
Model: data/CredentialPolicy

Credential Policy

VOSS-4-UC helps secure user accounts by authenticating user sign-in credentials before allowing system access. Administrators can specify settings for, among other things, failed sign-in attempts, lockout durations, and password reset questions. The number of questions in the Password Reset Question Pool must be equal to or greater than the number set in the Number of Questions Asked During Password Reset field. Collectively, these rules form a credential policy, which can be applied at any hierarchy level and determines user sign-in behavior at that level.

A credential policy is not mandatory at specific levels in the hierarchy. However, a default credential policy is provided at the sys.hcs level. Administrators at lower levels can copy and edit this default policy if necessary. Administrators can also save it at their own hierarchy level so that it can be applied to the associated users at that level. If the administrators at the various levels do not create a credential policy at their level, it is inherited from the closest level above them. If a Provider Administrator has defined a credential policy, but a Customer Administrator has not, the customer automatically inherits the credential policy from the Provider. A different credential policy can also be defined for each user.

For each administrator user where IP address throttling (sign-in limiting per source) is required, manually create and assign a credential policy. The credential policy must have both IP address throttling and username and email throttling enabled.
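The per-user and per-source throttling referred to here is a burst-size counter with a reset interval (the "Failed Login Count" and "Reset Failed Login Count" fields in the model details on this page), plus a lock duration or account disable once the per-user burst is reached. The following Python is an added illustration, not VOSS-4-UC code: it replays constructed sign-in attempts through that logic using the model's default values (20 failures per user within 5 minutes and a 30-minute lock; 10 failures per source IP within 10 minutes). The page does not say exactly how a throttled source IP is handled or when a user's counter is cleared, so the example assumes that a source which reaches its burst size is refused until its counter would reset, and that a successful sign-in clears the user's counter; usernames, IP addresses and timings are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class FailedLoginPolicy:
    # Field names and defaults follow the data/CredentialPolicy model on this page.
    failed_login_count_per_user: int = 20            # burst size per username
    reset_failed_login_count_per_user: int = 5       # minutes before the per-user counter resets
    failed_login_lock_duration: int = 30             # minutes a user is locked once the burst is hit
    disable_failed_login_user_account: bool = False  # disable the account instead of a timed lock
    disable_failed_login_limiting_per_user: bool = False
    failed_login_count_per_source: int = 10          # burst size per source IP address
    reset_failed_login_count_per_source: int = 10    # minutes before the per-source counter resets
    disable_failed_login_limiting_per_source: bool = False


@dataclass
class _Counter:
    failures: int = 0
    window_start: float = 0.0   # minute of the first failure in the current window
    blocked_until: float = 0.0  # minute until which attempts are refused (0 = not blocked)


class FailedLoginLimiter:
    """Per-username and per-source-IP failed sign-in limiting. Time is passed in as
    minutes rather than read from a clock so a sequence can be replayed deterministically."""

    def __init__(self, policy: FailedLoginPolicy):
        self.policy = policy
        self.users: Dict[str, _Counter] = {}
        self.sources: Dict[str, _Counter] = {}
        self.disabled_users: Set[str] = set()

    @staticmethod
    def _hit(c: _Counter, now: float, burst: int, reset_minutes: float) -> bool:
        """Record one failure on counter c; return True if the burst size has just been reached."""
        if c.failures and now - c.window_start >= reset_minutes:
            c.failures = 0              # reset interval elapsed: start a fresh window
        if c.failures == 0:
            c.window_start = now
        c.failures += 1
        if c.failures >= burst:
            c.failures = 0
            return True
        return False

    def check(self, username: str, source_ip: str, now: float) -> Tuple[bool, str]:
        """Decide whether an attempt may proceed at minute `now`, without recording anything."""
        if username in self.disabled_users:
            return False, "account disabled"
        u = self.users.get(username)
        if u and now < u.blocked_until:
            return False, "user locked"
        s = self.sources.get(source_ip)
        if s and now < s.blocked_until:
            return False, "source throttled"
        return True, "ok"

    def record_failure(self, username: str, source_ip: str, now: float) -> None:
        p = self.policy
        if not p.disable_failed_login_limiting_per_user:
            u = self.users.setdefault(username, _Counter())
            if self._hit(u, now, p.failed_login_count_per_user, p.reset_failed_login_count_per_user):
                if p.disable_failed_login_user_account:
                    self.disabled_users.add(username)   # stays disabled until an administrator acts
                else:
                    u.blocked_until = now + p.failed_login_lock_duration
        if not p.disable_failed_login_limiting_per_source:
            s = self.sources.setdefault(source_ip, _Counter())
            if self._hit(s, now, p.failed_login_count_per_source, p.reset_failed_login_count_per_source):
                # Assumption (not stated on the page): a throttled source is refused until its counter would reset.
                s.blocked_until = now + p.reset_failed_login_count_per_source

    def record_success(self, username: str) -> None:
        self.users.pop(username, None)  # assumption: a successful sign-in clears the user's burst counter


def replay(policy: FailedLoginPolicy, attempts) -> List[str]:
    """Run (minute, username, source_ip, password_ok) tuples through the limiter; return one outcome each."""
    lim = FailedLoginLimiter(policy)
    outcomes = []
    for now, user, ip, password_ok in attempts:
        allowed, reason = lim.check(user, ip, now)
        if allowed:
            if password_ok:
                lim.record_success(user)
            else:
                lim.record_failure(user, ip, now)
                reason = "bad password"
        outcomes.append(reason)
    return outcomes


# Constructed attempt logs (usernames, addresses and timings are made up for this example).
# 1) One source trying 10 different usernames reaches the per-source burst size.
SPRAY = [(i * 0.1, f"user{i}", "198.51.100.7", False) for i in range(10)]
SPRAY += [(1.5, "user0", "198.51.100.7", True), (11.0, "user0", "198.51.100.7", True)]
# 2) 20 failures against one username from 20 addresses within 5 minutes locks the account.
STUFFING = [(i * 0.2, "alice", f"203.0.113.{i + 1}", False) for i in range(20)]
STUFFING += [(4.0, "alice", "203.0.113.99", True), (34.0, "alice", "203.0.113.99", True)]

if __name__ == "__main__":
    print(replay(FailedLoginPolicy(), SPRAY)[-2:])     # ['source throttled', 'ok']
    print(replay(FailedLoginPolicy(), STUFFING)[-2:])  # ['user locked', 'ok']
```

The two logs show why L11 asks for both kinds of throttling: the per-source counter stops one address that cycles through many usernames (which never trips any single user's counter), while the per-user counter stops many addresses targeting one account. Setting Disable Failed Login User Account changes the second outcome from a 30-minute lock to a disabled account, and switching either "Disable ... Limiting" flag on removes that protection entirely.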

The default credential policy is defined at the sys.hcs level.
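The inheritance rule described above (an explicit per-user assignment wins; otherwise the nearest level at or above the user that has a default policy applies, with sys.hcs as the final fallback) is small enough to write out. The Python below is an added example, not VOSS-4-UC code; the hierarchy, node names, policy names and users are constructed for illustration, and the assumption that a node can hold several saved policies of which one is the default is this example's own modelling.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One hierarchy level (sys.hcs, a provider, a customer, ...)."""
    name: str
    parent: Optional["Node"] = None
    policies: List[str] = field(default_factory=list)  # credential policies saved at this level
    default_policy: Optional[str] = None               # the one applied by default at this level


@dataclass
class User:
    name: str
    node: Node
    credential_policy: Optional[str] = None  # explicit per-user assignment, if any


def available_policies(node: Node) -> List[str]:
    """Policies selectable for a user located at `node`: everything saved at or above
    the node, nearest level first (what the Credential Policy drop-down offers)."""
    names = []
    while node is not None:
        names.extend(node.policies)
        node = node.parent
    return names


def effective_policy(user: User) -> Tuple[str, str]:
    """Return (policy_name, origin) for the policy that governs `user`'s sign-in."""
    if user.credential_policy is not None:
        return user.credential_policy, "assigned to user"
    node = user.node
    while node is not None:
        if node.default_policy is not None:
            return node.default_policy, f"inherited from {node.name}"
        node = node.parent
    raise LookupError("no default credential policy found up to the top of the hierarchy")


def assign_policy(user: User, policy_name: str) -> None:
    """Explicitly assign a policy; only policies visible from the user's node are accepted."""
    if policy_name not in available_policies(user.node):
        raise ValueError(f"{policy_name!r} is not available at or above {user.node.name}")
    user.credential_policy = policy_name


# Constructed hierarchy: the default policy lives at sys.hcs, the provider defines a
# stricter one, and the customer defines none, so it inherits from the provider.
SYS_HCS = Node("sys.hcs", policies=["default"], default_policy="default")
PROVIDER = Node("ProviderA", parent=SYS_HCS, policies=["provider-strict"], default_policy="provider-strict")
CUSTOMER = Node("CustomerX", parent=PROVIDER)

CAROL = User("carol", CUSTOMER)                             # no explicit assignment
DAVE = User("dave", CUSTOMER, credential_policy="default")  # explicitly assigned

if __name__ == "__main__":
    for u in (CAROL, DAVE):
        print(u.name, effective_policy(u))
    print("drop-down for CustomerX:", available_policies(CUSTOMER))
```

Note that carol ends up under "provider-strict" even though sys.hcs has a policy too: resolution stops at the first level going upward that has a default set. dave's explicit "default" is accepted because it is saved at sys.hcs, which is above CustomerX.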

Note

Credential policies are not applicable to SSO-authenticated users. For LDAP-synced users, only the session timeouts apply.

Assign a Credential Policy to a User

In general, a user inherits a credential policy from the nearest hierarchy node at or above the user's location that has a default credential policy set. However, you can explicitly assign a credential policy to a user.

Procedure

  1. Log in as provider, reseller, or customer administrator.

  2. Choose User Management > Users.

  3. Click the user that you want to assign a credential policy to.

  4. Click the Account Information tab.

  5. From the Credential Policy drop-down, choose a credential policy to assign.

    The menu contains all the credential policies available at or above the user's node in the hierarchy.

  6. Click Save.

Note

If a user is signed in when the credential policy is changed, changes are not applied until the user signs out and signs in again.

Assign a Credential Policy to an Administrator

In general, an administrator will inherit a credential policy from the nearest hierarchy node at or above the administrator's location that has a default credential policy set. However, you can explicitly assign a credential policy to an administrator.

Procedure

  1. Log in as provider, reseller, or customer administrator.

  2. Choose User Management > Admins.

  3. Click the administrator that you want to assign a credential policy to.

  4. Click the Account Information tab.

  5. From the Credential Policy drop-down, choose a credential policy to assign.

    The menu contains all the credential policies available at or above the administrator's node in the hierarchy.

  6. Click Save.

Note

If an administrator is already logged on when the credential policy is changed, changes do not take effect until the administrator logs out and logs on again.

Defines the rules that govern management of user credentials.

Model Details: data/CredentialPolicy

Name *
  Credential policy name.
  • Field Name: name
  • Type: String

Idle Session Timeout (minutes)
  The number of minutes a session remains active when there is no activity in the session. Default: 20
  • Field Name: idle_session_timeout
  • Type: Integer
  • Minimum: 1
  • Maximum: 525600
  • Default: 20

Absolute Session Timeout (minutes)
  The maximum number of minutes a session can be active. A value of 0 disables the absolute session timeout. Default: 1440
  • Field Name: absolute_session_timeout
  • Type: Integer
  • Maximum: 525600
  • Default: 1440

Password Expires (months) *
  The interval at which the password expires, in months. Default: 6
  • Field Name: password_expires
  • Type: String
  • Default: 6
  • Choices: ["Never Expire", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"]

User Must Change Password on First Login
  Forces users to change their password on first login.
  • Field Name: change_password_on_first_login
  • Type: Boolean

Lock Duration (minutes)
  The number of minutes a user account is locked after the failed password attempts reach the threshold. Default: 30
  • Field Name: failed_login_lock_duration
  • Type: Integer
  • Default: 30

Disable Failed Login Limiting per User
  Disables failed login limiting per user.
  • Field Name: disable_failed_login_limiting_per_user
  • Type: Boolean

Disable Failed Login User Account
  When enabled, the user account is disabled if the number of failed login attempts reaches 'Failed Login Count per User' within 'Reset Failed Login Count per User (minutes)'. This field is disabled by default.
  • Field Name: disable_failed_login_user_account
  • Type: Boolean

Failed Login Count per User
  The maximum number of failed login attempts for a given user; also referred to as the burst size. Default: 20
  • Field Name: failed_login_count_per_user
  • Type: Integer
  • Default: 20

Reset Failed Login Count per User (minutes)
  The number of minutes before the failed login counter for a given user is reset. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 5
  • Field Name: reset_failed_login_count_per_user
  • Type: Integer
  • Default: 5

Disable Failed Login Limiting per Source
  Disables failed login limiting per source.
  • Field Name: disable_failed_login_limiting_per_source
  • Type: Boolean

Failed Login Count per Source
  The maximum number of failed login attempts for a given source IP address; also referred to as the burst size. Default: 10
  • Field Name: failed_login_count_per_source
  • Type: Integer
  • Default: 10

Reset Failed Login Count per Source (minutes)
  The number of minutes before the failed login counter for a given source is reset. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 10
  • Field Name: reset_failed_login_count_per_source
  • Type: Integer
  • Default: 10

Number of Questions Asked During Password Reset
  The number of questions asked during a password reset. If custom questions are not allowed, this must be less than or equal to the number of entries in the Password Reset Question Pool.
  • Field Name: password_reset_questions_number
  • Type: Integer

Password Reset Question Pool
  The list of questions from which password reset questions are drawn.
  • Field Name: password_reset_questions.[n]
  • Type: Array

Password Reuse Time Limit
  The period (in days) from the time of creation during which a password cannot be reused. Only values between 0 and 365 (inclusive) are allowed; a value of 0 means the password reuse time limit does not apply. Default: 15
  • Field Name: password_reuse_time_limit
  • Type: Integer
  • Maximum: 365
  • Default: 15

Minimum Password Length
  The minimum password length, in characters. Default: 8
  • Field Name: minimum_password_length
  • Type: Integer
  • Minimum: 8
  • Default: 8

Enable Password Complexity Validation
  Enables password complexity validation. Defaults to False. When set to True, passwords are validated against the password complexity rules.
  • Field Name: enable_password_complexity_validation
  • Type: Boolean

Inactive days before disabling user account
  The number of days a user can be inactive before the account is disabled. With a value of 0 no checks are done.
  • Field Name: inactive_days_before_disabling_user
  • Type: Integer
  • Maximum: 100000

Session Login Limit Per User
  The maximum number of concurrent login sessions permitted for a user. A value of 0 means user login sessions are not restricted.
  • Field Name: session_login_limit_per_user
  • Type: Integer

Number of Different Password Characters
  The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords.
  • Field Name: num_different_password_characters
  • Type: Integer

Minimum Password Age (days)
  The number of days within which a user cannot change their password. A value of 0 disables password age validation; otherwise the minimum value is 1 day and the maximum is 365 days.
  • Field Name: minimum_password_age
  • Type: Integer
  • Maximum: 365
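Several of the password fields above only make sense together at the moment a user changes a password: Minimum Password Length, Number of Different Password Characters (the minimum number of inserts, removals or replacements, which is an edit distance between old and new), Minimum Password Age and Password Reuse Time Limit. The Python below is an added example of how such a change check reads, not VOSS-4-UC code. The page gives no defaults for Number of Different Password Characters or Minimum Password Age, so the example picks 3 and 1 for them (constructed values); previous passwords are kept as SHA-256 digests purely to keep the example self-contained (a real store uses a password hashing function); and the sample history, day numbers and passwords are made up. Password expiry and the complexity rules themselves are not spelled out on the page and are left out.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    # Field names as in data/CredentialPolicy; defaults taken from the model where the page gives one.
    minimum_password_length: int = 8
    num_different_password_characters: int = 3  # no default on the page; 3 chosen for this example
    minimum_password_age: int = 1               # days; no default on the page; 0 disables the check
    password_reuse_time_limit: int = 15         # days from creation; 0 disables the check


@dataclass
class PasswordRecord:
    digest: str       # digest of a password the user has had (SHA-256 here, for illustration only)
    created_day: int  # day number on which that password was set


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of inserts, removals and replacements turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def validate_password_change(policy: PasswordPolicy, old_password: str, new_password: str,
                             history: List[PasswordRecord], today: int) -> List[str]:
    """Return the list of policy violations for a proposed change (empty list = allowed).
    `history` holds the user's passwords oldest first, the current one last; `today` is a day number."""
    problems = []
    if len(new_password) < policy.minimum_password_length:
        problems.append(f"shorter than minimum length {policy.minimum_password_length}")
    changes = edit_distance(old_password, new_password)
    if changes < policy.num_different_password_characters:
        problems.append(f"only {changes} character change(s); policy requires "
                        f"{policy.num_different_password_characters}")
    if history and policy.minimum_password_age:
        age = today - history[-1].created_day
        if age < policy.minimum_password_age:
            problems.append(f"current password is {age} day(s) old; minimum age is {policy.minimum_password_age}")
    if policy.password_reuse_time_limit:
        new_digest = _digest(new_password)
        for rec in history:
            if rec.digest == new_digest and today - rec.created_day < policy.password_reuse_time_limit:
                problems.append("password was used within the reuse time limit")
                break
    return problems


# Constructed sample: three passwords set on days 80, 92 and 95; the last one is current.
HISTORY = [
    PasswordRecord(_digest("Autumn-Leaves-2019"), 80),
    PasswordRecord(_digest("Spring-Bloom-2020"), 92),
    PasswordRecord(_digest("Winter-Frost-2020"), 95),
]
CURRENT_PASSWORD = "Winter-Frost-2020"

if __name__ == "__main__":
    for candidate in ("short1", "Winter-Frost-2021", "Spring-Bloom-2020", "Autumn-Leaves-2019"):
        print(candidate, validate_password_change(PasswordPolicy(), CURRENT_PASSWORD, candidate, HISTORY, 100))
```

On day 100 the candidate "Autumn-Leaves-2019" is accepted because it was set 20 days ago, outside the 15-day reuse window, whereas "Spring-Bloom-2020" (set 8 days ago) is refused; "Winter-Frost-2021" fails only the character-change rule, since it is one replacement away from the current password. Because the check reports every violation rather than the first one, a user fixing a rejected password sees all the rules at once.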