
Change only his password via REST or SOAP API ?

AftabChand
Contributor II

Hi RSA Link Community,


Is there a way to allow a user to change only his own password via the REST or SOAP API? The REST call "/api/core/system/userpassword" seems to be tied to the permission "Manage Users" granted via a role. But granting this permission gives the user the ability to change ALL users' passwords.


Thank you in advance.


Aftab Chand


Arun.Prasad
Advocate II

Well, AFAIK, you either give them access to the "Manage Users" page or use some other API user to perform the password change. Could you please tell us your requirement? For example, how are you planning to provision this option to the end users?

BradleyHanna
Contributor III

If you are using Windows Authentication and LDAP sync in Archer, you could write a PowerShell script that checks the Windows user and updates only that user's password in Archer. The script would need Access Control permissions, but the user would not have access to those permissions in Archer, as long as you protect the credentials of the Access Control user that the script uses. You could even require that the user authenticate their Windows account when the script runs. This approach would take some work, but I don't think you can allow an unprivileged user the ability to change only their password via API. I will test today.

Then again, you're using LDAP sync, so the password syncs. This approach would work with your users' Windows accounts being used for verification, though.

DavidPetty
Archer Employee

Unfortunately Archer doesn't have the type of granular access when it comes to the APIs.

Advisory Consultant

Hi Community,


Aftab, myself and a couple of other colleagues are currently testing some mobile scenarios where we want to use end user accounts to access the API. Since 100% of our customers use SSO, we're facing the challenge of how we can authenticate the user (because AFAIK Archer uses the local password for API access, also for LDAP users). So the idea was to at least integrate a password change mechanism into the mobile app. This is bad enough, but we do not have to force the user to log into Archer on his laptop to change the local password.


Or are we missing something fundamental?


Lars

If you are using LDAP sync, the password would be updated in Archer when the password is updated in the user's LDAP services profile. If you cannot have all Archer users on your LDAP service, then you would need a middle-man web page that could be used to change user passwords using an Archer Access Control Administrator user via the API.
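The "middle man" approach from the replies above, sketched as an added example (not code from the thread or from Archer): the broker holds the privileged Access Control credentials server-side and derives the target account from the web server's authenticated identity, so a caller can never name someone else's account. It assumes the endpoint /api/core/system/userpassword mentioned in the question takes a JSON body with fields `UserId` and `NewPassword` (assumed names, not Archer's documented contract) and that the service account name comes from an environment variable.

```python
import json
import os
from dataclasses import dataclass

ARCHER_PASSWORD_ENDPOINT = "/api/core/system/userpassword"  # named in the question


class SelfServiceOnlyError(PermissionError):
    """Raised when a request tries to change a password other than the caller's."""


@dataclass(frozen=True)
class PasswordChangeRequest:
    target_user: str      # value the user typed into the form (untrusted)
    new_password: str


def authorize_self_service(authenticated_user: str, req: PasswordChangeRequest) -> str:
    """Return the only account this broker may touch: the authenticated caller.

    The target is compared against the identity the web server authenticated
    (e.g. Windows Authentication), never trusted from the request body alone.
    """
    if not authenticated_user:
        raise SelfServiceOnlyError("no authenticated identity")
    if req.target_user.casefold() != authenticated_user.casefold():
        raise SelfServiceOnlyError(
            f"{authenticated_user} may not change the password of {req.target_user}")
    return authenticated_user


def handle_change(authenticated_user: str, req: PasswordChangeRequest) -> tuple:
    """Return (archer_call_or_None, audit_event). Denied attempts are audited so
    they can be alerted on; the privileged session is opened by the broker."""
    try:
        user = authorize_self_service(authenticated_user, req)
    except SelfServiceOnlyError as exc:
        return None, {"outcome": "denied", "caller": authenticated_user,
                      "requested": req.target_user, "reason": str(exc)}
    call = {
        "method": "POST",
        "path": ARCHER_PASSWORD_ENDPOINT,
        # Assumed env var: the broker's own Access Control account, never the caller's.
        "service_account": os.environ.get("ARCHER_SERVICE_ACCOUNT", "<service-account>"),
        "body": json.dumps({"UserId": user, "NewPassword": req.new_password}),
    }
    return call, {"outcome": "allowed", "caller": authenticated_user, "target": user}
```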

Actually, Archer does not store the password from the LDAP source, even if that column is mapped in the LDAP config. This is because the passwords stored in Active Directory are not encrypted, but hashed. As a result, they are not reversible, and storing the value in Archer would have no benefit.