Help Desk User Profile Protection
Overview
An end user calls the company's support desk and asks for help. The help desk operator asks for the end user's name and searches for the account in the system; the user is either not found or found, in which case the operator may need to verify the end user's identity. OpenIAM presents questions that the help desk operator asks the person on the phone. If the end user's answers are correct, the system confirms that verification passed and OpenIAM shows the end user's profile to the help desk operator. The implementation is based on the system property org.openiam.am.helpdesk.role.id, which holds the roles whose edit user pages are protected from help desk access. If a user is a member of one of the selected roles and access to a protected page is requested (the edit user page in Webconsole, the user profile in Selfservice), the authorization engine takes over. If the check succeeds (the user is a member of a role from the system configuration), the system asks the help desk operator security questions, which the operator puts to the end user who needs help. If the end user answers correctly, the system grants access to the help desk operator, who can then support the end user. If 3 attempts fail (the number of failed attempts is configurable) because of incorrect answers, the page is blocked for the help desk. Unblocking is performed by a batch script based on a batch task Cron job.
The set of questions is compiled from user profile information. The number of questions asked and the number of incorrect answers allowed before blocking are configurable in the Password Policy.
Question set compiler
To compile the set of questions, OpenIAM analyzes the user's contact info and some fields of the user object. Initially the following fields are proposed:
- Emails
- Title
- Initials
- Employee ID
- Birth day
- User Secret - encrypted with user key
The system generates questions for non-null fields and requests the answers from the help desk operator.
For example, the system is configured to ask 3 security questions for the help desk. End user account:
First Name | Last Name | Title | Employee ID | Birthday | Initials | Email address |
---|---|---|---|---|---|---|
John | Silver | Developer | | 11/11/1986 | P | john.silver@company.org |
Use case: John Silver calls the Help Desk and provides his first and last names and phone number (usually the help desk can see it). This information is enough to find a unique account in the system (search parameters). The help desk operator clicks the edit button; OpenIAM loads the user by ID and checks the fields from the list above. If Title is not empty, OpenIAM uses it to generate a question; if Employee ID is empty, the system skips that question, and so on. If the required number of questions cannot be collected, only the maximum possible number is presented to the help desk. The last question is always the user's secret. If the user's secret has not been set, the help desk cannot support the end user by phone and the user must resolve the issue another way. The User Secret is requested at first-time login if the property org.openiam.am.helpdesk.role.ids is set. If this property is not set, the User Secret step is skipped.
The system does not allow the user secret to be changed, but it can be reset through the Reset account functionality.
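The question-set compiler and the lockout rule described above, as an added illustration that is not OpenIAM code; the field names, question wording, consultation order and the constructed John Silver profile are assumptions:

```python
# Added example (not OpenIAM code): models the question-set compiler and the
# failed-attempt lockout described above. Field names, question wording and
# order are assumptions; OpenIAM stores the secret encrypted with the user key.
from dataclasses import dataclass

# Profile fields consulted, in order, for non-empty values
QUESTION_FIELDS = [
    ("email", "What is the user's e-mail address?"),
    ("title", "What is the user's job title?"),
    ("initials", "What are the user's initials?"),
    ("employee_id", "What is the user's employee ID?"),
    ("birthday", "What is the user's date of birth?"),
]
# Constructed sample matching the John Silver account above (no Employee ID)
SAMPLE_PROFILE = {
    "first_name": "John", "last_name": "Silver", "title": "Developer",
    "employee_id": None, "birthday": "11/11/1986", "initials": "P",
    "email": "john.silver@company.org", "user_secret": "parrot",
}

def compile_questions(profile, max_questions):
    """Up to max_questions (prompt, answer) pairs, secret always last; empty
    fields are skipped; None when no secret is set (no phone support)."""
    secret = profile.get("user_secret")
    if not secret:
        return None
    pairs = [(q, profile[f]) for f, q in QUESTION_FIELDS if profile.get(f)]
    pairs = pairs[:max(max_questions - 1, 0)]  # keep last slot for the secret
    pairs.append(("What is the user's secret word?", secret))
    return pairs

@dataclass
class ProtectedPage:
    questions: list
    max_failures: int = 3  # from the password policy
    failures: int = 0
    blocked: bool = False

    def attempt(self, answers):
        """One HELPDESK_UNLOCK_ATTEMPT; every answer must match (case-insensitive)."""
        if self.blocked:
            return False
        expected = [e for _, e in self.questions]
        if len(answers) == len(expected) and all(
                a.strip().lower() == e.strip().lower() for a, e in zip(answers, expected)):
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.blocked = True  # cleared only by the batch-task cron job
        return False
```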
Pic 1 - org.openiam.am.helpdesk.role.id system property that keeps the helpdesk role. If empty, the helpdesk workflow is disabled.
Pic 2 - Password policies that control the maximum number of questions asked and the maximum number of failed answers.
Pic 3 - Page where the end user fills in the security question. Available if the property "Helpdesk protected role" is not empty.
Pic 4 - Implementation of the page where the help desk fills in the protection questions.
Pic 5 - End user did not fill in the secret word.
Audit Logging
Registered event that the end user saved the secret word (AuditAction = SECRET_WORD_SAVED).
Registered event of an attempt to unlock the protected page with the provided answers (AuditAction = HELPDESK_UNLOCK_ATTEMPT).