[security-authentication-rules] Section
This section contains configuration options for defining custom properties of user passwords and setting up and using passwords. The options in this section are configured at either the tenant level or the user level. Refer to the User Passwords chapter in the Genesys Security Deployment Guide for complete information about these options.
This section must be called security-authentication-rules.
Tenant-level Options
The following options are configured in the [security-authentication-rules] section in the annex of the Tenant object, as follows:
- Tenant object > Options tab > Advanced View (Annex)
account-expiration
Default Value: 0
Valid Values: 0 to 365
Changes Take Effect: Rule validation occurs the next time an account belonging to this Tenant tries to log in or authenticate, or when a User object belonging to this Tenant is retrieved or changed
Specifies the maximum number of days for which an account can remain idle. After this time interval, the account will be considered expired and the user will not be able to log in until the account has been reactivated by the system administrator. Configuration Server checks for expired accounts when an account belonging to this Tenant tries to log in or authenticate, or when a User object belonging to this Tenant is retrieved or changed.
If set to 0 (the default), there is no expiration of idle accounts for any user.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
- This option does not apply to the Default account, which does not expire.
- This option does not apply to accounts that are externally authenticated if an external authentication Domain was configured.
- This option can be overridden for individual users using the override-account-expiration option.
account-lockout-attempts-period
Default Value: 0
Valid Values: 0–20
Takes Effect: At the next occurrence of an unsuccessful login attempt
Specifies the length of time (in minutes) since the last unsuccessful login attempt in which another unsuccessful attempt will be counted toward the lockout threshold specified by account-lockout-threshold. If another unsuccessful attempt is recorded before this time interval expires, the time of this latest attempt becomes the basis from which this time period is calculated. In effect, this period is a sliding window.
If no additional unsuccessful attempts occur within this time period, the number of unsuccessful attempts is cleared, and previous attempts are not counted towards the lockout threshold.
This time period applies to all user accounts belonging to this Tenant unless overridden at the User level by the account-override-lockout option.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
account-lockout-duration
Default Value: 30
Valid Values: 0–1440
Takes Effect: Next time an account is locked out
Specifies the length of time (in minutes) that the lockout lasts after the lockout condition has been met.
Accounts already locked when this option is changed are released after the time specified by this option elapses, regardless of how long they were locked out originally.
This lockout duration applies to all user accounts belonging to this Tenant unless overridden at the User level by the account-override-lockout option.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
account-lockout-mode
Default Value: 0
Valid Values: 0, 1
Takes Effect: Next time an account is locked out
Specifies whether an account will remain locked (after a user repeatedly enters incorrect authentication credentials) until the administrator unlocks it manually.
- If set to 1, the account-lockout-duration option is ignored and the account remains locked until an administrator unlocks it.
- If set to 0 (the default), the account remains locked out for the time period configured using the account-lockout-duration option.
The administrator can unlock an account using any of the following methods:
- Changing the password for the user.
- Enabling force password reset for the user.
- Setting the account-override-lockout option to true at User-level, which overrides the account lockout for that user.
account-lockout-threshold
Default Value: 0
Valid Values: 0 to 8
Takes Effect: At next attempt to log in
Specifies the number of consecutive unsuccessful login attempts that a user account can make before being locked out. When set to the 0 (the default), no lockout will occur. This threshold applies to all user accounts belonging to this Tenant unless overridden at the User level by the account-override-lockout option.
force-password-reset
Default Value: false
Valid Values: false, true
Takes Effect: Immediately
Specifies whether all applications must prompt all of their users to change their passwords at first login. If set to true, all users for whom password reset is enabled (Reset password is checked on the user Configuration tab) will be unable to login unless they reset their password the next time that they log in. Any exceptions to the policy of changing passwords at first login (down-level applications or applications for which the no-change-password-at-first-login option is set to true) will not be permitted.The user will not be able to log in until he or she uses the correct application or the administrator clears the Reset password checkbox on the corresponding User object’s Configuration tab.
For example, you might want to use this option to ensure that there are no exceptions to the policy of changing passwords at first login.
max-account-sessions
Default Value: 0
Valid Values: 0 to 128
Takes Effect: At next attempt to connect to Configuration Server.
Specifies the number of simultaneous connections that each account can have with a single instance of Configuration Server. If an account tries to exceed the number of connections, login is denied.
In configurations with multiple Tenants, if this option is missing from the Tenant in which the account is logging in, the value set in the Parent up to the inheritance node for this Tenant applies. See Passwords in Configurations with Multiple Tenants for more information.
If this option is set to 0 (the default), there are no limits.
This option can be overridden for individual users by setting this option, with the same valid values, in the annex of the particular User object.
object-deletion-rate
Default Value: 0
Valid Values: Any positive integer
Takes Effect: Immediately
Specifies the maximum number of objects that a user can delete within the interval configured in the object-deletion-rate-interval option.
When a user tries to delete beyond the configured limit, then Configuration Server rejects the request and generates a corresponding error message.
