[OPENAM-5695] Allow admin users to update user's password without the old password Created: 20/Mar/15  Updated: 20/Nov/16  Resolved: 22/Sep/15

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 11.0.2, 11.0.3, 12.0.0, 13.0.0
Fix Version/s: 12.0.3, 13.0.0

Type: New Feature Priority: Major
Reporter: Quentin CASTEL [X] (Inactive) Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed Votes: 1
Labels: EDISON, release-notes
Remaining Estimate: 0h
Time Spent: 16h
Original Estimate: 6h

Issue Links:
relates to OPENAM-6916 Since OPENAM-5695, users with the rig... Resolved
Sprint: Sprint 81 - Sustaining, Sprint 83 - Sustaining, Sprint 84 - Sustaining, Sustaining Sprint 12
Support Ticket IDs:


Admin users should have the necessary delegation permissions to update a user's password without the old password.
This operation should be possible with the identity update REST API, as follows:

curl --request PUT --header "iplanetDirectoryPro: AQIC5...Y3MTAx*" \
 --header "Content-Type: application/json" \
 --data '{ "userpassword": "secret1" }'

If the user being updated is actually the same user who performs the operation, the request should be rejected (to enforce that changing the current user's password requires the current password); otherwise the request should be let through and allowed to potentially fail for not having the necessary delegation permissions that would allow the update of the user entry.
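The decision rule in the description, written out as an added example in Python. This is a model of the behaviour the issue asks for, not OpenAM's own code: the request field name "currentpassword", the helper and class names, the assumed /json/users/{user} path and the sample realm data are all assumptions made for illustration. It shows the two branches the text distinguishes: a self-update that must carry the current password, and an update of another user that needs no old password but still depends on the caller's delegation permission.

```python
# Added example modelling the OPENAM-5695 rule; not OpenAM code.
# Assumptions: field name "currentpassword" for the caller's own password,
# the /json/users/{user} path, and the constructed sample realm below.
import hmac
from dataclasses import dataclass, field


@dataclass
class Realm:
    """Constructed stand-in for an OpenAM realm's identity store."""
    passwords: dict                            # username -> stored password
    admins: set = field(default_factory=set)   # users delegated to update other entries


def sample_realm() -> Realm:
    """Constructed sample data: one delegated admin and two ordinary users."""
    return Realm(
        passwords={"demo": "demopw", "bob": "bobpw", "opsadmin": "adminpw"},
        admins={"opsadmin"},
    )


def build_request(token: str, target: str, new_password: str,
                  current_password: str = None) -> dict:
    """Shape the REST call from the description (path is an assumption)."""
    body = {"userpassword": new_password}
    if current_password is not None:
        body["currentpassword"] = current_password   # assumed field name
    return {
        "method": "PUT",
        "path": f"/json/users/{target}",
        "headers": {"iplanetDirectoryPro": token,
                    "Content-Type": "application/json"},
        "body": body,
    }


def authorize_password_update(realm: Realm, caller: str, target: str,
                              body: dict) -> tuple:
    """Decide whether `caller` may set `target`'s password from `body`.

    Rule from the issue description:
      * self-update: the current password must be supplied and must match;
      * update of another user: no current password is needed, but the
        request still fails unless the caller holds delegation permission
        to update that user's entry.
    Returns (allowed, reason) and applies the change when allowed.
    """
    if "userpassword" not in body:
        return False, "no userpassword in request body"
    if target not in realm.passwords:
        return False, "unknown target user"

    if caller == target:
        supplied = body.get("currentpassword")
        if supplied is None:
            return False, "self-update requires the current password"
        # constant-time comparison so the check itself leaks nothing
        if not hmac.compare_digest(supplied, realm.passwords[target]):
            return False, "current password does not match"
    elif caller not in realm.admins:
        return False, "caller lacks delegation permission to update target"

    realm.passwords[target] = body["userpassword"]
    return True, "password updated"


if __name__ == "__main__":
    realm = sample_realm()
    req = build_request("AQIC5...Y3MTAx*", "demo", "secret1")
    print(req["method"], req["path"], req["body"])
    print(authorize_password_update(realm, "opsadmin", "demo", req["body"]))
    print(authorize_password_update(realm, "opsadmin", "opsadmin", req["body"]))
```

The admin-changes-own-password case is rejected here on purpose, because that is what the description asks for; Jake Feasel's later comment argues against exactly that choice, and relaxing it is a one-line change to the `caller == target` branch.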

Comment by Alan Beecraft [ 30/Jul/15 ]

OPENAM-6443 is very similar to this RFE, so I asked the customer if the solution for OPENAM-6443 will meet their requirements, and this is their response:

The two cases are similar: the goal is to change another user's password via the JSON REST API without providing the user's old password:
OPENAM-6443 - this is a bug about using the amadmin token to do this
OPENAM-5695 is an RFE that all AdminUsers should be able to do this (this was still working OK in 11.0.2 in the JSON REST API)

In this sense we really need the implementation of 5695, as our application does not use the amadmin user but a different privileged user. We want to have all AdminUsers be able to change another user's password without providing the user's old password.
What we're expecting is a permanent implementation of this feature in OpenAM 12 so that we are not blocked to upgrade.

Comment by Quentin CASTEL [X] (Inactive) [ 22/Sep/15 ]

Fixed in 12.0.3 r15838
Fixed in 13.0.0 r15798

Comment by Jake Feasel [ 25/Sep/15 ]

This JIRA does not show the full REST call necessary to reset a password. Also, it doesn't make sense that admins should have to enter the old password for themselves - compare with unix "root" passwd behavior and the windows administrative password reset GUI - neither require entering your old password when you are an admin.

Generated at Mon Jan 18 19:16:50 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.