Configuring user security settings

The user-account security settings configure the password, login, and user-session settings for local users.

Procedure

To configure security settings for local users, complete the following steps.

  1. From the Lenovo SDI Management Platform menu bar, click Administration > Security, and then click Account Security Settings in the left navigation bar to display the Account Security Settings card.
  2. Configure the following security settings.
     Each security setting is listed with its description, allowed values, and default value.

     Password expiration period
       Amount of time, in days, that a user can use a password before it must be changed.
       Lower values reduce the amount of time that attackers have to guess passwords.
       If set to 0, passwords never expire.
       Allowed values: 0–365
       Default value: 90

     Password expiration warning period
       Amount of time, in days, before the password-expiration date when users begin to receive warnings about an impending expiration of the user password.
       If set to 0, users are not warned.
       Allowed values: 0–30
       Default value: 14

     Minimum password reuse cycle
       Minimum number of times that a unique password must be specified when changing the password before the user can start to reuse passwords.
       If set to 0, users can reuse passwords immediately.
       Allowed values: 0–10
       Default value: 5

     Minimum password change interval
       Minimum amount of time, in hours, that must elapse before a user can change a password again after it was previously changed.
       The value specified for this setting cannot exceed the value specified for the Password expiration period setting.
       If set to 0, users can change passwords immediately.
       Allowed values: 0–240
       Default value: 1

     Maximum number of login failures
       Maximum number of times that a user can attempt to log in with an incorrect password before the user account is locked.
       Note: Consecutive login attempts using the same user name and password count as a single failed login.
       If set to 0, accounts are never locked.
       Allowed values: 0–10
       Default value: 5

     Failed login counter reset
       Amount of time since the last failed login attempt before the Maximum number of login failures counter is reset to 0.
       If set to 0, the counter never resets. For example, if the maximum number of login failures is 2, and you fail your login once, then fail it a second time 24 hours later, the system registers that you have failed your login twice, and your account is locked out.
       Note: This setting applies only when the Maximum number of login failures setting is set to 1 or greater.
       Allowed values: 0–60
       Default value: 15

     Lockout period after maximum login failures
       Minimum amount of time, in minutes, after which a locked user can attempt to log back in again.
       A user account that is locked cannot be used to gain access to Lenovo SDI Management Platform even if a valid password is provided.
       If set to 0, user accounts are never locked.
       Note: This setting applies only when the Maximum number of login failures setting is set to 1 or greater.
       Allowed values: 0–2880
       Default value: 60

     Web inactivity session timeout
       Amount of time, in minutes, that a user session established with the orchestrator server can be inactive before the user session expires and the user is automatically logged out. This timeout applies to all actions (such as opening a page, refreshing the current page, or modifying data).
       This is the primary timeout for the user session.
       When a session is active, this timer resets every time the user performs any action. After the timeout value is exceeded, the login page is displayed the next time the user attempts to perform an action.
       If set to 0, this timeout is disabled.
       Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.
       Allowed values: 0, 60–1440
       Default value: 1440

     Web inactivity timeout for full operations
       Amount of time, in minutes, that a user session established with the orchestrator server can be inactive before the actions that modify data (such as creating, updating, or deleting a resource) are disabled.
       This is an optional secondary timeout and is shorter than the primary Web inactivity session timeout value.
       When a session is active, this timer resets every time the user performs any action. If this timeout value is exceeded but the primary Web inactivity session timeout value is not exceeded, the user is restricted to read-only actions (such as opening or refreshing a page) until the primary Web inactivity session timeout value is exceeded; however, if the user attempts to perform an action that modifies data, the user session expires and the login page is displayed.
       If set to 0, this timeout is disabled.
       Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.
       Allowed values: 0, 15–60
       Default value: 30

     Mandatory expiration time of a web-based session
       Amount of time, in hours, that a user session established with the orchestrator server can be open before the user is automatically logged out, regardless of user activity.
       Note: Changing this setting immediately affects all user sessions, regardless of authentication type. Existing sessions that have been inactive for longer than the new time-out value are expired.
       Allowed values: 24–240
       Default value: 24

     Minimum password length
       Minimum number of characters that can be used to specify a valid password.
       Allowed values: 8–128
       Default value: 8

     Maximum password length
       Maximum number of characters that can be used to specify a valid password.
       Allowed values: 8–128
       Default value: 128

     Maximum active sessions for a specific user
       Maximum number of active sessions for a specific user that are allowed at any given time. When the maximum number is reached, the oldest active session for a user (based on the creation timestamp) is removed before a new session is created for that user.
       If set to 0, an unlimited number of active sessions is allowed for a specific user.
       Note: Only user sessions that start after the setting is changed are affected.
       Allowed values: 0–20
       Default value: 20

     Number of complexity rules that must be followed when creating a new password
       Number of complexity rules that must be followed when creating a new password.
       Rules are enforced starting with rule 1, and up to the number of rules specified. For example, if the password complexity is set to 4, then rules 1, 2, 3, and 4 must be followed. If the password complexity is set to 2, then rules 1 and 2 must be followed.
       Lenovo SDI Management Platform supports the following password complexity rules.

         1. Must contain at least one alphabetic character, and must not have more than two sequential characters, including sequences of alphabetic characters, digits, and QWERTY keyboard keys (for example, “abc”, “123”, and “asd” are not allowed)
         2. Must contain at least one number
         3. Must contain at least two of the following characters.
           • Uppercase alphabetic characters (A – Z)
           • Lowercase alphabetic characters (a – z)
           • Special characters ; @ _ ! ' $ & +
         4. Must not repeat or reverse the user name
         5. Must not contain more than two of the same characters consecutively (for example, “aaa”, “111”, and “...” are not allowed)

       If set to 0, passwords are not required to comply with any complexity rules.
       Allowed values: 0–5
       Default value: 4

     Force user to change password on first access
       Indicates whether a user is required to change the password when logging in to Lenovo SDI Management Platform for the first time.
       Allowed values: Yes or No
       Default value: Yes
  3. Click **Apply**. After the changes are applied, the new settings take effect immediately. If you change password policies, those policies are enforced the next time a user logs in or changes the password.
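
The cumulative password complexity rules and the length limits described in step 2 can be checked against candidate passwords before a policy change is rolled out. The following Python sketch is an added example, not Lenovo code. It assumes that sequences are matched forwards only and case-insensitively, that rule 3 means two of the three character classes, and that rule 4 means the user name or its reverse appearing anywhere in the password.

```python
import re

SPECIALS = set(";@_!'$&+")          # special characters listed in rule 3
# Assumption: sequences are checked forwards only, case-insensitively, against
# the alphabet, the digits and the three QWERTY letter rows.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_sequence(pw, run=3):
    """True if pw contains `run` adjacent characters taken from one sequence."""
    low = pw.lower()
    return any(low[i:i + run] in seq
               for i in range(len(low) - run + 1) for seq in SEQUENCES)

def rule1(pw, user):   # a letter, and no run such as "abc", "123" or "asd"
    return any(c.isalpha() for c in pw) and not has_sequence(pw)

def rule2(pw, user):   # at least one number
    return any(c.isdigit() for c in pw)

def rule3(pw, user):   # assumption: two of the three character classes
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c in SPECIALS for c in pw))
    return sum(classes) >= 2

def rule4(pw, user):   # assumption: user name or its reverse as a substring
    u, p = user.lower(), pw.lower()
    return not u or (u not in p and u[::-1] not in p)

def rule5(pw, user):   # no character three or more times in a row
    return re.search(r"(.)\1\1", pw) is None

RULES = (rule1, rule2, rule3, rule4, rule5)

def check_password(pw, user, complexity=4, min_len=8, max_len=128):
    """Return the violated checks; an empty list means the password passes."""
    failures = [] if min_len <= len(pw) <= max_len else ["length"]
    # Rules are cumulative: complexity N enforces rules 1..N, 0 enforces none.
    failures += [f"rule {n}" for n, rule in enumerate(RULES[:complexity], 1)
                 if not rule(pw, user)]
    return failures

# Constructed sample inputs, checked against the default complexity of 4.
if __name__ == "__main__":
    for pw in ("abc12345", "Nimda!97Kx", "Tr0ub4dor&x"):
        print(pw, check_password(pw, "admin"))
```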

After you finish

You can perform the following action from the Account Security Settings card.

  • To reset these settings to the default values, click Restore defaults.
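
The three lockout settings in step 2 (Maximum number of login failures, Failed login counter reset, and Lockout period after maximum login failures) interact, and a small model makes the effect of a 0 value easy to see. The following Python sketch is an added example, not Lenovo code. The `Account`, `LockoutPolicy`, and `replay` names are hypothetical, and it assumes that the counter reset is measured in minutes and that a successful login or an expired lock clears the counter.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_failures: int = 5     # 0: accounts are never locked
    reset_after: int = 15     # 0: counter never resets (unit assumed: minutes)
    lockout_period: int = 60  # minutes; 0: accounts are never locked

class Account:
    """Hypothetical in-memory model of one local user's failed-login state."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = 0
        self.last_failure = None   # minute of the last failed attempt
        self.last_wrong = None     # digest of the last wrong password
        self.locked_until = None

    def _clear(self):
        self.failures, self.last_wrong, self.locked_until = 0, None, None

    def attempt(self, now, password, valid):
        """Handle a login at minute `now`; return 'ok', 'failed' or 'locked'."""
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"    # refused even when the password is valid
            self._clear()          # assumption: lock expiry clears the counter
        if valid:
            self._clear()          # assumption: a successful login clears it too
            return "ok"
        if (p.reset_after and self.last_failure is not None
                and now - self.last_failure >= p.reset_after):
            self._clear()
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest != self.last_wrong:   # same wrong password again counts once
            self.failures += 1
            self.last_wrong = digest
        self.last_failure = now
        if p.max_failures and p.lockout_period and self.failures >= p.max_failures:
            self.locked_until = now + p.lockout_period
            return "locked"
        return "failed"

def replay(policy, events):
    """Run constructed (minute, password, valid) events; return each outcome."""
    account = Account(policy)
    return [account.attempt(*event) for event in events]
```

Replaying the 24-hour example from the Failed login counter reset description with `reset_after=0` returns a lock on the second failure, while the default of 15 does not.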