5.5 Configuring the Help Desk Module

Self Service Password Reset provides a Help Desk module that helps you define criteria for help desk administrators. Help desk administrators can view user account data, such as password modification, login details, last password change, and account status, but they cannot view passwords.

You can create the required number of help desk profiles and configure appropriate settings for each profile. For more information, see Configuring Profiles.

Self Service Password Reset allows help desk administrators to search user details by using the wildcard search. For example, if the help desk user types a*b in the search field, the search result displays the list of users with names that include the letter a followed by any letter and then include the letter b as the last letter of the name. Self Service Password Reset also allows auto-complete (Ajax) searches, which search the user details while the help desk user types.

The major tasks of help desk administrators include resetting passwords, unlocking intruder locked accounts, assigning temporary passwords, managing users' challenge-responses, and deleting a user account. Enable these settings to allow help desk administrators to perform their tasks.

To perform help desk administrator activities, a user must be a member of an LDAP directory group that has the required rights. If a user is a member of the correct LDAP directory group, the user sees the Help Desk module as a new tile on the home page after logging in to Self Service Password Reset.

In the following scenarios, users cannot reset their passwords using the configured challenge-responses and call the help desk to reset passwords for them:

  • When users forget the saved answers to the challenge questions.

  • When users have not set up challenge-responses.

To configure the Help Desk module:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Modules > Authenticated > Help Desk > Profiles > default > Details, then configure the details of the default profile for the Help Desk module with the following information:

    Help Desk Profile Match

    Specify the set of users for a profile, so that the configuration setting that you specify for the profile is applicable for that set of users.

    You can use LDAP Group or LDAP filters to query the LDAP directory for users.

    Add Filter

    Select the appropriate profile from the list, then select the LDAP search filter. For example:

    (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))

    Add Group

    Select the appropriate profile from the list, then specify the LDAP Group DN. For example:

    cn=admins,o=company or cn=administrators,cn=builtin,dc=example,dc=com

    Help Desk Search Form

    Specify the user attributes that you want to display to help desk administrators in the search result. You can also add a new form field by clicking Add Item.

    Help Desk Search Filter

    Specify an LDAP search filter to query the directory. Substitute %USERNAME% for a user-supplied user name. If not specified, the system auto calculates a search filter based on the Help Desk Search Form. For example:

    Active Directory

    (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))

    eDirectory

    (&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*)))

    LDAP Search Base

    Specify the LDAP search base. If you leave this field blank, the system uses the default LDAP search bases.

    Help Desk Detail Form

    Specify the user attributes that you want to display to help desk administrators for an individual user. You can add or delete the fields that the help desk administrators see.

    Help Desk Search Result Limit

    Specify the limit of the search result for the help desk user.

    Send Password to User

    Select this option to send the reset password to users. You set the method of sending the password under Forgotten Password > New Password Send Method.

    Post Set Password Actions

    Specify the actions that the system executes after a help desk administrator modifies a user's password. You can use macros. Specify a descriptive name for the action, then click OK to display the available options.

    Help Desk Actor Actions

    Specify the actions that a help desk administrator can perform. You can use macros. Specify a descriptive name for the action, then click OK to display the available options.

    Idle Timeout Seconds for Help Desk Users

    Specify the number of seconds after which an authenticated help desk administrator’s session requires re-authentication.

    Enforce User Password Policy

    Select this option if you want the help desk administrators to follow the same password policies that a user does while setting their passwords.

    Clear Responses on Password Set

    Select a mode to allow help desk administrators to clear the responses that a user provided during a password change request, after the help desk administrator sets the user's password. The available options include:

    Ask

    Asks whether to remove the user’s secret questions and answers.

    False

    Neither removes nor asks for removing the user’s secret questions and answers.

    True

    Automatically removes the user’s secret questions and answers.

    Force Password Expiration On Password Set

    Enable this setting if you want the password to expire when the user logs in with the new password that the help desk administrator has set.

    Use Proxy Connection

    Select this option to use the application proxy connection for all the actions that you initiated in the help desk module.

    If deselected, the system initiates the actions using the LDAP connection of the logged in user. The user must have appropriate privileges in the LDAP directory.

    User Detail Display Name

    Specify the display name that identifies the user on the user detail screen. You can use macros to display the name of the user.

    Token Send Method

    Select a method for sending the token code to the user. The available methods include:

    None

    Self Service Password Reset does not perform the token verification.

    Email Only

    Self Service Password Reset sends the token to the user’s email address.

    SMS Only

    Self Service Password Reset sends the token through SMS.

    Both

    Self Service Password Reset sends the token to both the user’s email and SMS.

    Email First

    Self Service Password Reset tries to send the token through email; if no email address is available, it sends the token through SMS.

    SMS First

    Self Service Password Reset tries to send the token through SMS; if no SMS number is available, it sends the token to the user’s email.

    Operator choice

    If both mobile number and email address are available, the help desk operator can decide which method to use.

  5. Click default > Options to configure the options for the Help Desk module with the following information:

    Viewable Status Fields

    Select the fields that are available to help desk administrators to view. The fields display the status of the users.

    Set Password UI Mode

    Select a mode from the list to allow help desk administrators to set passwords. This is applicable for the users who have proper LDAP permissions. The options include:

    None

    Help desk administrators cannot change passwords for users.

    Type new password

    Requires the help desk administrators to type a new password to change the password for a user.

    Auto generate a list of random passwords to choose from

    Help desk administrators can select a password from the automatically generated passwords list and assign it to the user.

    Auto generate a list of random passwords and allow typing on new password

    Help desk administrators can set a password by selecting an automatically generated password or by typing it.

    Set the password to a random value unknown to the Help Desk operator

    The help desk administrator cannot view or provide the new password to the user. However, the system sets passwords for users to a random value and sends the value to the users through the specified send method.

    Enable Unlock

    Enable this option to enable help desk administrators to unlock an intruder locked account.

    Enable Clear Responses Button

    Enable this option to allow the help desk operator to use a button for clearing the stored responses of the user.

    Enable Clear One Time Password Settings Button

    Enable this option to allow the help desk operator to click a button and clear the stored one-time password settings of the user.

    Enable Delete User Button

    Enable this option to allow the help desk operator to delete the user account from the LDAP directory.

    Mask Password Value

    Enable this option if you want to mask the password that the help desk user types for changing the user’s password.

  6. Click default > Verification to configure the verification options for the Help Desk module with the following information:

    Verification Methods

    Select the appropriate help desk verification methods. You can use LDAP attributes, SMS and email token verification, and OTP (mobile device) verification.

    Help Desk Verification Form

    Define a verification form for the help desk.

  7. Enable the Help Desk module.

    1. Click Modules > Authenticated > Help Desk > Settings > Enable Help Desk Module.

    2. Select Enable to enable the Help Desk module.

  8. In the toolbar, click Save changes.
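
The Help Desk Search Filter in Step 4 is an LDAP filter template in which %USERNAME% is replaced by what the help desk administrator types. The following Python sketch is an added example, not part of the product or its documentation: it checks that a filter is well-formed under RFC 4515 before you paste it into the Configuration Editor, and shows a substitution that escapes special characters while optionally keeping * for wildcard search. All function names and sample filters are assumptions made for illustration; the page does not describe how Self Service Password Reset itself performs the substitution.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# attr, operator, value (no raw parentheses or backslashes; \XX hex escapes allowed).
# Simplification: extensible-match items (":=") are not recognised.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(?:=|~=|>=|<=)(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")

def escape_value(value, keep_wildcard=False):
    """Escape user input; keep '*' only when wildcard search is intended."""
    return "".join(c if (c == "*" and keep_wildcard) else _ESC.get(c, c) for c in value)

def expand(template, username, keep_wildcard=False):
    """Substitute %USERNAME% in a filter template with the escaped input."""
    return template.replace("%USERNAME%", escape_value(username, keep_wildcard))

def _parse(text, i):
    """Parse one '(' filtercomp ')' at index i; return the index after it or -1."""
    if not text.startswith("(", i) or i + 1 >= len(text):
        return -1
    i += 1
    if text[i] in "&|":                      # and / or: one or more sub-filters
        i, count = i + 1, 0
        while text.startswith("(", i):
            i = _parse(text, i)
            if i < 0:
                return -1
            count += 1
        if count == 0:
            return -1
    elif text[i] == "!":                     # not: exactly one sub-filter
        i = _parse(text, i + 1)
        if i < 0:
            return -1
    else:                                    # simple item such as cn=*abc*
        m = _ITEM.match(text, i)
        if not m:
            return -1
        i = m.end()
    return i + 1 if text.startswith(")", i) else -1

def is_valid_filter(text):
    """True if text is exactly one well-formed RFC 4515 filter."""
    return _parse(text, 0) == len(text)

# Constructed samples (not taken from a live configuration).
GOOD = "(&(objectClass=Person)(|(cn=*%USERNAME%*)(uid=*%USERNAME%*)))"
EXTRA_PARENS = "(&(objectClass=Person)(|((cn=*%USERNAME%*)(uid=*%USERNAME%*))))"
```

A filter that wraps the alternatives of an OR in an extra pair of parentheses, as in EXTRA_PARENS, fails the check, and a name such as "Smith (IT)" produces a well-formed filter only when it is escaped before substitution.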