How the Self Service Module Works

Article ID: 1721
Last updated: 22 Sep, 2018

The Self Service module provides users with a web-based portal to manage their forgot password settings, modify their personal information and add or remove themselves from specific email-enabled Directory groups. Here are some planning considerations:

How it Works

For the Self-Service Module:

  1. Identity Maestro Self-Service Role Group is a primary directory group that is used to identify users who will be included in a Self-Service assignment.
  2. Self-Service Assignment is a collection of self-service options that are configured and then assigned to Identity Maestro Self-Service Role groups.
  3. Forgot Password is an engine that supports a user's ability to change their own password using pre-configured forgot password questions and answers.
  4. Self-Service Forms are similar to Manage Identification Forms and allow users to view and modify their personal information that is stored in the primary Directory.
  5. Self-Service Custom Tasks are custom tasks that can be configured and enabled in Self-Service Assignments.
  6. Self-Service Email Templates are a set of email templates that the Forgot Password engine uses to advise users and administrators when someone attempts to use the forgot password feature.

If a group is assigned to a Self Service Role Group assignment, the SELF-SERVICE tab will be visible to members of that group when they log in to the Identity Maestro portal. If the Forgot Password feature is enabled in the Self-Service Assignment, members of that group will be able to change their passwords without having to log in by using the Forgot Your Password? link.

Planning Factors for the Self Service Module

Careful planning and preparation will result in correctly functioning “self-service” assignments that will support users. Consider the following planning factors:

  • STEP 1 - Determine who needs Forgot your password and a Self-Service portal.
    • Assignments can be made to Directory groups that represent Self-Service roles, or by OU containers in the primary Directory.
    • Determine which passwords can be modified by the Forgot your password feature.
    • Determine which forgot password questions can be asked and which questions will be mandatory.
    • Determine which groups users will be able to add themselves to or remove themselves from.
    • Determine if a Self-Service assignment will be using a custom task form.
  • STEP 2 - Determine how to configure the Forgot Password engine options.
  • STEP 3 - Determine if a single Self-Service form will be suitable, or if forms are required for different OU containers, and determine how to configure each form field for read-only or read-write access.
  • STEP 4 - Determine if custom tasks will be used and how the forms for those custom tasks will be configured.
  • STEP 5 - Determine how to work the Self-Service notification emails.

Forgot Password Configuration Scenarios

Identity Maestro Self-Service offers two distinct Forgot Password scenarios:

  • Default Scenario - Set Answers in the Self Service Portal: In this scenario, users must login to their Self-Service user portal to be prompted to set their forgot password questions and answers.  The critical requirement in this scenario is that the user must be provided a password to set their Forgot Password answers. This is the default scenario and relatively easy to configure. In this scenario, the Forgot Password feature will not work for users until they have set their forgot password answers. The key to configuring this scenario is to enable questions that are not bound to a Directory Attribute.

  • Use Forgot Password to Onboard Users: In this scenario, the user will use Forgot Password to prove their identity by answering questions and then be prompted to save additional Forgot Password answers. This scenario requires that the user be provided answers to questions that are stored as Directory attribute values, like Employee ID and email address. This scenario is useful to enforce users saving Forgot Password answers as a prerequisite step to enable their user accounts and set their own password. This scenario requires more planning and a slightly more complicated setup. Refer to Using Forgot Password to Onboard New Staff or Students for instructions to set up and test this scenario. This scenario is triggered by:

    • Creating at least one question that is bound to a Directory attribute, and
    • enabling that question in the Forgot Password page of a Self-Service assignment.

The Importance of “Save” and “Apply Settings”

It is important to remember to Save changes before changing focus. 

  • While working in Step 1: Manage User Access Control, ensure that you Save changes before changing to a different tabbed page view or a different assignment. If you forget to Save changes, you may lose the work you just did in that assignment.
  • While working in Step 2: Configure "Forgot Password", ensure that you Save changes before changing to a different step. If you forget to Save changes, you may lose work you just did in this step.
  • While working in Step 3: Manage Self-Service Forms and Step 4: Manage Task Forms, ensure that you Save changes before changing to a different field or to a different form. If you forget to Save changes and change focus, you will lose the work you just did in that field.
  • While working in Step 5: Manage Email Templates, ensure that you Save changes before changing to a different email template. If you forget to Save changes, you may lose work you just did in that template.
  • You must choose OPTIONS > Apply Settings before you can switch to the Operator panel and test Self-Service.

How the Setup Wizard Configured Self-Service

The Setup Wizard added the following:

The Setup Wizard Added Identity Maestro Role Groups for Self Service

The Setup Wizard builds an Identity Maestro container with the following users and groups to support Self-Service role-based management.

  • IM Self-Service Role - contains users that will be assigned to a default Self-Service assignment for testing and production use.  The Setup Wizard adds the imuser to this group.
  • imuser - is a normal user that can be used to test Self-Service including Forgot Password.  The Setup Wizard set the default password for this user as Demo!23456.

The Setup Wizard also creates a Sample container, a sandbox that can be used to test create forms against and that contains a sample-self group.

All users in the Sample container are configured with Asdf!234 set as the password, are disabled by default, and are members of the sample-self group.
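Because the Setup Wizard creates imuser and the Sample users with the documented passwords, it is worth checking periodically which of those accounts are enabled. The following is an added example, not part of Identity Maestro or of the original article: it audits a user export, and the CSV layout, the column names, the sampleNN and jdoe accounts, and the way password_changed is derived are all assumptions to adapt to your own directory export.

```python
import csv
import io

# Constructed sample export, not real data. The column names and the way
# "password_changed" is derived are assumptions about your own export tool.
SAMPLE_EXPORT = r"""account,container,enabled,password_changed
imuser,Identity Maestro,true,false
sample01,Identity Maestro\Sample,false,false
sample02,Identity Maestro\Sample,true,false
sample03,Identity Maestro\Sample,true,true
jdoe,Staff,true,false
"""

WIZARD_CONTAINER = "Identity Maestro"
SAMPLE_CONTAINER = r"Identity Maestro\Sample"


def is_wizard_account(row):
    """True for accounts the article says the Setup Wizard creates."""
    if row["container"] == SAMPLE_CONTAINER:
        return True
    return row["container"] == WIZARD_CONTAINER and row["account"].lower() == "imuser"


def audit(export_text):
    """Return (account, finding) pairs for wizard-created accounts."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not is_wizard_account(row):
            continue
        enabled = row["enabled"].strip().lower() == "true"
        changed = row["password_changed"].strip().lower() == "true"
        if enabled and not changed:
            findings.append((row["account"], "HIGH: enabled with the setup password"))
        elif enabled and row["container"] == SAMPLE_CONTAINER:
            # The article says Sample users are disabled by default.
            findings.append((row["account"], "REVIEW: sample account was enabled"))
        elif not changed:
            findings.append((row["account"], "INFO: disabled, setup password unchanged"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_EXPORT):
        print(f"{account}: {finding}")
```

Accounts outside the wizard-created container are ignored, so the report stays limited to the objects this article describes.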

The Setup Wizard Added Default Self Service Assignments

The Setup Wizard creates the following Self-Service assignments.

  • Identity Maestro\IM Self-Service Role is an assignment designed for testing but can also be used in production. The imuser user is a member of this assignment.
  • Identity Maestro\Sample\sample-self is an assignment designed for testing using the Sample users. All users in the Identity Maestro\Sample container are members of this assignment.

The Setup Wizard Added a Default Self Service Form

The Setup Wizard will create a default Self-Service Form which is applied at the primary Directory level.

Identity Maestro administrators should examine each field and confirm if the field should be set to read-only or if you want to allow the user to modify the value of that field for their own user account.

The Setup Wizard Added Default Self Service Role Group Membership to Create Profiles

The Setup Wizard creates default Create Profiles for Sample users.  Those Create Profiles are not configured with the group to add new users to.  If you want to add the sample-create group to that list:

  1. In the ADMINISTRATION panel, select the CREATE module and the desired Sample Create Profile.
  2. Select the Additional Memberships tab and click the Add new button. 
  3. In the Add Group or Distribution List window, click the browse icon for the Name field, navigate to and select the Identity Maestro\Sample\sample-self group.

  4. Click Accept.
  5. Verify that the sample-self group appears in the Additional Memberships list and Save the change.

  6. Repeat steps 1 to 5 for each of the Sample Create Profiles that you want to modify.
  7. Select OPTIONS > Apply Settings to apply the changes to the default Identity Maestro website.

Which Manage Tasks Support Self Service Settings for Users

Identity Maestro includes two MANAGE tasks that can be used by Identity Maestro operators to assist users with their Forgot Password questions and answers.

The Forgot Password Questions task provides the Identity Maestro operator with the ability to set, reset or clear Forgot Password answers for the user, to set a question as required, and to add a new question for the user. Note: Identity Maestro operators cannot see a user's existing Forgot Password answers. Use the Verify Forgot Password task to confirm if what the user is trying is actually a valid answer.

Saved changes will be immediately applied to users using the Forgot Password feature at the login screen.

The Verify Forgot Password feature is used to verify if a user's Forgot Password answers are correct. Operators can use this as a form of verification that they are speaking with the correct individual, and to test that changes made with the Forgot Password Questions task (above) are working as expected.

Selecting this task will open a dialogue window where an Operator can test Forgot Password answers for the user.  If an answer is incorrect, the UI will explain the issue.

Revision: 19