Authentication policy options
This section describes the general authentication options on the Manage the system > Policies > Options menu.
Option | Description |
---|---|
ACL DENY ENABLE | Enable this to allow product administrators to deny users access to certain objects. |
ADMIN PASSWORD EXPIRE | Set the number of days until product administrators’ passwords expire. If this is not set, the product administrator’s password is checked against the default password policy’s expiry interval. |
CHECK LOCKED ACCOUNTS | Tests the intruder lockout status of user accounts before giving the user the option to sign into Bravura Security Fabric. If enabled, each account a user has on systems in the authentication priority list is tested before giving the user the option of signing in with the password for that account. |
DISABLED ACCOUNT DENY | Enable this to omit a user’s disabled accounts from account searches. Disabled accounts will not be shown in modules and will not be included in transparent synchronization requests. |
EXPIRY FOR EXCEPTIONS TO SOD RULES | The default expiry of exceptions to segregation of duties (SoD) rules. After 60 days, a user who is granted an exception will be in violation again. This value can be overridden in the configuration of individual rules. Requesters can change the value when submitting a request for exception. |
GENERIC LOGIN FAILURE | Enable this to provide a generic message upon login failure, to make it more difficult for an attacker to deduce valid login IDs. |
GLF ALLOWED PROXIES | Specify a comma-delimited list of CIDR bitmasks of allowed upstream HTTP proxies. This controls which remote IP addresses are allowed to set the X-Forwarded-For HTTP request header. |
IP LOCKOUT DURATION | Set the duration (in seconds) that an IP address will be locked out of the Front-end (PSF). If left blank, the default value is 60 seconds. You can also use the ipunlock program to immediately unlock an IP address. |
IP LOCKOUT INTERVAL | Set the number of seconds that must pass between failed login attempts in order to reset the lockout counter for an IP address. The lockout counter increases if another failed login attempt occurs within this interval period. The lockout counter is reset once the specified number of seconds has elapsed. If left blank, the default value for this option is 5 seconds. |
LOCKOUT DURATION | Set this to re-enable accounts, after they have been disabled because of authentication failure, automatically after the defined number of minutes. |
LOCKOUT INTERVAL | This option is only applicable when authentication chains are enabled. Set the number of minutes between failed login attempts that would affect the lockout counter. If the number of minutes between failed login attempts is greater than this interval, then the lockout counter is reset. |
MAX IP FAILURE | Set the maximum number of failed login attempts that are allowed before the IP address is locked out of the Front-end (PSF). A value must be set for this option in order to enable the ability to lock out IP addresses. This option is disabled if left blank. |
MAX REJECTIONS | Set the default maximum number of denials by an authorizer required to deny an access change request. When this number is reached, the request is canceled even if approval from the minimum number of authorizers is reached. You can set a maximum number of denials for requests based on templates, roles, segregation of duties rules, managed groups and target systems. |
MAX USERAUTH FAILURE | To prevent security violations, you can disable a user after a pre-defined number of authentication failures. Enable this option and type your required maximum number of failures in the adjacent field. If undefined, the user is locked out as soon as authentication fails. |
MIN AUTHORIZERS | Set the default number of authorizers required to approve an access change request before it is implemented. If you do not assign enough authorizers to a resource to meet the minimum requirement, requests based on the resource will be automatically denied unless authorizers are assigned by a workflow plugin. You can set a minimum number of authorizers for requests based on templates, roles, segregation of duties rules, managed groups and target systems. |
MIN DICTWORD LENGTH | Sets the minimum length of dictionary words loaded for password strength rule checks. Changing this value can speed up password checks by eliminating small words from the dictionary. It can be used in conjunction with the Minimum length of dictionary word to check against strength rule. |
NUM HOSTS VERIFY | Set the number of systems from the authentication priority list that Bravura Security Fabric should contact and ask for authentication before concluding that the user simply entered an incorrect password value. |
PASSWORD HISTORY IGNORE | Skip the checking of password history when creating a new account. The initial password for a new account will not enforce the password history when enabled. The default setting for this value is Enabled. |
SOD VIOLATIONS LIST LIMIT | Set the maximum number of segregation of duties rules violations to show when issuing a request. 0 means infinite. Default is 10. |
USERCLASS CACHE EXPIRY | This sets the number of hours before the user class cache expires. Default is 72 hours. |
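The IP LOCKOUT DURATION, IP LOCKOUT INTERVAL and MAX IP FAILURE options together describe a per-address failure counter, and GLF ALLOWED PROXIES decides which address that counter is keyed on when requests arrive through a proxy. The following is an added example, not Bravura Security Fabric code, that models both mechanisms as described in the table: the X-Forwarded-For header is honoured only when the TCP peer lies within an allowed proxy CIDR range, the failure counter is reset when the gap between failures reaches the interval, and the address is locked for the configured duration once the maximum is reached. The 60-second duration and 5-second interval are the defaults stated above; the proxy range, the maximum of three failures and the sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration for this example. The option names mirror the table;
# 60 s and 5 s are the stated defaults, the proxy range and failure limit are assumptions.
GLF_ALLOWED_PROXIES = ["10.0.0.0/8"]   # CIDR ranges of upstream HTTP proxies we trust
MAX_IP_FAILURE = 3
IP_LOCKOUT_INTERVAL = 5.0              # seconds between failures that keep the counter growing
IP_LOCKOUT_DURATION = 60.0             # seconds an address stays locked out


def effective_client_ip(remote_addr, x_forwarded_for, allowed_proxies):
    """Return the address the lockout counter should be keyed on.

    X-Forwarded-For is only believed when the TCP peer is one of the allowed
    proxies. Otherwise the peer address itself is used, so a client talking
    directly to the front end cannot choose which address gets locked out.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = any(peer in ipaddress.ip_network(c, strict=False) for c in allowed_proxies)
    if trusted and x_forwarded_for:
        # The leftmost entry is the originating client as reported by the proxy.
        candidate = x_forwarded_for.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)


@dataclass
class IpLockout:
    """Per-IP failure counter with interval-based reset and timed lockout."""
    max_failures: int
    interval: float
    duration: float
    # ip -> (failure count, time of last failure, locked-until timestamp)
    _state: dict = field(default_factory=dict)

    def is_locked(self, ip, now):
        _, _, locked_until = self._state.get(ip, (0, None, 0.0))
        return now < locked_until

    def failure_count(self, ip):
        return self._state.get(ip, (0, None, 0.0))[0]

    def record_failure(self, ip, now):
        """Register a failed login at time `now`; return True if `ip` is now locked."""
        count, last, locked_until = self._state.get(ip, (0, None, 0.0))
        if now < locked_until:
            return True  # already locked; the attempt is rejected without changing state
        if last is not None and now - last >= self.interval:
            count = 0    # the interval elapsed since the previous failure: reset the counter
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.duration
            count = 0    # start a fresh count once the lockout expires
        self._state[ip] = (count, now, locked_until)
        return now < locked_until


def demo():
    """Walk through a lockout and a non-lockout sequence; returns the outcomes."""
    lk = IpLockout(MAX_IP_FAILURE, IP_LOCKOUT_INTERVAL, IP_LOCKOUT_DURATION)
    # Three failures one second apart from a client behind a trusted proxy.
    client = effective_client_ip("10.1.2.3", "203.0.113.7, 10.1.2.3", GLF_ALLOWED_PROXIES)
    outcomes = [lk.record_failure(client, t) for t in (0.0, 1.0, 2.0)]
    # A second client whose failures are spaced past the interval never reaches the limit.
    other = effective_client_ip("198.51.100.9", "203.0.113.7", GLF_ALLOWED_PROXIES)
    for t in (0.0, 10.0, 11.0):
        lk.record_failure(other, t)
    return {
        "client": client,
        "locked_after": outcomes,
        "locked_at_30s": lk.is_locked(client, 30.0),
        "locked_at_62s": lk.is_locked(client, 62.0),
        "other": other,
        "other_count": lk.failure_count(other),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the second client sends the header from an untrusted peer address, so the counter is keyed on the peer (198.51.100.9), not on the address it claimed. Running the block prints the first client locked on its third failure at t=2 s, still locked at 30 s and free again at 62 s, while the second client's counter stands at 2 because the 10-second gap reset it.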