The password policies feature allows system admins and managers to set up configurable password plans that can be associated with user permission groups. This allows password policies to be made more restrictive for permission groups according to the sensitivity of the permissions associated with each group.
Users associated with multiple permission groups that have different password policy plans assigned will always use the more restrictive setting. For example, if a user is associated with three different password policies with differing Min-Numeric settings, the highest value is used.
Configuration
If the Password Policy option is available to the user, they can create and edit plans. If the option is not available to them, they must be in a permission group with a role of manager or sysadmin (other).
Clicking ‘Password Policy’ displays a list of the current policies on the system. Because policies can be set to Active or Inactive, it is important to note the drop-down filter here.
Multiple password policies can be set up within the Plan type.
‘Settings bar’
Create a new – Click here to make a new Password Policy
Duplicate – Copies the selected policy as a new one
Filter – Here, users can switch between Active/Inactive policies
Save – Clicking here will save any new plans/changes to existing plans
Search – Users can search the existing plans on the system
Creating a new plan
Once the user has clicked ‘Create a new plan’, they will be presented with the list of ‘Password Policy Plan Settings’.
Users can enter a name for the plan here.
Users can select whether the plan is active or inactive here (users can only set the plan to inactive once it has been created).
Passwords must be at least this length (In the case of multiple plans, the highest value is used).
Passwords must not exceed this length (In the case of multiple plans, the highest value is used).
Passwords must contain at least this many alpha (a-z) characters (In the case of multiple plans, the highest value is used).
Passwords must contain at least this many numeric digits (In the case of multiple plans, the highest value is used).
Passwords must contain at least this many special characters (accepted: ! @ # $ % ^ & * ( ) \ - _ [ ] ?). In the case of multiple plans, the highest value is used.
The number of days after the last change at which a user password expires. When a password expires, the next logon attempt by the user will prompt a password change. The user will not be able to log on until the password is changed. The password must be unique (within the last 10 changes). In the case of multiple plans, the lowest value is used.
The number of failed logon attempts before the account becomes locked. In the case of multiple plans, the lowest value is used.
The amount of time (in seconds) that an account stays locked once the Maximum Retries setting has been reached with invalid logon attempts. Setting this value to 0 locks the account until a supervisor or manager unlocks it within the CTU page. Otherwise the account will automatically unlock after the specified time. In the case of multiple plans, the highest value is used.
When an account becomes locked, regardless of lockout time, supervisor intervention is required to unlock the account (In the case of multiple plans, if any plan has this setting checked, then supervisor unlock is required).
When this option is set, the user can change their password within the ManagerPortal application. Click on the username/icon widget in the top right corner and select Change Password (In the case of multiple plans, if any plan has this setting checked, then the user can change their password).
When this option is set, the user is required to change their password immediately before they can log in. This setting is useful for policies requiring supervisor unlocks, as the supervisor can set a temporary password and require the user to change it (this option should be used when adding new users to the system, as it forces the user to change the password on first login).
Once all these settings have been configured, the user needs to press the save button to save the plan to the system.
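The following added example (not the product's own code) shows how the "multiple plans" rules stated above combine into one effective policy for a user in several permission groups, and how a password that passes one group's plan can fail the merged one. The field names, the sample plans and the case-insensitive reading of "alpha (a-z)" are assumptions made for illustration.

```python
# Added example: field names are hypothetical, not the product's own.
from dataclasses import dataclass

SPECIALS = set("!@#$%^&*()\\-_[]?")  # accepted special characters listed above

@dataclass
class Plan:
    min_length: int
    max_length: int
    min_alpha: int
    min_numeric: int
    min_special: int
    expiry_days: int
    max_retries: int
    lockout_seconds: int
    supervisor_unlock: bool
    user_can_change: bool

# Merge rule per setting as stated above: highest, lowest, or "any plan checked".
RULES = {
    "min_length": max, "max_length": max, "min_alpha": max,
    "min_numeric": max, "min_special": max,
    "expiry_days": min, "max_retries": min,
    "lockout_seconds": max,  # applied literally; how 0 (manual unlock) merges is not stated
    "supervisor_unlock": any, "user_can_change": any,
}

def effective_policy(plans):
    """Combine the plans of every permission group a user belongs to."""
    return Plan(**{f: rule([getattr(p, f) for p in plans]) for f, rule in RULES.items()})

def violations(password, plan):
    """Return the names of the complexity settings the password fails."""
    counts = {
        "min_length": len(password),
        "min_alpha": sum(c.isascii() and c.isalpha() for c in password),  # assumes A-Z counts
        "min_numeric": sum(c.isascii() and c.isdigit() for c in password),
        "min_special": sum(c in SPECIALS for c in password),
    }
    failed = [name for name, n in counts.items() if n < getattr(plan, name)]
    if len(password) > plan.max_length:
        failed.append("max_length")
    return failed

# Constructed sample: one user in three groups with differing plans.
AGENT = Plan(8, 32, 1, 1, 0, 90, 5, 300, False, True)
SUPERVISOR = Plan(10, 64, 2, 2, 1, 60, 5, 600, False, True)
ADMIN = Plan(14, 64, 2, 3, 2, 30, 3, 900, True, False)
MERGED = effective_policy([AGENT, SUPERVISOR, ADMIN])
```

Running `violations` against `MERGED` before assigning a new plan to a group shows which existing password choices would stop being accepted at the next change.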
Assigning the plan
To assign a plan to a permission group, navigate to the permissions editor.
Select the permission group you wish to assign a password policy to, and on the editor column there is an option to select Password Policy.
The drop-down will contain all the ‘Active’ password policies on the system. Once the password policy is applied, users will follow that configuration upon their next login.
Locked out users
When a user fails the password criteria, they may be unable to log in again for a period of time or at all, depending on settings.
A user with the required permissions can unlock the account by going to the CTU screen and selecting the user. They will then need to click on the green padlock button next to the user's password to allow the user to log in again or change their password.