Overview
Credential policies are sets of rules that define user sign-in behavior at various levels of the hierarchy. For example, to facilitate user account security, VOSS Automate authenticates user sign-in credentials before allowing access to the system. Additionally, administrators can configure settings for events such as failed sign-in attempts and lockout duration.
Credential policies can be applied at any hierarchy level. A credential policy applied at a particular hierarchy defines allowed user sign-in behavior at that hierarchy.
Default Credential Policy
While credential policies are not mandatory at specific hierarchy levels, a default credential policy is defined at the sys.hcs level.
Administrators at lower levels can copy and edit the default policy, if required, or they can save the default credential policy at their own hierarchy level so that it can be applied to users at that level.
Inherited Credential Policies
If an administrator at a specific level of the hierarchy has not created a credential policy at their hierarchy level, the credential policy is inherited from the closest level above.
If a Provider administrator has defined a credential policy, but a Customer administrator has not defined a credential policy, the customer hierarchy automatically inherits the credential policy from the Provider level.
Custom Credential Policies
A different credential policy can be defined for each user.
For each administrator user where IP address throttling (sign-in Limiting per Source) is required, a credential policy should be manually created and assigned. This credential policy must have both IP address throttling and username and email throttling enabled.
Credential Policies, SSO Authenticated Users, and LDAP Synced Users
Credential policies are not applicable for SSO authenticated users. For LDAP synced users, only the session timeouts are applicable.
VOSS-4-UC helps secure user accounts by authenticating user login credentials before allowing system access. Administrators can specify settings for, among other things, failed login attempts, lockout durations, password reset questions, and so on. The number of questions in the Password Reset Question Pool must be equal to (or more than) the number set in the Number of Questions Asked During Password Reset field. Collectively, these rules form a credential policy, which can be applied at any hierarchy level, and determine user login behavior at that specific level.
A credential policy is not mandatory at specific levels in the hierarchy. However, a default credential policy is provided at system level. Administrators at lower levels can copy and edit this default policy if required, and save it at their own hierarchy level so that it can be applied to the associated users at that level. If the administrators at the various levels do not create a credential policy at their level, it is inherited from the closest level above them. For example, if a Provider Administrator has defined a credential policy, but a Customer Administrator below them has not, the customer automatically inherits the credential policy from the Provider level. A different credential policy can also be defined for each user.
For example, for each administrator user where IP address throttling (Login Limiting per Source) is required, you should manually create and assign a credential policy (for example with both IP address and username/email throttling enabled) to the data/User instance.
The credential policy can be used to manage such password features as:
The number of days from the date of creation for which a password cannot be reused. The default is 15.
The number of character changes (inserts, removals, or replacements) that a password must have from the previous password. The default is 0 (disabled).
The number of days within which a user's password cannot be changed. The default is 0, which means that this option is disabled.
The number of days can be set from 1 to a maximum of 365 (in 24-hour units from the activation time). The value entered cannot exceed the period specified in the Password Expires (months) field of the credential policy, counting one month as 30 days.
This Minimum Password Age value only applies when users change their own password and their Change Password on Next Login option is not enabled.
In other words, if an administrator resets or changes the user's password, or enables the user's Change Password on Next Login option, the value is not applied.
The default credential policy is stored with other default hierarchy settings. See Default Hierarchy Settings for more details.
See Configure Credential Policy for information on how to configure a credential policy for a specific hierarchy level, and Credential Policies Rate Limiting for more details on rate limiting of failed login attempts.
The table below shows the conditions under which each credential policy rule applies, depending on whether an administrator or the user changes the password and on the user's Change Password on Next Login check box (data/User). Minimum Password Length and Password Reuse Time Limit are generic password validation; Number of Different Password Characters and Minimum Password Age are user-specific password validation (data/Credential Policy).
Condition | Change Password on Next Login (data/User) | Minimum Password Length (generic) | Password Reuse Time Limit (generic) | Number of Different Password Characters (user specific) | Minimum Password Age (days) (user specific) |
---|---|---|---|---|---|
Admin changes user's password | N/A | applied | applied | not applied | not applied |
User changes own password | Enabled | applied | applied | applied | not applied |
User changes own password | Disabled | applied | applied | applied | applied |
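As an added example, not code from the VOSS documentation or product: a Python model of the conditions table above together with the password re-use settings described earlier. Field names and defaults follow the Credential Policy Field Reference on this page; the password history list, the day-based date handling, and the use of Levenshtein distance to count "character changes" are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CredentialPolicy:
    minimum_password_length: int = 8
    password_reuse_time_limit: int = 15                # days since creation; 0 disables
    number_of_different_password_characters: int = 0  # 0 disables
    minimum_password_age: int = 0                      # days; 0 disables
    password_expires_months: int = 6

def policy_is_consistent(p):
    """Minimum Password Age may not exceed Password Expires (one month counted as 30 days)."""
    return 0 <= p.minimum_password_age <= min(365, p.password_expires_months * 30)

def edit_distance(a, b):
    """Inserts, removals and replacements needed to turn a into b (Levenshtein; an assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def user_specific_rules(admin_change, change_on_next_login):
    """User-specific rules that apply, following the conditions table above."""
    rules = set()
    if not admin_change:
        rules.add("different_characters")
        if not change_on_next_login:
            rules.add("minimum_age")
    return rules

def validate_change(policy, history, new_pw, today, admin_change, change_on_next_login=False):
    """history: (password, created) pairs, newest last. Returns the names of violated rules."""
    rules = user_specific_rules(admin_change, change_on_next_login)
    current_pw, current_created = history[-1]
    violations = []
    if len(new_pw) < policy.minimum_password_length:          # generic rule, always applied
        violations.append("minimum_length")
    if policy.password_reuse_time_limit and any(               # generic rule, always applied
            pw == new_pw and (today - created).days < policy.password_reuse_time_limit
            for pw, created in history):
        violations.append("reuse_time_limit")
    if "different_characters" in rules and edit_distance(current_pw, new_pw) < policy.number_of_different_password_characters:
        violations.append("different_characters")
    if "minimum_age" in rules and policy.minimum_password_age and (today - current_created).days < policy.minimum_password_age:
        violations.append("minimum_age")
    return violations
```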
This procedure assigns a credential policy.
Typically, a user inherits a credential policy from the nearest hierarchy node, at or above their location, wherever a default credential policy is defined. However, you can explicitly assign a credential policy to a user.
Log in as provider, reseller, or customer administrator.
Go to (default menu) User Management > Users.
Click the user that you want to assign a credential policy to.
On the Account Information tab, from the Credential Policy drop-down, choose a credential policy to assign.
The menu contains all the credential policies available at or above the user's node in the hierarchy.
Note
If a user is signed in when the credential policy is changed, changes are not applied until the user signs out and signs in again.
VOSS-4-UC applies two types of rate limiting to failed login attempts and reset question replies: per user and per source. Both use a token bucket algorithm.
This procedure assigns a credential policy to an administrator.
Typically, an administrator inherits a credential policy from the nearest hierarchy node at or above their location, wherever a default credential policy is defined. However, you can explicitly assign a credential policy to an administrator.
Log in as provider, reseller, or customer administrator.
Go to (default menu) User Management > Admins.
Click the administrator that you want to assign a credential policy to.
On the Account Information tab, from the Credential Policy drop-down, choose a credential policy to assign.
The menu contains all the credential policies available at or above the administrator's node in the hierarchy.
Note
If an administrator is already logged on when the credential policy is changed, changes do not take effect until the administrator logs out and logs on again.
Per-user failed login attempt rate limiting also applies to reset question replies and works as follows:
Per-source rate limiting process is similar to the per-user variant and works as follows:
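An added example, not VOSS code: a Python sketch of the token bucket rate limiting described above, using this page's defaults (Failed Login Count per User 20 with one token refilled every 5 minutes and a 30 minute Lock Duration; Failed Login Count per Source 10 with one token every 10 minutes). That timestamps are in minutes, and that an exhausted per-source bucket simply refuses attempts until a token has been refilled, are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FailedLoginBucket:
    """Token bucket for failed attempts: 'burst' tokens, refilled one per 'reset_minutes'."""
    burst: int
    reset_minutes: float
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)   # time of last refill, in minutes (assumption)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def available(self, now):
        """Credit tokens for the minutes elapsed since the last call and return the balance."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) / self.reset_minutes)
        self.last = now
        return self.tokens

    def record_failure(self, now):
        """Consume one token; True means the failure threshold (burst size) has been reached."""
        self.tokens = max(0.0, self.available(now) - 1)
        return self.tokens < 1

class LoginLimiter:
    """Per-user and per-source limiting with this page's defaults: user burst 20, one token
    per 5 minutes, 30 minute lock; source burst 10, one token per 10 minutes."""
    def __init__(self, user_burst=20, user_reset=5, lock_minutes=30, src_burst=10, src_reset=10):
        self.cfg = (user_burst, user_reset, lock_minutes, src_burst, src_reset)
        self.users, self.sources, self.locked_until = {}, {}, {}

    def attempt(self, user, source, password_ok, now):
        """Outcome of one login attempt: 'ok', 'bad_password', 'user_locked' or 'source_throttled'."""
        ub, ur, lock, sb, sr = self.cfg
        if now < self.locked_until.get(user, 0.0):
            return "user_locked"                      # Lock Duration still running
        ubucket = self.users.setdefault(user, FailedLoginBucket(ub, ur))
        sbucket = self.sources.setdefault(source, FailedLoginBucket(sb, sr))
        if sbucket.available(now) < 1:
            return "source_throttled"                 # assumption: refuse until a token refills
        if password_ok:
            return "ok"
        user_hit = ubucket.record_failure(now)        # the failure counts against both buckets
        sbucket.record_failure(now)
        if user_hit:
            self.locked_until[user] = now + lock
            return "user_locked"
        return "bad_password"
```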
Administrators can configure credential policies that can be used by users at their own hierarchy level:
Navigate to the relevant hierarchy level.
Choose Role Based Access > Credential Policies.
Choose the Default credential policy.
Click Action on the button bar and choose Clone to make a copy of the default credential policy.
Enter a new credential policy name, and edit the fields as required.
See Credential Policies and Credential Policy Field Reference for details.
Click Save to save the new credential policy.
Click Add to create additional credential policies if required.
A Credential Policy can be used to manage the user password complexity as well as its re-use.
The following default criteria apply to password complexity:
The following defaults apply for password re-use and are managed by the credential policy:
The default number of days from the date of creation for which a password cannot be reused is 15.
The default number of character changes (inserts, removals, or replacements) that a password must have from the previous password is 0.
The number of days within which a user's password cannot be changed is 0 by default, which means that this option is disabled.
The number of days can be set from 1 to a maximum of 365 (in 24-hour units from the activation time). This Minimum Password Age value only applies to users changing their own password. In other words, if an administrator resets or changes the user's password, the value is not applied.
Settings in a user's account information take the highest precedence. Next comes the credential policy set as the default at the user's hierarchy level or above. Finally, the system 'Default' credential policy, with the settings indicated above, applies.
Defines rules that govern the management of user credentials.
Title | Description |
---|---|
Name * | Credential policy name. |
Idle Session Timeout (minutes) | Defines the number of minutes a session remains active when there is no activity in the session. Default: 20 |
Absolute Session Timeout (minutes) | Defines the maximum number of minutes a session can be active. A value of 0 disables the absolute session timeout. Default: 1440 |
Password Expires (months) * | The interval at which the password expires, in months. Default: 6 |
User Must Change Password on First Login | Indicates that users are forced to change their password on first login. |
Lock Duration (minutes) | The number of minutes for which a user account is locked after the number of failed password attempts reaches the threshold. Default: 30 |
Disable Failed Login Limiting per User | Disables failed login limiting per user. |
Disable Failed Login User Account | When enabled, the user account is disabled if failed login attempts reach 'Failed Login Count per User' within 'Reset Failed Login Count per User (minutes)'. Disabled by default. |
Failed Login Count per User | The maximum number of failed login attempts for a given user. Also referred to as the burst size. Default: 20 |
Reset Failed Login Count per User (minutes) | The number of minutes before the failed login counter for a given user is reset. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 5 |
Disable Failed Login Limiting per Source | Disables failed login limiting per source. |
Failed Login Count per Source | The maximum number of failed login attempts from a given source IP address. Also referred to as the burst size. Default: 10 |
Reset Failed Login Count per Source (minutes) | The number of minutes before the failed login counter for a given source is reset. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 10 |
Number of Questions Asked During Password Reset | The number of questions asked during a password reset. If custom questions are not allowed, this must be less than or equal to the number of entries in the Password Reset Question Pool. |
Password Reset Question Pool | List of questions from which password reset questions are drawn. |
Password Reuse Time Limit | Period (number of days) from the time of creation for which a password cannot be reused. Only values from 0 to 365 (inclusive) are allowed. A value of 0 means that the password reuse time limit does not apply. Default: 15 |
Minimum Password Length | Minimum password length (number of characters). Default: 8 |
Enable Password Complexity Validation | Enables password complexity validation. When set to True, passwords are validated against the password complexity rules. Default: False |
Inactive days before disabling user account | The number of days a user can be inactive before the account is disabled. With a value of 0, no checks are done. |
Session Login Limit Per User | The maximum number of concurrent login sessions permitted for a user. A value of 0 means that user login sessions are not restricted. |
Number of Different Password Characters | The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords. |
Minimum Password Age (days) | The number of days within which a user cannot change their password. A value of 0 disables password age validation. The minimum value is 1 day and the maximum is 365 days. |