User account policy settings
You can modify the CMM user account policy settings to create a Custom policy.
The individual user account policy settings are configured to default values according to the security policy setting, Legacy or Secure, that is set for the CMM. Modifying any of the individual user account policy settings automatically sets the CMM user account policy to Custom. User account policy settings cannot conflict with the security policy setting that has been set for Flex System chassis resources. An error will occur if you attempt to set values that are incompatible.
You can view or modify the user account security policy settings from their default values using the CMM web interface or the CMM CLI:
- In the CMM web interface, user account security policy settings are on the General tab of the Account Security Level page in the Global Login Settings window. The location of each setting is identified in Table 1. Access these settings as follows:
  - Select User Accounts from the Mgt Module Management menu.
  - Click Global Login Settings on the Accounts page on the User Accounts page.
  - Click the General tab or the Account Security Level tab in the Global Login Settings window, as indicated for each setting.
  - If you clicked the Account Security Level tab, select Custom Security Settings to access the custom settings.
- In the CMM CLI, access the user account security policy settings by using the various accseccfg command options (see accseccfg command for information about command use).
The following table lists the user account policy settings for the CMM, and their default values for the Legacy and High policy levels, if applicable. Also listed are the CMM web interface fields and CMM CLI accseccfg command options that can modify any values that can be changed in each interface.
User account policy setting | Description | Default Legacy setting | Default High setting | Web interface field | CLI command |
---|---|---|---|---|---|
User authentication method | The method for authenticating CMM users (local, LDAP, or both) | Retains the set value | Retains the set value | User authentication method (General tab) | accseccfg -am |
Maximum simultaneous user sessions | The number of concurrent login sessions allowed for each user through all CMM interfaces | Retains the set value | Retains the set value | Number of simultaneous active sessions for LDAP users (General tab) | accseccfg -mls |
Log new login events from same user | Whether the CMM logs multiple simultaneous login sessions from the same user | Retains the set value | Retains the set value | Do not log new authentication events for the same user (General tab) | accseccfg -ici |
Authentication logging timeout | The amount of time that the CMM will not log repeated logins by the same user | Retains the set value | Retains the set value | Authentication logging timeout (General tab) | accseccfg -alt |
Web session inactivity timeout | The amount of time a web interface session can be inactive before it automatically terminates | Retains the set value | Retains the set value | Web inactivity session timeout (General tab) | accseccfg -wt |
CLI session inactivity timeout | The amount of time a CLI session can be inactive before it automatically terminates | Retains the set value | Retains the set value | CLI inactivity session timeout (in seconds) (General tab) | accseccfg -ct |
User inactivity alert | The amount of time a user account can be inactive before it generates an alert | No limit | 120 days | Inactivity alert period (in days) (Account Security Level tab) | accseccfg -ia |
User inactivity disable | The amount of time a user account can be inactive before it is disabled and generates an alert | No limit | 180 days | Inactivity alert and disable period (in days) (Account Security Level tab) | accseccfg -id |
Maximum login failures | The maximum number of failed login attempts by a user before the account is locked out | 20 attempts | 20 attempts | Maximum number of login failures (Account Security Level tab) | accseccfg -lf |
Lockout period login failure | The amount of time a user account is locked out after the maximum number of unsuccessful login attempts has been reached | 2 minutes | 60 minutes | Lockout period after maximum login failures (in minutes) (Account Security Level tab) | accseccfg -lp |
Complex password | Whether the CMM follows more secure complex password rules | Off | On | Complex password rules (Account Security Level tab) | accseccfg -cp |
Minimum number of different password characters | The minimum number of different character types that must be used in a password | Not checked | 2 characters | Minimum different characters in passwords (Account Security Level tab) | accseccfg -dc |
Default 'USERID' account password must be changed on next login | The requirement that the default user must change the password at the next login to the CMM | Off | On | Factory default 'USERID' account password must be changed on next login (Account Security Level tab) | accseccfg -de |
Password change on first access | The requirement that users change their password the first time they log in to the CMM | Off | On | Force user to change password on first access (Account Security Level tab) | accseccfg -pc |
Password expiration period | The amount of time a user password remains valid before requiring change | No limit | 90 days | Password expiration period (days) (Account Security Level tab) | accseccfg -pe |
Minimum password change interval | The minimum amount of time between user password changes | No limit | 24 hours | Minimum password change interval (hours) (Account Security Level tab) | accseccfg -pi |
Password reuse cycle | The number of password changes before a password can be reused | Not checked | 5 cycles | Minimum password reuse cycle (Account Security Level tab) | accseccfg -rc |
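
Because changing any single setting moves the CMM to a Custom policy, it helps to know which Custom values are weaker than the High defaults in the table. The following check is an added example, not part of the CMM documentation or firmware: it keys settings by the accseccfg option letters from the table, and it assumes that `None` stands for "No limit" or "Not checked" and that the caller has already collected the current values. The stricter/weaker direction given for each setting is this example's own reading of the table.

```python
# Added example: flag settings weaker than the High defaults from the table.
# Assumptions: None means "No limit"/"Not checked"; values are already parsed.
HIGH_BASELINE = {
    # option: (setting, High default, rule)
    #   "max"  -> current value must be set and <= default
    #   "min"  -> current value must be set and >= default
    #   "bool" -> must be On (True)
    "ia": ("User inactivity alert (days)", 120, "max"),
    "id": ("User inactivity disable (days)", 180, "max"),
    "lf": ("Maximum login failures", 20, "max"),
    "lp": ("Lockout period login failure (minutes)", 60, "min"),
    "cp": ("Complex password", True, "bool"),
    "dc": ("Minimum different password characters", 2, "min"),
    "de": ("Default 'USERID' password change on next login", True, "bool"),
    "pc": ("Password change on first access", True, "bool"),
    "pe": ("Password expiration period (days)", 90, "max"),
    "pi": ("Minimum password change interval (hours)", 24, "min"),
    "rc": ("Password reuse cycle", 5, "min"),
}

def audit(settings):
    """Return (option, setting, current, high_default) for each weaker value.

    A missing option is treated like None, that is, as weaker than High.
    """
    findings = []
    for opt, (name, default, rule) in HIGH_BASELINE.items():
        current = settings.get(opt)
        if rule == "bool":
            weaker = current is not True
        elif current is None:
            weaker = True                      # unlimited or unchecked
        elif rule == "max":
            weaker = current > default
        else:                                  # rule == "min"
            weaker = current < default
        if weaker:
            findings.append((opt, name, current, default))
    return findings

# Constructed sample inputs: the Legacy and High default columns of the table.
LEGACY = {"ia": None, "id": None, "lf": 20, "lp": 2, "cp": False, "dc": None,
          "de": False, "pc": False, "pe": None, "pi": None, "rc": None}
HIGH = {opt: default for opt, (_, default, _) in HIGH_BASELINE.items()}

if __name__ == "__main__":
    for opt, name, current, default in audit(LEGACY):
        print(f"accseccfg -{opt}: {name}: current={current!r}, High={default!r}")
```

Run against the Legacy defaults, every listed setting except the maximum login failures is reported, since that value is 20 attempts in both columns.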