Defining Your Security Policy

  1. To define your security policy, select Security Settings (SES), and the Security Policy tab.
  2. Specify this information:
    Authentication Methods
    • Enable Standard Authentication: Basic level of security. User credentials are validated when User Manager is used.
    • Enable Single Sign-on: Windows credentials entered during operating system log in are passed through to Security Console.
    • Force password change: This applies to Standard Authentication only. Click Apply to implement this setting. A message is displayed in order for you to confirm this action. Once this has been set, you can change it for individual users by using the Edit User function.
    If you wish to use an LDAP compliant Directory Service, these check boxes should be left blank and your settings should be entered using Directory Service Configuration.
    Note: At least one of the authentication modes must be selected, otherwise no users will be able to use the system.
    Enable Automatic Enrolment
    See Configuring the Security Policy for IFS Authentication and Automatic Enrolment for information about this setting.
  3. The IFS settings enable you to configure the IFS Server details, so that users logging in to SunSystems Web can be authenticated via IFS. After you configure the details and click OK, a representation of the SunSystems application is registered in IFS.
    Note: In order to complete the integration with IFS, an IFS system administrator must activate the SunSystems representation in IFS.

    After you configure the IFS server details you must restart the WWW publishing service on the SunSystems Security server.

  4. Specify this information:
    IFS Server Name
    Enter the fully qualified domain name for the IFS server, for example, ifs_server.domain.com.
    HTTP Port Number
    The secure port number for accessing the IFS server, for example, 9680.
    Clear Configuration
    This removes the IFS settings defined in the above fields.

    If required, Security Console can be associated to a Directory Service that holds master user and authentication information.

    Enable Directory Service Authentication
    Select this check box to enable Directory Service Authentication.
    LDAP Server
    Enter the ADsPath for the LDAP server in the form LDAP://HostName[:PortNumber]/DistinguishedName.

    The HostName can be a computer name, an IP address, or a domain name. A server name can also be specified in the binding string. Most LDAP providers follow a model that requires a server name to be specified.

    The PortNumber specifies the port to be used for the connection. If no port number is specified, the LDAP provider uses the default port number. The default port number is 389 if not using an SSL connection or 636 if using an SSL connection.

    The DistinguishedName specifies the distinguished name of a specific object. A distinguished name for a given object is guaranteed to be unique.

    These settings may be required as part of configuring the workflow integration.

    Use surrogate for missing approval user
    Check this check box to substitute a SunSystems user Id for the Workflow approver in the circumstance where incoming responses from Workflow do not include the Id of the person who approved or rejected the authorization request. By doing so, you enable SunSystems to process the incoming responses despite the absence of the Person ID.
    Use surrogate for invalid approval user
    Check this check box to substitute a SunSystems user Id for the Workflow approver in the circumstance where incoming responses from Workflow include an unrecognized Id for the person who approved or rejected the authorization request. By doing so, you enable SunSystems to process the incoming responses despite the invalid Person ID.
    Surrogate Approval User
    If you set either of the above options to use a surrogate approver for an absent or invalid Person ID, select the Id of the SunSystems user to be substituted as the Workflow approver. The SunSystems user that you select here should be defined in Security Console as an Authorizer.
    Nominated integration user

    Select the ID of the SunSystems user with which the system will log in to process incoming BODs. The user Id you select must be a member of one of the SunSystems Connect groups in Security Console.

    User Rights
    Select this check box to give users the ability to update their own properties, such as full name and description. Users can still change their own password without this check box being selected.
    Note: This does not enable them to change their security authentication or group membership.
    Expiration
    This check box enables you to define a global setting for all users to lock them out if they have not logged on for the number of days specified.

    There are several settings for the user's password you can define using this tab. For example, how many unsuccessful attempts at logging in are permitted before the user is locked out of the system, and the length of the password.

    Maximum password age (days)
    Determine the maximum period of time, in days, that a password can be used before the user must change it.
    Minimum password age (days)
    Determine the minimum period of time, in days, that a password must be used before it can be changed.
    Enforce password history
    Determine the number of unique new passwords that have to be associated with a user account before an old password can be reused.
    Deny access after number of login failed
    Disable a user account if the user fails to input the correct password after trying the number of times specified in this box.
    Lock user after failed log in
    Lock a user account if the user fails to input the password after trying the number of times specified in the unsuccessful login attempts box.
    Minimum password length
    Determine the minimum number of characters that a password for a user account may contain.
    Number of consecutive numerical allowed
    The maximum number of numerical characters that are allowed in a user password.
    Password must not match username
    Disallow the use of the username in the password.
    Password must match complexity requirements
    Password must meet complexity requirements (mixed case/mixed alpha).
    No exact word match from the dictionary
    Disallow words from the dictionary.
    Note: To maintain dictionary entries, click Dictionary, which is displayed after selecting this check box.
  5. Save your changes.
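The LDAP Server field in step 4 expects the binding string LDAP://HostName[:PortNumber]/DistinguishedName, with port 389 or 636 assumed when none is given. The following parser is an added example, not part of SunSystems or this documentation; it checks a binding string before it is entered in Security Console and applies the default port described above. The function and field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Default ports named in the text: 389 for plain LDAP, 636 for LDAP over SSL.
LDAP_PORT = 389
LDAPS_PORT = 636

# ADsPath shape from the text: LDAP://HostName[:PortNumber]/DistinguishedName
_ADSPATH = re.compile(
    r"^LDAP://(?P<host>[^:/]+)(?::(?P<port>\d{1,5}))?/(?P<dn>.+)$", re.IGNORECASE
)


@dataclass
class LdapBinding:
    host: str
    port: int
    dn: str
    explicit_port: bool  # True if the string carried its own :PortNumber


def parse_adspath(adspath: str, use_ssl: bool = False) -> LdapBinding:
    """Validate an ADsPath and resolve the port, using the default when omitted."""
    m = _ADSPATH.match(adspath.strip())
    if not m:
        raise ValueError(f"not an LDAP ADsPath: {adspath!r}")
    host, port_str, dn = m.group("host"), m.group("port"), m.group("dn")
    if port_str is None:
        port = LDAPS_PORT if use_ssl else LDAP_PORT
    else:
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    # A DN is a comma-separated list of attribute=value pairs; commas inside a
    # value are escaped as "\,", so split only on unescaped commas.
    rdns = re.split(r"(?<!\\),", dn)
    if not all("=" in rdn for rdn in rdns):
        raise ValueError(f"malformed distinguished name: {dn!r}")
    return LdapBinding(host, port, dn, port_str is not None)


def uses_plain_port(binding: LdapBinding) -> bool:
    """True when the binding resolves to the non-SSL default port 389."""
    return binding.port == LDAP_PORT
```

Reject a string with uses_plain_port() true when the directory holds authentication data and the provider is not negotiating TLS on that port.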
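The password settings listed in step 4 (minimum and maximum age, history depth, minimum length, consecutive numerics, username match, complexity and dictionary words) are applied by Security Console at password change time. The checker below is an added example written for this page, not SunSystems code, that evaluates a candidate password against those rules and reports every rule it breaks. It assumes "complexity" means mixed case plus at least one non-alphabetic character, that "consecutive numerical" is the longest run of digits, and that history entries are compared directly (a real store would compare hashes).

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass
class PasswordPolicy:
    """Constructed defaults; each field mirrors a setting on the Security Policy tab."""
    max_age_days: int = 90
    min_age_days: int = 1
    history_depth: int = 5          # Enforce password history
    min_length: int = 8             # Minimum password length
    max_consecutive_numerics: int = 3
    must_not_match_username: bool = True
    complexity_required: bool = True
    dictionary: FrozenSet[str] = frozenset()  # entries maintained via Dictionary


def _longest_digit_run(pw: str) -> int:
    longest = run = 0
    for ch in pw:
        run = run + 1 if ch.isdigit() else 0
        longest = max(longest, run)
    return longest


def check_new_password(policy: PasswordPolicy, username: str, candidate: str,
                       history: List[str], days_since_change: int) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it is accepted.
    history lists previous passwords, most recent first."""
    problems = []
    if days_since_change < policy.min_age_days:
        problems.append("minimum password age not reached")
    if len(candidate) < policy.min_length:
        problems.append("shorter than minimum length")
    if _longest_digit_run(candidate) > policy.max_consecutive_numerics:
        problems.append("too many consecutive numerics")
    if policy.must_not_match_username and username.lower() in candidate.lower():
        problems.append("contains username")
    if policy.complexity_required and not (
            any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
            and any(not c.isalpha() for c in candidate)):
        problems.append("fails complexity (mixed case and non-alphabetic)")
    if candidate.lower() in policy.dictionary:  # exact word match only
        problems.append("exact dictionary word")
    if candidate in history[:policy.history_depth]:
        problems.append("reused within password history")
    return problems


def password_expired(policy: PasswordPolicy, days_since_change: int) -> bool:
    """Maximum password age: the user must change the password once it is reached."""
    return days_since_change >= policy.max_age_days
```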