Skip to main content

Configuring user security settings

The user-account security settings configure the password, login, and user-session settings for local users.

Procedure

To configure security settings for local users, complete the following steps.

  1. From the XClarity Orchestrator menu bar, click Administration (Administration icon) > Security, and then click Account Security Settings in the left navigation to display the Account Security Settings card.
  2. Configure the following security settings.
    Security settingDescriptionAllowed valuesDefault values
    Password expiration periodAmount of time, in days, that a user can use a password before it must be changed

    Lower values reduce the amount of time that attackers have to guess passwords.

    If set to 0, passwords never expire.

    03650
    Password expiration warning periodAmount of time, in days, before the password-expiration date when users begin to receive warnings about an impending expiration of the user password

    If set to 0, users are not warned.

    0300
    Minimum password reuse cycleMinimum number of times that a unique password must be specified when changing the password before the user can start to reuse passwords

    If set to 0, users can reuse passwords immediately.

    0105
    Minimum password change intervalMinimum amount of time, in hours, that must elapse before a user can change a password again after it was previously changed

    The value specified for this setting cannot exceed the value specified for the Password expiration period setting.

    If set to 0, users can change passwords immediately.

    02401
    Maximum number of login failuresMaximum number of times that a user can attempt to log in with an incorrect password before the user account is locked
    Note
    Consecutive login attempts using the same username and password count as a single failed login.

    If set to 0, accounts are never locked.

    0105
    Failed login counter resetAmount of time since the last failed login attempt before the Maximum number of login failures counter is reset to 0.

    If set to 0, the counter never resets. For example, if the maximum number of login failures is 2, and you fail your login once, then fail it a second time 24 hours later, the system registers that you have failed your login twice, and your account is locked out.

    Note
    This setting applies only when the Maximum number of login failures setting is set to 1 or greater.
    06015
    Lockout period after maximum login failuresMinimum amount of time, in minutes, after which a locked user can attempt to log back in again

    A user account that is locked cannot be used to gain access to XClarity Orchestrator even if a valid password is provided.

    If set to 0, user accounts are never locked.

    Note
    This setting applies only when the Maximum number of login failures setting is set to 1 or greater.
    0288060
    Web inactivity session timeoutAmount of time, in minutes, that a user session established with the orchestrator server can be inactive before the user session expires and the user is automatically logged out. This timeout applies to all actions (such as opening a page, refreshing the current page, or modifying data).

    This is the primary timeout for the user session.

    When a session is active, this timer resets every time the user performs any action. After the timeout value is exceeded, the login page is displayed the next time the user attempts to perform an action.

    If set to 0, this timeout is disabled.

    Note
    Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.

    0, 60 – 1440

    1440
    Web inactivity timeout for full operationsAmount of time, in minutes, that a user session established with the orchestrator server can be inactive before the actions that modify data (such as creating, updating, or deleting a resource) are disabled

    This is an optional secondary timeout and is shorter than the primary Web inactivity session timeout value.

    When a session is active, this timer resets every time the user performs any action. If this timeout value is exceeded but the primary Web inactivity session timeout value is not exceeded, the user is restricted to read-only actions (such as opening or refreshing a page) until the primary Web inactivity session timeout value is exceeded; however, if the user attempts to perform an action that modifies data, the user session expires and the login page is displayed.

    If set to 0, this timeout is disabled.

    Note
    Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.

    0, 15 – 60

    30
    Mandatory expiration time of a web-based sessionAmount of time, in hours, that a user session established with the orchestrator server can be open before the user is automatically logged out, regardless of user activity
    Note
    Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new timeout value are expired.

    24240

    24
    Minimum password lengthMinimum number of characters that can be used to specify a valid password8256256
    Maximum password lengthMaximum number of characters that can be used to specify a valid password8128128
    Maximum active sessions for a specific userMaximum number of active sessions for a specific user that are allowed at any given time. When the maximum number is reached, the oldest active session for a user (based on the creation timestamp) is removed before a new session is created for that user.

    If set to 0, an unlimited number of active sessions is allowed for a specific user.

    Note
    Only user sessions that start after the setting is changed are affected.
    02020
    Number of complexity rules that must be followed when creating a new passwordNumber of complexity rules that must be followed when creating a new password

    Rules are enforced starting with rule 1, and up to the number of rules specified. For example, if the password complexity is set to 4, then rules 1, 2, 3 and 4 must be followed. If the password complexity is set to 2, then rules 1 and 2 must be followed.

    XClarity Orchestrator supports the following password complexity rules.

    • Must contain at least one alphabetic character, and must not have more than two sequential characters, including sequences of alphabetic characters, digits, and QWERTY keyboard keys (for example, “abc”, “123”, and “asd” are not allowed)
    • Must contain at least one number
    • Must contain at least two of the following characters.
      • Uppercase alphabetic characters (A – Z)
      • Lowercase alphabetic characters (a – z)
      • Special characters ; @ _ ! ' $ & +

      White space characters are not allowed.

    • Must not repeat or reverse the use name.
    • Must not contain more than two of the same characters consecutively (for example, “aaa”, “111”, and “...” are not allowed).

    If set to 0, passwords are not required to comply with any complexity rules.

    054
    Force user to change password on first accessIndicates whether a user is required to change the password when logging in to XClarity Orchestrator for the first timeYes or NoYes
  3. Click Apply.

    After the changes are applied, the new settings take effect immediately. If you change password policies, those policies are enforced the next time a user logs in or changes the password.

After you finish

You can perform the following action from the Account Security Settings card.

  • To reset these settings to the default values, click Restore defaults.