with the lowest priority
-
The organization-level policy
-
The archetype-level policy with the highest priority
Each level can extend or override the settings of the lower-priority level.
Aside these three levels, you can define password policies for particular resource object types. The resource-level password policies sit outside this merging chain entirely. They apply specifically to account passwords on the particular resource, independent of the user-level policy hierarchy.
1. Create value policy
A value policy object defines the actual password rules.
-
In the midPoint GUI, navigate to Import object.
-
Under Get objects from, select one of:
-
Embedded editor to write or paste the configuration into the midPoint XML editor.
-
File to upload an XML file containing the policy.
-
-
Define a password policy. Refer to the example below for inspiration.
-
Name the policy descriptively so that you can easily recognize it later.
-
-
Save the object and note its OID.
Example value policy enforcing passwords to be 16-1024 characters long and containing at least 8 unique characters, 5 lowercase and 3 uppercase letters, and 4 numbers; no non-alphanumeric characters allowed
| 1 | Minimum password length |
| 2 | Maximum password length |
| 3 | Minimum number of unique characters (to avoid, e.g., ababbbab) |
| 4 | Minimum number of characters in the given class |
| 5 | Whether the password must start with a character of the given class |
| 6 | List of characters in the given class |
|
As a matter of principle, you should not limit the maximum length of passwords unless required by your resource. |
2. Create security policy
The value policy defined above is used to enforce the password strength (complexity). To use it, you need to create a security policy object and reference the value policy in it.
-
In Import object, create a new security policy object the same way you created the value policy above.
-
Reference the value policy using
valuePolicyRefinside thecredentials/passwordsection. See below for inspiration. -
Save the object and note its OID.
Security policy enforcing the value policy specified within
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<name>Custom security policy</name>
<credentials>
<password>
<valuePolicyRef oid="<!-- Value policy OID -->" />
</password>
</credentials>
</securityPolicy>3. Assign the security policy to resource objects
To apply your password policy to accounts in a resource, you need to reference it from within resource > schemaHandling > objectType.
Add securityPolicyRef inside the appropriate objectType element, pointing to the security policy created in the previous step:
-
In Resources > All resources, open the resource for editing.
-
Click Edit raw to open the midPoint XML editor.
-
Adjust the resource definition according to the example below.
Reference to the security policy in resource object type schema handling
<resource>
<name>My Resource</name>
...
<schemaHandling>
<objectType>
<securityPolicyRef oid="<!-- Security policy OID -->" />
...
</objectType>
</schemaHandling>
</resource>|
Different object types in a resource can have different security policies. If there is no security policy for an object type, the global security policy is used. |
Assign policy rule to archetypes
When you need to enforce a specific password policy based on a user type rather than resource object type, you can assign the security policy to an archetype. The mechanism of policy merging allows applying different security policies for different groups of objects.
To assign a security policy to an archetype:
-
Create the Value Policy and Security Policy objects as described in steps 1 and 2 above.
-
Open the archetype object for editing and add
securityPolicyRefto the archetype:
<archetype>
<name>Employee</name>
...
<securityPolicyRef oid="<!-- Security policy OID -->" />
</archetype>|
Standard roles cannot have their own password policy
Archetypes in midPoint act as structural roles.
The security policy merging mechanism applies to users based on their global policy, organization, and structural archetype.
Standard (non-archetype) roles cannot hold a |
Was this page helpful?
YES
NO
Thanks for your feedback