Info: Since Platform Version 1.6.2
Capabilities
To provide greater security to users, new functionalities, restrictions and validations have been added to the platform.
These can be modified and configured per environment: a new Central Configuration entry, managed by the administrator, appears in the Control Panel (/wiki/spaces/PT/pages/214401056). The entry is called EXPIRATIONUSERS, and the following is its default setting (since version 1.6.2-Empire).
ExpirationUsersPass:
cron: "0 0 0? * * *"
This parameter sets how often the password verification task runs: here it checks at 00:00:00 every day whether the passwords have expired.
timeLifePass: 180
This is the number of days for which a password is valid; the default is 180 days.
noticesDaysBefore: 10
This parameter sets the number of days before the password expires during which a daily reminder message is sent to inform the user that the password is about to expire (from 1.6.2-Empire).
maxInactiveDays: 30
This parameter sets, here to 30, the number of days without accessing the platform after which a user is left inactive and has to contact the administrator to be reactivated.
password.pattern:
The supported passwords are based on this pattern:
password.pattern: (?=^.{10,255}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$
This requires a password between 10 and 255 characters long containing uppercase letters, lowercase letters, numbers and special characters (for example, !).
Authentication:
limitFailedAttemp: 3
This sets the number of attempts allowed to access the platform with a user, here 3.
It can be configured from the Centralized Configuration:
If the access failure is caused by entering the password incorrectly, the user is left inactive and an email is sent to inform the user that this has occurred and that they have to contact the administrator to activate the account (from 1.6.2-Empire).
numberLastEntriesToCheck: 5
This parameter is used when changing the password: the new password cannot match any of the last (N) passwords used by the user, in this case the last 5. The platform keeps a history of the passwords used for this purpose.
ResetUserPass:
hours: 7
When a password is reset, this is the number of hours for which the password sent by email remains valid.
cron: "0 0 *? * * *"
This sets how often the task runs that checks, for each user, whether the password sent by email is still valid. To leave this state, the user must change the password.
Summary
These functionalities are parameterized in the EXPIRATIONUSERS section accessible from configuration management.
For changes in EXPIRATIONUSERS to take effect, the controlpanel and rtdb-maintainer services must be restarted from Rancher, so that the tasks that validate the user accounts are restarted.
The password will expire after (N) days of being established. Also, when the expiration is close (M days before), an email will be sent every day as a reminder to the user: M and N are configurable by environment (From 1.6.2-Empire).
When a user has not accessed the platform in N days, it will be deactivated, and only an administrator can activate it again (From 1.6.2-Empire).
When a password reset event occurs, triggered either by an administrator or by a user, an email is sent to the user with the temporary random password, and when it is used for the first time to access the console, the user is forced to change the password.
  o If you try to access any REST service with that random temporary password, you will be denied access.
  o You can reset the password from the ControlPanel or from the REST API (From 2.1.0-gradius).
A random temporary password (the product of a reset event) expires after N hours, where N is configurable (From 2.1.0-gradius).
For the administrator, an option for resetting passwords has been added in the user management list to have a more agile management of users (From 2.1.0-gradius).
As of version 2.2.0-hyperblast, certain parameters can be set to the value -1 so that they do not take effect.
Password format with basic identity manager
The passwords allowed by default in the basic identity manager must match a pattern that validates that they contain uppercase letters, lowercase letters, numbers and special characters (for example, !). The minimum length is 10 characters and the maximum is 255.
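
The default password.pattern shown earlier on this page can be run against sample passwords to see exactly what it admits. This Python check is an added example, not the platform's own code: the sample passwords are constructed, and full-match semantics with ASCII-only \d and \W are assumptions about how the platform applies the pattern.

```python
import re

# Pattern copied verbatim from the password.pattern setting on this page.
# re.ASCII is an assumption: it mirrors Java's default ASCII-only \d and \W.
PASSWORD_PATTERN = re.compile(
    r"(?=^.{10,255}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$",
    re.ASCII,
)

# Independent per-class checks, used only to explain each verdict.
CLASS_CHECKS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"\d", re.ASCII),
    "special": re.compile(r"\W", re.ASCII),  # "_" is a word character, not \W
}

def accepts(password):
    """True if the whole password matches the pattern (full match is an assumption)."""
    return PASSWORD_PATTERN.fullmatch(password) is not None

def classes_present(password):
    """Character classes found in the password, in a fixed order."""
    return [name for name, rx in CLASS_CHECKS.items() if rx.search(password)]

def audit(passwords):
    """Return (password, accepted, missing_classes) for each sample."""
    report = []
    for pw in passwords:
        present = classes_present(pw)
        missing = [c for c in CLASS_CHECKS if c not in present]
        report.append((pw, accepts(pw), missing))
    return report

# Constructed sample passwords, not taken from any real system.
SAMPLES = [
    "Abcdefgh1!",   # all four classes, 10 characters
    "Abcdefghij1",  # no special character
    "Abcdefghij!",  # no digit
    "Abcdefghijk",  # letters only
    "Abcdefghi_",   # underscore only, which \W does not match
    ".Abcdefgh1!",  # leading dot, blocked by (?![.\n])
    "Abcdefg1!",    # 9 characters, below the minimum length
    "abcdefgh1!",   # no uppercase letter
]

if __name__ == "__main__":
    for pw, ok, missing in audit(SAMPLES):
        print(f"{pw!r:16} accepted={ok!s:5} missing={missing}")
```

The second and third samples are accepted because the pattern's digit and special-character lookaheads are joined by an alternation, so a password needs only one of the two. An underscore does not count as a special character because \W does not match it.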