Adding Security Parameters

Security parameters determine the password and authorization rules for user sessions.

The instance security settings determine whether users are allowed to change their password while working in Archer. Verify with your IT administrator that your instance is configured to allow users to change their passwords. Instance parameters are managed in the Archer Control Panel.

  1. From the menu, click Admin menu > Access Control > Security Parameters.
  2. Click Add New.
  3. Do 1 of the following:
    • To create a new security parameter, select Create a new Security Parameter from scratch, and click OK.
    • To create a new security parameter from an existing security parameter, select Copy an existing Security Parameter, select the existing security parameter from the Security Parameter list, and click OK.
  4. In the General Information section, enter the name and description of the security parameter.
  5. (Optional) In the Alias field, enter a different name if you want to use an alias to identify the security parameter.

  6. In the Password Properties section, enter password rules that you want to enforce.

    The following table describes each option.

    Property

    Action

    Password format
    1. In the Minimum Password Length field, select the minimum number of characters or select Other and enter a different value.
    2. In the Numeric Characters Required field, select the minimum number of numbers or select Other and enter a different value.
    3. In the Uppercase Characters Required field, select the minimum number of uppercase characters or select Other and enter a different value.
    4. In the Alpha Characters Required field, select the minimum number of alphabetic letters or select Other and enter a different value.
    5. In the Special Characters Required field, select the minimum number of special characters or select Other and enter a different value.
    6. In the Lowercase Characters Required field, select the minimum number of lowercase characters or select Other and enter a different value.

    Password limitations
    1. In the Previous Passwords Disallowed field, select the number of previous passwords a user may not use as the new password or select Other to enter a different value.
    2. In the Grace Logins field , select the number of times a user is allowed to bypass the password change alert or select Other to enter a different value.

    Password expiration notice

    In the Password Expiration Notice field, select the number of days for prompting the user to change the password or select Other to enter a different value.

    Password change interval

    In the Password Change Interval field, the number of days after which a user is required to change the password or select Other to enter a different value.

    Restrict frequency of password change
    1. In the Password Change Limit field, click Enable password change limit.
    2. Enter or select the period (in Hours) in which users can change their passwords for this security parameter.

  7. In the Authorization Properties section, enter the authorization rules that you want to enforce.

    The following table describes each rule.

    Rule

    Action

    Number of allowed login failures

    In the Maximum Failed Login Attempts field, select the number of unsuccessful login attempts a user is allowed, or select Other to enter a different value.

    Account lockout period after login failures

    In the Account Lockout Period field, select the period that an account remains locked before the user can log in again, or select Other to enter another value.

    Timeout for an inactive session

    In the Session Timeout field, select the maximum length of time an active user session without activity can remain active before the session is automatically timed out. You can enter any number in the range of 1 to 99 and select the value for minutes, hours, or days from the drop-down list.

    Time limit for account inactivity

    In the Automatic Account Deactivation field, select the number of days a user account can remain active before the account becomes deactivated, or select Other to enter a different value.

    Note: To prevent the account from being deactivated at the end of the time limit, the user must log in before the nightly system job AutomaticUserAccountDeactivationJobHandler runs.

    Time period allowed for user sessions
    1. In the Limit Session Time field, click Allow active user sessions only for a specific time period.
    2. In the From field, enter the start time of the period.
    3. In the To field, enter the end time of the period.
    4. In the Time Zone field, select the time zone that applies to the active session limitation.

    Active user session period before requiring re-authentication
    1. In the Static Session Timeout field, click Enable static session timeout.
    2. Select the time interval that is allowed for active user sessions before the user must re-authenticate.

    Days disallowed for user sessions

    In the Days Disallowed field, click and select the days (Sunday through Saturday) that user sessions are not allowed and click OK.

    To remove a day from the Selected list, click adjacent to the day that you want to remove from the list.

    Dates disallowed for user sessions

    In the Dates Disallowed field, click and select the dates that user sessions are not allowed and click OK.

    To remove a date from the Selected list, click adjacent to the date that you want to remove from the list.

    Warning period before the session times out
    1. In Session Timeout Warning, select Enable session timeout warning.
    2. In Seconds, enter the length of the warning period in the range 30 to 300.

      3. Important: This option specifies the maximum number of seconds in a warning period before a user is automatically logged out of a session. This warning period applies to both a simple Session Timeout and an enabled Static Session Timeout. When the warning period begins, a message box appears, displaying a countdown until the active session terminates. This box always appears at the beginning of the warning period, regardless of user activity or inactivity.

      Things to remember:

      • When the warning box for a simple Session Timeout appears, you can stop the countdown and reset the warning period. To reset, you must either click Continue Working in the countdown box or complete an action, such as loading an application or performing a save, that communicates with the server.

        • Note: Note: Certain user actions, such as typing text or clicking a tab with the mouse, do not reset the warning period because they do not communicate with the server.

      • In the last few seconds before the countdown reaches zero, factors such as the speed of the network may mean that there is not enough time to prevent the session terminating. In this case it is best to save changes and stop the countdown early.
      • If the simple Session Timeout setting is a short amount of time, for example 5 minutes, then the countdown box will appear frequently. To reduce the frequency, increase the setting (for example to 30 or 60 minutes).
      • When the warning box appears because a Static Session Timeout interval is about to expire, the user cannot stop the countdown and must log in again after the session terminates. This is true regardless of session activity. The user should not wait until just before the session terminates to save changes.
      • The Session Timeout warning period should be less than the Session Timeout.

    PIN Expiration

    Select the maximum length of time a PIN remains active before expiring.

    Maximum PIN Resends

    Select the number of times a user can request a PIN before the system prevents them from requesting an additional PIN.

    Reset Maximum PIN Resends

    Select the lockout period before the user can request a PIN after the user exceeds their maximum PIN resend limit.

  8. Click Save or Save and Close.

    • To apply the changes and continue working, click Save.
    • To save and exit, click Save and Close.