Security Configuration

The Security Configuration (SCCNFG) page allows the definition of global security parameters for users. For example, the following can be set: frequency with which passwords expire, the number of failed login attempts before deactivation, the number of passwords kept in history, and the number of days before which users have to be warned that the password has to be changed. Various password rules to strengthen the security of passwords can also be implemented. When any of the password or User ID rules are changed, the changes will not take effect until the application server is restarted. If there is a change in password policy, then the changed policy is enforced for each subsequent password change only. Any existing passwords remain even though they may not conform to the password policy after the change. If an existing user changes his password due to password expiration, then the new password is validated against the newly implemented password policy. System generated passwords conform to a site's password policy.

Field	Description
Perform Default Security Role Check	Determines when, if ever, during a security authorization check that the ANY Security Role should be checked for a user. The use of the ANY Security Role is optional and configurable. The ANY Security Role can behave in one of three possible ways: Before – The ANY Security Role is implicitly added to all users and is checked before any other Security Roles during security authorization. This is the recommended setting so that CGI Advantage recognizes common authority access before checking user authority based on additional security roles assigned to the user. After – The ANY Security Role is implicitly added to all users and is checked after all other Security Roles during security authorization. Never – The ANY Security Role is neither implicitly added to users nor checked during security authorization.
User Email Subject	The email subject text for the email sent to users when their password is set/reset and the Expire New Password flag is selected on the User Maintenance transaction, User Information page, and so forth.
User Email Text	The email message body text for the email sent to users when their password is set/reset and the Expire New Password check box is checked on the User Maintenance transaction, User Information page, and so forth. The system appends the new password to the end of the email message body text. For new Users, the system appends the User ID also.
Password Reset Email Subject	The email subject text for the email sent to users when they reset their password. This is required if the Enable User Password Reset check box is selected. See the “Password Policy Security Settings” section for more information.
Password Reset Email Message Body	The email message text for the email sent to users when they reset their password. This is required if the Enable User Password Reset check box is selected. See the “Password Policy” section for more information.
Enable User Password Reset	This setting enables the password reset feature. Enabling password reset allows users to access the password reset application to reset their own passwords after correctly replying to their password hint. It is recommended that this feature be enabled for sites with self-service applications.
Password Expiration Day Count	The number of days for which a user’s password is valid. After this duration expires the user is forced to change the password before logging into the system.
Lockout Count Due to Bad Logins	The number of unsuccessful login attempts before a user’s account is locked. Note: If the number of times a user has incorrectly entered an Activation Code on the VSS login page exceeds the value in this field, then the system will end the user's current session. The user has to raise a request for the new activation code again.
Lockout Count Due to Bad Password Resets	The number of failed password reset attempts that will be allowed before a User ID is locked and further attempts at password reset are prohibited. For example, if this field is set to 3, the users are only allowed three consecutive wrong attempts at answering their Password Hint questions before their User ID is locked. When set to 0, users will not be allowed to attempt to answer the Password Hint questions whether the Password Reset functionality is enabled or not.
Password History Count	The Password History Count field is used to determine when a password can be reused. This value represents both the number of user entered and system (temporary) generated passwords that have been assigned to this account. When a user needs to reset their password, the system will first assign a temporary password and this password is considered one of the historical passwords and needs to be accounted for. If the intent is to prevent the last five user entered passwords from being reused, it is recommended to set this value to 10 to accommodate both the user entered and system generated passwords.
Password Warn Day Count	The number of days before a user’s password expires and a warning is issued to the user indicating that the password will expire.
User ID Minimum Length	The minimum length for a User ID. This must be greater than zero.
User ID Maximum Length	The maximum length for a User ID. This must be greater than or equal to the User ID Minimum Length and less than the system maximum User ID length of 16.
Idle Account Active Days	This field indicates the number of days that an idle user account remains active. If a user does not log into the system for a period exceeding the number of days entered in this field, then the User ID is locked by the Lock Idle User process (that is, the Locked Out check box on the User Information (SCUSER) page is checked). The value entered in the number of days field cannot be less than 0 or greater than or equal to 1000, and it must be a whole number. A value of 0 indicates that there is not a limit on idle user accounts.
Password Minimum Length	The minimum length for a password. This must be greater than 0. Additionally, if the options for required characters are enabled, then the Password Minimum Length must be greater than or equal to the total number of required characters. The number of required characters depends on the number of password rules enabled. The minimum number of required characters is 0 (when none of the rules are enabled) and the maximum number of required characters is four (when all the password rules are enabled). If the Use Strong Password Criteria check box is checked, then this field is protected and its value is recalculated one of two ways: If Minimum Alphabetic Characters is not populated, then the value is calculated as the sum of the Minimum Lowercase Characters, Minimum Uppercase Characters, Minimum Numeric Characters, and Minimum Special Characters in the Strong Password Criteria section. If Minimum Alphabetic Characters is populated then the value is calculated as the sum of the Minimum Alphabetic Characters, Minimum Numeric Characters, and Minimum Special Characters.
Password Maximum Length	The maximum length for a user password. This must be greater than or equal to the Password Minimum Length and less than the system maximum password length of 16.
Password Require Numeric (0-9)	This indication ensures passwords must contain a number (0-9). When checked the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is checked if the Minimum Numeric Characters is greater than 0. If the Minimum Numeric Characters is not greater than 0, then this check box is not checked. When the password violates this policy, an error message is issued. This error message can be configured on the Error Message (MESG) table for code Q0273.