When set to 0 (zero), this feature is disabled.
object-deletion-rate-interval
Default Value: 1440 minutes
Valid Values: Any positive integer
Takes Effect: Immediately
Specifies the maximum amount of time (in minutes) in which a user can delete the number of objects configured in the object-deletion-rate option. Once the specified time expires, this option is reset to 0 and the user can continue to delete the objects until the next timeout.
When set to 0 (zero), this feature is disabled.
password-expiration
Default Value: 0
Valid Values: 0 to 365
Takes Effect: Immediately
Specifies the number of days from when the user password was created and after which the password is considered expired and cannot be used. If set to 0 (the default), the password will not expire.
This option does not apply to empty passwords, nor to the password for the default account that never expires.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
password-expiration-notify
Default Value: 0
Valid Values: 0 to 364
Takes Effect: Immediately
Specifies the number of days before a user password expires that a notice will be displayed to the user warning that his or her password will expire. To take effect, the specified value must be less than the number of days left before the password expires. If set to 0 (the default), no notification is sent.
This option applies only if the password-expiration option is configured at the Tenant level.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
password-min-length
Default Value: No default value
Valid Values: 0 to 64
Takes Effect: Immediately
Optional. Specifies the minimum length (in characters) of a password used by all users in the Tenant in which the option is defined. If this option is present, it overrides the allow-empty-password option in Configuration Server or Configuration Server Proxy.
If this option is set to 0, an empty password is permitted (regardless of the value of allow-empty-password). If this option is set to a value greater than the maximum allowed value (64), the maximum value is used.
- This option applies only to passwords used with internal authentication, however during person object creation, the password criteria must match with configuration irrespective of whether external or internal authentication is used. This is because if external authentication is disabled, then it must fall back to internal authentication.
- This option applies only to passwords set after this option has been configured. Existing valid passwords that do not meet the minimum length requirement are not rejected during login; however, when the user tries to change one of these passwords, the new password will be subject to this option.
- Genesys recommends you use this option instead of the allow-empty-password option, which is provided only for purposes of backward compatibility.
password-no-repeats
Default: 0
Valid Values: 0 to 30
Changes Take Effect: At the next password creation or change
Specifies the number of password changes that must occur (that is, the number of old passwords) before a prior password can be reused. If set to 0 (the default), no history of used passwords is kept, and a password can be reused as desired.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
password-req-alpha
Default: false
Valid Values: false, true
Changes Take Effect: At the next password creation or change
Specifies whether a password must contain at least one US-ASCII alphabetic character (a-z, A-Z). If set to true, and a password being created or changed does not contain one or more alphabetic characters, Configuration Server will not save the changes.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
- This option applies only to passwords used with internal authentication. It does not apply if you are using external authentication.
- This option applies only to passwords set after this option has been configured. Existing valid passwords that do not meet the alphabetic requirement are not rejected during login; however, when the user tries to change one of these passwords, the new password will be subject to this option.
password-req-mixed-case
Default: false
Valid Values: false, true
Changes Take Effect: At the next password creation or change
Specifies whether a password must contain at least one uppercase character (A-Z) and one lowercase character (a-z) from the US-ASCII character set. If set to true, and a password is created or changed does not contain one or more uppercase characters and one or more lowercase characters, Configuration Server will not save the changes.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
- The password must contain at least one upper-case (A-Z) and one lower-case (a-z) ASCII character.
- This option applies only to passwords used with internal authentication. It does not apply if you are using external authentication.
- This option applies only to passwords set after this option has been configured. Existing valid passwords that do not meet the mixed-case requirement are not rejected during login; however, when the user tries to change one of these passwords, the new password will be subject to this option.
password-req-number
Default: false
Valid Values: false, true
Changes Take Effect: At the next password creation or change
Specifies whether a password must contain at least one numeric character (0-9). If set to true, and a password being created or changed does not contain one or more numeric characters, Configuration Server will not save the changes.
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
- This option applies only to passwords used with internal authentication. It does not apply if you are using external authentication.
- This option applies only to passwords set after this option has been configured. Existing valid passwords that do not meet the numeric the requirement is not rejected during login; however, when the user tries to change one of these passwords, the new password will be subject to this option.
password-req-punctuation
Default: false
Valid Values: false, true
Changes Take Effect: At the next password creation or change
Specifies whether a password must contain at least one punctuation character from the US-ASCII character set. If set to true, and a password being created or changed does not contain one or more punctuation characters, Configuration Server will not save the changes. The following punctuation characters are permitted:
- ! “ # $ % &’ ( ) * + , - . /
- : ; < = > ?
- [ \ ] ^ _ `
- { | } ~
In configurations with multiple Tenants, this value applies to all child Tenants unless it is overridden in a child Tenant. See Passwords in Configurations with Multiple Tenants for more information.
- This option applies only to passwords used with internal authentication. It does not apply if you are using external authentication.
