Self Service Password Reset provides a Help Desk module that helps you define criteria for help desk administrators. Help desk administrators can view user account data, such as password modification, login details, last password change, account status, and so on, but they cannot view passwords.
You can create as many help desk profiles as you need and configure appropriate settings for each profile. For more information, see Configuring Profiles.
Self Service Password Reset allows help desk administrators to search user details by using a wildcard search. For example, if the help desk user types a*b in the search field, the search result displays the list of users with names that include the letter a followed by any letter and then include the letter b as the last letter of the name. Self Service Password Reset also supports auto-complete (Ajax) searches, which search the user details as the help desk user types.
The major tasks of help desk administrators include resetting passwords, unlocking intruder locked accounts, assigning temporary passwords, managing users' challenge-responses, and deleting a user account. Enable these settings to allow help desk administrators to perform their tasks.
To perform help desk administrator activities, a user must be a member of an LDAP directory group that has the required rights. If a user is a member of the correct LDAP directory group, when the user logs in to Self Service Password Reset, they see the Help Desk module as a new tile on the home page.
In the following scenarios, users cannot reset their passwords using the configured challenge-responses and call the help desk to reset passwords for them:
When users forget the saved answers to the challenge questions.
When users have not set up challenge-responses.
To configure the Help Desk module:
Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.
In the toolbar, click your name.
Click Configuration Editor.
Click Modules > Authenticated > Help Desk > Profiles > default > Details, then configure the details of the default profile for the Help Desk module with the following information:
Specify the set of users for a profile, so that the configuration setting that you specify for the profile is applicable for that set of users.
You can use LDAP Group or LDAP filters to query the LDAP directory for users.
Select the appropriate profile from the list, then select the LDAP search filter. For example:
(&(objectClass=Person)(|((cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*))))
Select the appropriate profile from the list, then specify the LDAP Group DN. For example:
cn=admins,o=company or cn=administrators,cn=builtin,dc=example,dc=com
Specify the user attributes that you want to display to help desk administrators in the search result. You can also add a new form field by clicking Add Item.
Specify an LDAP search filter to query the directory. Substitute %USERNAME% for a user-supplied user name. If not specified, the system automatically calculates a search filter based on the Help Desk Search Form. For example:
(&(objectClass=Person)(|((cn=*%USERNAME%*)(uid=*%USERNAME%*)(sAMAccountName=*%USERNAME%*)(userprincipalname=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*))))
(&(objectClass=Person)(|((cn=*%USERNAME%*)(uid=*%USERNAME%*)(givenName=*%USERNAME%*)(sn=*%USERNAME%*))))
Specify the LDAP search base. If you leave this field blank, the system uses the default LDAP search bases.
Specify the user attributes that you want to display to help desk administrators for an individual user. You can add or delete the fields that the help desk administrators see.
Specify the limit of the search result for the help desk user.
Select this option to send the reset password to users. You set the method of sending the password under Forgotten Password > New Password Send Method.
Specify the actions that the system executes after a help desk administrator modifies a user's password. You can use macros. Specify a descriptive name for the action, then click OK to display the available options.
Specify the actions that a help desk administrator can perform. You can use macros. Specify a descriptive name for the action, then click OK to display the available options.
Specify the number of seconds after which an authenticated help desk administrator’s session requires re-authentication.
Select this option if you want the help desk administrators to follow the same password policies that a user does while setting their passwords.
Select a mode to allow help desk administrators to clear the responses, which a user provides during a password change request, after setting passwords. The available options include:
Asks whether to remove the user’s secret questions and answers.
Neither removes nor asks for removing the user’s secret questions and answers.
Automatically removes the user’s secret questions and answers.
Enable this setting if you want the password to expire when the user logs in with the new password that the help desk administrator has set.
Select this option to use the application proxy connection for all the actions that you initiated in the help desk module.
If deselected, the system initiates the actions using the LDAP connection of the logged-in user. The user must have appropriate privileges in the LDAP directory.
Specify the display name that identifies the user on the user detail screen. You can use macros to display the name of the user.
Select a method for sending the token code to the user. The available methods include:
Self Service Password Reset does not perform the token verification.
Self Service Password Reset sends the token to the user’s email address.
Self Service Password Reset sends the token through SMS.
Self Service Password Reset sends the token to both the user’s email and SMS.
Self Service Password Reset tries to send the token through email; if no email address is available, it sends the token through SMS.
Self Service Password Reset tries to send the token through SMS; if no SMS number is available, it sends the token to the user’s email.
If both mobile number and email address are available, the help desk operator can decide which method to use.
Click default > Options to configure the options for the Help Desk module with the following information:
Select the fields that are available to help desk administrators to view. The fields display the status of the users.
Select a mode from the list to allow help desk administrators to set passwords. This is applicable for the users who have proper LDAP permissions. The options include:
Help desk administrators cannot change passwords for users.
Requires the help desk administrators to type a new password to change the password for a user.
Help desk administrators can select a password from the automatically generated passwords list and assign it to the user.
Help desk administrators can set a password by selecting an automatically generated password or by typing it.
The help desk administrator cannot view or provide the new password to the user. However, the system sets passwords for users to a random value and sends the value to the users through the specified send method.
Enable this option to enable help desk administrators to unlock an intruder locked account.
Enable this option to allow the help desk operator to use a button for clearing the stored responses of the user.
Enable this option to allow the help desk operator to click a button and clear the stored one-time password settings of the user.
Enable this option to allow the help desk operator to delete the user account from the LDAP directory.
Enable this option if you want to mask the password that the help desk user types for changing the user’s password.
Click default > Verification to configure the verification options for the Help Desk module with the following information:
Select the appropriate help desk verification methods. You can use LDAP attributes, SMS and email token verification, and OTP (mobile device) verification.
Define a verification form for the help desk.
Enable the Help Desk module.
Click Modules > Authenticated > Help Desk > Settings > Enable Help Desk Module.
Select Enable to enable the Help Desk module.
In the toolbar, click Save changes.
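An added example, not part of the product documentation or SSPR's own code: a small Python check an administrator can run on a custom search filter before saving it. It expands the %USERNAME% placeholder with RFC 4515 escaping and confirms that the search term added no filter structure. The function names and the sample search term "Smith (Contractor)" are constructed for illustration, and how SSPR itself escapes the value is not described on this page.

```python
# Example filter from the page; %USERNAME% is the placeholder for the search term.
TEMPLATE = ("(&(objectClass=Person)(|((cn=*%USERNAME%*)(uid=*%USERNAME%*)"
            "(givenName=*%USERNAME%*)(sn=*%USERNAME%*))))")

# RFC 4515 escapes for characters that carry meaning inside a filter value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value, keep_wildcard=False):
    """Escape a search term; optionally keep '*' so a*b still acts as a wildcard."""
    return "".join(
        ch if (ch == "*" and keep_wildcard) else ESCAPES.get(ch, ch)
        for ch in value
    )


def expand_filter(template, username, keep_wildcard=False):
    """Replace every %USERNAME% placeholder with the escaped search term."""
    return template.replace("%USERNAME%", escape_value(username, keep_wildcard))


def paren_skeleton(ldap_filter):
    """Return only the literal parentheses, i.e. the filter's nesting structure."""
    return "".join(ch for ch in ldap_filter if ch in "()")


def term_adds_structure(template, username):
    """True if substituting the term WITHOUT escaping changes the nesting."""
    naive = template.replace("%USERNAME%", username)
    return paren_skeleton(naive) != paren_skeleton(template)


def safe_expansion_keeps_structure(template, username):
    """True if the escaped expansion has exactly the template's nesting."""
    expanded = expand_filter(template, username, keep_wildcard=True)
    return paren_skeleton(expanded) == paren_skeleton(template)


if __name__ == "__main__":
    # Constructed sample search terms; only a*b appears on the page.
    for term in ["a*b", "Smith (Contractor)"]:
        print(term, "->", expand_filter(TEMPLATE, term, keep_wildcard=True))
        print("  raw term alters structure:", term_adds_structure(TEMPLATE, term))
        print("  escaped keeps structure:  ",
              safe_expansion_keeps_structure(TEMPLATE, term))
```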