Configure Secure Authentication, User Accounts, and Passwords

Configure a password policy, lock or unlock users, and reset passwords. Managing authentication is an important part of your security policy. As an administrator, you want to prevent unauthorized users from accessing system resources or sensitive information. 
Use the following global user account options to configure session and password behavior for all users: 
Session Options
You can limit the number of invalid login attempts and specify how long user sessions can remain inactive before logging users out. For example, set a value of 3 for the number of times a user can enter an invalid login and set the minutes of inactivity to 30.
User Account Status Options
Specifies the status of one or more users as Active, Inactive, or Lock. For example, a user takes a leave of absence. You can set their status to Inactive. Inactive users cannot log in and managers cannot assign them to projects. When the user returns, set their status to Active again.
Password Options
You can adjust the following default password policy rules:
  • The password and user name cannot be the same.
  • Minimum password length is eight characters, including a minimum of one uppercase, one lowercase, one numeric, and one special character.
  • You can reuse a password, but only after it meets certain conditions. For example, you can reuse a password only after 60 days have passed and four other consecutive unique passwords have been assigned in the meantime.
You can also override the default password policy rules by selecting the Custom Expression option and specifying your own regular expression for a password.
The following diagram describes how an administrator configures and manages user authentication:
Manage Authentication
Review the Prerequisites for Managing Authentication
The terms user and resource describe similar concepts for handling the data of one person in the application. (Traditionally, project work has been performed by humans. However, the year 2020 is approaching and we are living in an age of driverless cars, complex robotics, and other new technologies. Technically, a robot could be a resource in the application and have its own user account.) A user refers to a user account that a person uses to log in to the application and manipulate the user interface. As an administrator, you manage authentication for users. A resource represents a user who performs work in the application for one or more investments. Resources are added to project teams by their resource or project manager.
  • To view users, accounts, passwords, and access rights, click Administration, Organization and Access, Resources.
  • To view resources, skills, allocations, and calendars, click Home, Resource Management, Resources.
For example, a resource is assigned to several tasks in two projects. This person logs in weekly (as a user) to complete their timesheet (as a resource). The user forgets their password and requests a reset. You reset their password by updating the Resource page under the Administration menu.
As an administrator, to complete the procedures in this article, complete the following prerequisites:
  • Assign yourself the following access rights:
    Administration - Access
    Administration - Application Setup
    Administration - Authorization
    Administration - Resources
    Resource - Edit - All
  • Click Administration, Organization and Access, Resources, and create one or more users.
  • Ensure that users set their Web browsers on their client PCs to accept cookies for session tracking.
Configure General Session Limits
Specify the limits for all user sessions to prevent access by unauthorized users. For example, define how many times a user can enter an invalid password before being locked out.
Follow these steps:
  1. Click Administration, and from General Settings, click System Options.
  2. In the Session Options section, complete the following fields and save your changes:
    • Invalid Login Limit
      Defines the maximum number of consecutive invalid login attempts before the application locks the user account. Enter a number higher than 0 to enable this option. A locked user cannot log in, even with the correct password, until an administrator sets the account status back to Active.
      Limits:
      0-99
      Default:
      0 (Disabled)
    • Minutes Of Inactivity Until Logout
      Defines the number of idle minutes after which the application logs the user out and ends the session. Enter 0 to disable the option.
      Limits:
      0 - 999
      Default:
      60 (Enabled)
      We recommend that you synchronize the following timeout settings. If the timeouts of the applications differ, the lowest timeout wins: the user session ends as soon as any one of them expires.
  • Jaspersoft User Session Timeout:
     Impacts Advanced Reporting users. To change the Jaspersoft user session timeout, see the Jaspersoft Server documentation on the Jaspersoft Community. By default, the Jaspersoft User Session Timeout is set to 70 minutes.
  • Single Sign-On (SSO) User Session Timeout:
     Impacts users who are using SSO with the product. The SSO system can use a session timeout that expires the product user session.
Configure General Password Options
Configure password options to help ensure that unauthorized users cannot easily identify passwords. For example, you can set a rule that passwords have at least eight characters with at least one capital letter and one numeric value.
Follow these steps:
  1. Click Administration, General Settings, System Options.
  2. In the Change Password Options section, select a value for the Password Rules field. You can manage password rules by Policy or by Custom Expression.
  3. To set password rules by policy, click Policy and enter values for the minimum password length, uppercase, lowercase, numeric, and special character requirements. For Minimum Password Length, enter the minimum number of characters between 5 and 40 for a password. The application prompts users to change their passwords if they violate a rule.
  4. To set password rules by expression, click Custom Expression and define an expression string for all passwords in the Regular Expression field. Build the expression from the following elements. A password must match the whole expression, so each lookahead you include is a requirement, not a permission:
       ^ -- Anchors the expression to the beginning of the password.
       (?=.*[a-z]) -- A lookahead that requires at least one lowercase letter anywhere in the password.
       (?=.*[A-Z]) -- A lookahead that requires at least one uppercase letter.
       (?=.*[0-9]) -- A lookahead that requires at least one digit. It is not part of the example below; add it if your policy must require a numeric character, as the default Policy rules do.
       (?=.*[~'!@#$%^&*)(-+=]) -- A lookahead that requires at least one of the special characters listed between the brackets. Only the listed characters count; a password that uses a different special character does not satisfy this element.
       .{min,max}$ -- The required password length, where min indicates the minimum number of characters that are required and max the maximum. To indicate only the minimum length, omit the maximum number. To indicate only the maximum length, omit the minimum number. For example, enter .{8,}$ to specify a minimum eight-character password.
       $ -- Anchors the expression to the end of the password.
     Write the elements without spaces between them. A space in the expression is a literal character, and every password would then have to contain it.
  5. For custom expressions, you can also set up a message in the Error Message field. Users who do not enter properly formatted passwords see the custom error message. For example:
     Invalid password. Enter a valid password with at least 8 characters, 1 uppercase letter, and 1 number.
  6. To immediately enforce the new password policy, click Force Password Change. The application forces all users to change their password during the next login.
  7. Save your changes.
Expression Example: Set a rule that requires at least one lowercase letter, at least one uppercase letter, at least one of the listed special characters, and a length of 8 to 16 characters:
^(?=.*[a-z])(?=.*[A-Z])(?=.*[~'!@#$%^&*)(-+=]).{8,16}$
This example does not require a digit, unlike the default Policy rules. If the custom error message you configure promises a number, add (?=.*[0-9]) so that the expression and the message agree.
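The following Python is an added example, not product code, that applies both rule styles described above to candidate passwords: the Policy rules (character-class counts, the user-name check, and the reuse condition from the Password Options overview) and the Custom Expression, including the pitfalls noted above (spaces in the expression, the missing digit requirement, and a trailing newline slipping past $). The special-character set, the function and record names, and the sample password history are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not product code). Models the "Policy" and "Custom Expression"
# password rule styles described on this page. SPECIALS and all names below are
# assumptions for the example, not settings read from the product.

SPECIALS = "~'!@#$%^&*)(-+="  # assumed: the special-character set used in the page's expression

# The page's expression example, written without spaces. Inside the character class,
# the "(-+" part is parsed as a RANGE and matches ( ) * + which is what was intended,
# but it is easy to misread when you edit the set.
PAGE_EXPRESSION = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[~'!@#$%^&*)(-+=]).{8,16}$"
# The same expression plus the digit requirement of the default Policy rules.
PAGE_EXPRESSION_WITH_DIGIT = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[~'!@#$%^&*)(-+=]).{8,16}$"


@dataclass(frozen=True)
class PolicyRules:
    min_length: int = 8          # page: Minimum Password Length is 5..40
    uppercase: int = 1
    lowercase: int = 1
    numeric: int = 1
    special: int = 1
    reuse_after_days: int = 60   # page: reuse allowed after 60 days ...
    reuse_after_other: int = 4   # ... and after four other consecutive unique passwords


def check_policy(password: str, username: str, rules: PolicyRules = PolicyRules()) -> list[str]:
    """Policy mode: return the violated rules (an empty list means the password is acceptable)."""
    if not 5 <= rules.min_length <= 40:
        raise ValueError("Minimum Password Length must be between 5 and 40")
    problems = []
    if password == username:
        problems.append("password and user name cannot be the same")
    if len(password) < rules.min_length:
        problems.append(f"at least {rules.min_length} characters required")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }
    for name, have in counts.items():
        need = getattr(rules, name)
        if have < need:
            problems.append(f"at least {need} {name} character(s) required")
    return problems


def check_expression(password: str, expression: str = PAGE_EXPRESSION) -> bool:
    """Custom Expression mode: the password must satisfy the administrator's regex.

    re.search honours the ^ and $ the administrator wrote. Because $ also matches
    before a trailing newline, newlines are rejected explicitly here.
    """
    if "\n" in password or "\r" in password:
        return False
    return re.search(expression, password) is not None


@dataclass(frozen=True)
class PasswordRecord:
    digest: str
    set_at: datetime


def digest(password: str) -> str:
    # Demo only: a real password store keeps a salted, slow hash (bcrypt, scrypt or
    # Argon2) and verifies the candidate against each stored hash in the history.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def can_reuse(candidate: str, history: list[PasswordRecord], now: datetime,
              rules: PolicyRules = PolicyRules()) -> bool:
    """Reuse rule. history is ordered oldest to newest. A previously used password may be
    set again only if its most recent use is at least reuse_after_days old AND at least
    reuse_after_other different passwords were assigned after it."""
    d = digest(candidate)
    uses = [i for i, rec in enumerate(history) if rec.digest == d]
    if not uses:
        return True                      # never used before
    last = uses[-1]
    old_enough = now - history[last].set_at >= timedelta(days=rules.reuse_after_days)
    others_since = {rec.digest for rec in history[last + 1:]}
    return old_enough and len(others_since) >= rules.reuse_after_other


SAMPLE_NOW = datetime(2024, 6, 1)  # constructed "current time" for the sample history


def sample_history() -> list[PasswordRecord]:
    """Constructed password history for one user, oldest to newest (age in days before SAMPLE_NOW)."""
    ages = [("Old-Pass1", 100), ("Mid-Pass2", 80), ("Mid-Pass3", 60), ("Mid-Pass4", 40), ("Mid-Pass5", 20)]
    return [PasswordRecord(digest(p), SAMPLE_NOW - timedelta(days=days)) for p, days in ages]
```

check_policy("NoDigits!!", "alice") returns only the numeric complaint, while check_expression("NoDigits!!") is True against PAGE_EXPRESSION and False against PAGE_EXPRESSION_WITH_DIGIT, which is the mismatch the note after the expression example warns about. Against sample_history(), "Old-Pass1" may be reused (100 days old, four different passwords since) but "Mid-Pass2" may not (only three passwords since).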
Set the Status of a User Account
Use the resource Status property to specify whether a user can log in and can access the application.
  • When you activate a user (resource), project managers and resource managers can add them to projects.
  • When you deactivate a user, they can no longer log in and managers cannot add them as resources to projects. The application retains all information about inactive users, and you can reactivate them later.
  • When too many failed attempts to authenticate a user session occur, the system locks the user account to prevent continued attempts. As an administrator, you can change the user account back to Active.
You can change the status of one or more users at a time.
If LDAP is running, you can change the status of only one user at a time. For more information about authentication and LDAP, see the Installation content or contact your LDAP administrator.
Follow these steps:
  1. Click Administration, Organization and Access, Resources.
  2. Select one or more resources and click one of the following buttons:
    • Activate: Activates one or more users so that they can log in and be added to projects.
    • Deactivate: Deactivates one or more users, prevents them from logging in, and prevents project or resource managers from adding them as resources to projects.
    • Lock: Locks one or more users and prevents them from logging in.
  3. Save your changes.
Note: Before Release 15.3, a user received confirmation on the Login page when they locked themselves out of their account by entering the wrong password too many times. The following message appeared:
CMN-10003: Invalid login information. Your account has been locked.
In 15.3 and higher, as a security best practice, the following message appears instead:
CMN-01002: User name and password invalid. Note that the password is case-sensitive.
As is often the case with security issues, the change represents a trade-off. Because the same message is returned whether the user name is unknown, the password is wrong, or the account has just been locked, an attacker can no longer use the login response to confirm that an account exists or to learn the Invalid Login Limit. However, users no longer know for certain when they have exceeded the Invalid Login Limit and locked their account. If a user is unexpectedly unable to log in, an administrator can check the status on the Resources page and reactivate the account.
Reset a User Password
Reset a user password when the user has lost or compromised their password. For example, if a user forgets the password, you can provide a temporary password. The user can then change it during the next login. Due to failed authentication attempts, a user can find themselves locked out of the application. As an administrator, you can reactivate them, assign a new temporary password, and then force the user to define a new password during their next login.
If you use LDAP for authentication, use LDAP to manage password resets. For more information about authentication and LDAP, see the Installation content or contact your LDAP administrator.
Follow these steps:
  1. Click Administration, Organization and Access, Resources.
  2. Open a resource.
  3. Enter a temporary password in the Password and Confirm Password fields.
  4. Send the user an email message with the temporary password.
  5. To ensure that the user resets the temporary password during their next login, select the Force Password Change check box.
  6. Save your changes.
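The following Python is an added example, not product code. It ties together three parts of this page: the Session Options from Configure General Session Limits (Invalid Login Limit and Minutes Of Inactivity Until Logout), the generic CMN-01002 message from the note under Set the Status of a User Account, and the administrator's reset with Force Password Change from Reset a User Password. The class names, the account store layout, the hashing parameters, and the sample accounts are assumptions for the example; the product's internals are not visible on this page.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not product code). Simulates Invalid Login Limit, Minutes Of
# Inactivity Until Logout, the 15.3+ generic login message, and an administrator's
# password reset with Force Password Change. All names here are assumptions.

GENERIC_FAILURE = "CMN-01002: User name and password invalid. Note that the password is case-sensitive."
LOCKED_PRE_15_3 = "CMN-10003: Invalid login information. Your account has been locked."
_DUMMY_SALT = secrets.token_bytes(16)  # so an unknown user costs the same as a known one


@dataclass
class SessionOptions:
    invalid_login_limit: int = 3   # page: 0-99, 0 disables the lockout
    inactivity_minutes: int = 30   # page: 0-999, 0 disables; product default is 60
    reveal_lockout: bool = False   # True reproduces the pre-15.3 message


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    status: str = "Active"         # Active | Inactive | Lock
    failures: int = 0              # consecutive invalid login attempts
    force_password_change: bool = False


@dataclass
class Session:
    username: str
    last_activity: datetime
    must_change_password: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, _hash(password, salt))


class Authenticator:
    def __init__(self, options: SessionOptions, accounts: list[Account]) -> None:
        self.options = options
        self.accounts = {a.username: a for a in accounts}

    def login(self, username: str, password: str, now: datetime) -> tuple[Session | None, str]:
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: same message as a bad password, and the same hashing cost,
            # so neither the text nor the timing confirms which user names exist.
            _hash(password, _DUMMY_SALT)
            return None, GENERIC_FAILURE
        if acct.status != "Active":
            # Inactive and Lock both refuse the login, even with the right password.
            if acct.status == "Lock" and self.options.reveal_lockout:
                return None, LOCKED_PRE_15_3
            _hash(password, acct.salt)
            return None, GENERIC_FAILURE
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures += 1
            limit = self.options.invalid_login_limit
            if limit > 0 and acct.failures >= limit:
                acct.status = "Lock"
                if self.options.reveal_lockout:
                    return None, LOCKED_PRE_15_3
            return None, GENERIC_FAILURE
        acct.failures = 0   # the limit counts consecutive failures; success resets it
        return Session(username, now, acct.force_password_change), "OK"

    def touch(self, session: Session, now: datetime) -> bool:
        """Call on every request. Returns False (session ended) once the idle limit is exceeded."""
        limit = self.options.inactivity_minutes
        if limit > 0 and now - session.last_activity > timedelta(minutes=limit):
            return False
        session.last_activity = now
        return True

    def reset_password(self, username: str, temporary_password: str) -> None:
        """Administrator action from the Resources page: reactivate the account, set a
        temporary password, and force the user to choose a new one at the next login."""
        acct = self.accounts[username]
        acct.status = "Active"
        acct.failures = 0
        acct.salt = secrets.token_bytes(16)
        acct.digest = _hash(temporary_password, acct.salt)
        acct.force_password_change = True


def sample_time() -> datetime:
    return datetime(2024, 6, 1, 9, 0)   # constructed clock for the example


def later(start: datetime, minutes: int) -> datetime:
    return start + timedelta(minutes=minutes)
```

With invalid_login_limit=3, three wrong passwords for "alice" each return GENERIC_FAILURE and leave the account in Lock; the correct password is then rejected with the same message, as is a login for a user name that does not exist. After reset_password("alice", ...), the login succeeds and the session carries must_change_password=True. With inactivity_minutes=30, a request 29 minutes after the last one keeps the session alive, and one 31 minutes after that ends it. Setting reveal_lockout=True shows the pre-15.3 behaviour, where the lockout itself is announced.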
Force a User to Reset Their Password
Force a user to reset their old password with a new password when their credentials have become compromised. 
If you use LDAP for authentication, use LDAP to manage password resets. For more information about authentication and LDAP, see the Installing and Upgrading content or contact your LDAP administrator.
Follow these steps:
  1. Click Administration, Organization and Access, Resources.
  2. Open a resource.
  3. Select Force Password Change.
  4. Save your changes.
     During their next login, the user must authenticate with their current credentials before choosing a new password.
Force All Users to Reset Their Passwords
You can prompt all users to reset their passwords the next time they log in. For example, as part of a security policy change, you increase the password character length from six to eight characters. After the change, you can force all users to change their passwords to meet the new requirement.
Follow these steps:
  1. Click Administration, General Settings, System Options.
  2. In the Change Password Options section, click Force Password Change.
  3. Save your changes.