Organization administration

To add, edit and delete organizations, a user needs the Administrator role for the claim type urn:anyid:role and the Administrator role for the Identify REST API role claim.

Organizations are similar to folders (from Windows) in that they are used to administer and sort objects of various types. In Safewhere Identify, these objects are Users, Groups, Claims, Claim Transformations, Connections etc.

organization-1-intro

By default, there will always be one root organization that cannot be deleted.

Note: In a future version, we will implement a stricter access rule: If you are a member of the root organization (meaning that your user account is registered directly under this organization), then you will have access to all organizations in the system as well as objects in them. If you are a member of a child organization, you will not be able to see the parent organization(s) and objects located in these. You can only see your own “branch” of the organizational hierarchy.

To add an organization, you can go to the Organizations tab:

organization-5-click-to-add-new-organization

The organization form has just six fields:

organization-5-new-organization2

Name: Should be set to the organization name that will be known in Safewhere*Identify.

Display Name: Should be set to the display name for the organization. This field supports localization.

Number of days before password must be changed: Should be set to the number of days that users are allowed to log in to Safewhere*Identify without changing the password. Once this many days have passed since the user's last recorded password change, he or she is forced to change it at the next login.

Number of days before password expiration: Should always be set to a higher number than that set for Password – Days before Change Required. When a user has not changed the password in this number of days, he or she will no longer be allowed to log in using the “username and password” Authentication Connection page.

Minimum password age: The Minimum password age policy setting determines the period (in days) that a password must be used before a user can change it. This value must be greater than or equal to 0. You can allow password changes immediately by setting it to 0. The Minimum password age must be less than both Number of days before password must be changed and Number of days before password expiration.

When the Minimum password age policy is configured, whether users' passwords can be changed depends on a number of factors:

  • Administrators can always reset users’ passwords. Administrators are users who have the Administrator role or the UserAdmin role.
  • Password reset links sent by Administrators allow users to update their passwords regardless of when they last did so.
  • Non-administrator users must wait until the minimum password age period has passed before resetting their passwords, regardless of who last changed them.
  • When users forget their passwords, they can use the Forgot password feature to request password reset links. However, if their passwords are still within the Minimum password age period, they cannot reset them yet.
  • When administrators set users up to be forced to reset their passwords at their next login, the Change password page is opened after they log in and they can change their passwords regardless of when they last did so. However, users will not be able to update passwords in the following edge case:

    1. A user is set to force reset password.
    2. The user somehow has the My profile page open (thus, no need to log in) or can use the REST API. The user updates the password and thereby clears the force reset flag. In reality, this rarely happens because normal users do not have permission to use these features.
    3. After that, the user performs a login and is asked to update their password. Because the password has just been updated, the Minimum password age policy prevents the update from happening.
      edit-user-force-change-password

New user must change password first time they log in: Checking this box means that the first time users log in to Identify*Admin, they are forced to change their current password to a new one. This is useful where the initial password was autogenerated and you want to make sure it is replaced with one that does not exist anywhere in cleartext.
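The password-related organization fields and the Minimum password age rules above interact in ways that are easier to see as code. The following is an added example written for this page, not Safewhere Identify's own implementation: it is a constructed model of the rules as the page states them (field-ordering constraints, login outcome by password age, and who may change a password when). The class and function names, the three-valued login outcome and the sample dates are assumptions made for the example.

```python
"""Constructed model of the organization password-policy rules described on this page.

Illustrative code, not Safewhere Identify's implementation. Names, the login-outcome
strings and the sample dates are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Actor(Enum):
    ADMIN = "administrator"  # holds the Administrator or UserAdmin role
    USER = "user"            # the account owner acting on their own account


class ChangeVia(Enum):
    SELF_SERVICE = "self-service"          # My profile page, REST API, or the Change password page
    FORGOT_PASSWORD_LINK = "forgot-link"   # reset link the user requested themselves
    ADMIN_RESET_LINK = "admin-link"        # reset link sent by an administrator


@dataclass(frozen=True)
class OrganizationPasswordPolicy:
    days_before_change_required: int  # "Number of days before password must be changed"
    days_before_expiration: int       # "Number of days before password expiration"
    minimum_password_age: int         # "Minimum password age"

    def validation_errors(self) -> list[str]:
        """Check the ordering constraints the page states between the three fields."""
        errors = []
        if self.minimum_password_age < 0:
            errors.append("minimum password age must be >= 0")
        if self.days_before_expiration <= self.days_before_change_required:
            errors.append("days before expiration must exceed days before change required")
        if self.minimum_password_age >= self.days_before_change_required:
            errors.append("minimum password age must be less than days before change required")
        if self.minimum_password_age >= self.days_before_expiration:
            errors.append("minimum password age must be less than days before expiration")
        return errors


@dataclass
class UserPasswordState:
    last_changed: date
    force_change_at_next_login: bool = False  # set by "force reset" or "must change first time"


def login_outcome(policy: OrganizationPasswordPolicy, state: UserPasswordState, today: date) -> str:
    """'denied' once expired, 'change-required' when due or flagged, otherwise 'allowed'."""
    age = (today - state.last_changed).days
    if age >= policy.days_before_expiration:
        return "denied"            # username/password connection refuses the login
    if state.force_change_at_next_login or age >= policy.days_before_change_required:
        return "change-required"   # user is sent to the Change password page
    return "allowed"


def may_change_password(policy: OrganizationPasswordPolicy, state: UserPasswordState,
                        actor: Actor, via: ChangeVia, today: date) -> bool:
    """Apply the Minimum password age rules listed on the page."""
    if actor is Actor.ADMIN:
        return True   # administrators can always reset a password
    if via is ChangeVia.ADMIN_RESET_LINK:
        return True   # admin-sent links bypass the minimum age
    if state.force_change_at_next_login:
        return True   # forced change at login ignores when the password was last changed
    # Self-service changes and user-requested forgot-password links wait out the minimum age.
    return (today - state.last_changed).days >= policy.minimum_password_age


def apply_password_change(state: UserPasswordState, today: date) -> None:
    """Record a successful change: stamp the date and clear the force-reset flag."""
    state.last_changed = today
    state.force_change_at_next_login = False


def demonstrate_edge_case(policy: OrganizationPasswordPolicy, today: date) -> tuple[bool, bool]:
    """Reproduce the page's edge case: a flagged user changes the password out of band
    (clearing the flag), then the login-driven Change password prompt is blocked by the
    minimum age because the password was changed today."""
    state = UserPasswordState(last_changed=today - timedelta(days=30), force_change_at_next_login=True)
    first = may_change_password(policy, state, Actor.USER, ChangeVia.SELF_SERVICE, today)
    apply_password_change(state, today)   # flag is now cleared, password age is 0 days
    second = may_change_password(policy, state, Actor.USER, ChangeVia.SELF_SERVICE, today)
    return first, second


if __name__ == "__main__":
    policy = OrganizationPasswordPolicy(days_before_change_required=90,
                                        days_before_expiration=120, minimum_password_age=1)
    print(policy.validation_errors())                         # []
    print(demonstrate_edge_case(policy, date(2024, 6, 1)))    # (True, False)
```

The three `validation_errors` checks are the constraints to verify before saving an organization; the rest of the block shows why the edge case in the numbered list above is a direct consequence of clearing the force-reset flag and stamping a fresh change date in one step.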

Click on an organization to view its sub-organizations:

organization-2-parent-organization

organization-3-childs-organization

To go back up the hierarchy, click a parent organization:

organization-4-go-back-parent-organization

Edit an existing organization

organization-6-click-to-edit-organization

organization-6-edit-organization2

Delete an existing organization

organization-7-click-to-delete-organization

organization-7-delete-organization