Maximo Open Forum

Hi,

We want maximo to send a notification when users password is going to expire. Can anyone share some insights on how this can be done? Can this be done within maximo or network team has to be involved?

It depends on where the password resides. If you are using LDAP or SAML for authentication, Maximo will not track when the user's password will expire. If you are using a username/password configured in Maximo, you can look at the maxuser table at the pwexpiration field (which is the date that the password will expire). 

Normally for sending communications someone would use something like an escalation. If you do this as an escalation on maxuser, you want to make sure you run it infrequently (IE once a day) because you need to set the escalation to repeat. If you ran this frequently (say every 5 minutes), you would bombard your user with emails. 

Thanks,Steve. I did not find any value in the pwexpiration field perhaps because we have SAML authentication( as we do not use LDAP, use VMSYNC) . But I found password duration field in maxgroup having values. 

If you are using Maximo authentication (not LDAP/SAML), the password expiration is complicated. I actually had a RFE (before we had ideas) about ways to improve this but it wasn't approved and this all changes in MAS since Manage is no longer the owner of the user/password. 

There is a dialog in the Security Group (and Users) application called Security Controls. In there is a "Password Lasts this Number of Days". This is used to default the expiration value on new security groups that get created. Then every security group needs to have an expiration set. You do this by opening the security group in the Security Groups application and clicking the "Override Password Duration". If the value is null (which it will be out of box for EVERYONE/MAXEVERYONE and all the groups that existed prior to someone setting that setting), then the user will have no expiration. You need to go through all the groups to set it.

And then, the user needs to change their password or an admin reset their password. Only at that point will the expiration date be set on the user record.


Since you are not sure if you have LDAP enabled, click your profile icon in the top right corner and choose "Password Information". If it lets you input and change your password, you are using local Maximo authentication. If it does not, you are using LDAP or SAML and need an alternative. 

Java includes methods for connecting to LDAP providers. If you really need to, it is possible to write your own autoscript cron task that will fire once a day, use those libraries to query LDAP for your users, and update Maximo user records or send appropriate notifications. I have developed a custom "LDAPSYNC" that did user deactivations as well as phone and email deletes in Maximo, so this is definitely an option. That said, as Steven mentioned, do keep in MAS in mind.

We developed a CAC authentication front end to use with a DoD instance of Maximo.  We do not use the native password expiration process. We added a field to the maxuser table  and added a process to record the last login date. We then created escalations to send email notifications notifying users that they would be blocked if they do not log in by a specific date and set the status to blocked after the specified date.  After and additional interview we set the user status to Inactive.