.. _deploy_a_customized_credential_policy:

Customized Credential Policy
----------------------------

.. _18.1-Patch-Bundle-3|EKB-555:

.. _21.3|EKB-4773:

A default credential policy called HcsCredentialPolicy ships with VOSS Automate. However, you can deploy a customized credential policy at a provider, reseller, or customer hierarchy node. When you set a customized credential policy as the default credential policy at a hierarchy node, all users and admins at or below that hierarchy node are subject to the customized credential policy, except for any users or admins that are explicitly assigned a different credential policy.

Credential Policy Inheritance
.............................

Unless explicitly assigned a credential policy, users and admins are subject to the default credential policy set at a hierarchy node at or above their location. The default credential policy of the hierarchy node closest to the user or admin location is used. If no customized credential policies are deployed, all users and admins are subject to the HcsCredentialPolicy credential policy, which is the default credential policy at the sys.hcs level.

Deploy a Customized Credential Policy
.....................................

1. Log in as provider, reseller, or customer administrator.

2. Set the hierarchy path to the node where you want to deploy a customized credential policy.

3. Choose **Role Management > Credential Policy**.

4. Either clone the HcsCredentialPolicy credential policy, or add a new credential policy:

   * To clone the HcsCredentialPolicy policy, click **HcsCredentialPolicy**, then click **Action > Clone**.
   * To add a new credential policy, click **Add**. The credential policy settings default to the settings for HcsCredentialPolicy.

5. Provide a name for the credential policy.

6. Modify the credential policy settings as needed.

   .. tabularcolumns:: |p{4cm}|p{11cm}|

   +------------------------+--------------------------------------------+
   | Field                  | Description                                |
   +========================+============================================+
   | Idle Session Timeout   | The number of minutes a user session can   |
   |                        | be idle before being automatically logged  |
   |                        | off. The minimum setting is 1 minute and   |
   |                        | the maximum is 525600 minutes (365 days).  |
   |                        | The default is 20 minutes.                 |
   +------------------------+--------------------------------------------+
   | Absolute Session       | The number of consecutive minutes a user   |
   | Timeout                | can be logged in, regardless of session    |
   |                        | activity, before being automatically       |
   |                        | logged off. A value of 0 disables          |
   |                        | absolute session timeout. The maximum is   |
   |                        | 525600 minutes (365 days). The default is  |
   |                        | 1440 minutes (24 hours).                   |
   +------------------------+--------------------------------------------+
   | Password Expires       | The number of months that can elapse       |
   |                        | between password resets. The default is 6  |
   |                        | months.                                    |
   +------------------------+--------------------------------------------+
   | User Must Change       | Select this check box to force users to    |
   | Password on First      | change their password on initial login.    |
   | Login                  | Default = clear.                           |
   +------------------------+--------------------------------------------+
   | Lock Duration          | The number of minutes a lock is held when  |
   |                        | a user is locked out. The default is 30    |
   |                        | minutes.                                   |
   +------------------------+--------------------------------------------+
   | Disable Failed Login   | Select this check box to not limit the     |
   | Limiting per User      | number of times a user can fail to log in  |
   |                        | before the account is locked.              |
   |                        |                                            |
   |                        | Default = clear.                           |
   +------------------------+--------------------------------------------+
   | Failed Login Count per | Selecting this check box results in the    |
   | User                   | user account being disabled if the failed  |
   |                        | login attempts reach 'Failed Login Count   |
   |                        | per User' within 'Reset Failed Login       |
   |                        | Count per User (minutes)'. This field is   |
   |                        | clear by default.                          |
   +------------------------+--------------------------------------------+
   | Reset Failed Login     | After this number of minutes from the      |
   | Count per User         | last login attempt, the failed login       |
   |                        | count is reset to 0. The default is 5      |
   |                        | minutes.                                   |
   +------------------------+--------------------------------------------+
   | Disable Failed Login   | Clear this check box to limit the number   |
   | Limiting per Source    | of times any user from the same IP address |
   |                        | can fail to log in before the account is   |
   |                        | locked.                                    |
   |                        |                                            |
   |                        | Note:                                      |
   |                        |                                            |
   |                        | On Provider HCFM and Provider Decoupled    |
   |                        | deployments, the default is to disable the |
   |                        | limit (checked).                           |
   |                        |                                            |
   |                        | On Enterprise deployments, the default is  |
   |                        | to enable the limit (un-checked).          |
   |                        |                                            |
   |                        | Do not enable source login rate limiting   |
   |                        | for a credential policy that will apply    |
   |                        | to Self Service users. A separate          |
   |                        | credential policy is recommended for       |
   |                        | administrators and users that do not use   |
   |                        | Self Service if source login rate          |
   |                        | limiting is required.                      |
   +------------------------+--------------------------------------------+
   | Failed Login Count per | If source login rate limiting is enabled,  |
   | Source                 | enter the number of times any user from    |
   |                        | the same IP address can fail to log in     |
   |                        | before the IP address is blocked. The      |
   |                        | default is 10 times.                       |
   +------------------------+--------------------------------------------+
   | Reset Failed Login     | If source login rate limiting is enabled,  |
   | Count per Source       | this value is the number of minutes from   |
   |                        | the last login attempt from the IP         |
   |                        | address after which the failed login       |
   |                        | count is reset to 0. The default is 10     |
   |                        | minutes.                                   |
   +------------------------+--------------------------------------------+

   .. tabularcolumns:: |p{2.5cm}|p{11.5cm}|

   +------------------------+--------------------------------------------+
   | Field                  | Description                                |
   +========================+============================================+
   | Number of Questions    | Enter the number of security questions     |
   | Asked During Password  | users or admins must answer when           |
   | Reset                  | resetting their own password with the      |
   |                        | **Forgot Password** link. The default is   |
   |                        | 3.                                         |
   +------------------------+--------------------------------------------+
   | Password Reset         | Contains a list of possible security       |
   | Question Pool          | questions that users or admins must        |
   |                        | answer when resetting their own password   |
   |                        | with the **Forgot Password** link.         |
   +------------------------+--------------------------------------------+
   | Password Reuse Time    | The number of days from the date the       |
   | Limit                  | password was created that the password     |
   |                        | cannot be reused. The valid range is       |
   |                        | 0-365 days. The default is 15 days.        |
   |                        | Setting it to 0 disables the reuse time    |
   |                        | limit.                                     |
   +------------------------+--------------------------------------------+
   | Minimum Password       | The minimum length of a password in        |
   | Length                 | characters. The minimum allowed value is   |
   |                        | 8. The default is 8.                       |
   +------------------------+--------------------------------------------+
   | Enable Password        | Select this check box to enable the rule   |
   | Complexity Validation  | on how complex a password must be.         |
   |                        |                                            |
   |                        | The complexity rule requires a password    |
   |                        | to contain at least one of each of the     |
   |                        | following:                                 |
   |                        |                                            |
   |                        | * Uppercase letter                         |
   |                        | * Lowercase letter                         |
   |                        | * Digit                                    |
   |                        | * Special character (see below)            |
   +------------------------+--------------------------------------------+
   | Inactive Days Before   | The number of days users or admins can go  |
   | Disabling User Account | between logging in without having their    |
   |                        | account disabled. Setting it to 0 disables |
   |                        | the inactive time limit. The default is 0. |
   +------------------------+--------------------------------------------+
   | Session Login Limit    | The number of concurrent login sessions    |
   | Per User               | a user may have. Setting it to 0 disables  |
   |                        | the session login limit. The default is 0. |
   |                        |                                            |
   |                        | If the session limit value is set to 1 or  |
   |                        | more and the user exceeds the session      |
   |                        | limit when starting a new session, the     |
   |                        | oldest login session is disconnected.      |
   +------------------------+--------------------------------------------+
   | Number of Different    | The minimum number of character changes    |
   | Password Character     | (inserts, removals, or replacements)       |
   |                        | required between the old and new           |
   |                        | passwords.                                 |
   +------------------------+--------------------------------------------+
   | Minimum Password Age   | The number of days within which a user     |
   |                        | cannot change their password. A zero (0)   |
   |                        | value means that password age validation   |
   |                        | is disabled. The minimum value is 1 day    |
   |                        | and the maximum is 365 days.               |
   +------------------------+--------------------------------------------+

   Acceptable special characters are::

      ` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } | \ : ; ' " , < . > / ?

   .. note::

      It is recommended that a customized credential policy only be made more restrictive than HcsCredentialPolicy, so that the resulting policy is not less secure than the default.

7. Click **Save**.

   .. note::

      If a user is already logged in when the credential policy is changed, the changes do not take effect until the user logs out and logs in again.

8. Choose **Role Management > Default Credential Policy**.

9. Provide a name for the Default Credential Policy at this hierarchy node.

10. From the **Credential Policy** drop-down, choose the credential policy you just cloned or added.

11. Click **Save**.

Every user and administrator at or below the hierarchy node is now subject to the default credential policy, unless the user or administrator was explicitly assigned a different credential policy.

.. note::

   When a timeout limit is reached, the Admin Portal displays a timeout limit notification; see :ref:`timeout_limit_notifications`.
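The inheritance rules in *Credential Policy Inheritance* (an explicit assignment wins, otherwise the default policy at the closest hierarchy node at or above the user's location, falling back to HcsCredentialPolicy at sys.hcs) can be expressed as a short resolver. The following is an added example, not VOSS Automate code; the hierarchy paths and policy names are constructed, and the dotted-path representation of hierarchy nodes is an assumption made for the example.

```python
"""Added example: resolve which credential policy applies to a user or admin.
Illustrative code, not part of VOSS Automate. Hierarchy nodes are represented as
dotted paths below 'sys.hcs' (an assumption made for the example)."""
from typing import Dict, Iterator, Optional, Tuple

ROOT_NODE = "sys.hcs"
BUILTIN_POLICY = "HcsCredentialPolicy"   # default policy at the sys.hcs level


def ancestors(node: str) -> Iterator[str]:
    """Yield the node itself, then each parent, ending at 'sys.hcs'."""
    parts = node.split(".")
    while len(parts) >= 2:               # 'sys' alone carries no policy
        yield ".".join(parts)
        parts.pop()


def resolve_policy(location: str,
                   default_policies: Dict[str, str],
                   explicit_assignment: Optional[str] = None) -> Tuple[str, str]:
    """Return (policy name, reason).

    default_policies maps a hierarchy node to the Default Credential Policy
    configured there; explicit_assignment is a policy assigned directly to the
    user or admin, which overrides inheritance."""
    if explicit_assignment:
        return explicit_assignment, "explicitly assigned"
    for node in ancestors(location):     # closest node first
        if node in default_policies:
            return default_policies[node], f"default at {node}"
    return BUILTIN_POLICY, f"default at {ROOT_NODE}"


# Constructed sample deployment: a provider-level and a customer-level default.
SAMPLE_DEFAULTS = {
    "sys.hcs.ProvA": "ProvAPolicy",
    "sys.hcs.ProvA.CustX": "CustXPolicy",
}

if __name__ == "__main__":
    for loc in ("sys.hcs.ProvA.CustX.SiteY", "sys.hcs.ProvA.CustZ", "sys.hcs.ProvB.CustQ"):
        print(loc, "->", resolve_policy(loc, SAMPLE_DEFAULTS))
```

A site under CustX inherits CustXPolicy rather than ProvAPolicy because CustX is the closer node; a customer under a provider with no customized policy falls through to HcsCredentialPolicy.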
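The password rules in the second table (Minimum Password Length, the complexity rule with the acceptable special characters, Number of Different Password Character, Minimum Password Age and Password Reuse Time Limit) combine into one validation step when a user changes a password. The following is an added example, not VOSS Automate's implementation: the policy field names mirror the table, the value 3 for the number of different characters is an assumption (the page gives no default), and "character changes" is computed as edit distance (inserts, removals, replacements).

```python
"""Added example: validate a proposed password against the credential-policy rules.
Illustrative code, not VOSS Automate's implementation."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The acceptable special characters listed on the page.
SPECIAL_CHARS = set("`~!@#$%^&*()-_=+[{]}|\\:;'\",<.>/?")


@dataclass
class PasswordPolicy:
    minimum_password_length: int = 8                   # page default: 8
    enable_password_complexity_validation: bool = True
    number_of_different_password_characters: int = 3   # assumed; the page states no default
    minimum_password_age_days: int = 0                 # 0 disables the check
    password_reuse_time_limit_days: int = 15           # page default: 15; 0 disables


def levenshtein(a: str, b: str) -> int:
    """Minimum number of inserts, removals or replacements that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # remove ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # replace ca with cb
        prev = cur
    return prev[-1]


def complexity_failures(pw: str) -> List[str]:
    """Which of the four required character classes are missing."""
    checks = [
        ("uppercase letter", any(c.isupper() for c in pw)),
        ("lowercase letter", any(c.islower() for c in pw)),
        ("digit", any(c.isdigit() for c in pw)),
        ("special character", any(c in SPECIAL_CHARS for c in pw)),
    ]
    return [f"missing {name}" for name, ok in checks if not ok]


def validate_new_password(policy: PasswordPolicy, old_password: Optional[str],
                          new_password: str, last_changed: Optional[date],
                          today: date, history: List[Tuple[str, date]]) -> List[str]:
    """Return the list of rule violations (empty means the password is accepted).

    history holds (password, created) pairs for earlier passwords; a real system
    would compare against stored hashes rather than plaintext."""
    problems = []
    if len(new_password) < policy.minimum_password_length:
        problems.append(f"shorter than {policy.minimum_password_length} characters")
    if policy.enable_password_complexity_validation:
        problems.extend(complexity_failures(new_password))
    if policy.minimum_password_age_days and last_changed is not None:
        if today - last_changed < timedelta(days=policy.minimum_password_age_days):
            problems.append("changed too recently (minimum password age)")
    if old_password is not None:
        changes = levenshtein(old_password, new_password)
        if changes < policy.number_of_different_password_characters:
            problems.append(f"only {changes} character change(s) from the old password")
    if policy.password_reuse_time_limit_days:
        limit = timedelta(days=policy.password_reuse_time_limit_days)
        if any(pw == new_password and today - created < limit for pw, created in history):
            problems.append("reused within the password reuse time limit")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario exercising each rule; passwords and dates are made up."""
    aged = PasswordPolicy(minimum_password_age_days=7)
    today = date(2024, 1, 20)
    return {
        "too_short": validate_new_password(aged, None, "Short1!", None, today, []),
        "no_complexity": validate_new_password(aged, None, "password", None, today, []),
        "too_similar": validate_new_password(PasswordPolicy(), "Str0ng!Pass", "Str0ng!Pass1",
                                             None, today, []),
        "too_young": validate_new_password(aged, "Str0ng!Pass", "N3w!Secret42",
                                           date(2024, 1, 15), today, []),
        "reused": validate_new_password(PasswordPolicy(), "Str0ng!Pass", "N3w!Secret42", None,
                                        today, [("N3w!Secret42", date(2024, 1, 10))]),
        "accepted": validate_new_password(aged, "Str0ng!Pass", "N3w!Secret42", date(2024, 1, 1),
                                          today, [("N3w!Secret42", date(2023, 12, 1))]),
    }
```

Each rule reports its own violation so the user sees every reason at once; the reuse check passes once the stored password is older than the reuse time limit, matching the "days from the date the password was created" wording in the table.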
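The failed-login fields in the first table describe two independent counters: one per user and one per source IP address, each with its own count limit and reset window, and a shared Lock Duration applied once a limit is reached. The following is an added example that models those semantics, not VOSS Automate's implementation; the per-user count of 5 (the page states no default), clearing the user counter on a successful login, and starting a fresh window when a lock expires are assumptions, and the users, addresses and timestamps are constructed.

```python
"""Added example: per-user and per-source failed-login limiting with reset windows.
Illustrative code, not VOSS Automate's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    lock_duration_minutes: int = 30                         # page default: 30
    disable_failed_login_limiting_per_user: bool = False    # page default: clear
    failed_login_count_per_user: int = 5                    # assumed; page states no default
    reset_failed_login_count_per_user_minutes: int = 5      # page default: 5
    disable_failed_login_limiting_per_source: bool = False  # Enterprise default (un-checked)
    failed_login_count_per_source: int = 10                 # page default: 10
    reset_failed_login_count_per_source_minutes: int = 10   # page default: 10


@dataclass
class Counter:
    failures: int = 0
    last_attempt: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LoginLimiter:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, Counter] = {}
        self.sources: Dict[str, Counter] = {}

    def _is_locked(self, c: Counter, now: datetime, reset_minutes: int) -> bool:
        """True while a lock is held; otherwise expire a stale count first."""
        if c.locked_until is not None and now < c.locked_until:
            return True
        c.locked_until = None
        if c.last_attempt is not None and now - c.last_attempt >= timedelta(minutes=reset_minutes):
            c.failures = 0          # reset window elapsed since the last attempt
        return False

    def _record_failure(self, c: Counter, now: datetime, limit: int) -> None:
        c.failures += 1
        c.last_attempt = now
        if c.failures >= limit:
            c.locked_until = now + timedelta(minutes=self.policy.lock_duration_minutes)
            c.failures = 0          # assumption: a fresh window starts when the lock expires

    def attempt(self, user: str, source: str, now: datetime, password_ok: bool) -> str:
        """Returns 'ok', 'denied', 'user_locked' or 'source_blocked'."""
        p = self.policy
        u = self.users.setdefault(user, Counter())
        s = self.sources.setdefault(source, Counter())
        if (not p.disable_failed_login_limiting_per_source
                and self._is_locked(s, now, p.reset_failed_login_count_per_source_minutes)):
            return "source_blocked"
        if (not p.disable_failed_login_limiting_per_user
                and self._is_locked(u, now, p.reset_failed_login_count_per_user_minutes)):
            return "user_locked"
        if password_ok:
            u.failures, u.last_attempt = 0, now   # assumption: success clears the user count
            return "ok"
        if not p.disable_failed_login_limiting_per_user:
            self._record_failure(u, now, p.failed_login_count_per_user)
        if not p.disable_failed_login_limiting_per_source:
            self._record_failure(s, now, p.failed_login_count_per_source)
        return "denied"


def simulate() -> Dict[str, object]:
    """Constructed sequence of attempts (users, addresses and times are made up)."""
    lim = LoginLimiter(LockoutPolicy())
    t0 = datetime(2024, 1, 1, 9, 0)
    at = lambda m: t0 + timedelta(minutes=m)
    out = [lim.attempt("alice", "10.0.0.1", at(m), False) for m in range(5)]  # 5 failures
    out.append(lim.attempt("alice", "10.0.0.1", at(5), True))   # right password, but locked
    out += [lim.attempt("bob", "10.0.0.1", at(5 + m), False) for m in range(5)]  # source hits 10
    out.append(lim.attempt("carol", "10.0.0.1", at(10), True))  # blocked by the source limit
    out.append(lim.attempt("carol", "10.0.0.2", at(10), True))  # another address is fine
    out.append(lim.attempt("alice", "10.0.0.1", at(40), True))  # both locks have expired
    # Reset window: three failures, then one more after the 5-minute window has passed.
    for m in (0, 1, 2, 8):
        lim.attempt("dave", "10.0.0.3", at(60 + m), False)
    return {"outcomes": out, "dave_failures": lim.users["dave"].failures}
```

The source check runs before the user check, so a blocked address is refused even when the credentials are correct; this is also why the table warns against enabling source limiting for a policy that applies to Self Service users, where many users may share one address.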