Overview
Credential policies are sets of rules that define user sign-in behavior at various levels of the hierarchy. For example, to facilitate user account security, VOSS Automate authenticates user sign-in credentials before allowing access to the system. Additionally, administrators can configure settings for events such as failed sign-in attempts and lockout duration.
Credential policies can be applied at any hierarchy level. A credential policy applied at a particular hierarchy defines allowed user sign-in behavior at that hierarchy.
Default credential policy
While credential policies are not mandatory at specific hierarchy levels, a default credential policy is defined at the sys.hcs level.
Administrators at lower levels can copy and edit the default policy, if required, or they can save the default credential policy at their own hierarchy level so that it can be applied to users at that level.
Inherited credential policies
If an administrator at a specific level of the hierarchy has not created a credential policy at their hierarchy level, the credential policy is inherited from the closest level above.
If a Provider administrator has defined a credential policy, but a Customer administrator has not defined a credential policy, the customer hierarchy automatically inherits the credential policy from the Provider level.
Custom credential policies
A different credential policy can be defined for each user.
For each administrator user for whom IP address throttling (sign-in limiting per source) is required, a credential policy should be created manually and assigned. This credential policy must have IP address, username, and email throttling enabled.
Credential policies, SSO authenticated users, and LDAP-synced users
Credential policies are not applicable to SSO-authenticated users. For LDAP-synced users, only the session timeouts apply.
Tip
Use the Action search to navigate Automate
This procedure assigns a credential policy.
Typically, a user inherits a credential policy from the nearest hierarchy node, at or above their location, wherever a default credential policy is defined. However, you can explicitly assign a credential policy to a user.
1. Log in as provider, reseller, or customer administrator.
2. Go to the Users page.
3. Click the user that you want to assign a credential policy to.
4. On the Account Information tab, from the Credential Policy drop-down, choose a credential policy to assign.
   The menu contains all the credential policies available at or above the user's node in the hierarchy.
Note
If a user is signed in when the credential policy is changed, changes are not applied until the user signs out and signs in again.
This procedure assigns a credential policy to an administrator.
Typically, an administrator inherits a credential policy from the nearest hierarchy node at or above their location, wherever a default credential policy is defined. However, you can explicitly assign a credential policy to an administrator.
1. Log in as provider, reseller, or customer administrator.
2. Go to the Admins page.
3. Click the administrator that you want to assign a credential policy to.
4. On the Account Information tab, from the Credential Policy drop-down, choose a credential policy to assign.
   The menu contains all the credential policies available at or above the administrator's node in the hierarchy.
Note
If an administrator is already logged on when the credential policy is changed, changes do not take effect until the administrator logs out and logs on again.
Overview
A default credential policy called HcsCredentialPolicy ships with Automate. However, you can deploy a customized credential policy at a provider, reseller, or customer hierarchy node.
When you set a customized credential policy as the default credential policy at a hierarchy node, all users and admins at or below that hierarchy node are subject to the customized credential policy, except for any users or admins that are explicitly assigned a different credential policy.
Credential policy inheritance
Unless explicitly assigned a credential policy, users and admins are subject to the default credential policy set at a hierarchy node at or above their location. The default credential policy for the hierarchy node closest to the user or admin location is used. If no customized credential policies are deployed, all users and admins are subject to the HcsCredentialPolicy credential policy, which is the default credential policy at the sys.hcs level.
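As an added illustration (not VOSS code), the following resolves the policy that applies to a user or admin by walking up the hierarchy from their node, honoring an explicit assignment first and excluding SSO users as stated above; the node names, policy names and the `auth` labels are constructed.

```python
# Added example, not VOSS Automate code: resolve the effective credential
# policy for a user or admin according to the inheritance rules above.
from dataclasses import dataclass
from typing import Optional

SYS_DEFAULT = "HcsCredentialPolicy"  # the policy shipped at the sys.hcs level

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    default_policy: Optional[str] = None  # "Default Credential Policy" set here, if any

@dataclass
class Principal:                 # a user or an admin
    username: str
    node: Node
    explicit_policy: Optional[str] = None
    auth: str = "local"          # "local" or "sso" (constructed labels)

def effective_policy(p: Principal) -> Optional[str]:
    """Return the policy name that governs p, or None for SSO users,
    to whom credential policies do not apply."""
    if p.auth == "sso":
        return None
    if p.explicit_policy:        # explicit assignment beats inheritance
        return p.explicit_policy
    node = p.node
    while node is not None:      # closest node at or above the principal wins
        if node.default_policy:
            return node.default_policy
        node = node.parent
    return SYS_DEFAULT           # nothing defined anywhere: sys.hcs default

# Constructed hierarchy: sys.hcs > ProviderA > CustomerB > SiteC
sys_hcs = Node("sys.hcs", default_policy=SYS_DEFAULT)
provider = Node("ProviderA", parent=sys_hcs, default_policy="ProviderPolicy")
customer = Node("CustomerB", parent=provider)   # no default policy defined here
site = Node("SiteC", parent=customer)

if __name__ == "__main__":
    print(effective_policy(Principal("alice", site)))   # inherited from ProviderA
```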
Deploy a customized credential policy
| Field | Description |
|---|---|
| Idle Session Timeout | The number of minutes a user session can be idle before being automatically logged off. The minimum setting is 1 minute and the maximum is 525600 minutes (365 days). The default is 20 minutes. |
| Absolute Session Timeout | The number of consecutive minutes a user can be logged in, regardless of session activity, before being automatically logged off. A value of 0 disables absolute session timeout. The maximum is 525600 minutes (365 days). The default is 1440 minutes (24 hours). |
| Password Expires | The number of months that can elapse between password resets. The default is 6 months. |
| User Must Change Password on First Login | Select this check box to force users to change their password on initial login. Default = clear. |
| Lock Duration | The number of minutes a lock is held when a user is locked out. The default is 30 minutes. |
| Disable Failed Login Limiting per User | Select this check box to not limit the number of times a user can fail to log in before the account is locked. Default = clear. |
| Failed Login Count per User | Selecting this check box results in the user account being disabled if the failed login attempts reach 'Failed Login Count per User' within 'Reset Failed Login Count per User (minutes)'. This field is clear by default. |
| Reset Failed Login Count per User | After this number of minutes from the last login attempt, the failed login count is reset to 0. The default is 5 minutes. |
| Disable Failed Login Limiting per Source | Clear this check box to limit the number of times any user from the same IP address can fail to log in before the account is locked. Note: On Provider HCFM and Provider Decoupled deployments, the default is to disable the limit (checked). On Enterprise deployments, the default is to enable the limit (unchecked). Do not enable source login rate limiting for a credential policy that will apply to Self Service users. A separate credential policy is recommended for administrators and users who do not use Self Service if source login rate limiting is required. |
| Failed Login Count per Source | If source login rate limiting is enabled, enter the number of times any user from the same IP address can fail to log in before the IP address is blocked. The default is 10 times. |
| Reset Failed Login Count per Source | If source login rate limiting is enabled, this value is the number of minutes from the last login attempt from the IP address after which the failed login count is reset to 0. The default is 10 minutes. |
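An added model (not VOSS code) of the per-user and per-source failed login limiting described in the table, driven by a constructed minute clock; it assumes Lock Duration also governs how long a blocked source IP stays blocked and that the reset window is measured from the last failed attempt. The source counter is what makes a shared IP (the Self Service case in the note) lock out users who never failed themselves.

```python
# Added example, not VOSS Automate code: failed login limiting per user and per source.
from dataclasses import dataclass

@dataclass
class Policy:                    # field names mirror the table above
    lock_duration: int = 30      # minutes; assumed to cover source blocks too
    limit_per_user: bool = True  # False = "Disable Failed Login Limiting per User"
    count_per_user: int = 20
    reset_per_user: int = 5      # minutes since last failure before the count resets
    limit_per_source: bool = True  # False = "Disable Failed Login Limiting per Source"
    count_per_source: int = 10
    reset_per_source: int = 10

@dataclass
class Counter:
    failures: int = 0
    last_failure: int = -10**9   # minutes on a constructed clock
    locked_until: int = -1

def record_failure(c: Counter, now: int, limit: int, reset: int, lock: int) -> bool:
    """Count one failure; return True when the threshold is reached and a lock starts."""
    if now - c.last_failure >= reset:   # reset window elapsed: count from zero again
        c.failures = 0
    c.last_failure = now
    c.failures += 1
    if c.failures >= limit:
        c.locked_until, c.failures = now + lock, 0
        return True
    return False

class LoginLimiter:
    def __init__(self, policy: Policy):
        self.p, self.users, self.sources = policy, {}, {}

    def attempt(self, user: str, src_ip: str, password_ok: bool, now: int) -> str:
        p = self.p
        u = self.users.setdefault(user, Counter())
        s = self.sources.setdefault(src_ip, Counter())
        if p.limit_per_user and now < u.locked_until:
            return "denied: account locked"
        if p.limit_per_source and now < s.locked_until:
            return "denied: source blocked"
        if password_ok:
            return "allowed"
        locked = p.limit_per_user and record_failure(u, now, p.count_per_user, p.reset_per_user, p.lock_duration)
        blocked = p.limit_per_source and record_failure(s, now, p.count_per_source, p.reset_per_source, p.lock_duration)
        if locked:
            return "failed: account now locked"
        if blocked:
            return "failed: source now blocked"
        return "failed"
```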
| Field | Description |
|---|---|
| Number of Questions Asked During Self Service Password Reset | Enter the number of security questions users or admins must answer when resetting their own password with the Forgot Password link. The default is 3. |
| Password Reset Question Pool | Contains a list of possible security questions that users or admins must answer when resetting their own password with the Forgot Password link. |
| Password Reuse Time Limit | The number of days from the date the password was created that the password cannot be reused. The valid range is 0-365 days. The default is 15 days. Setting it to 0 disables the reuse time limit. |
| Minimum Password Length | The minimum length of a password in characters. The minimum allowed value is 8. The default is 8. When a password is entered that does not meet this length, an error message displays indicating the minimum length specified here. |
| Enable Password Complexity Validation | Select this check box to enable the rule on how complex a password must be. The complexity rule requires a password to contain at least one of each of the following: |
| Inactive Days Before Disabling User Account | The number of days users or admins can go between logging in without having their account disabled. Setting it to 0 disables the inactive time limit. The default is 0. |
| Session Login Limit Per User | The number of concurrent login sessions a user may have. Setting it to 0 disables the session login limit. The default is 0. If the session limit value is set to 1 or more and the user exceeds the session limit when starting a new session, the oldest login session will be disconnected. |
| Number of Different Password Characters | The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords. |
| Minimum Password Age | The number of days within which a user cannot change their password. A zero (0) value means that password age validation is disabled. The minimum value is 1 day and the maximum is 365 days. |
Acceptable special characters are:
` ~ ! @ # $ % ^ & * ( ) - _ = + [ { ] } | \\ : ; ' " , < . > / ?
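An added check (not VOSS code) of a proposed password change against the password fields above; it assumes the complexity rule's classes are upper case, lower case, digit and one of the listed special characters, and uses edit distance to count the "Number of Different Password Characters". The password history and day numbers are constructed.

```python
# Added example, not VOSS Automate code: validate a password change against the policy fields.
from dataclasses import dataclass

# The acceptable special characters listed on the page
SPECIAL = set("`~!@#$%^&*()-_=+[{]}|\\:;'\",<.>/?")

@dataclass
class PasswordPolicy:
    min_length: int = 8
    complexity: bool = False       # "Enable Password Complexity Validation"
    different_chars: int = 0       # "Number of Different Password Characters"
    min_age_days: int = 0          # "Minimum Password Age"; 0 disables the check
    reuse_limit_days: int = 15     # "Password Reuse Time Limit"; 0 disables the check

def edit_distance(a: str, b: str) -> int:
    """Minimum inserts, removals or replacements turning a into b (Levenshtein)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def meets_complexity(pw: str) -> bool:
    # Assumed classes: upper, lower, digit and one of the listed special characters
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SPECIAL for c in pw))

def check_change(p: PasswordPolicy, old: str, new: str, history: list, today: int) -> list:
    """history: [(password, day_created), ...] oldest first, last = current password;
    today: day number on the same constructed calendar. Returns the violated rules
    (empty list = change accepted). A real system would compare hashes, not plaintext."""
    errors = []
    if len(new) < p.min_length:
        errors.append(f"shorter than {p.min_length} characters")
    if p.complexity and not meets_complexity(new):
        errors.append("complexity rule not met")
    if edit_distance(old, new) < p.different_chars:
        errors.append(f"fewer than {p.different_chars} characters changed")
    if p.min_age_days and today - history[-1][1] < p.min_age_days:
        errors.append("current password is younger than the minimum age")
    if p.reuse_limit_days and any(pw == new and today - day < p.reuse_limit_days
                                  for pw, day in history):
        errors.append("password reused within the reuse time limit")
    return errors
```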
Note
It is recommended that you only make a credential policy more restrictive than HcsCredentialPolicy, so that no policy ends up less secure than the shipped default.
Click Save.
Note
If a user is already logged in when the credential policy is changed, changes do not take effect until the user logs out and logs in again.
1. Go to Default Credential Policy.
2. Provide a name for the Default Credential Policy at this hierarchy node.
3. From the Credential Policy drop-down, choose the credential policy you just cloned or added.
4. Click Save.
Every user and administrator at or below the hierarchy node is now subject to the default credential policy, unless the user or administrator was explicitly assigned a different credential policy.
Note
Timeout limits trigger timeout limit notifications in the Admin Portal; see Timeout Limit Notifications.
Defines rules that govern the management of user credentials.
| Title | Description |
|---|---|
| Name * | Credential policy name. |
| Idle Session Timeout (minutes) | Defines the number of minutes a session remains active when there is no activity in the session. Default: 20 |
| Absolute Session Timeout (minutes) | Defines the maximum number of minutes a session can be active. A value of 0 disables absolute session timeout. Default: 1440 |
| Password Expires (months) * | The interval at which the password expires, in months. Default: 6 |
| User Must Change Password on First Login | Indicates that users must be forced to change their password on the first login. |
| Lock Duration (minutes) | The number of minutes that a user account must be locked for after the failed password attempts have reached the threshold. Default: 30 |
| Disable Failed Login Limiting per User | Disable failed login limiting per user. |
| Disable Failed Login User Account | Enabling this field results in the user account being disabled if the failed login attempts reach 'Failed Login Count per User' within 'Reset Failed Login Count per User (minutes)'. This field is disabled by default. |
| Failed Login Count per User | The maximum number of failed login attempts for a given user. This is also referred to as the burst size. Default: 20 |
| Reset Failed Login Count per User (minutes) | The number of minutes before the counter is reset for failed login attempts for a given user. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 5 |
| Disable Failed Login Limiting per Source | Disable failed login limiting per source. |
| Failed Login Count per Source | The maximum number of failed login attempts for a given source IP address. This is also referred to as the burst size. Default: 10 |
| Reset Failed Login Count per Source (minutes) | The number of minutes before the counter is reset for failed login attempts for a given source. This is typically the interval within which a single failure is permitted, also referred to as the permitted long-term rate of failure. Default: 10 |
| Number of Questions Asked During Password Reset | Determines the number of questions asked during a password reset. The number should be less than or equal to the number of entries in the Reset Question Pool if custom questions are not allowed. |
| Password Reset Question Pool | List of questions from which password reset questions are drawn. |
| Password Reuse Time Limit | Period (number of days) from time of creation for which a password cannot be reused. Only values between 0 and 365 (inclusive) are allowed. A 0 (zero) value means that the password reuse time limit does not apply. Default: 15 |
| Minimum Password Length | Minimum length (number of characters) for a password. Default: 8 |
| Enable Password Complexity Validation | Enable password complexity validation; defaults to False. When set to True, passwords are validated against the password complexity rules. |
| Inactive days before disabling user account | The number of days a user can be inactive before the account is disabled. With a value of 0 no checks are done. |
| Session Login Limit Per User | The maximum number of concurrent login sessions permitted for a user. A zero (0) value means that user login sessions are not restricted. |
| Number of Different Password Characters | The minimum number of character changes (inserts, removals, or replacements) required between the old and new passwords. |
| Minimum Password Age (days) | The number of days within which a user cannot change their password. A zero (0) value means that password age validation is disabled. The minimum value is 1 day and the maximum is 365 days. |