Defining Your Security Policy

Authentication Methods

• Enable Standard Authentication: Basic level of security. User credentials are validated when User Manager is used.
• Enable Single Sign-on: Windows credentials entered during operating system log in are passed through to Security Console.
• Force password change: This applies to Standard Authentication only. Click Apply to implement this setting. A message is displayed in order for you to confirm this action. Once this has been set, you can change it for individual users by using the Edit User function.

If you wish to use an LDAP compliant Directory Service, these check boxes should be left blank and your settings should be entered using Directory Service Configuration.

Uwaga: At least one of the authentication modes must be selected, otherwise no users will be able to use the system.

Enable Automatic Enrolment

See Configuring the Security Policy for IFS Authentication and Automatic Enrolment for information about this setting.

IFS Server Name

Enter the fully qualified domain name for the IFS server, for example, ifs_server.domain.com.

HTTP Port Number

The secure port number for accessing the IFS server, for example, 9680.

Clear Configuration

This removes the IFS settings defined in the above fields.

If required, Security Console can be associated to a Directory Service that holds master user and authentication information.

Enable Directory Service Authentication

Select this check box to enable Directory Service Authentication.

LDAP Server

Enter the ADsPath for the LDAP server in the form LDAP://HostName:PortNumber]/DistinguishedName.

The HostName can be a computer name, an IP address, or a domain name. A server name can also be specified in the binding string. Most LDAP providers follow a model that requires a server name to be specified.

The PortNumber specifies the port to be used for the connection. If no port number is specified, the LDAP provider uses the default port number. The default port number is 389 if not using an SSL connection or 636 if using an SSL connection.

The DistinguishedName specifies the distinguished name of a specific object. A distinguished name for a given object is guaranteed to be unique.

These settings may be required as part of configuring the workflow integration.

Use surrogate for missing approval user

Check this check box to substitute a SunSystems user Id for the Workflow approver in the circumstance where incoming responses from Workflow do not include the Id of the person who approved or rejected the authorization request. By doing so, you enable SunSystems to process the incoming responses despite the absence of the Person ID.

Use surrogate for invalid approval user

Check this check box to substitute a SunSystems user Id for the Workflow approver in the circumstance where incoming responses from Workflow include an unrecognized Id for the person who approved or rejected the authorization request. By doing so, you enable SunSystems to process the incoming responses despite the invalid Person ID.

Surrogate Approval User

If you set either of the above options to use a surrogate approver for an absent or invalid Person ID, select the Id of the SunSystems user to be substituted as the Workflow approver. The SunSystems user that you select here should be defined in Security Console as an Authorizer.

Nominated integration user

Select the ID of the SunSystems user with which the system will log in to process incoming BODs. The user Id you select must be a member of one of the SunSystems Connect groups in Security Console.

User Rights

Check this check box to give users the ability to update their own properties, such as, full name and description. Users can still change their own password without this check box being checked.

Uwaga: This does not enable them to change their security authentication or group membership.

Expiration

This check box enables you to define a global setting for all users to lock them out if they have not logged on for the number of days specified.

There are several settings for the user's password you can define using this tab. For example, how may unsuccessful attempts at logging in are permitted before the user is locked out of the system, and the length of the password.

Maximum password age (days)

Determine the maximum period of time, in days, that a password can be used before the user must change it.

Minimum password age (days)

Determine the minimum period of time, in days, that a password must be used before the user can be changed.

Enforce password history

Determine the number of unique new passwords that have to be associated with a user account before an old password can be reused.

Deny access after number of login failed

Disable a user account if the user fails to input the correct password after trying the number of times specified in this box.

Lock user after failed log in

Lock a user account if the user fails to input the password after trying a number of times specified in the unsuccessfully login attempts box.

Minimum password length

Determine the minimum number of characters that a password for a user account may contain.

Number of consecutive numerical allowed

The maximum number of numerical characters that are allowed in a user password.

Password must not match username

Disallow the use of username in password.

Password must match complexity requirements

Password must meet complexity requirements (mixed case/mixed alpha).

No exact word match from the dictionary

Disallow words from the dictionary.

Uwaga: To maintain dictionary entries, click Dictionary which is displayed after checking this check box.