Assigning password reset authority

Password reset authority authorizes people or applications to reset the passwords of users whose IDs are stored in an ID vault and to specify ID download counts (how many times an ID can be downloaded from the vault with the reset password before the user must change it).

Before you begin

To complete this task you must have the following access:
  • Administrator access to the server in the IBM® Domino® domain
  • Editor access to the Domino® Directory
  • Physical access to the certifier ID file of each user organization whose passwords will be reset. The certifier ID file is used to issue Password Reset Certificates to the password reset authorities.

Procedure

  1. Open the Domino® Administrator tool panel used to specify password reset authority. Use any of the following methods:
    • Open the panel as you create an ID vault: select the Configuration tab, click Tools > ID Vaults > Create, and then perform Step f.
    • Open the panel as you perform other ID vault management tasks: select the Configuration tab and the Security > ID Vaults view. Select a vault document in the view, click Tools > ID Vaults > Manage, and select the task Add or remove password reset authorities.
    • Select the Configuration tab and click Tools > ID Vaults > Password Reset Authority.
    • Select the People & Groups tab and click Tools > ID Vaults > Password Reset Authority.
  2. To assign password reset authority, perform the steps that correspond to the type of authority you are assigning.
    Table 1. Ways to Assign Password Reset Authority

    Type of password reset authority: Authority for help desk personnel to reset user passwords through the Domino® Administrator

    Steps:
      a. From the Password reset authority by organization list, select the organization or organizational unit of users whose passwords will be reset.
      b. From the list of available users, groups and servers, or from the list of organizational units, select who will be allowed to reset the passwords of users in the organization highlighted in the previous step.
      c. Click Add to give the user, group, or organizational unit password reset authority for the highlighted organization or organizational unit. Or click Add To All to give the user, group, or organizational unit password reset authority for all organizations in the Password reset authority by organization list.
      d. Repeat steps a through c as necessary.

    Comments:
      • Selecting a group creates individual Password Reset Certificates for each current member. Future changes in group membership do not cause corresponding changes to Password Reset Certificates; members added later must be granted authority separately, and members removed later keep their certificates until they are revoked.

    Type of password reset authority: Authority for an agent password reset application

    Steps:
      a. From the Password reset authority by organization list, select the organization or organizational unit of users whose passwords will be reset.
      b. From the Available users, groups and servers list, select the name of the user that has signed (or will sign) the application agent.
      c. Click Add to give the selected agent signer password reset authority for the highlighted organization or organizational unit.
      d. Keep the agent signer name highlighted and select Self-service password reset authority.
      e. From the Available users, groups and servers list, select the name of a server or group of servers on which you will deploy the application.
      f. Click Add to give the selected server or server group password reset authority for the highlighted organization or organizational unit.
      g. Repeat steps a through f as necessary.

    Comments:
      • The Server document of each authorized server must list the agent signer in the Sign or run restricted LotusScript/Java agents field. A server does not have to have a replica of the vault.
      • To sign the agent, from Domino® Designer, switch to the user ID that has or will have password reset authority, open Code > Agents, select the agent, and then click Sign.
      • If you select a server group name, a Password Reset Certificate is issued to each server that is currently a member of the group. Future changes in group membership do not cause corresponding changes to Password Reset Certificates.
      • Select Self-service password reset authority for the agent signer even if the users of the application are help desk personnel who will reset passwords for other users.

    Type of password reset authority: Authority for a non-agent password reset application

    Steps:
      a. From the Password reset authority by organization list, select the organization or organizational unit of users whose passwords will be reset.
      b. From the Available users, groups and servers list, select the name of the user or server under which the application is authorized to run.
      c. Click Add to give the selected user or server name password reset authority for the highlighted organization or organizational unit.
      d. If you added a user name, keep the user name highlighted and select Self-service password reset authority.
      e. Repeat steps a through d as necessary.

    Comments:
      • Select Self-service password reset authority for a user name even if the users of the application are help desk personnel who will reset passwords for other users.
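The following is an added example of the kind of agent password reset application that the second row of Table 1 authorizes. It is not code from the original page and is not shipped by IBM; it is written here to show what the authority set up above is consumed by. The agent calls the NotesSession ResetUserPassword method, which resets a vault user's password and sets the ID download count. The vault server name, the request-document field names (TargetUser, NewPassword, ResetStatus and so on), the password policy in IsAcceptablePassword, and the assumption that the agent is launched with NotesAgent.RunOnServer passing the request document's note ID are all illustrative assumptions. For the call to succeed, the agent must be signed by a user ID that holds password reset authority with Self-service password reset authority selected, and must run on a server that was also granted authority and whose Server document allows that signer to run restricted agents.

```lotusscript
' Added example, not part of the original page: a LotusScript agent that
' resets an ID vault password on behalf of a help desk request.
' Assumptions (illustrative only): the vault server name, the request
' document field names, and that the agent is invoked with
' NotesAgent.RunOnServer(noteID) so that ParameterDocID points at the request.

' (Options)
Option Declare

' (Declarations)
Const VAULT_SERVER = "CN=Vault01/O=Acme"   ' assumed server that holds the vault
Const MAX_DOWNLOADS = 1                    ' ID may be downloaded once with the new password

' Reject obviously weak temporary passwords before touching the vault.
' Policy used here is an assumption: at least 12 characters with a letter and a digit.
Function IsAcceptablePassword(pwd As String) As Boolean
    Dim i As Integer
    Dim c As String
    Dim hasDigit As Boolean
    Dim hasAlpha As Boolean
    IsAcceptablePassword = False
    If Len(pwd) < 12 Then Exit Function
    For i = 1 To Len(pwd)
        c = Mid$(pwd, i, 1)
        If c >= "0" And c <= "9" Then hasDigit = True
        If (c >= "A" And c <= "Z") Or (c >= "a" And c <= "z") Then hasAlpha = True
    Next
    IsAcceptablePassword = hasDigit And hasAlpha
End Function

' (Initialize)
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim agent As NotesAgent
    Dim req As NotesDocument
    Dim userName As String
    Dim newPwd As String

    On Error GoTo ErrHandler

    Set db = session.CurrentDatabase
    Set agent = session.CurrentAgent
    ' The request document is assumed to be passed via RunOnServer(noteID)
    Set req = db.GetDocumentByID(agent.ParameterDocID)

    userName = req.GetItemValue("TargetUser")(0)
    newPwd = req.GetItemValue("NewPassword")(0)

    If Trim$(userName) = "" Then Error 1001, "No target user supplied"
    If Not IsAcceptablePassword(newPwd) Then Error 1002, "Temporary password does not meet policy"

    ' Reset the vault password. The signer and the running server both need
    ' password reset authority for the target user's organization (Table 1).
    ' Parameters: server, user name, new password, ID download count.
    Call session.ResetUserPassword(VAULT_SERVER, userName, newPwd, MAX_DOWNLOADS)

    ' Record the outcome for audit, never the password itself.
    Call req.ReplaceItemValue("ResetStatus", "OK")
    Call req.ReplaceItemValue("ResetBy", session.EffectiveUserName)
    Call req.ReplaceItemValue("ResetAt", Now)
    Call req.ReplaceItemValue("NewPassword", "")   ' scrub the secret from the request
    Call req.Save(True, False)
    Print "Password reset for " & userName & " by " & session.EffectiveUserName
    Exit Sub

ErrHandler:
    ' Log the failure (agent log) and mark the request; do not retry silently.
    Print "Password reset failed for " & userName & ": " & Err & " " & Error$
    If Not req Is Nothing Then
        Call req.ReplaceItemValue("ResetStatus", "FAILED: " & Error$)
        Call req.ReplaceItemValue("NewPassword", "")
        Call req.Save(True, False)
    End If
    Exit Sub
End Sub
```

Two points worth noting from the table above. First, the agent is signed by the user ID holding the authority, not by the server, which is why the comments say to select Self-service password reset authority for the signer even when help desk staff are the ones submitting requests: the method runs under the signer's authority, and the server it runs on must be authorized separately. Second, because group-derived Password Reset Certificates are issued to current members only, re-signing the agent with a different ID, or moving it to a server that was added to the server group later, means repeating the steps in Table 1 for that new signer or server.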