Configuring user security settings
The user-account security settings configure the password, login, and user-session settings for local users.
Procedure
To configure security settings for local users, complete the following steps.
- From the XClarity Orchestrator menu bar, click Administration > Security, and then click Account Security Settings in the left navigation to display the Account Security Settings card.
- Configure the following security settings.
  - Password expiration period
    Amount of time, in days, that a user can use a password before it must be changed. Lower values reduce the amount of time that attackers have to guess passwords.
    If set to 0, passwords never expire.
    Allowed values: 0 – 365. Default value: 0.
  - Password expiration warning period
    Amount of time, in days, before the password-expiration date when users begin to receive warnings about an impending expiration of the user password.
    If set to 0, users are not warned.
    Allowed values: 0 – 30. Default value: 0.
  - Minimum password reuse cycle
    Minimum number of times that a unique password must be specified when changing the password before the user can start to reuse passwords.
    If set to 0, users can reuse passwords immediately.
    Allowed values: 0 – 10. Default value: 5.
  - Minimum password change interval
    Minimum amount of time, in hours, that must elapse before a user can change a password again after it was previously changed. The value specified for this setting cannot exceed the value specified for the Password expiration period setting.
    If set to 0, users can change passwords immediately.
    Allowed values: 0 – 240. Default value: 1.
  - Maximum number of login failures
    Maximum number of times that a user can attempt to log in with an incorrect password before the user account is locked.
    Note: Consecutive login attempts using the same username and password count as a single failed login.
    If set to 0, accounts are never locked.
    Allowed values: 0 – 10. Default value: 5.
  - Failed login counter reset
    Amount of time since the last failed login attempt before the Maximum number of login failures counter is reset to 0.
    If set to 0, the counter never resets. For example, if the maximum number of login failures is 2, and you fail your login once, then fail it a second time 24 hours later, the system registers that you have failed your login twice, and your account is locked out.
    Note: This setting applies only when the Maximum number of login failures setting is set to 1 or greater.
    Allowed values: 0 – 60. Default value: 15.
  - Lockout period after maximum login failures
    Minimum amount of time, in minutes, after which a locked user can attempt to log back in again. A user account that is locked cannot be used to gain access to XClarity Orchestrator even if a valid password is provided.
    If set to 0, user accounts are never locked.
    Note: This setting applies only when the Maximum number of login failures setting is set to 1 or greater.
    Allowed values: 0 – 2880. Default value: 60.
  - Web inactivity session timeout
    Amount of time, in minutes, that a user session established with the orchestrator server can be inactive before the user session expires and the user is automatically logged out. This timeout applies to all actions (such as opening a page, refreshing the current page, or modifying data). This is the primary timeout for the user session.
    When a session is active, this timer resets every time the user performs any action. After the timeout value is exceeded, the login page is displayed the next time the user attempts to perform an action.
    If set to 0, this timeout is disabled.
    Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.
    Allowed values: 0, 60 – 1440. Default value: 1440.
  - Web inactivity timeout for full operations
    Amount of time, in minutes, that a user session established with the orchestrator server can be inactive before the actions that modify data (such as creating, updating, or deleting a resource) are disabled. This is an optional secondary timeout and is shorter than the primary Web inactivity session timeout value.
    When a session is active, this timer resets every time the user performs any action. If this timeout value is exceeded but the primary Web inactivity session timeout value is not exceeded, the user is restricted to read-only actions (such as opening or refreshing a page) until the primary Web inactivity session timeout value is exceeded; however, if the user attempts to perform an action that modifies data, the user session expires and the login page is displayed.
    If set to 0, this timeout is disabled.
    Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.
    Allowed values: 0, 15 – 60. Default value: 30.
  - Mandatory expiration time of a web-based session
    Amount of time, in hours, that a user session established with the orchestrator server can be open before the user is automatically logged out, regardless of user activity.
    Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new timeout value are expired.
    Allowed values: 24 – 240. Default value: 24.
  - Minimum password length
    Minimum number of characters that can be used to specify a valid password.
    Allowed values: 8 – 256. Default value: 256.
  - Maximum password length
    Maximum number of characters that can be used to specify a valid password.
    Allowed values: 8 – 128. Default value: 128.
  - Maximum active sessions for a specific user
    Maximum number of active sessions for a specific user that are allowed at any given time. When the maximum number is reached, the oldest active session for a user (based on the creation timestamp) is removed before a new session is created for that user.
    If set to 0, an unlimited number of active sessions is allowed for a specific user.
    Note: Only user sessions that start after the setting is changed are affected.
    Allowed values: 0 – 20. Default value: 20.
  - Number of complexity rules that must be followed when creating a new password
    Number of complexity rules that must be followed when creating a new password. Rules are enforced starting with rule 1, and up to the number of rules specified. For example, if the password complexity is set to 4, then rules 1, 2, 3 and 4 must be followed. If the password complexity is set to 2, then rules 1 and 2 must be followed.
    XClarity Orchestrator supports the following password complexity rules.
    1. Must contain at least one alphabetic character, and must not have more than two sequential characters, including sequences of alphabetic characters, digits, and QWERTY keyboard keys (for example, “abc”, “123”, and “asd” are not allowed).
    2. Must contain at least one number.
    3. Must contain at least two of the following characters.
       - Uppercase alphabetic characters (A – Z)
       - Lowercase alphabetic characters (a – z)
       - Special characters ; @ _ ! ' $ & +
       White space characters are not allowed.
    4. Must not repeat or reverse the user name.
    5. Must not contain more than two of the same characters consecutively (for example, “aaa”, “111”, and “...” are not allowed).
    If set to 0, passwords are not required to comply with any complexity rules.
    Allowed values: 0 – 5. Default value: 4.
  - Force user to change password on first access
    Indicates whether a user is required to change the password when logging in to XClarity Orchestrator for the first time.
    Allowed values: Yes or No. Default value: Yes.
- Click Apply.
After the changes are applied, the new settings take effect immediately. If you change password policies, those policies are enforced the next time a user logs in or changes the password.
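The password complexity rules above can be checked offline when preparing or auditing local account passwords. The following is an added example, not XClarity Orchestrator code; `failed_rules`, the sequence tables, and the interpretations marked as assumptions in the comments are illustrative and may differ from what the product enforces.

```python
import string

# Assumptions: sequences are checked left to right only, and "QWERTY keyboard
# keys" means runs along the three letter rows of a US keyboard.
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
SPECIALS = set(";@_!'$&+")  # special characters listed under rule 3


def has_sequence(pw, run=3):
    """True if pw holds `run` sequential characters ("abc", "123", "asd")."""
    low = pw.lower()
    return any(low[i:i + run] in seq
               for i in range(len(low) - run + 1) for seq in SEQUENCES)


def has_repeat(pw, run=3):
    """True if one character appears `run` times in a row ("aaa", "...")."""
    return any(pw[i:i + run] == pw[i] * run for i in range(len(pw) - run + 1))


def failed_rules(password, username, complexity):
    """Return the rule numbers that `password` breaks among rules 1..complexity."""
    low, user = password.lower(), username.lower()
    classes = (any(c in string.ascii_uppercase for c in password),
               any(c in string.ascii_lowercase for c in password),
               any(c in SPECIALS for c in password))
    passes = {
        1: any(c.isalpha() for c in password) and not has_sequence(password),
        2: any(c.isdigit() for c in password),
        # Assumption: "two of the following" means two of the three character
        # classes, and the white-space ban belongs to this rule.
        3: sum(classes) >= 2 and not any(c.isspace() for c in password),
        # Assumption: the user name or its reverse anywhere in the password,
        # compared case-insensitively, breaks the rule.
        4: not user or (user not in low and user[::-1] not in low),
        5: not has_repeat(password),
    }
    return [rule for rule in range(1, complexity + 1) if not passes[rule]]


# Constructed sample passwords for a hypothetical user "admin".
if __name__ == "__main__":
    for pw in ("Tr0ub4dor&x", "Passw0rd123", "nimda_Root7", "Goood;day9"):
        print(pw, failed_rules(pw, "admin", 5))
```

With the default complexity of 4, rule 5 is not enforced, so a password such as the constructed `Goood;day9` passes until the setting is raised to 5.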
After you finish
You can perform the following action from the Account Security Settings card.
- To reset these settings to the default values, click Restore defaults.
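The interaction between Maximum number of login failures, Failed login counter reset, and Lockout period after maximum login failures is easier to reason about when replayed over a timeline. The following model is an added example, not XClarity Orchestrator code; `simulate` and its parameters are hypothetical names, and the two behaviors marked as assumptions are not stated on this page.

```python
def simulate(attempts, good_password, max_failures=5, reset_min=15, lockout_min=60):
    """Replay (minute, password) login attempts for one account.

    Returns one outcome per attempt: "ok", "failed" or "locked".
    Defaults match the default values documented above.
    """
    failures = 0          # current value of the failed-login counter
    last_fail_at = None   # minute of the most recent failed attempt
    last_bad = None       # last wrong password, for the duplicate rule
    locked_until = None   # minute at which the lockout ends
    outcomes = []
    for minute, password in attempts:
        if locked_until is not None and minute < locked_until:
            outcomes.append("locked")   # refused even if the password is valid
            continue
        if locked_until is not None:
            # Assumption: the counter starts again at 0 once the lockout ends.
            failures, last_bad, locked_until = 0, None, None
        if reset_min and last_fail_at is not None and minute - last_fail_at >= reset_min:
            failures, last_bad = 0, None   # Failed login counter reset elapsed
        if password == good_password:
            # Assumption: a successful login also clears the counter.
            failures, last_bad = 0, None
            outcomes.append("ok")
            continue
        outcomes.append("failed")
        if password != last_bad:   # same wrong password again counts only once
            failures += 1
            last_bad = password
        last_fail_at = minute
        # A value of 0 for either setting means accounts are never locked.
        if max_failures and lockout_min and failures >= max_failures:
            locked_until = minute + lockout_min
    return outcomes


# Constructed timeline: the documented case of two failures 24 hours apart.
if __name__ == "__main__":
    day_apart = [(0, "guess1"), (1440, "guess2"), (1441, "s3cret")]
    print(simulate(day_apart, "s3cret", max_failures=2, reset_min=0))
    print(simulate(day_apart, "s3cret", max_failures=2, reset_min=15))
```

With the counter reset set to 0, the two failures a day apart still lock the account; with the default of 15 minutes, the first failure has aged out and the valid login succeeds.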