User Policies allow administrators to manage the security configurations of their "User Accounts".

To edit a User Policy, navigate to the Web browser menu:

  • Users and Roles -> Manage Policies -> Actions -> Edit

Policy Setup - Best Practices

Use the following steps to set up a series of User Policies for your company:

  1. Start by setting the Default Policy to the minimum requirements for Password and Lockout
  2. Create additional Policies for higher Levels of Access
    • Stricter password requirements
    • Fewer attempts before lockout
    • Longer lockout time or disable user to force manual re-enable
    • Require Two-Factor Authentication
      • When Two-Factor Authentication is required, the user's configuration will usually be managed by an administrator directly
      • Self-managed YubiKeys, for example
  3. Apply stricter Policies to the appropriate Roles or Users
    • Policies may be reused for multiple roles and/or users
  4. Consider enabling Two-Factor Providers for additional security that the user can easily self-configure and use if they wish:
    • Authenticator
    • YubiKey

Password Policy

  • Applies only to the user when they are setting their own password for accessing the password server.
    • Users with the Administer Users permission can set other users' passwords directly without having to obey the policy
  • Minimum Length: (required)
  • Maximum Length: (not required, can be blank)
  • Minimum Characters of each type: (uppercase, lowercase, digit, special)
  • Minimum Varieties: specify minimum number of types, (1 - 4)
    • Can be used instead of setting a minimum per type
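A check implementing the Password Policy settings listed above (minimum/maximum length, minimum per character type, or minimum varieties as an alternative), as an added example that is not Pleasant Password Server code; the PasswordPolicy field names and the two constructed policies are assumptions for illustration.

```python
"""Password-policy check modelled on the settings described above.
Added example, not Pleasant Password Server code; the PasswordPolicy
field names and the sample policies are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int                                   # required
    max_length: Optional[int] = None                  # blank means no upper bound
    min_per_type: Dict[str, int] = field(default_factory=dict)  # e.g. {"uppercase": 1}
    min_varieties: Optional[int] = None               # 1-4, used instead of per-type minimums


def classify(password: str) -> Dict[str, int]:
    """Count characters of each of the four types the policy distinguishes."""
    counts = {"uppercase": 0, "lowercase": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["uppercase"] += 1
        elif ch.islower():
            counts["lowercase"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def check_password(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    counts = classify(password)
    for kind, needed in policy.min_per_type.items():
        if counts[kind] < needed:
            problems.append(f"needs at least {needed} {kind} character(s)")
    if policy.min_varieties is not None:
        present = sum(1 for n in counts.values() if n > 0)
        if present < policy.min_varieties:
            problems.append(f"uses {present} character type(s), policy requires {policy.min_varieties}")
    return problems


# Constructed policies: a baseline Default Policy and a stricter one for privileged roles
DEFAULT_POLICY = PasswordPolicy(min_length=8, min_varieties=2)
STRICT_POLICY = PasswordPolicy(min_length=14, max_length=128,
                               min_per_type={"uppercase": 1, "digit": 1, "special": 1})
```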

Lockout Policy

(Not applicable to Reset users)

  • A user with the Administer Users permission can re-enable users or reset the lockouts early
  • Status: Lockout can be enabled or disabled
  • Maximum Consecutive Failures: an account is locked or disabled after this number of consecutive failed attempts
  • Duration Until Reset:
    • Setting it to blank will disable the user instead of locking them out
    • The admin user will not be disabled, but will instead be locked out for a short time
  • Alerts: can be enabled for administrators or users
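The lockout behaviour described above (a timed lockout that expires on its own, a blank Duration Until Reset that disables the account instead, the admin account that is only ever locked out briefly, and an early reset by an Administer Users holder), as an added example that is not Pleasant Password Server code; the field names, the "admin" account name and the length of the admin fallback lockout are assumptions.

```python
"""Lockout-policy behaviour as described above. Added example, not Pleasant Password
Server code; the field names, the 'admin' account name and ADMIN_FALLBACK_LOCK
are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

ADMIN_FALLBACK_LOCK = 300   # seconds; the page only says "a short time" (assumed value)


@dataclass
class LockoutPolicy:
    enabled: bool = True
    max_consecutive_failures: int = 5
    duration_until_reset: Optional[int] = 900   # seconds; None models a blank value


@dataclass
class Account:
    name: str
    failures: int = 0                   # consecutive failed attempts so far
    locked_until: Optional[int] = None  # epoch seconds, None when not locked
    disabled: bool = False

    def status(self, now: int) -> str:
        if self.disabled:
            return "disabled"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        return "active"


def record_failure(policy: LockoutPolicy, acct: Account, now: int) -> str:
    """Apply one failed login at time `now` and return the resulting account status."""
    if not policy.enabled:
        return acct.status(now)
    acct.failures += 1
    if acct.failures >= policy.max_consecutive_failures:
        acct.failures = 0
        if policy.duration_until_reset is None and acct.name != "admin":
            acct.disabled = True        # blank duration: disable, manual re-enable needed
        else:
            lock = policy.duration_until_reset if policy.duration_until_reset is not None else ADMIN_FALLBACK_LOCK
            acct.locked_until = now + lock   # lockout expires by itself
    return acct.status(now)


def admin_reenable(acct: Account) -> None:
    """Administer Users permission: re-enable the user or reset the lockout early."""
    acct.disabled = False
    acct.locked_until = None
    acct.failures = 0
```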

Timeout Policy

(Not applicable to Reset users)

  • Web Client Timeout
    • The duration of browser inactivity before the User is signed out or the remembered login expires.
    • This setting only affects the Web Client login, and will only take effect once the user logs in after the setting is applied.
  • Application Authentication Timeout
    • (for KeePass, Mobile, and REST API clients)
    • The amount of time an authentication token (OAuth) remains valid. This determines how long access is permitted before the user has to re-authenticate.

KeePass Inactivity Timeouts

The KeePass for Pleasant desktop client has additional timeout duration options:

  • Adjust the settings in: Tools -> Options -> Security tab
    • "Lock workspace after KeePass inactivity (seconds)",
    • "Lock workspace after global user inactivity (seconds)"
    • (as well as additional Lock workspace options below)...
  • Apply the setting to multiple users/roles by:
    • Making the changes in KeePass
    • Uploading the KeePass config file in: Advanced -> Client Configuration.

Open Entries Will Remain Visible

Entries kept open when a Timeout occurs will remain visible:

  • In KeePass, when a vault entry remains open, the timeout is disabled. This is by design and is explained under NoAutoLock.
  • In the Web client, a vault entry remains open and visible, but will lock and disable further changes. Users can still see and copy out their changes, but will be unable to save, open other entries, etc.

Two-Factor Policy and Configuration

  • See Two-Factor Authentication (2FA) for more information

  • Two-Factor Authentication (2FA)
    • Status may be disabled, enabled, or required.
      • Note: marking 'Required' will lock out unenrolled users

    • Requiring Two-Factor: Only set this after a Provider and the Policy's users have been configured.
      • This can be set on the Policy or on a Provider. It prevents users from disabling their 2FA.

  • Bulk Enabling Users:
    • Enabling Self-Enrollment allows bulk configuration for all policy users, rather than configuring per-user.

  • Two-Factor Providers:
    • Status:  Enabled/Disabled
    • Allow/Disallow the user to change the Provider's enabled/disabled state
      • Can be used to force users to use a form of Two-Factor
    • Allow/Disallow the user to reset/modify their Two-Factor Secret information
      • Can be used to prevent users from changing their Two-Factor Configurations (full admin control)
    • Other, provider-specific, information and configuration

  • Browser Bypass: The user may be allowed to set a cookie to bypass Two-Factor for future logins from the same browser (for a 2-week period)

IP Filter Policy

Manage Account Policy

  • Modify Display Name
    • When enabled, allows a user to change their own Display Name
  • Modify Email Address
    • When enabled, allows a user to change their own Email
  • Modify Phone Number
    • When enabled, allows a user to change their own Phone Number
  • Users with the 'Administer Users' permission can always edit these values for any user.

Policy Membership

Here is how Policies affect user memberships:

  1. Default Policy
    • One Default Policy may be set
    • The Default Policy is applied if no direct or Role Policies are found
  2. Users may be Assigned a Policy directly
    • To assign a Policy to a user go to:
      • Users & Roles > Manage Users and click the [Edit] link beside the name of the user you wish to assign the Policy to.
      • There will be a Policy dropdown box where you can select whether the user inherits Policies or assign a specific one.
        • A Policy assigned directly to a user will override Policies inherited from roles
  3. A Policy may be Inherited from a Role
    • To assign a Policy to a role go to:
      • Users & Roles > Manage Policies and scroll down to the "Role Policies" grid. 
      • Click the "Set Role Policy" button and a dialog will appear to select the Role and the Policy you would like to assign, as well as the priority for that Policy.
        • Each Role may only have one policy and one Policy priority
        • All of the User's Roles are checked for Policies
        • The Role Policies are ordered by the Policy Priority value (lowest value first). If a user has multiple Roles, the one with the lowest priority value is applied.
        • Role Policies can be used to apply security more dynamically, based on the Role(s) a User has
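The resolution order described in the three steps above (a directly assigned Policy wins, otherwise the Role Policy with the lowest priority value among the user's Roles, otherwise the Default Policy), as an added example that is not Pleasant Password Server code; the data shapes and the constructed Role Policy grid are assumptions for illustration.

```python
"""Effective-policy resolution as described in the Policy Membership steps above.
Added example, not Pleasant Password Server code; policy names as strings and
role policies as (name, priority) pairs are assumptions for illustration."""
from typing import Dict, List, Optional, Tuple


def effective_policy(
    direct_policy: Optional[str],
    user_roles: List[str],
    role_policies: Dict[str, Tuple[str, int]],
    default_policy: str,
) -> str:
    """
    direct_policy  : Policy assigned to the user directly, or None if the user inherits
    user_roles     : all Roles the user belongs to
    role_policies  : {role: (policy, priority)}; each Role has at most one Policy
    default_policy : the single Default Policy
    """
    # Step 2: a Policy assigned directly to the user overrides Role Policies
    if direct_policy is not None:
        return direct_policy
    # Step 3: all of the user's Roles are checked; order by priority, lowest value first
    candidates = sorted(
        (role_policies[r] for r in user_roles if r in role_policies),
        key=lambda policy_and_priority: policy_and_priority[1],
    )
    if candidates:
        return candidates[0][0]
    # Step 1: no direct or Role Policy found, so the Default Policy applies
    return default_policy


# Constructed Role Policy grid: stricter policies get lower priority values
ROLE_POLICIES = {
    "Administrators": ("Strict", 10),
    "Helpdesk": ("Standard", 50),
    "Staff": ("Baseline", 100),
}
```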