Skip to main content

I want to create a user in IAM which is only for service purposes. Nobody has ever to login on this user.
Because we have many environments, I want to automate this.
Creating the user is not a problem, but i do not know how to set the password with encryption.

I see i need the password, a salt and the password-hash and then i understand that i can use the sql script:

insert into usr_authentication (

      tenant_id]
      ,usr_id]
      ,password_hash]
      , password_salt]
      ,]password_algorithm]
) Values ( … )

but in what way can i determine the values of the hash?

Hello ericbosman,

The task that is shown in the screenshot below can be called through the API of IAM as well.

 

The API call would look something like this:

POST

/indicium/iam/iam/usr(tenant_id=x, usr_id=’x’)/task_set_usr_password
Content-Type: application/json
{
    “new_password”: “MyPassword”,
    “confirm_password”: "MyPassword”
}

If you don't want to perform an API call, and assuming that you don't want to use task in a GUI either, then you could also automate this with a system flow. Starting by creating a process flow like this:
Application connector → Http connector

Where the Application connector reads some parameters (Indicium URL, tenant_id, usr_id, password) from some kind of staging table (which you will have to make yourself) and then performs the API call shown above for you. You can then have this process flow be scheduled to run every 5 seconds or so. With this, you can trigger this process flow by a single insert statement into the staging table.

You could also create a similar solution but use the following process flow.

Application connector → Hash password → Database connector

The Hash password process action will allow you to hash the password and it will output the three columns that you are looking for. The database connector allows you to run a SQL statement on any database on any database server that you have access to (which seems to be useful since you said “many environments”). It requires a connection string, which you could format in a process procedure based on some parameters like database server, database name and perhaps some credentials. This solution will allow you to combine some steps and create the user with all of its properties and set the password with a single insert statement.

Both of these process flows could be defined only once in any application in any IAM and be used to create users in any IAM.

I hope this helps.


Vincent,

Thanks for your reaction.

I will try to use the API call

Greetings,

Eric


Hello Vincent,
If tried many variations, but no results.
I tried the next combination (with Postman) for changing password.
  Post
  url: https://<xxx>/indicium/iam/iam/usr?$deselect=profile_picture_data&$select=tenant_id,usr_id&$filter=((tenant_id eq 1) and (usr_id eq %27dklaassen%27))/task_set_usr_password
  Body - raw - Json
  {
    "new_password": "qwertyxx",
    "confirm_password": "qwertyxx"
  }

I always get an 500 error

But if I do the next:
  Get
  url: https://<xxx>/indicium/iam/iam/usr?$deselect=profile_picture_data&$select=tenant_id,usr_id&$filter=((tenant_id eq 1) and (usr_id eq %27dklaassen%27))
I get a 200 OK and the Body I receive is:
  {
    "@odata.context": "https://acto-d-upgradetest-evo.acto.nl/iam/iam/$metadata#usr",
    "value": >
        {
            "tenant_id": 1,
            "usr_id": "dklaassen"
        }
    ]
  }

The Autorisation in both test is of an IAM user which is a IAM main administrator

Can you tell me, what am i doiing wrong?
Eric


Hello ericbosman,

The URL that you are using for the task is not valid. It is necessary to apply a key filter (between  parentheses after the table name) instead of $filter.

Could you try it like this?

https://<xxx>/indicium/iam/iam/usr(tenant_id=1, usr_id='dklaassen’)/task_set_usr_password

I hope this helps.


Not really, i have tried this before

This results in:

Post

https://<xxx>/indicium/iam/iam/usr(tenant_id=1, usr_id='dklaassen’)/task_set_usr_password

Body - raw - Json
  {
    "new_password": "qwertyxx",
    "confirm_password": "qwertyxx"
  }

I receive an 400 error (Invalid OData URL.)


Hello ericbosman,

When I copy your URL, it is indeed invalid due to incorrect quotation marks that are used around dklaassen. After fixing those, it works as expected.

https://<xxx>/indicium/iam/iam/usr(tenant_id=1, usr_id='dklaassen')/task_set_usr_password

It’s possible that the quotation marks are wrong when copying and pasting to/from the community. Try my URL and if necessary, manually fix the quotation marks by regular, single quotes.

I hope this helps.


Hello Vincent,

(every where in this post i have changed the real username to <###>, because I am using now a different username)


I have used now the following url:
https://<***>/indicium/iam/iam/usr(tenant_id=1,usr_id='<###>')/task_set_usr_password

I checked this url works, by first trying a GET with it, and it returned a complete json with all the userids and data.

So I'm sure the url is correct

After this i tried the POST (got an error 500) and so I checked the indicium error log.
In the indicium error log the following error appeared:
2022-07-26T15:34:14.4152137+02:00 0HMJEA0A3PB93:00000002 [err] System.Exception: The following query failed with an exception: 'INSERT INTO [usr] DEFAULT VALUES'  ---> Microsoft.Data.SqlClient.SqlException: Cannot insert the value NULL into column 'tenant_id', table 'acto_D_upnew_EVO_IAM.dbo.usr_general'; column does not allow nulls. INSERT fails.

So I expanded the Body with the field: tenant_id

After that the next error appeared in the indicium error log.

In the end I got the following Body:

{
"tenant_id": 1,
"usr_id": "<###>",
"first_name": "eric",
"name": "eric bosman",
"gender": 0,
"appl_lang_id": "NL",
"write_back_up_type_id": 5,
"authentication_type": 3,
"two_factor_authentication_type": 0,
"allow_fallback_to_email": 0,
"allow_change_password": 1,
"password_changed_count": 0,
"password_forgotten_count": 0,
"password_expiration_policy": 2,
"new_password": "qwertyxx",
"confirm_password": "qwertyxx"
}

 

But now I get the following error

2022-07-26T15:51:22.1481880+02:00 0HMJEA0A3PB96:00000001 1ERR] System.Exception: The following query failed with an exception: 'INSERT INTO Ousr] ( tenant_id],]usr_id],]first_name],]name],]gender],]appl_lang_id],]authentication_type],]two_factor_authentication_type],]allow_fallback_to_email],]allow_change_password],]password_expiration_policy],]password_changed_count],]password_forgotten_count],]write_back_up_type_id]) VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13)'  ---> Microsoft.Data.SqlClient.SqlException: Violation of PRIMARY KEY constraint 'usr_general_pk'. Cannot insert duplicate key in object 'dbo.usr_general'. The duplicate key value is (1, <###>).

And now I'm stuck, because i want to update the password of an existing user, and it seems like it is trying to create a new user.

??

Bye, Eric
 


Hello Eric,

Which version of IAM are you using?


We are using IAM 2022.1


Hello Eric,

I just realized that you might not be using Indicium Universal, this would explain the behavior that you are seeing. If this is indeed the case, could you try my original request on Indicium Universal?

I hope this helps.


YES, YES, YES

That was the problem, now it works right away…

Thanks for your help…

Eric