Configuring user security settings
The user-account security settings configure the password, login, and user-session settings for local users.
Procedure
To configure security settings for local users, complete the following steps.
- From the Lenovo SDI Management Platform menu bar, click Administration > Security, and then click Account Security Settings in the left navigation bar to display the Account Security Settings card.
- Configure the following security settings.
Security setting | Description | Allowed values | Default values |
---|---|---|---|
Password expiration period | Amount of time, in days, that a user can use a password before it must be changed. Lower values reduce the amount of time that attackers have to guess passwords. If set to 0, passwords never expire. | 0 – 365 | 90 |
Password expiration warning period | Amount of time, in days, before the password-expiration date when users begin to receive warnings about an impending expiration of the user password. If set to 0, users are not warned. | 0 – 30 | 14 |
Minimum password reuse cycle | Minimum number of times that a unique password must be specified when changing the password before the user can start to reuse passwords. If set to 0, users can reuse passwords immediately. | 0 – 10 | 5 |
Minimum password change interval | Minimum amount of time, in hours, that must elapse before a user can change a password again after it was previously changed. The value specified for this setting cannot exceed the value specified for the Password expiration period setting. If set to 0, users can change passwords immediately. | 0 – 240 | 1 |
Maximum number of login failures | Maximum number of times that a user can attempt to log in with an incorrect password before the user account is locked. Note: Consecutive login attempts using the same user name and password count as a single failed login. If set to 0, accounts are never locked. | 0 – 10 | 5 |
Failed login counter reset | Amount of time since the last failed login attempt before the Maximum number of login failures counter is reset to 0. If set to 0, the counter never resets. For example, if the maximum number of login failures is 2, and you fail your login once, then fail it a second time 24 hours later, the system registers that you have failed your login twice, and your account is locked out. Note: This setting applies only when the Maximum number of login failures setting is set to 1 or greater. | 0 – 60 | 15 |
Lockout period after maximum login failures | Minimum amount of time, in minutes, after which a locked user can attempt to log back in again. A user account that is locked cannot be used to gain access to Lenovo SDI Management Platform even if a valid password is provided. If set to 0, user accounts are never locked. Note: This setting applies only when the Maximum number of login failures setting is set to 1 or greater. | 0–2880 | 60 |
Web inactivity session timeout | Amount of time, in minutes, that a user session established with the orchestrator server can be inactive before the user session expires and the user is automatically logged out. This timeout applies to all actions (such as opening a page, refreshing the current page, or modifying data). This is the primary timeout for the user session. When a session is active, this timer resets every time the user performs any action. After the timeout value is exceeded, the login page is displayed the next time the user attempts to perform an action. If set to 0, this timeout is disabled. Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired. | 0, 60–1440 | 1440 |
Web inactivity timeout for full operations | Amount of time, in minutes, that a user session established with the orchestrator server can be inactive before the actions that modify data (such as creating, updating, or deleting a resource) are disabled. This is an optional secondary timeout and is shorter than the primary Web inactivity session timeout value. When a session is active, this timer resets every time the user performs any action. If this timeout value is exceeded but the primary Web inactivity session timeout value is not exceeded, the user is restricted to read-only actions (such as opening or refreshing a page) until the primary Web inactivity session timeout value is exceeded; however, if the user attempts to perform an action that modifies data, the user session expires and the login page is displayed. If set to 0, this timeout is disabled. Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired. | 0, 15–60 | 30 |
Mandatory expiration time of a web-based session | Amount of time, in hours, that a user session established with the orchestrator server can be open before the user is automatically logged out, regardless of user activity. Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired. | 24–240 | 24 |
Minimum password length | Minimum number of characters that can be used to specify a valid password | 8–128 | 8 |
Maximum password length | Maximum number of characters that can be used to specify a valid password | 8 – 128 | 128 |
Maximum active sessions for a specific user | Maximum number of active sessions for a specific user that are allowed at any given time. When the maximum number is reached, the oldest active session for a user (based on the creation timestamp) is removed before a new session is created for that user. If set to 0, an unlimited number of active sessions is allowed for a specific user. Note: Only user sessions that start after the setting is changed are affected. | 0–20 | 20 |
Number of complexity rules that must be followed when creating a new password | Number of complexity rules that must be followed when creating a new password. Rules are enforced starting with rule 1, and up to the number of rules specified. For example, if the password complexity is set to 4, then rules 1, 2, 3, and 4 must be followed. If the password complexity is set to 2, then rules 1 and 2 must be followed. Lenovo SDI Management Platform supports the following password complexity rules. If set to 0, passwords are not required to comply with any complexity rules. | 0 – 5 | 4 |
Force user to change password on first access | Indicates whether a user is required to change the password when logging in to Lenovo SDI Management Platform for the first time | Yes or No | Yes |
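The following added example (a model written for this page, not Lenovo SDI Management Platform code) shows how the three lockout settings in the table interact, including the rule that consecutive attempts with the same wrong password count as one failure. The class and function names are hypothetical; it assumes the counter reset is measured in minutes, that a successful login clears the counter, and that the counter restarts after a lockout ends.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_failures: int = 5      # Maximum number of login failures (0 = never lock)
    reset_minutes: int = 15    # Failed login counter reset (0 = never reset); unit assumed
    lockout_minutes: int = 60  # Lockout period after maximum login failures

class Account:
    """Hypothetical model of one local user; times are minutes on an arbitrary clock."""
    def __init__(self, policy, password):
        self.policy, self.password = policy, password
        self.failures = 0
        self.last_failure = self.last_bad = self.locked_until = None

    def _clear(self):
        self.failures, self.last_bad = 0, None

    def login(self, password, now):
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"            # refused even with the valid password
            self.locked_until = None
            self._clear()                  # assumption: counter restarts after a lockout
        if (p.reset_minutes and self.last_failure is not None
                and now - self.last_failure >= p.reset_minutes):
            self._clear()                  # quiet period elapsed, counter back to 0
        if password == self.password:
            self._clear()                  # assumption: a successful login clears the counter
            return "ok"
        if password != self.last_bad:      # consecutive repeats of one wrong password count once
            self.failures += 1
        self.last_bad, self.last_failure = password, now
        if p.max_failures and p.lockout_minutes and self.failures >= p.max_failures:
            self.locked_until = now + p.lockout_minutes
            return "locked"
        return "failed"

def replay(policy, attempts, password="correct-horse"):
    """Run constructed (minute, password) attempts and return the outcome of each."""
    account = Account(policy, password)
    return [account.login(pw, t) for t, pw in attempts]

# Constructed input: the table's example, a second failure 24 hours after the first.
TWO_FAILS = [(0, "guess-1"), (24 * 60, "guess-2")]

if __name__ == "__main__":
    print(replay(LockoutPolicy(max_failures=2, reset_minutes=0), TWO_FAILS))
    print(replay(LockoutPolicy(max_failures=2, reset_minutes=15), TWO_FAILS))
```

With the counter reset set to 0, the two failures a day apart lock the account; with a 15-minute reset, the same attempts do not.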
After you finish
You can perform the following action from the Account Security Settings card.
- To reset these settings to the default values, click Restore defaults.