Password Require Upper Case (A-Z)	This indication ensures passwords must contain an upper case character (A-Z). When checked the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is checked if the Minimum Uppercase Characters is greater than 0. If the Minimum Uppercase Characters is not greater than 0, then this field is not checked. When the password violates this policy, an error message is issued. This error message can be configured on the Error Message (MESG) table for code Q0274.
Password Require Lower Case (a-z)	This indication ensures passwords must contain a lower case character (a-z). When checked the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is set to checked if the Minimum Lowercase Characters is greater than 0. If the Minimum Lowercase Characters is not greater than 0, then this check box is not checked. When the password violates this policy, an error message is issued. This error message can be configured on the Error Message (MESG) table for code Q0275.
Password Require Symbol (@.-$#%)	This indication ensures passwords must contain one of the following symbols (@.-$#%). When checked the number of required characters is increased by 1. If the Use Strong Password Criteria check box is checked, then this field is protected and is set to checked if the Minimum Special Characters is greater than 0. If the Minimum Special Characters is not greater than 0, then this field is not checked.
Password Cannot Contain User ID	This indication ensures passwords do not contain the user’s User ID (regardless of case). For example if a user’s user id is “freduser”, then selecting Password Cannot Contain User ID prevents the user from selecting passwords like “afreduser”, “FredUser”, “Freduser1”, and “someFredUser2”.
Password Cannot Contain 'password'	This indication ensures passwords do not contain the literal “password” (regardless of case).
Expire New Password	This indication will cause the automatic expiration of a new password, requiring the user to change the password after logging in for the first time. If checked, it overrides any value set in the Expire New Password field on other pages in the system.
Use Strong Password Criteria	This indication activates the Strong Password Criteria set of fields (listed next). When checked, the strong password criteria fields are populated from the CSF.properties file. Any field corresponding to a property not currently present in the CSF.properties file is left blank. When the record is saved, these fields may be blank or contain a positive integer. Any non-blank field is written to the CSF.properties file and any field containing no value is removed from the CSF.properties file if it was formerly present.
Minutes to Expire Temporary Password	This indication expires the temporary password after this many minutes have passed. Users must change the temporary password before it expires or request a new temporary password if the time has expired. It is recommended for the System Administrator to update the Password Reset Email Message Body to have the number of Minutes to Expire Temporary Password so that the E-mail sent to the user is aware of how much time they have to change the temporary password. The default value delivered for this field is blank.
Enable Temporary Password Expiry	This indication will enable/disable if the temporary password needs to be expired within the time limit defined under the Minutes to Expire Temporary Password field. The default value delivered for this flag is unchecked.
Minimum Unique Characters	Defines the number of unique characters required when creating a password.
Minimum Alphabetic Characters	Defines the minimum number of alphabetic characters required when creating a password.
Maximum Consecutive Alphabetic Characters	Defines the maximum number of consecutive alphabetic characters required when creating a password.
Maximum Repeated Consecutive Alphabetic Characters	Defines the maximum number of consecutive repeating alphabetic characters required when creating a password.
Minimum Lowercase Characters	Defines the minimum number of lowercase alphabetic characters required when creating a password.
Maximum Consecutive Lowercase Alphabetic Characters	Defines the maximum number of consecutive lowercase alphabetic characters required when creating a password.
Maximum Repeated Consecutive Lowercase Alphabetic Characters	Defines the maximum number of consecutive repeating lowercase alphabetic characters required when creating a password.
Minimum Uppercase Characters	Defines the minimum number of uppercase alphabetic characters required when creating a password.
Maximum Consecutive Uppercase Alphabetic Characters	Defines the maximum number of consecutive uppercase alphabetic characters required when creating a password.
Maximum Consecutive Uppercase Alphabetic Characters	Defines the maximum number of consecutive repeating uppercase alphabetic characters required when creating a password.
Minimum Numeric Characters	Defines the minimum number of numeric characters required when creating a password.
Maximum Consecutive Numeric Characters	Defines the maximum number of consecutive numeric characters required when creating a password.
Maximum Consecutive Numeric Characters	Defines the maximum number of consecutive repeating numeric characters required when creating a password.
Minimum Special Characters	Defines the minimum number of special characters, (such as @.-$#%), required when creating a password.
Maximum Consecutive Special Characters	Defines the maximum number of consecutive special characters (such as @.-$#%) required when creating a password.
Maximum Repeated Consecutive Special Characters	Defines the maximum number of consecutive repeating special characters (such as @.-$#%) required when creating a password.
Enable Challenge Questions	Enables the challenge questions functionality so challenge questions are presented to the user when they attempt to modify certain data sensitive fields/widgets in the system.
Enable Email Notifications	Indicates an email notification should be sent when the maximum number of incorrect responses to the challenge questions, as indicated in the Incorrect Response Attempts Allowed field, has been met. This email is sent to both the data security administrator and the user who attempted to make the changes to the data sensitive information.
Incorrect Response Attempts Allowed	This field limits the number of failed attempts allowed when answering the challenge questions when attempting to modify data sensitive information in the system. If the number of attempts to answer the challenge question exceeds what is defined in this field, the user is automatically logged out of the system.
Data Security Administrator Email Address	The email address of the person who should be notified when a user is attempting to modify data sensitive fields/widgets in the system and has exceeded the maximum number of incorrect responses to the challenge questions.