- This option applies only to passwords that are set after this option has been configured. Existing valid passwords that do not meet the punctuation requirement are not rejected during login; however, when the user tries to change one of these passwords, the new password will be subject to this option.
shortcut-add-restriction-count
Default: 0
Valid Values:Any positive integer
Changes Take Effect: Immediately
The maximum number of objects that can be moved by a User per change object request. Also the maximum number of shortcuts that can be added into an object group by a user per change request.
When a user tries to move objects or add shortcuts beyond the configured limit, then Configuration Server rejects the request and generates a corresponding error message.
shortcut-remove-restriction-count
Default: 0
Valid Values:Any positive integer
Changes Take Effect: Immediately
Specifies the maximum number of shortcut objects that a user can delete per change object request. When a user tries to delete beyond the configured limit, then Configuration Server rejects the request and generates a corresponding error message. When set to 0 (zero), this feature is disabled.
tenant-override-section
Default: false
Valid Values: false, true
Changes Take Effect: Immediately
Applies only in a configuration with multiple Tenants; specifies how Configuration Server interprets or applies values for options in the configuration option section security-authentication-rules, as follows:
- If this Tenant has values configured for one or more of these options, those values are applied. Values for the other options are assigned as described in the following two bullets, depending on the value of this option (tenant-override-section).
- If this Tenant has no values configured for any of these options, and this option (tenant-override-section) is either absent or set to false, values defined at the nearest ancestor Tenant are applied.
- If this Tenant has no values configured for any of these options, and this option (tenant-override-section) is set to true, default values are applied to all options. Values assigned in ancestor Tenants are ignored for this Tenant.
In effect, this option allows customization of these options for this Tenant and its child Tenants, if required, and applies to all options in the [security-authentication-rules] section in the same object.
User-level Options
These options are configured at the User-level. They either override settings made at the Tenant level or contain information about actions taken as a result of settings at the Tenant level or their overrides at the User level. Options in this section are configured in the security-authentication-rules section in the annex of the User object, as follows:
- User object > Options tab > Advanced View (Annex)
account-override-lockout
Default Value: false
Valid Values: false, true
Takes Effect: At the next attempt to log in to any instance of Configuration Server
Specifies whether this user account can be locked out. If set to true, this user can override the lockout rules set at its Tenant level. A true value can also be used to unlock, or clear, a locked account if set before the account-lockout-duration option is set at the Tenant level. If set to false (the default), the lockout will expire as configured at the Tenant level.
last-expired-at
Specifies when the user account expired, for example:
Sat Oct 13 12:42:52 2012
This option is set automatically by Configuration Server or Configuration Server Proxy and appears in the annex of the User object. The value is read-only and is for reference purposes only.
last-locked-at
Specifies when the user account was locked by the instance of Configuration Server to which the client application, used to review Person object options, is currently connected. For example:
09/12/09 10:445 PM @confserv
This option is set automatically by Configuration Server or Configuration Server Proxy and appears in the annex of the User object. The value is read-only and is for reference purposes only.
override-account-expiration
Default Value: 0
Valid Values:
0 | Default. No override; the expiration value set at the Tenant level applies. Each time that this account tries to log in or authenticate or an attempt is made to read or change the User object, the idle time calculation restarts. |
1 | No check for account expiration is made when the user tries to log in or authenticate, or when the User object is retrieved; the value of the Tenant-level option account-expiration is ignored. If this account is marked as expired (last-expired-at is set to a valid date/time stamp), it is reactivated. |
2 | Check for idle time does not occur at the next login attempt. After the user has logged in successfully, idle time calculation restarts and the value of this option is reset to 0 (the default). |
Takes Effect: At the next time the user tries to log in or authenticate, or an attempt is made to read or change the User object.
Specifies if account expiration, as defined by the Tenant-level option account-expiration, applies to a particular user account.
- This option does not apply to the Default account, which does not expire.
- This option does not apply to accounts that are externally authenticated.
override-shortcut-add-restriction
Default Value: false
Valid Values: true, false
Takes Effect: Immediately
Configuration object move restriction disabled if set as true on person Object.
override-object-deletion-rate
Default Value: false
Valid Values: false, true
Takes Effect: Immediately
Specifies whether to restrict a user account from deleting the configuration objects. By default, this feature is enabled. If set to true, restriction to delete the configuration options is disabled.
If the password of the Person object is changed, this option is reset to the default value (false).
override-password-expiration
Default Value: false
Valid Values: false, true
Takes Effect: At the next attempt to log in or authenticate the user
Specifies whether a password of the user for which this option is configured can override the expiration policy specified at the Tenant level by the password-expiration option. If set to true, the user password for this user will not expire. If set to false (default), the user password will expire as configured at the Tenant level.
This option applies only if password-expiration is configured at the Tenant level.
override-shortcut-remove-restriction
Default Value: false
Valid Values: false, true
Takes Effect: Immediately
Specifies whether to restrict a user account from deleting the shortcuts from the object group. By default, this feature is enabled. If set to true, restriction to delete the group object shortcuts is disabled.