Defining Account Policies

Account policies are security rules that an administrator applies to users and groups. The Default policy is the first account policy defined in GENESIS Security. You can define multiple account policies, but only one policy can be enforced for any one user at a time.

To add a new account policy:

  1. Open Workbench and in the Project Explorer, expand the Security node.
  2. Right-click Policies and select Add Policy to display the five sections on the Account Policy tab.
  3. In Name, identify the policy.

    Example: Operators.

  4. In the Password Life section, select the checkboxes to apply the desired properties.

    The following table defines the Password Life properties.

    Password Life Properties | Description

    User cannot change password
        If selected, the password can only be changed by the administrator.

    User must set password at first login
        If selected, the user is forced to change the default password before logging in the first time. The user receives a message indicating the password expiration.

    Password expires in (days)
        If selected, users must create a new password after a password has been used for the specified number of days.

    Allow changing password after (days)
        If selected, users can change the password after it has been in use for the specified number of days.

    Password History Count
        This specifies how many old passwords to store. When the user changes their password, it must be different from the previously used passwords. Password history is checked whenever the user changes the current password.

        • If the count is zero, the new password can be the same as the current password.
        • If the count is 1 or above, the new password must be different from the current password. Security tracks the history of password changes up to the count number.

        The system does not check password history when setting a new password from Workbench. This is considered an administrative operation; the password is only checked against the password complexity rules (see the table in step 5).

  5. Define the Password Complexity.

    The following table describes the Password Complexity properties.

    Password Complexity Properties | Description

    Minimum password length
        Enter the required number of characters in a password.

    Minimum number of non-alphanumeric chars
        Enter the number of required non-alphanumeric characters or symbols for creating a password (the default is 0).

    Password strength regular expression
        (Optional) Enter a regular expression to enforce password strength. A regular expression is a pattern describing the required format of a password. The following are regular expression examples:

        • ^\d{3}-\d{2}-\d{4}$
          Use for a social security number. An example would be 111-11-1111.
        • (?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$
          Validates a strong password. It must be between 8 and 10 characters, contain at least one digit and one alphabetic character, and must not contain special characters.
        • (?=^.{8,}$)((?=.*\w)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[|!"#$%&\/\(\)\?\^\'\\\+\-\*]))^.*
          Enforces a password at least 8 characters long with one lowercase letter, one uppercase letter, one digit and one special character, such as 1Passw0rd#. (See Microsoft: Using Regex class.)
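
    As an added example (not GENESIS code), the following Python applies the Password Complexity rules of this table and the Password History Count rule of step 4 to candidate passwords. It uses the page's three patterns with re.search, which mirrors .NET Regex.IsMatch; the function names, the constructed policy values and the history bookkeeping are assumptions.

```python
import re

# Added example, not GENESIS code: models the Password Complexity rules from the
# table above (minimum length, minimum non-alphanumeric characters, optional
# strength regular expression) and the Password History Count rule from step 4.
# Function names and the exact history bookkeeping are assumptions.

# The three patterns quoted on the page, as written there.
SSN_PATTERN = r"^\d{3}-\d{2}-\d{4}$"
ALNUM_8_TO_10 = r"(?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-zA-Z0-9]{8,10})$"
MIXED_WITH_SYMBOL = (
    r"""(?=^.{8,}$)((?=.*\w)(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])"""
    r"""(?=.*[|!"#$%&\/\(\)\?\^\'\\\+\-\*]))^.*"""
)


def check_complexity(password, min_length=0, min_non_alnum=0, strength_regex=None):
    """Return the names of the complexity rules the candidate violates (empty list = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append("min_length")
    if sum(1 for c in password if not c.isalnum()) < min_non_alnum:
        failures.append("min_non_alnum")
    # .NET's Regex.IsMatch searches rather than anchoring, so re.search mirrors it;
    # the page's patterns carry their own ^ and $ anchors.
    if strength_regex is not None and re.search(strength_regex, password) is None:
        failures.append("strength_regex")
    return failures


def check_history(new_password, current, previous, history_count):
    """History rule from step 4: count 0 allows reusing the current password; count N
    rejects the N most recent passwords, the current one included (assumed reading).
    Real stores compare hashes, not plaintext; plaintext is used here only for clarity."""
    if history_count == 0:
        return True
    tracked = [current] + previous[:history_count - 1]
    return new_password not in tracked


if __name__ == "__main__":
    # Constructed "Operators" policy: 8+ characters, one symbol, mixed-case pattern.
    for candidate in ("1Passw0rd#", "password", "Short1!"):
        print(candidate, "->", check_complexity(candidate, 8, 1, MIXED_WITH_SYMBOL) or "ok")
```
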
  6. Define the Account Lock on / Login Failure settings.

    The following table describes the Account Lock on / Login Failure properties.

    Account Lock on / Login Failure Properties | Description

    Lock account after failed login (N attempts)
        If selected, the user account is locked when the security system detects the specified number of failed attempts. A locked account prevents the user from logging in for a period of time determined by the Lock account for (mins) option.

    Reset login attempt after (minutes)
        The number of minutes after which the count of failed login attempts is reset. If consecutive login attempts are separated by more than this interval, the count starts over and a lockout does not occur. The range is from 1 to 999.

    Lock account forever (until admin unlocks)
        After the number of failed logins is reached, the account is locked. To unlock the account, the administrator must open the user account and clear the Account Locked checkbox.

    Lock account for (mins)
        The account is locked when the number of failed logins is reached. The user cannot log in until this number of minutes has elapsed.
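
    As an added example (not GENESIS code), the following Python models how the three lockout settings above interact: a failure counter that resets after the reset window, and a lock that is either timed or held until an administrator unlocks it. The class and field names, and the use of minutes as the time unit, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not GENESIS code: a model of how the Account Lock on / Login
# Failure settings in step 6 interact. The rules follow the table above; the
# class and field names, and time measured in minutes, are assumptions.

@dataclass
class LockoutPolicy:
    lock_after_failures: int          # Lock account after failed login (N attempts)
    reset_after_minutes: int          # Reset login attempt after (minutes), 1 to 999
    lock_for_minutes: Optional[int]   # Lock account for (mins); None = lock forever

@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: Optional[float] = None
    locked_at: Optional[float] = None
    locked_forever: bool = False

    def is_locked(self, now: float, policy: LockoutPolicy) -> bool:
        if self.locked_forever:
            return True
        if self.locked_at is None:
            return False
        # A timed lock expires once "Lock account for (mins)" has elapsed.
        return now < self.locked_at + policy.lock_for_minutes

    def record_failure(self, now: float, policy: LockoutPolicy) -> bool:
        """Count one failed login at time `now`; return True if it triggers a lock."""
        # Failures separated by more than the reset window start a fresh count,
        # so widely spaced failures never reach the lock threshold.
        if self.last_failure_at is not None and now - self.last_failure_at > policy.reset_after_minutes:
            self.failures = 0
        self.failures += 1
        self.last_failure_at = now
        if self.failures < policy.lock_after_failures:
            return False
        if policy.lock_for_minutes is None:
            self.locked_forever = True
        else:
            self.locked_at = now
        self.failures = 0
        return True

    def admin_unlock(self) -> None:
        """Administrator clears the Account Locked checkbox for the user."""
        self.locked_forever = False
        self.locked_at = None
        self.failures = 0
```
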

  7. Select the Login > Concurrent Login Limit option if needed. This limits the number of simultaneous logins of a user from different computers. The default setting is off (not selected).
  8. Define the Logout settings.

    The following table describes the Logout properties and settings.

    Logout Properties | Description

    Auto Logout after (mins)
        The number of minutes before the system automatically logs the user off. The range is from 1 to 50,000 minutes. The default is 30 minutes of user inactivity; the other option is a fixed number of minutes.

    Auto logout for disconnected clients (sec)
        When a user disconnects from a client application, the system automatically logs the user off after the specified number of seconds.

    Password required to logout
        When users finish using a client application, they must log out using their account password.

  9. Click Apply.

    The Time Sheet tab is a scheduler that restricts when users can log in, by day and by hour. Highlighted hours are the hours during which the user can log into the system.