Unable to request an A/C through user console in Tivoli Identity Manager 5.1

I want to understand how ACLs work in Tivoli Identity Manager. I am trying to request an a/c on a service from a user console but am getting an error:

"The request cannot be submitted because the synchronization password does not comply with the password rules that govern the service. Change or reset the synchronization password to comply with the following password rules."

I have set the default password to "12345" in the provisioning policy and the password length from 0 to 8 in the password policy, and have granted the 'ADD' operation in the ACL, but I still don't know what I am doing wrong. Please suggest.

Below is the rule under the default Identity policy for ITIM.

    function createIdentity() {
        // Case-handling options for the attribute values
        var EXISTING_CASE = 0;
        var UPPER_CASE = 1;
        var LOWER_CASE = 2;
        var tf = false;
        var identity = "";
        var baseidentity = "";
        var counter = 0;
        var locale = subject.getProperty("erlocale");
        // Person attributes used to build the user ID (second one unused here)
        var fAttrKey = "uid";
        var sAttrKey = "";
        // Number of leading characters to take from each attribute (0 = all)
        var idx1 = 0;
        var idx2 = 0;
        var fCase = 2;
        var sCase = 2;
        if ((locale != null) && (locale.length > 0)) {
            locale = locale[0];
        }
        if (locale == null || locale.length == 0)
            locale = "";
        var firstAttribute = "";
        var secondAttribute = "";
        if (((fAttrKey != null) && (fAttrKey.length > 0)) || ((sAttrKey != null) && (sAttrKey.length > 0))) {
            if ((fAttrKey != null) && (fAttrKey.length > 0)) {
                firstAttribute = subject.getProperty(fAttrKey);
                if (((firstAttribute != null) && (firstAttribute.length > 0)))
                    firstAttribute = firstAttribute[0];
                if (firstAttribute == null || firstAttribute.length == 0)
                    firstAttribute = "";
                else {
                    firstAttribute = IdentityPolicy.resolveAttribute(fAttrKey, firstAttribute);
                    if ((idx1 > firstAttribute.length) || (idx1 == 0))
                        idx1 = firstAttribute.length;
                    firstAttribute = firstAttribute.substring(0, idx1);
                }
                if (fCase == UPPER_CASE)
                    firstAttribute = firstAttribute.toUpperCase(locale);
                else if (fCase == LOWER_CASE)
                    firstAttribute = firstAttribute.toLowerCase(locale);
            }
            if ((sAttrKey != null) && (sAttrKey.length > 0)) {
                secondAttribute = subject.getProperty(sAttrKey);
                if (((secondAttribute != null) && (secondAttribute.length > 0)))
                    secondAttribute = secondAttribute[0];
                if (secondAttribute == null || secondAttribute.length == 0)
                    secondAttribute = "";
                else {
                    secondAttribute = IdentityPolicy.resolveAttribute(sAttrKey, secondAttribute);
                    if ((idx2 > secondAttribute.length) || (idx2 == 0))
                        idx2 = secondAttribute.length;
                    secondAttribute = secondAttribute.substring(0, idx2);
                }
                if (sCase == UPPER_CASE)
                    secondAttribute = secondAttribute.toUpperCase(locale);
                else if (sCase == LOWER_CASE)
                    secondAttribute = secondAttribute.toLowerCase(locale);
            }
            baseidentity = firstAttribute + secondAttribute;
        }
        // Fallback: first initial of givenname plus surname
        if ((baseidentity == null) || (baseidentity.length == 0)) {
            var givenname = subject.getProperty("givenname");
            if (((givenname != null) && (givenname.length > 0)))
                givenname = givenname[0];
            if (givenname == null || givenname.length == 0)
                givenname = "";
            else
                givenname = givenname.substring(0, 1);
            baseidentity = givenname + subject.getProperty("sn")[0];
        }
        // Append a counter until the user ID is unique
        tf = IdentityPolicy.userIDExists(baseidentity, false, false);
        if (!tf)
            return baseidentity;
        while (tf) {
            counter += 1;
            identity = baseidentity + counter;
            tf = IdentityPolicy.userIDExists(identity, false, false);
        }
        return identity;
    }

    return createIdentity();

I am going to assume when you are requesting access you don't already have an account for the service. Hence, it is trying to create a new account for that service before provisioning the access. When the new account is created, it will use the password from the identity for the service if you have global password synchronization turned on.

The password set on the identity (erSynchPassword) does not meet the password requirements for the individual service. Try changing the password on the identity and make sure that the password meets the service's password requirements. Or, temporarily for testing, disable the password policy that applies to that service and attempt to request access.

If this is a development question, personally I would disable all password policies temporarily to determine if the problem is really a password policy issue. That is the easiest way to troubleshoot the error you are seeing.
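
The behaviour described in the answers, as an added example that is not part of the original posts and is not ITIM code: a simplified model of which password a new-account request carries and whether it passes the service's rules. The rule field names, the `syncPassword` property, the fallback to the policy default and the sample values are assumptions made for illustration.

```javascript
// Simplified model (assumption, not ITIM code): with global password
// synchronization on, the new account receives the identity's synchronization
// password, so that value is what the service's password rules are applied to.

// Returns the names of the rules a password breaks. Rule names are hypothetical.
function violations(password, rules) {
  const r = Object.assign(
    { minLength: 0, maxLength: Infinity, minDigits: 0, minLetters: 0 }, rules);
  const digits = (password.match(/[0-9]/g) || []).length;
  const letters = (password.match(/[A-Za-z]/g) || []).length;
  const failed = [];
  if (password.length < r.minLength) failed.push("minLength");
  if (password.length > r.maxLength) failed.push("maxLength");
  if (digits < r.minDigits) failed.push("minDigits");
  if (letters < r.minLetters) failed.push("minLetters");
  return failed;
}

// Picks the password the request would carry, then validates it.
// Falling back to the policy default when no sync password applies is an
// assumption of this model.
function checkAccountRequest(person, policyDefaultPassword, rules, globalSyncOn) {
  const useSync = globalSyncOn && typeof person.syncPassword === "string";
  const candidate = useSync ? person.syncPassword : policyDefaultPassword;
  const failed = violations(candidate, rules);
  return {
    source: useSync ? "synchronization password" : "provisioning policy default",
    accepted: failed.length === 0,
    failed: failed
  };
}

// Constructed sample: the settings from the question (length 0 to 8, default
// "12345") and a made-up 14-character synchronization password.
const questionRules = { minLength: 0, maxLength: 8 };
const person = { syncPassword: "Winter2024Pass" };

console.log(checkAccountRequest(person, "12345", questionRules, true));
console.log(checkAccountRequest(person, "12345", questionRules, false));
```

In this model the policy default "12345" satisfies the 0 to 8 length rule, yet the request is still rejected while synchronization is on, because the value being checked is the synchronization password.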
