Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
tutorial:adm:password_policy [2019/11/08 08:58] doischerttutorial:adm:password_policy [2024/08/06 10:05] (current) cem
Line 6: Line 6:
  
 A new password policy can be created in the tab **Settings -> Password policies**.  A new password policy can be created in the tab **Settings -> Password policies**. 
-{{ :tutorial:adm:policy_settings.png |}} +In the table, you’ll find a list of existing policies, and you can create a new policy by clicking the green **Add** button. 
-{{ :tutorial:adm:policy_settings2.png |}}+ 
 +{{ :tutorial:adm:passwd_policy_settings.png?700 |}}
  
-There, in the table on the right, there is a list of created policies. A new policy is created by clicking on the green button **Add**. 
  
 The following basic attributes of a password policy can be filled in: The following basic attributes of a password policy can be filled in:
Line 18: Line 18:
   * **Name** – the desired name of the policy. This name is displayed in the settings of the systems where the policy is to be applied.   * **Name** – the desired name of the policy. This name is displayed in the settings of the systems where the policy is to be applied.
   * **Inactive** – An inactive policy is not offered in the system configuration.   * **Inactive** – An inactive policy is not offered in the system configuration.
-  * **Standard policy** – The standard policy is used for password validation against the CzechIdM system and it also validates all passwords on systems where no other policy is defined.+  * **Default policy** – The standard policy is used for password validation against the CzechIdM system and it also validates all passwords on systems where no other policy is defined.
   * **Description** – optional description of the policy. It is convenient to summarize the basic policy rules in it.   * **Description** – optional description of the policy. It is convenient to summarize the basic policy rules in it.
-  * **Type of generating** - can be chosen from these types: random, passphrase and prefix/suffix+  * **Generation type** - can be chosen from these types: random, passphrase and prefix/suffix - it is visible if you set **Type** -> **Generation** 
     * Random - random generated password,     * Random - random generated password,
     * Passphrase - random generated words by internal dictionary.     * Passphrase - random generated words by internal dictionary.
 +  * **Password policy criticality** - this filed defines what criticality have this policy
 +    * Admin - For administrative accounts and users.
 +    * Technical account - For technical accounts.
 +    * User - For regular User accounts or users.
   * **Minimum length** – determines the minimum number of characters in a password   * **Minimum length** – determines the minimum number of characters in a password
   * **Maximum length** – determines the maximum number of characters in a password   * **Maximum length** – determines the maximum number of characters in a password
-  * **Prefix** - prefix is a string that will be added at the beginning of a newly generated password.  Beware that final length and another settings may be not passed with password policy settings. +  * **Prefix** - prefix is a string that will be added at the beginning of a newly generated password.  Beware that final length and another settings may be not passed with password policy settings.  - it is visible if you set **Type** -> **Generation**  
-  * **Suffix** - suffix is a string that will be added at the end of a newly generated password. Beware that final length and another settings may be not passed with password policy settings.+  * **Suffix** - suffix is a string that will be added at the end of a newly generated password. Beware that final length and another settings may be not passed with password policy settings. - it is visible if you set **Type** -> **Generation** 
   * **Minimum number of uppercase letters** – determines the number of upper-case characters which the password must contain. The set of characters is defined in the tab Characters.   * **Minimum number of uppercase letters** – determines the number of upper-case characters which the password must contain. The set of characters is defined in the tab Characters.
   * **Minimum number of lowercase letters** – determines the number of lower-case characters which the password must contain. The set of characters is defined in the tab Characters.   * **Minimum number of lowercase letters** – determines the number of lower-case characters which the password must contain. The set of characters is defined in the tab Characters.
   * **Minimum number of digits** - determines the number of numerals which the password must contain. The set of characters is defined in the tab Characters.   * **Minimum number of digits** - determines the number of numerals which the password must contain. The set of characters is defined in the tab Characters.
   * **Minimum of special characters** - The set of characters is defined in the tab Characters.   * **Minimum of special characters** - The set of characters is defined in the tab Characters.
-  * **Maximum time for password change** – The number of days of password validity. This attribute is important mainly in the Standard policy, which is applied for CzechIdM+  * **Number of old passwords for match** – The number of days of password validity. This attribute is important mainly in the Standard policy, which is applied for CzechIdM 
 +  * **Maximum time for password change** – This setting specifies how many of the user's previous passwords must be checked to ensure that the new password is not the same as any of those old passwords. For example, if the setting is set to 5, the new password must be different from the last 5 passwords used by the user.
   * **Minimum number of days for password validity**. The number of days when the password cannot be changed. Sparsely used option.   * **Minimum number of days for password validity**. The number of days when the password cannot be changed. Sparsely used option.
  
-{{ :tutorial:adm:enhanced_control.png |}} +{{ :tutorial:adm:passwd_policy_enhanced_control.png?700 |}}
 The policy can be saved by clicking //Save and continue//, or advanced options can be set in the form menu Enhanced control, where the following options can be set: The policy can be saved by clicking //Save and continue//, or advanced options can be set in the form menu Enhanced control, where the following options can be set:
  
Line 43: Line 47:
   * **User attributes not allowed in password** – In this box, you can select user’s attributes which will be checked for similarity with the password. For example, if the attribute user name is set, then the user’s password must not contain his login.   * **User attributes not allowed in password** – In this box, you can select user’s attributes which will be checked for similarity with the password. For example, if the attribute user name is set, then the user’s password must not contain his login.
  
-{{ :tutorial:adm:characters.png |}} 
  
-In the tab **Characters**, there are sets of characters for individual groups – lower-case characters, upper-case characters, numerals, special characters.+{{ :tutorial:adm:pasword_characters_generate.png?700 |}} 
 +In the tab **Characters for password generate**, there are sets of characters for individual groups – lower-case characters, upper-case characters, numerals, special characters. 
 + 
 +{{ :tutorial:adm:passwd_characters.png?700 |}} 
 +In the **Characters for password validate** tab, you can find rules regarding forbidden characters, restrictions on characters at the beginning or end of the password, and guidelines for using specific special characters.
  
 In addition, it can be set here which characters will be forbidden in the policy. This is important mainly for policies of password generation. Also, automatically generated passwords are usually sent by SMS or mails and the way some characters are displayed can confuse the user, e.g., similarities of ‘I’ and ‘l’ or ‘,’ and ‘.’. Sometimes it is convenient to prohibit also characters ‘y’ and ‘z’ for generating due to different layouts of users’ keyboards. In addition, it can be set here which characters will be forbidden in the policy. This is important mainly for policies of password generation. Also, automatically generated passwords are usually sent by SMS or mails and the way some characters are displayed can confuse the user, e.g., similarities of ‘I’ and ‘l’ or ‘,’ and ‘.’. Sometimes it is convenient to prohibit also characters ‘y’ and ‘z’ for generating due to different layouts of users’ keyboards.
Line 51: Line 58:
 In the last tab **Connected systems**, you can see a list of systems where the policy is currently set.  In the last tab **Connected systems**, you can see a list of systems where the policy is currently set. 
  
 +{{ :tutorial:adm:passwd_systems.png?700 |}}
 {{ :tutorial:adm:systems_with_policy.png |}} {{ :tutorial:adm:systems_with_policy.png |}}
  
  • by doischert