Credential policies are sets of rules that define user sign-in behavior at various levels of the hierarchy. For example, to facilitate user account security, VOSS Automate authenticates user sign-in credentials before allowing access to the system. Additionally, administrators can configure settings for events such as failed sign-in attempts and lockout duration.

Credential policies can be applied at any hierarchy level. A credential policy applied at a particular hierarchy defines allowed user sign-in behavior at that hierarchy.

While credential policies are not mandatory at specific hierarchy levels, a default credential policy is defined at the sys.hcs level.

Administrators at lower levels can copy and edit the default policy, if required, or they can save the default credential policy at their own hierarchy level so that it can be applied to users at that level.

If an administrator at a specific level of the hierarchy has not created a credential policy at their hierarchy level, the credential policy is inherited from the closest level above.

If a Provider administrator has defined a credential policy, but a Customer administrator has not defined a credential policy, the customer hierarchy automatically inherits the credential policy from the Provider level.

For each administrator user where IP address throttling (sign-in Limiting per Source) is required, a credential policy should be manually created and assigned. This credential policy must have an IP address, and username and email throttling enabled.

Credential policies are not applicable for SSO authenticated users. For LDAP synced users, only the session timeouts are applicable.

Assign a Credential Policy to a User

Typically, a user inherits a credential policy from the nearest hierarchy node, at or above their location, wherever a default credential policy is defined. However, you can explicitly assign a credential policy to a user.

Assign a Credential Policy to an Administrator

Typically, an administrator inherits a credential policy from the nearest hierarchy node at or above their location, wherever a default credential policy is defined. However, you can explicitly assign a credential policy to an administrator.

Model Details: data/CredentialPolicy

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title		Description	Details
Name *		Credential policy name.	Field Name: name Type: String
Idle Session Timeout (minutes)		Defines the number of minutes a session will remain active in case there is no activity in the session. Default: 20	Field Name: idle_session_timeout Type: Integer Minimum: 1 Maximum: 525600 Default: 20
Absolute Session Timeout (minutes)		Defines the maximum number of minutes a session can be active. A value of 0 disables absolute session timeout. Default: 1440	Field Name: absolute_session_timeout Type: Integer Maximum: 525600 Default: 1440
Password Expires (months) *		The interval at which the password expires, in months. Default: 6	Field Name: password_expires Type: String Default: 6 Choices: ["Never Expire", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"]
User Must Change Password on First Login		Indicates that users must be forced to change password on the first login	Field Name: change_password_on_first_login Type: Boolean
Lock Duration (minutes)		The number of minutes that a user account must be locked for after the failed password attempts have reached the threshold. Default: 30	Field Name: failed_login_lock_duration Type: Integer Default: 30
Disable Failed Login Limiting per User		Disable failed login limiting per user.	Field Name: disable_failed_login_limiting_per_user Type: Boolean
Disable Failed Login User Account		Enabling this field will result in user account being disabled if failed login attempt reaches 'Failed Login Count per User' within 'Reset Failed Login Count per User (minutes)'. This field is disabled by default.	Field Name: disable_failed_login_user_account Type: Boolean
Failed Login Count per User		The maximum number of failed login attempts for a given user. This is also referred to as the burst size. Default: 20	Field Name: failed_login_count_per_user Type: Integer Default: 20
Reset Failed Login Count per User (minutes)		The number of minutes before the counter is reset for failed login attempts for a given user. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 5	Field Name: reset_failed_login_count_per_user Type: Integer Default: 5
Disable Failed Login Limiting per Source		Disable failed login limiting per source.	Field Name: disable_failed_login_limiting_per_source Type: Boolean
Failed Login Count per Source		The maximum number of failed login attempts for a given source IP address. This is also referred to as the burst size. Default: 10	Field Name: failed_login_count_per_source Type: Integer Default: 10
Reset Failed Login Count per Source (minutes)		The number of minutes before the counter is reset for failed login attempts for a given source. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 10	Field Name: reset_failed_login_count_per_source Type: Integer Default: 10
Number of Questions Asked During Password Reset		Determines the number of questions asked during a password reset. The number should be less than or equal to number of entries in Reset Question Pool if custom question are not allowed	Field Name: password_reset_questions_number Type: Integer
	Password Reset Question Pool	List of question from which password reset questions are drawn.	Field Name: password_reset_questions.[n] Type: Array
Password Reuse Time Limit		Period (number of days) from time of creation for which a password can not be reused. Defaults to 15 days. Only values between 0-365 (inclusive) are allowed. A 0 (zero) value means that password reuse time limit does not apply. Default: 15	Field Name: password_reuse_time_limit Type: Integer Maximum: 365 Default: 15
Minimum Password Length		Minimum length (number of characters) for password. Default: 8	Field Name: minimum_password_length Type: Integer Minimum: 8 Default: 8
Enable Password Complexity Validation		Enable password complexity validation, defaults to False. When set to True, passwords shall be validated against the password complexity rules.	Field Name: enable_password_complexity_validation Type: Boolean
Inactive days before disabling user account		The number of days a user can be inactive before disabling the account. With a value of 0 no checks are done.	Field Name: inactive_days_before_disabling_user Type: Integer Maximum: 100000
Session Login Limit Per User		The maximum number of concurrent login sessions permitted for a user. A zero (0) value means that user login sessions should not be restricted.	Field Name: session_login_limit_per_user Type: Integer
Number of Different Password Characters		The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords.	Field Name: num_different_password_characters Type: Integer
Minimum Password Age (days)		The number of days within which a user cannot change their password. A zero (0) value means that password age validation is disabled. The minumum value is 1 day and the maximum is 365 days.	Field Name: minimum_password_age Type: Integer Maximum: 365

Model: data/CredentialPolicy

Credential Policy

Assign a Credential Policy to a User

Assign a Credential Policy to an Administrator

Model Details: data/CredentialPolicy