Setting logon requirements


You can specify that users meet certain requirements when logging on to the system.

To disable accounts for inactivity

User accounts can be disabled if the user does not log on during a specified period of time.
Use this procedure to enable a task that runs every 24 hours and disables inactive users. Use RBAC Manager to specify which users are subject to disabling because of inactivity. If a user is subject to disabling because of inactivity, the task you enable with this procedure disables that user.
The automatic disabling task cannot disable the administrative users BLAdmin and RBACAdmin.

  1. Start the Application Server Administration console (that is, the blasadmin utility), as described in Starting the Application Server Administration console.
  2. Enable the task that disables accounts for inactivity by entering the following:
    set accountconfig UserAccountInactiveDisabling true
     By default, this value is set to false.
  3. To specify the number of days after which a user account is disabled, enter the following:
    set accountconfig UserAccountInactiveTime #
     In the command shown above, # specifies a period of time in days. By default, this value is set to 30. The value can be a minimum of 7 and a maximum of 365.
  4. Restart the Application Server.

To set SRP logon requirements

Use this procedure to configure the Application Server so it forces users logging on using SRP to meet any of the following requirements:

  • Minimum password length: By setting a minimum password length, you can require users to provide a password of at least that length. By default, there is no minimum length for passwords.
  • Maximum password age: By setting a maximum password age, you can require users to change passwords at specified intervals.
  • Account lockout: By setting a threshold and duration for account lockouts, you can specify how many failed logons cause a user to be locked out and how long that lockout lasts.
  • Password complexity---If you require password complexity, a password must meet the following requirements:
    • Passwords cannot contain a user's account name or part of the user's account name.
      The system applies the following rules when checking for user names:
      • Case sensitivity does not matter.
      • A domain name in the user's account name is not considered.
         For example, in the name user@domain, the word "domain" is not considered.
      • If a user name includes delimiters, substrings of the user name cannot be included in the passwords.
         To enforce this, the user account name is parsed for the following delimiters: commas, periods, dashes, hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the user account name is broken into tokens.
         Tokens of three characters or fewer are ignored. Tokens of more than three characters cannot be included in the password. For example, the name John B. Good is split into three tokens: John, B., and Good. The second token is less than three characters, so it is ignored. In this example, the user's password cannot include "john" or "good".
    • Passwords must contain characters from three of the following categories:
      • Uppercase letters
      • Lowercase letters
      • Digits 0 through 9
      • Non-alphanumeric characters: ~!@#$%^&*_--+=`|(){}[]:;"'<>,.?/
      • Any Unicode characters that are not characterized as upper or lowercase letters.
  1. Start the Application Server Administration console (that is, the blasadmin utility), as described in Starting the Application Server Administration console.
  2. Do any of the following:

  3. Restart the Application Server.
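
The password complexity rules listed above can be exercised offline with a short checker, for example to test candidate passwords against the policy before enabling it. This is an added example, not BMC code; the function names, the treatment of "dashes" as en and em dashes, and the reading of the fifth category as alphabetic characters without case are assumptions.

```python
import re

# Delimiters the page lists: commas, periods, dashes, hyphens, underscores,
# spaces, pound signs, tabs. Treating "dashes" as en/em dash is an assumption.
DELIMITERS = re.compile(r"[,.\-_ #\t\u2013\u2014]+")
# Non-alphanumeric characters as listed on the page.
SYMBOLS = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")
MIN_TOKEN_LEN = 4  # tokens of three characters or fewer are ignored


def name_tokens(account_name):
    """Return the lowercase name tokens a password may not contain."""
    local = account_name.split("@", 1)[0]  # the domain part is not considered
    tokens = DELIMITERS.split(local)
    return [t.lower() for t in tokens if len(t) >= MIN_TOKEN_LEN]


def char_categories(password):
    """Return the set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch in "0123456789":
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isalpha():  # assumption: letters with no case, e.g. CJK
            found.add("other-letter")
    return found


def check_password(account_name, password, min_length=0):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than minimum length")
    lowered = password.lower()  # case sensitivity does not matter
    for token in name_tokens(account_name):
        if token in lowered:
            problems.append(f"contains name token '{token}'")
    if len(char_categories(password)) < 3:
        problems.append("fewer than three character categories")
    return problems
```
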

 
