Customized Credential Policy

A default credential policy called HcsCredentialPolicy ships with VOSS Automate. However, you can deploy a customized credential policy at a provider, reseller, or customer hierarchy node.

When you set a customized credential policy as the default credential policy at a hierarchy node, all users and admins at or below that hierarchy node are subject to the customized credential policy, except for any users or admins that are explicitly assigned a different credential policy.

Credential Policy Inheritance

Unless explicitly assigned a credential policy, users and admins are subject to the default credential policy set at a hierarchy node at or above their location. The default credential policy for the hierarchy node closest to the user or admin location is used. If no customized credential policies are deployed, all users and admins are subject to the HcsCredentialPolicy credential policy, which is the default credential policy at the sys.hcs level.

Deploy a Customized Credential Policy

  1. Log in as provider, reseller, or customer administrator.

  2. Set the hierarchy path to the node where you want to deploy a customized credential policy.

  3. Choose Role Management > Credential Policy.

  4. Either clone the HcsCredentialPolicy credential policy, or add a new credential policy:

    • To clone the HcsCredentialPolicy policy, click HcsCredentialPolicy, then click Action > Clone.

    • To add a new credential policy, click Add. The credential policy settings default to the settings for HcsCredentialPolicy.

  5. Provide a name for the credential policy.

  6. Modify the credential policy settings as needed.

Field

Description

Idle Session Timeout

The number of minutes a user session can be idle before being automatically logged off. The minimum setting is 1 minute and the maximum is 525600 minutes (365 days). The default is 20 minutes.

Absolute Session Timeout

The number of consecutive minutes a user can be logged in, regardless of session activity, before being automatically logged off. A value of 0 disables absolute session timeout. The maximum is 525600 minutes (365 days). The default is 1440 minutes (24 hours).

Password Expires

The number of months that can elapse between password resets. The default is 6 months.

User Must Change Password on First Login

Select this check box to force users to change their password on initial login. Default = clear.

Lock Duration

The number of minutes a lock will be held when user is locked out. The default is 30 minutes.

Disable Failed Login Limiting per User

Select this check box to not limit the number of times a user can fail to log in before the account is locked. Default = clear

Failed Login Count per User

Selecting this check box will result in user account being disabled if failed login attempt reaches ‘Failed Login Count per User’ within ‘Reset Failed Login Count per User (minutes)’. This field is clear by default.

Reset Failed Login Count per User

After this number of minutes from the last login attempt, the failed login count is reset to 0. The default is 5 minutes.

Disable Failed Login Limiting per Source

Clear this check box to limit the number of times any user from the same IP address can fail to log in before the account is locked. The default is to disable the limit.

Note:

Do not enable source login rate limiting for a credential policy that will apply to Self Service users. A separate credential policy is recommended for administrators and users that do not use Self Service if source login rate limiting is required.

Failed Login Count per Source

If source login rate limiting is enabled, enter the number of times any user from the same IP address can fail to log in before the IP address is blocked. The default is 10 times.

Reset Failed Login Count per Source

If source login rate limiting is enabled, this value is the number of minutes from the last login attempt from the IP address after which the failed login count is reset to 0. The default is 10 minutes.

Field

Description

Number of Questions Asked During Password Reset

Enter the number of security questions users or admins must answer when resetting their own password with the Forgot Password link. The default is 3.

Password Reset Question Pool

Contains a list of possible security questions that users or admins must answer when resetting their own password with the Forgot Password link.

Password Reuse Time Limit

The number of days from the date the password was created that the password cannot be reused. The valid range is 0-365 days. The default is 15 days. Setting it to 0 disables the reuse time limit.

Minimum Password Length

The minimum length of a password in characters. The minimum allowed value is 8. The default is 8.

Enable Password Complexity Validation

Select this check box to enable the rule on how complex a password must be.

The complexity rule requires a password to contain at least one of each of the following:

  • Uppercase letter

  • Lowercase letter

  • Digit

  • Special character (see below)

Inactive Days Before Disabling User Account

The number of days users or admins can go between logging in without having their account disabled. Setting it to 0 disables the inactive time limit. The default is 0.

Session Login Limit Per User

The number of concurrent login sessions a user may have. Setting it to 0 disables the session login limit. The default is 0.

If the session limit value is set to 1 or more and the user exceeds the session limit when starting a new session, the oldest login session will be disconnected.

Number of Different Password Character

The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords.

Minimum Password Age

The number of days within which a user cannot change their password. A zero (0) value means that password age validation is disabled. The minimum value is 1 day and the maximum is 365 days.

Acceptable special characters are:

` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } | \\ : ; ' " , < . > / ?

Note

It is recommended that you make a credential policy only more restrictive than HcsCredentialPolicy in order to not have a policy that is too insecure.

  1. Click Save.

    Note

    If a user is already logged in when the credential policy is changed, changes do not take effect until the user logs out and logs in again.

  2. Choose Role Management > Default Credential Policy.

  3. Provide a name for the Default Credential Policy at this hierarchy node.

  4. From the Credential Policy drop-down, choose the credential policy you just cloned or added.

  5. Click Save.

    Every user and administrator at or below the hierarchy node is now subject to the default credential policy, unless the user or administrator was explicitly assigned a different credential policy.

Note

Timeout limits will initiate the display of timeout limit notifications in the Admin Portal - see: Timeout Limit Notifications.