.. _credential_policies:

Credential Policies
-------------------

VOSS-4-UC helps secure user accounts by authenticating user sign-in credentials
before allowing system access. Administrators can specify settings such as
failed sign-in attempts, lockout durations, and password reset questions.
The number of questions in the Password Reset Question Pool must be
equal to or greater than the number set in the Number of Questions Asked During
Password Reset field. Collectively, these rules form a credential policy, which
can be applied at any hierarchy level and determines user sign-in behavior at
that specific level.

A credential policy is not mandatory at specific levels in the hierarchy.
However, a default credential policy is provided at the sys.hcs level.
Administrators at lower levels can copy and edit this default policy if
necessary. Administrators can also save it at their own hierarchy level so
that it can be applied to the associated users at that level. If the
administrators at the various levels do not create a credential policy at
their level, it is inherited from the closest level above them. If a
Provider Administrator has defined a credential policy, but a Customer
Administrator has not, the customer automatically inherits the credential
policy from the Provider. A different credential policy can also be
defined for each user.

For each administrator user where IP address throttling (sign-in Limiting
per Source) is required, manually create and assign a credential policy.
The credential policy must have both IP address throttling and username and
email throttling enabled.

The default credential policy is defined at the sys.hcs level.

.. note::
   
   Credential policies are not applicable to SSO-authenticated users.
   For LDAP-synced users, only the session timeouts are applicable.
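
The inheritance, password reset question, and throttling rules above can be checked against an exported list of policies and users. The following Python is an added example, not VOSS-4-UC code or its API; the field names, the dotted hierarchy paths below sys.hcs, and the sample data are assumptions.

```python
# Added illustration: a simplified model, not the VOSS-4-UC data model or API.
# All field names and dotted hierarchy paths below are assumptions.

def effective_policy(user, level_policies):
    """Return (policy, source) that governs a user's sign-in behaviour."""
    if user["auth"] == "sso":
        return None, "n/a (SSO)"  # credential policies do not apply to SSO users
    policy, source, level = user.get("policy"), "user", user["hierarchy"]
    while policy is None:  # no per-user policy: walk up to the closest level that has one
        if level in level_policies:
            policy, source = level_policies[level], level
        elif "." in level:
            level = level.rsplit(".", 1)[0]
        else:
            raise LookupError(f"no credential policy at or above {user['hierarchy']}")
    if user["auth"] == "ldap":  # LDAP-synced users: only session timeouts apply
        policy = {k: v for k, v in policy.items() if k.startswith("session_")}
    return policy, source

def audit(users, level_policies):
    """List policies and administrators that break the rules described above."""
    findings = []
    candidates = {**level_policies,
                  **{f"user:{u['name']}": u["policy"] for u in users if u.get("policy")}}
    for where, p in candidates.items():
        if len(p["reset_question_pool"]) < p["questions_asked_on_reset"]:
            findings.append(f"{where}: question pool smaller than questions asked")
    for u in users:
        policy, source = effective_policy(u, level_policies)
        if u.get("needs_ip_throttling") and not (
                policy and policy.get("ip_throttling") and policy.get("user_email_throttling")):
            findings.append(f"{u['name']}: throttling not enforced (policy from {source})")
    return findings

# Constructed sample data.
BASE = {"reset_question_pool": ["q1", "q2", "q3"], "questions_asked_on_reset": 2,
        "ip_throttling": False, "user_email_throttling": False, "session_idle_timeout_min": 20}
LEVELS = {"sys.hcs": BASE, "sys.hcs.ProviderA": {**BASE, "questions_asked_on_reset": 4}}
USERS = [
    {"name": "cust_admin", "auth": "local", "hierarchy": "sys.hcs.ProviderA.CustomerX",
     "needs_ip_throttling": True},
    {"name": "prov_admin", "auth": "local", "hierarchy": "sys.hcs.ProviderA",
     "needs_ip_throttling": True,
     "policy": {**BASE, "ip_throttling": True, "user_email_throttling": True}},
    {"name": "ldap_user", "auth": "ldap", "hierarchy": "sys.hcs.ProviderB.CustomerY"},
]

if __name__ == "__main__":
    print("\n".join(audit(USERS, LEVELS)))
```

With the sample data, the customer administrator inherits the Provider policy, so the audit reports both the undersized question pool on that policy and the missing throttling for that administrator.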