Differences

This shows you the differences between two versions of the page.

tutorial:adm:password_policy [2018/10/04 11:07]
kopro
tutorial:adm:password_policy [2019/11/08 08:58] (current)
doischert
Line 1: Line 1:
 ====== Passwords - policies and their configuration ====== ====== Passwords - policies and their configuration ======
  
-A password policy ​determines, which rules must be met by new passwords either changed by users or generated by CzechIdM itself.+A password policy ​determine, which rules must be met by new passwords either changed by users or generated by CzechIdM itself.
  
 ===== A new password policy ===== ===== A new password policy =====
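Review bot: The changed opening sentence now reads "A password policy determine", which breaks subject-verb agreement; the previous revision's "determines" was correct for the singular subject. Suggest restoring "determines" and dropping the comma before "which", giving "A password policy determines which rules must be met by new passwords ...".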
Line 13: Line 13:
 The following basic attributes of a password policy can be filled in: The following basic attributes of a password policy can be filled in:
  
-  * **Type** – CzechIdM allows defining ​of 2 policy types for passwords used by users in CzechIdM and connected systems. +  * **Type** – CzechIdM allows defining 2 policy types for passwords used by users in CzechIdM and connected systems. 
-    * Validation – This policy is used when a password (in CzechIdM or a password to an administered system supporting setting of password) is set or changed e.g. when a user perform ​a password change in the GUI of CzechIdM.+    * Validation – This policy is used when a password (in CzechIdM or a password to an administered system supporting ​the setting of password) is set or changede.g.when a user performs ​a password change in the GUI of CzechIdM.
     * Generation – This policy is applied when the user sets or changes the password using the password generator in CzechIdM, i.e. the user lets CzechIdM to generate the password according to this policy.     * Generation – This policy is applied when the user sets or changes the password using the password generator in CzechIdM, i.e. the user lets CzechIdM to generate the password according to this policy.
   * **Name** – the desired name of the policy. This name is displayed in the settings of the systems where the policy is to be applied.   * **Name** – the desired name of the policy. This name is displayed in the settings of the systems where the policy is to be applied.
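Review bot: In the new Validation item the spaces around "e.g." were lost, so the text now reads "changede.g.when", where the old revision had "changed e.g. when". Suggest "is set or changed, e.g. when a user performs a password change in the GUI of CzechIdM". In the same line, "supporting the setting of password" is still missing an article; "supporting the setting of a password" would fix it.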
Line 20: Line 20:
   * **Standard policy** – The standard policy is used for password validation against the CzechIdM system and it also validates all passwords on systems where no other policy is defined.   * **Standard policy** – The standard policy is used for password validation against the CzechIdM system and it also validates all passwords on systems where no other policy is defined.
   * **Description** – optional description of the policy. It is convenient to summarize the basic policy rules in it.   * **Description** – optional description of the policy. It is convenient to summarize the basic policy rules in it.
-  * **Type of generating** - can be choosen ​from these types: random, passphrase and prefix/​suffix+  * **Type of generating** - can be chosen ​from these types: random, passphrase and prefix/​suffix
     * Random - random generated password,     * Random - random generated password,
-    * Passphrase - random generated words by internal ​dictonary.+    * Passphrase - random generated words by internal ​dictionary.
   * **Minimum length** – determines the minimum number of characters in a password   * **Minimum length** – determines the minimum number of characters in a password
   * **Maximum length** – determines the maximum number of characters in a password   * **Maximum length** – determines the maximum number of characters in a password
-  * **Prefix** - prefix is string that will be added at the begin of newly generated password. ​ Beware final length and another settings may be not passed with password policy settings. +  * **Prefix** - prefix is string that will be added at the beginning ​of newly generated password. ​ Beware ​that final length and another settings may be not passed with password policy settings. 
-  * **Suffix** - suffix is string that will be added at the end of newly generated password. Beware final length and another settings may be not passed with password policy settings.+  * **Suffix** - suffix is string that will be added at the end of newly generated password. Beware ​that final length and another settings may be not passed with password policy settings.
   * **Minimum number of uppercase letters** – determines the number of upper-case characters which the password must contain. The set of characters is defined in the tab Characters.   * **Minimum number of uppercase letters** – determines the number of upper-case characters which the password must contain. The set of characters is defined in the tab Characters.
   * **Minimum number of lowercase letters** – determines the number of lower-case characters which the password must contain. The set of characters is defined in the tab Characters.   * **Minimum number of lowercase letters** – determines the number of lower-case characters which the password must contain. The set of characters is defined in the tab Characters.
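Review bot: The Prefix and Suffix items still end with "final length and another settings may be not passed with password policy settings", which does not tell the reader what can go wrong; adding "that" does not fix it. If the intent is that a generated password with a prefix or suffix attached may no longer satisfy the policy's length and other rules, say so directly, e.g. "Beware that the final length and other properties of the resulting password may then not comply with the password policy settings." Also note that "Type of generating" lists prefix/suffix as a type, but only Random and Passphrase have an explanatory sub-item.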
Line 32: Line 32:
   * **Minimum of special characters** - The set of characters is defined in the tab Characters.   * **Minimum of special characters** - The set of characters is defined in the tab Characters.
   * **Maximum time for password change** – The number of days of password validity. This attribute is important mainly in the Standard policy, which is applied for CzechIdM   * **Maximum time for password change** – The number of days of password validity. This attribute is important mainly in the Standard policy, which is applied for CzechIdM
-  * **Minimum number of days for password validity**. The number of days when the password cannot be changed. ​Sparely ​used option.+  * **Minimum number of days for password validity**. The number of days when the password cannot be changed. ​Sparsely ​used option.
  
 {{ :​tutorial:​adm:​enhanced_control.png |}} {{ :​tutorial:​adm:​enhanced_control.png |}}
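Review bot: In the last changed item, "Sparsely used option" is still not idiomatic; "Rarely used option" is the usual wording. The item's label, "Minimum number of days for password validity", also does not match its description, "The number of days when the password cannot be changed", so a short clarification of what the setting enforces would help. The label is followed by a period where the neighbouring items use a dash.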
Line 40: Line 40:
   * **Enabled** – enables the whole form for extended checking   * **Enabled** – enables the whole form for extended checking
   * **Requirement checkboxes** – contains a set of 5 checkboxes. Every checked checkbox must be always fulfilled. If an option is not checked, then the item is counted in the next point.   * **Requirement checkboxes** – contains a set of 5 checkboxes. Every checked checkbox must be always fulfilled. If an option is not checked, then the item is counted in the next point.
-  * **Minimum number of additional rules for policy** – If a number is defined, then the minimum number of rules fulfilled must be the same as the number of those which were not marked as required in the previous point. For example, if all the 5 checkboxed required are checked and the value of 4 is filled in this box, then the password must fulfil ​at least 4 out of the 5 rules.+  * **Minimum number of additional rules for policy** – If a number is defined, then the minimum number of rules fulfilled must be the same as the number of those which were not marked as required in the previous point. For example, if all the 5 checkboxed required are checked and the value of 4 is filled in this box, then the password must fulfill ​at least 4 out of the 5 rules.
   * **User attributes not allowed in password** – In this box, you can select user’s attributes which will be checked for similarity with the password. For example, if the attribute user name is set, then the user’s password must not contain his login.   * **User attributes not allowed in password** – In this box, you can select user’s attributes which will be checked for similarity with the password. For example, if the attribute user name is set, then the user’s password must not contain his login.
  
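Review bot: The example in "Minimum number of additional rules for policy" contradicts the "Requirement checkboxes" item just above it, and this edit only changes the spelling of "fulfil". If all 5 checkboxes are checked as required, each of them must always be fulfilled, so a value of 4 cannot mean "at least 4 out of the 5 rules"; the example presumably needs the checkboxes left unchecked. In the same sentence, "all the 5 checkboxed required" should read "all 5 required checkboxes".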
Line 47: Line 47:
 In the tab **Characters**,​ there are sets of characters for individual groups – lower-case characters, upper-case characters, numerals, special characters. In the tab **Characters**,​ there are sets of characters for individual groups – lower-case characters, upper-case characters, numerals, special characters.
  
-In addition, it can be set here which characters will be forbidden in the policy. This is important mainly for policies of password generation. Also, automatically generated passwords are usually sent by SMS or mails and the way some characters are displayed can confuse the user, e.g. similarities of ‘I’ and ‘l’ or ‘,’ and ‘.’. Sometimes it is convenient to prohibit also characters ‘y’ and ‘z’ for generating due to different layouts of users’ keyboards.+In addition, it can be set here which characters will be forbidden in the policy. This is important mainly for policies of password generation. Also, automatically generated passwords are usually sent by SMS or mails and the way some characters are displayed can confuse the user, e.g.similarities of ‘I’ and ‘l’ or ‘,’ and ‘.’. Sometimes it is convenient to prohibit also characters ‘y’ and ‘z’ for generating due to different layouts of users’ keyboards.
  
 In the last tab **Connected systems**, you can see a list of systems where the policy is currently set.  In the last tab **Connected systems**, you can see a list of systems where the policy is currently set.
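Review bot: The new text of the Characters paragraph drops the space after "e.g.", giving "e.g.similarities", where the old revision had "e.g. similarities". Suggest restoring the space, and while touching the sentence, "sent by SMS or mails" reads better as "sent by SMS or e-mail".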