Security Configuration

The Security Configuration (SCCNFG) page allows the definition of global security parameters for users. For example, the following can be set: how often passwords expire, the number of failed login attempts before deactivation, the number of passwords kept in history, and how many days before expiration users are warned that their password has to be changed. Various password rules that strengthen password security can also be enforced. When any of the password or User ID rules are changed, the changes do not take effect until the application server is restarted. A changed password policy is enforced only on each subsequent password change: existing passwords remain valid even if they no longer conform to the new policy. When an existing user changes their password because it has expired, the new password is validated against the newly implemented policy. System-generated passwords conform to the site's password policy.

Field Information

Field

Description

Perform Default Security Role Check

Determines when, if ever, the ANY Security Role is checked for a user during a security authorization check. The use of the ANY Security Role is optional and configurable. The ANY Security Role can behave in one of three possible ways:

  • Before – The ANY Security Role is implicitly added to all users and is checked before any other Security Roles during security authorization. This is the recommended setting so that CGI Advantage recognizes common authority access before checking user authority based on additional security roles assigned to the user.

  • After – The ANY Security Role is implicitly added to all users and is checked after all other Security Roles during security authorization.

  • Never – The ANY Security Role is neither implicitly added to users nor checked during security authorization.

User Email Subject

The email subject text for the email sent to users when their password is set/reset and the Expire New Password flag is selected on the User Maintenance transaction, User Information page, and so forth.

User Email Text

The email message body text for the email sent to users when their password is set/reset and the Expire New Password check box is checked on the User Maintenance transaction, User Information page, and so forth. The system appends the new password to the end of the email message body text. For new Users, the system appends the User ID also.

Password Reset Email Subject

The email subject text for the email sent to users when they reset their password. This is required if the Enable User Password Reset check box is selected. See the “Password Policy Security Settings” section for more information.

Password Reset Email Message Body

The email message text for the email sent to users when they reset their password. This is required if the Enable User Password Reset check box is selected. See the “Password Policy” section for more information.

Enable User Password Reset

This setting enables the password reset feature. Enabling password reset allows users to access the password reset application to reset their own passwords after correctly replying to their password hint. It is recommended that this feature be enabled for sites with self-service applications.

Password Expiration Day Count

The number of days for which a user’s password is valid. After this duration expires the user is forced to change the password before logging into the system.

Lockout Count Due to Bad Logins

The number of unsuccessful login attempts before a user’s account is locked.

Note: If the number of times a user incorrectly enters an Activation Code on the VSS login page exceeds the value in this field, the system ends the user's current session. The user must then request a new activation code.

Lockout Count Due to Bad Password Resets

The number of failed password reset attempts that will be allowed before a User ID is locked and further attempts at password reset are prohibited. For example, if this field is set to 3, the users are only allowed three consecutive wrong attempts at answering their Password Hint questions before their User ID is locked. When set to 0, users will not be allowed to attempt to answer the Password Hint questions whether the Password Reset functionality is enabled or not.

Password History Count

The Password History Count field determines when a password can be reused. This value counts both the user-entered and the system-generated (temporary) passwords that have been assigned to the account. When a user needs to reset their password, the system first assigns a temporary password; that temporary password is itself one of the historical passwords and must be accounted for. If the intent is to prevent the last five user-entered passwords from being reused, it is recommended to set this value to 10 to accommodate both the user-entered and the system-generated passwords.

Password Warn Day Count

The number of days before a user’s password expires and a warning is issued to the user indicating that the password will expire.

User ID Minimum Length

The minimum length for a User ID. This must be greater than zero.

User ID Maximum Length

The maximum length for a User ID. This must be greater than or equal to the User ID Minimum Length and less than the system maximum User ID length of 16.

Idle Account Active Days

This field indicates the number of days that an idle user account remains active. If a user does not log into the system for a period exceeding the number of days entered in this field, the User ID is locked by the Lock Idle User process (that is, the Locked Out check box on the User Information (SCUSER) page is checked). The value must be a whole number; it cannot be less than 0 and cannot be greater than or equal to 1000. A value of 0 indicates that there is no limit on idle user accounts.

Password Minimum Length

The minimum length for a password. This must be greater than or equal to 8. Additionally, if the options for required characters are enabled, then the Password Minimum Length must be greater than or equal to the total number of required characters. The number of required characters depends on the number of password rules enabled. The minimum number of required characters is 8 (whether any of the rules are enabled or disabled).

If the Use Strong Password Criteria check box is checked, then this field is protected and its value is recalculated in one of two ways: If Minimum Alphabetic Characters is not populated, the value is calculated as the sum of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Numeric Characters, and Minimum Special Characters in the Strong Password Criteria section. If Minimum Alphabetic Characters is populated, the value is calculated as the sum of the Minimum Alphabetic Characters, Minimum Numeric Characters, and Minimum Special Characters.

Password Maximum Length

The maximum length for a user password. This must be greater than or equal to the Password Minimum Length and less than the system maximum password length of 16.

Password Require Numeric (0-9)

When checked, passwords must contain a number (0-9), and the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is checked if the Minimum Numeric Characters is greater than 0; otherwise this check box is not checked. When the password violates this policy, an error message is issued. This error message can be configured on the Error Message (MESG) table for code Q0273.

Password Require Upper Case (A-Z)

When checked, passwords must contain an upper case character (A-Z), and the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is checked if the Minimum Uppercase Characters is greater than 0; otherwise this field is not checked. When the password violates this policy, an error message is issued. This error message can be configured on the Error Message (MESG) table for code Q0274.

Password Require Lower Case (a-z)

When checked, passwords must contain a lower case character (a-z), and the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is checked if the Minimum Lowercase Characters is greater than 0; otherwise this check box is not checked. When the password violates this policy, an error message is issued. This error message can be configured on the Error Message (MESG) table for code Q0275.

Password Require Symbol (@.-$#%)

When checked, passwords must contain one of the following symbols (@.-$#%), and the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is checked if the Minimum Special Characters is greater than 0; otherwise this field is not checked.

Password Cannot Contain User ID

When checked, passwords must not contain the user's User ID (regardless of case). For example, if a user's User ID is “freduser”, then selecting Password Cannot Contain User ID prevents the user from selecting passwords like “afreduser”, “FredUser”, “Freduser1”, and “someFredUser2”.

Password Cannot Contain 'password'

When checked, passwords must not contain the literal “password” (regardless of case).
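The following is an added example, not code from the page or from CGI Advantage, showing how the length, required-character and containment rules listed above combine into one check. The policy dictionary, function name and violation tags are this example's own assumptions; the symbol set and the MESG codes Q0273, Q0274 and Q0275 are the ones named on this page.

```python
# Symbol set named on the SCCNFG page for Password Require Symbol.
SYMBOLS = set("@.-$#%")

# Constructed policy mirroring the SCCNFG check boxes; layout is assumed.
DEFAULT_POLICY = {
    "min_length": 8,
    "max_length": 16,
    "require_numeric": True,        # violation reported as MESG code Q0273
    "require_upper": True,          # violation reported as MESG code Q0274
    "require_lower": True,          # violation reported as MESG code Q0275
    "require_symbol": True,
    "cannot_contain_user_id": True,
    "cannot_contain_password": True,
}


def validate_password(password: str, user_id: str, policy: dict = DEFAULT_POLICY) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    The numeric, upper case and lower case checks carry the MESG codes the page
    associates with them; the other tags are this example's own names.
    """
    errors = []
    n = len(password)
    if n < policy["min_length"]:
        errors.append("too_short")
    if n > policy["max_length"]:
        errors.append("too_long")
    if policy["require_numeric"] and not any(c.isdigit() for c in password):
        errors.append("Q0273")
    if policy["require_upper"] and not any(c.isupper() for c in password):
        errors.append("Q0274")
    if policy["require_lower"] and not any(c.islower() for c in password):
        errors.append("Q0275")
    if policy["require_symbol"] and not any(c in SYMBOLS for c in password):
        errors.append("missing_symbol")
    # Both containment checks are case-insensitive, as the page specifies.
    lowered = password.lower()
    if policy["cannot_contain_user_id"] and user_id.lower() in lowered:
        errors.append("contains_user_id")
    if policy["cannot_contain_password"] and "password" in lowered:
        errors.append("contains_literal_password")
    return errors
```

Note that "FredUser" is exactly 8 characters and satisfies the case rules, so only the User ID containment rule rejects it; the other three page examples are also caught by that rule.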

Expire New Password

This indication will cause the automatic expiration of a new password, requiring the user to change the password after logging in for the first time. If checked, it overrides any value set in the Expire New Password field on other pages in the system.

Use Strong Password Criteria

This indication activates the Strong Password Criteria set of fields (listed next). When checked, the strong password criteria fields are populated from the CSF.properties file. Any field corresponding to a property not currently present in the CSF.properties file is left blank. When the record is saved, these fields may be blank or contain a positive integer. Any non-blank field is written to the CSF.properties file and any field containing no value is removed from the CSF.properties file if it was formerly present.

Minutes to Expire Temporary Password

The number of minutes after which a temporary password expires. Users must change the temporary password before it expires, or request a new temporary password once the time has passed. It is recommended that the System Administrator include the number of Minutes to Expire Temporary Password in the Password Reset Email Message Body, so that the user receiving the email knows how much time they have to change the temporary password. The default value delivered for this field is blank.

Enable Temporary Password Expiry

This check box controls whether the temporary password expires after the time limit defined in the Minutes to Expire Temporary Password field. The default value delivered for this flag is unchecked.

Minimum Unique Characters

Defines the number of unique characters required when creating a password.

Minimum Alphabetic Characters

Defines the minimum number of alphabetic characters required when creating a password.

Maximum Consecutive Alphabetic Characters

Defines the maximum number of consecutive alphabetic characters allowed when creating a password.

Maximum Repeated Consecutive Alphabetic Characters

Defines the maximum number of consecutive repeating alphabetic characters allowed when creating a password.

Minimum Lowercase Characters

Defines the minimum number of lowercase alphabetic characters required when creating a password.

Maximum Consecutive Lowercase Alphabetic Characters

Defines the maximum number of consecutive lowercase alphabetic characters allowed when creating a password.

Maximum Repeated Consecutive Lowercase Alphabetic Characters

Defines the maximum number of consecutive repeating lowercase alphabetic characters allowed when creating a password.

Minimum Uppercase Characters

Defines the minimum number of uppercase alphabetic characters required when creating a password.

Maximum Consecutive Uppercase Alphabetic Characters

Defines the maximum number of consecutive uppercase alphabetic characters allowed when creating a password.

Maximum Repeated Consecutive Uppercase Alphabetic Characters

Defines the maximum number of consecutive repeating uppercase alphabetic characters allowed when creating a password.

Minimum Numeric Characters

Defines the minimum number of numeric characters required when creating a password.

Maximum Consecutive Numeric Characters

Defines the maximum number of consecutive numeric characters allowed when creating a password.

Maximum Repeated Consecutive Numeric Characters

Defines the maximum number of consecutive repeating numeric characters allowed when creating a password.

Minimum Special Characters

Defines the minimum number of special characters (such as @.-$#%) required when creating a password.

Maximum Consecutive Special Characters

Defines the maximum number of consecutive special characters (such as @.-$#%) allowed when creating a password.

Maximum Repeated Consecutive Special Characters

Defines the maximum number of consecutive repeating special characters (such as @.-$#%) allowed when creating a password.
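As an added example (not the product's own code), the Strong Password Criteria fields above and the recalculation of Password Minimum Length described under that field are worked through in one checker. The criteria dictionary is constructed for illustration, the key naming and function names are this example's assumptions, and the floor of 8 comes from the Password Minimum Length field's own constraint.

```python
# Character classes named in the Strong Password Criteria fields; the symbol
# set is the one the page lists for Password Require Symbol.
SPECIAL = set("@.-$#%")
CLASSES = {"alpha": str.isalpha, "lower": str.islower, "upper": str.isupper,
           "numeric": str.isdigit, "special": lambda c: c in SPECIAL}

# Constructed criteria keyed "<min|max_consec|max_repeat>_<class>"; a missing
# key is a blank field (a property absent from CSF.properties). The dict and
# the function names below are this example's own assumptions.
STRONG_CRITERIA = {
    "min_unique": 5, "min_lower": 2, "min_upper": 1, "min_numeric": 2,
    "min_special": 1, "max_consec_alpha": 4, "max_repeat_alpha": 2,
    "max_consec_numeric": 3, "max_repeat_numeric": 2,
    "max_consec_special": 2, "max_repeat_special": 1,
}

def minimum_length(crit: dict) -> int:
    # Recalculated Password Minimum Length: Minimum Alphabetic Characters if
    # populated, else lowercase + uppercase, plus numeric and special; floor 8.
    alpha = crit.get("min_alpha")
    total = alpha if alpha is not None else crit.get("min_lower", 0) + crit.get("min_upper", 0)
    return max(8, total + crit.get("min_numeric", 0) + crit.get("min_special", 0))

def runs(password: str, pred) -> tuple:
    # Longest run of consecutive class characters, and longest run of one
    # class character repeated ("aaa" is 3 for lowercase).
    run = rep = best_run = best_rep = 0
    prev = None
    for c in password:
        run = run + 1 if pred(c) else 0
        rep = (rep + 1 if c == prev else 1) if pred(c) else 0
        best_run, best_rep, prev = max(best_run, run), max(best_rep, rep), c
    return best_run, best_rep

def strong_violations(password: str, crit: dict = STRONG_CRITERIA) -> list:
    """Names of the criteria the password breaks (empty when it passes)."""
    errors = []
    if len(password) < minimum_length(crit):
        errors.append("min_length")
    if len(set(password)) < crit.get("min_unique", 0):
        errors.append("min_unique")
    for name, pred in CLASSES.items():
        count = sum(1 for c in password if pred(c))
        longest, repeated = runs(password, pred)
        if count < crit.get(f"min_{name}", 0):
            errors.append(f"min_{name}")
        if longest > crit.get(f"max_consec_{name}", len(password)):
            errors.append(f"max_consec_{name}")
        if repeated > crit.get(f"max_repeat_{name}", len(password)):
            errors.append(f"max_repeat_{name}")
    return errors
```

With the constructed criteria the class minimums sum to 6, so the recalculated Password Minimum Length stays at the floor of 8.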

Enable Challenge Questions

Enables the challenge questions functionality, so that challenge questions are presented to users when they attempt to modify certain data-sensitive fields/widgets in the system.

Enable Email Notifications

Indicates that an email notification should be sent when the maximum number of incorrect responses to the challenge questions, as set in the Incorrect Response Attempts Allowed field, has been reached. This email is sent to both the data security administrator and the user who attempted to change the data-sensitive information.

Incorrect Response Attempts Allowed

This field limits the number of failed attempts allowed when answering the challenge questions presented on an attempt to modify data-sensitive information in the system. If the number of attempts to answer the challenge question exceeds the value defined in this field, the user is automatically logged out of the system.

Data Security Administrator Email Address

The email address of the person who should be notified when a user attempting to modify data-sensitive fields/widgets in the system has exceeded the maximum number of incorrect responses to the challenge questions.