5.6 Configuring Helpdesk Policy for a Profile

SSPR provides a Helpdesk module. Helpdesk administrators can view user account data other than the password, such as password modification, login details, last password change, account status, and so on. You can create the required number of Helpdesk profiles and configure appropriate settings for each profile.

SSPR allows Helpdesk administrators to search user details by using a wildcard search. For example, if the helpdesk user types a*b in the search field, the search result lists the users whose name includes the letter a followed by any letter and then the letter b as the last letter of the name. SSPR also supports Ajax search, which searches the user details while the helpdesk user types.

The major tasks of Helpdesk administrators include resetting passwords, unlocking intruder locked accounts, assigning temporary passwords, managing users' challenge-responses, and deleting a user account. You must enable these settings to allow Helpdesk administrators to perform their tasks.

To perform Helpdesk administrator activities, a user must be a member of an LDAP directory group that has the required rights.

In the following scenarios, users cannot reset their password through the configured challenge-responses and call Helpdesk to reset the password for them:

  • When users forget the saved answers to challenge questions.

  • When users have not set up challenge-responses.

Perform the following steps:

  1. On the left pane of the Configuration Editor, click Modules > Helpdesk.

  2. (Conditional) If you want to create different profiles, click Edit List, then on the right pane add the profile names by using Add Profile.

    SSPR does not allow changing the name of the profile. If you do not require different profiles, you can click the default profile.

  3. On the left pane select the required helpdesk profile.

  4. Configure the following settings:

    Setting

    Description

    Helpdesk Profile Match

    Specify the set of users for a profile, so that the configuration settings that you specify for the profile apply to that set of users.

    You can use LDAP Group or LDAP filters to query the directory for users.

    Add Filter: Select the appropriate profile from the drop-down list and select the LDAP search filter. For example, (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))

    Add Group: Select the appropriate profile from the drop-down list and specify the LDAP Group DN. For example, cn=admins,o=novell, or cn=administrators,cn=builtin,dc=example,dc=com

    Helpdesk Search Form

    Specify the user attributes that you want to display to Helpdesk administrators in the search result. You can also add a new form field by using Add Form Item.

    LDAP Search Base

    Specify the LDAP search base. If you leave this field blank, the system uses the default LDAP search bases.

    Helpdesk Detail Form

    Specify the user attributes that you want to display to Helpdesk administrators for an individual user. You can add and delete the fields that are displayed to the helpdesk administrators.

    Viewable Status Fields

    Select the fields that should be available to helpdesk operators to view the status of the required user.

    Helpdesk search result limit (Advanced)

    Specify the maximum number of search results returned to the helpdesk user.

    Set Password UI Mode

    Select a mode from the list to allow Helpdesk administrators to set passwords. This is applicable for the users who have proper LDAP permissions. The options include:

    • None: Helpdesk administrators cannot change a user’s password.
    • Type new password: Helpdesk administrators must type a new password to change the user’s password.
    • Auto generate a list of random passwords to choose from: Helpdesk administrators can select a password from the auto generated passwords list and assign it to the user.
    • Auto generate a list of random passwords and allow typing of new password: Helpdesk administrators can set a password by selecting an auto generated password or by typing it.
    • Set the password to a random value unknown to the helpdesk operator: The helpdesk administrator cannot view the new password or provide it to the user. The user’s password is set to a random value, which is sent to the user through the specified send method.

    Send Password to User

    Select this check box to send the reset password to users. The method of sending the password is selected under Forgotten Password > New Password Send Method.

    Post Set Password Actions (Advanced)

    Specify the actions that the system executes after a Helpdesk administrator modifies a user's password. You can use macros.

    Idle Timeout Seconds for Helpdesk Users

    Specify the number of seconds after which an authenticated Helpdesk administrator’s session requires re-authentication.

    Helpdesk Actor Actions (Advanced)

    Specify the actions that a Helpdesk administrator can perform. You can use macros.

    Enable Unlock

    Select this check box to enable Helpdesk administrators to unlock an intruder locked account.

    Enforce User Password Policy

    Select this check box if you want the Helpdesk administrators to follow the same password policies that a user does while setting their passwords.

    Clear Responses on Password Set

    Select a mode to allow Helpdesk administrators to clear the responses, which a user provides during a password change request, after setting passwords. The available options include:

    • True: Automatically removes the user’s secret questions and answers.
    • Ask: Asks whether to remove the user’s secret questions and answers.
    • False: Neither removes nor asks for removing the user’s secret questions and answers.

    Force Password Expiration On Password Set

    Enable this setting if you want the password to expire when the user logs in with the new password that the helpdesk administrator has set.

    Enable Clear Responses Button

    Select this check box to allow the helpdesk operator to use a button for clearing the stored responses of the user.

    Enable Clear One Time Password Settings Button

    Select this check box to allow the helpdesk operator to click a button and clear the stored one time password settings of the user.

    Enable Delete User Button

    Select this option to allow the helpdesk operator to delete the user account from the LDAP directory.

    Use Proxy Connection (Advanced)

    Select this check box to use the application proxy connection for all the actions that are initiated in the helpdesk module.

    If deselected, the actions are initiated using the LDAP connection of the logged in user. The user must have appropriate privileges in the LDAP directory.

    User Detail Display Name

    Specify the display name that identifies the user on the user detail screen. You can use macros to display the name of the user.

    Token Send Method

    Select a method for sending the token code to the user. The available methods include:

    • None - Token verification will not be performed

    • Email Only - Send to email address

    • SMS Only - Send via SMS

    • Both - Send token to both email and SMS

    • Email First - Try to send token via email; if no email address is available, send via SMS

    • SMS First - Try to send token via SMS; if no SMS number is available, send via email

    • Operator choice - If both mobile number and email address are available, the helpdesk operator can decide which method to use.

    Enable OTP Verification Button

    Select this checkbox if you want to allow the helpdesk user to use OTP verification.

    Mask Password Value

    Select this checkbox if you want to mask the password that the helpdesk user types for changing the user’s password.

  5. Click the Save icon.
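
The Helpdesk Profile Match filter in step 4 places the typed search term wherever %USERNAME% appears. The following added example (not SSPR's own code; the function names are hypothetical and the template is a shortened form of the filter shown above) escapes the term per RFC 4515 while keeping * as the wildcard the search field accepts, and checks that a filter is structurally well-formed before it is saved.

```python
# Added illustration: names below are hypothetical, not SSPR internals.
TEMPLATE = ("(&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)"
            "(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))")

# RFC 4515: these characters must appear as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(term, keep_wildcard=True):
    """Escape a typed term; '*' remains a wildcard only if keep_wildcard."""
    table = dict(_ESCAPES)
    if not keep_wildcard:
        table["*"] = r"\2a"
    return "".join(table.get(ch, ch) for ch in term)

def expand(template, term):
    """Put the escaped term in place of every %USERNAME% placeholder."""
    return template.replace("%USERNAME%", escape_value(term))

def parse_filter(s, i=0):
    """Check RFC 4515 grouping; return the index just past one filter."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i, count = parse_filter(s, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"wrong operand count for '{op}'")
    else:
        j = s.find(")", i)
        item = s[i:j] if j != -1 else ""
        if "=" not in item or item.startswith("=") or "(" in item:
            raise ValueError(f"malformed item at offset {i}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def is_valid(s):
    """True when s is exactly one well-formed filter."""
    try:
        return parse_filter(s) == len(s)
    except ValueError:
        return False

if __name__ == "__main__":
    for term in ["a*b", "x)(objectClass=*"]:   # constructed sample inputs
        print(is_valid(expand(TEMPLATE, term)), expand(TEMPLATE, term))
```

With escaping, a term containing parentheses stays inside a single attribute value, so the number of filter clauses matches the template regardless of what is typed.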