Password Answers for Enrollment

Kyle Wiley
Mega Expert

Is there a way to do an upload of information to populate at least 1 question for user's Password Enrollment?  

 

Our Security team would like to be able to pull all user's hire date and input that as a security question answer for Password Enrollment.

1 ACCEPTED SOLUTION

robpickering
ServiceNow Employee

This should be possible by pre-populating the table 'pwd_active_answer'.


The answers are one-way encrypted.



Some other threads in the Community on this topic:


Auto-Enrolment in Password Reset Orchestration and QA Verification encryption?


Re: Password Reset Plug-In Auto-Enrollment



You should be able to write an import set and transform map that would take in your users and populate answers into the table.


The tricky part is the encrypted field. I'd have to try it to see how the transform map handles it, but I believe it will handle the encryption since that's how the field is set up. You'll just have to provide the question (a reference to the question table), the user, and the answer.



Also note, "enrollment" is defined by the system to mean something specific.   If you have a minimum requirement of three Question/Answer pairs, then only populating one answer will NOT enroll the user, and they will be unable to use Password Reset until manually enrolling and fulfilling the requirement.   You will have to either populate the full requirement of Question/Answer pairs, or else lower the requirement to be only 1.   If you then increase the minimum requirement above 1 in the future, the system will re-evaluate "enrolled" and if users fail to meet the requirement, they will not be able to use Password Reset.



For this reason, we would recommend having users go through the normal enrollment process and not pre-populate answers.



-Rob



6 REPLIES

annmoleapen
Giga Contributor

Hi Kyle

 

What did you do with this? Did you upload user answers or ask them to enroll manually? I need to migrate the password reset enrollments from a custom table to pwd_active_answer. I imported the data and the enrollment data, but it doesn't seem to be able to verify. Verification throws an error: cannot verify. Can you help, please?

annmoleapen
Giga Contributor

Hi all

 

I found a solution for this: imports don't handle encryption, so it will fail at the verification stage. What I did was import users to the pwd_enrollment table with the verification I am using for password reset. In my case, questions and answers were stored in a custom table, as we were using a custom solution for password reset. Depending on your scenario you can tailor this; however, the next step is to run a background script with the two lines of code below.

var mgr = new SNC.PwdQAManager();
mgr.insertOrUpdateAnswer(enrl.sys_id, '', ques, ans);// here the parameters are enrollment sys_id, null, question display value, answer.

This is the class which does the encryption and insertion of answers into the pwd_active_answer table.

 

steps in detail below:

Here is what I did..

 

  1. Import users onto the pwd_enrollment table with relevant values

| Enrollment status | Domain | User | Verification |
| --- | --- | --- | --- |
| Active | global | Laura Kuensberg | xx - QA Verification |

 

  2. Run the background script below

 

    // Class that encrypts answers and inserts them into the pwd_active_answer table
    var mgr = new SNC.PwdQAManager();

    var enrl = new GlideRecord('pwd_enrollment');
    // This is the id of the verification (xx - QA Verification) I used for enrollment
    // and the one used in the password reset processes
    enrl.addEncodedQuery('verification=4ef02bbcdbc34c108ca878798261d961941');
    enrl.query();
    while (enrl.next()) {
        // Custom table that stores user verification answers in plain text
        var uaa = new GlideRecord('custom_authentication_answer_table');
        uaa.addQuery('u_user', enrl.getValue('user')); // pass the sys_id string, not the field object
        uaa.query();
        while (uaa.next()) {
            var ans = uaa.getValue('u_answer'); // answer
            var ques = uaa.u_question.u_description.toString(); // question display value
            // Four parameters are passed to insertOrUpdateAnswer(); the 2nd one is sent empty,
            // as it is used to update an existing answer if one is already there
            mgr.insertOrUpdateAnswer(enrl.getUniqueValue(), '', ques, ans);
        }
    }
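
Added example, not part of the thread and not ServiceNow code: a plain Node.js model of the two behaviours discussed above, why a plain import of answers fails verification while inserting through the answer manager succeeds, and how "enrolled" changes with the minimum number of answers. The scrypt scheme, the function names and the sample rows are assumptions made for illustration; the platform's actual one-way scheme is not described in the thread.

```javascript
// Added illustration in plain Node.js; a model, not ServiceNow code.
const nodeCrypto = require('node:crypto');

// Assumption: "one-way encrypted" is modelled as salted scrypt ("salt$digest").
// The platform's real scheme is not stated in the thread.
function protect(answer, salt = nodeCrypto.randomBytes(16).toString('hex')) {
  const digest = nodeCrypto.scryptSync(answer, salt, 32).toString('hex');
  return salt + '$' + digest;
}

// Verification never decrypts: it re-derives the digest from the typed answer.
function verify(stored, typed) {
  const [salt, digest] = stored.split('$');
  if (!salt || !digest) return false; // raw imported text ends up here
  const want = Buffer.from(digest, 'hex');
  const got = Buffer.from(protect(typed, salt).split('$')[1], 'hex');
  return want.length === got.length && nodeCrypto.timingSafeEqual(want, got);
}

// Constructed rows standing in for a plaintext legacy answer table.
const legacyRows = [
  { user: 'user.a', question: 'Hire date', answer: '2015-03-02' },
  { user: 'user.a', question: 'First school', answer: 'Northfield' },
  { user: 'user.a', question: 'First pet', answer: 'Biscuit' },
  { user: 'user.b', question: 'Hire date', answer: '2019-11-18' },
];

// viaManager=false models a plain import; true models inserting through the
// answer manager, which protects the value before it is stored.
function migrate(rows, viaManager) {
  return rows.map((r) => ({ ...r, answer: viaManager ? protect(r.answer) : r.answer }));
}

function canVerify(table, user, question, typed) {
  const row = table.find((r) => r.user === user && r.question === question);
  return Boolean(row) && verify(row.answer, typed);
}

// "Enrolled" is re-evaluated against the current minimum number of answers.
function enrolledUsers(table, minimum) {
  const counts = {};
  for (const r of table) counts[r.user] = (counts[r.user] || 0) + 1;
  return Object.keys(counts).filter((u) => counts[u] >= minimum).sort();
}
```

After a real migration, the equivalent check is to run one verification per migrated user and to count answers per user against the configured minimum before announcing the service.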