Understanding user account policies

Create account policies for local users who log in to the system.

User account policies provide rules for user passwords, failed login attempts, and account lock-out recovery procedures.

Most of the policies that are described here apply to local users, not users who are configured on Lightweight Directory Access Protocol (LDAP) servers that are integrated with the system.

Administrators with the Security administration role with permission to Manage security (Full permission) can configure user account policies on the System > System Security page in the console.

Security administrators with write access can configure user account policies on the System > Security page in the console. In 2.3.5, navigate to Security and access > System Security.

To receive monitoring events for user account policies, expand the Security Monitoring section on the System > Auditing page in the console and enable the following policies:
Note: In 2.3.5, the page is Security and access > Auditing.
  • Raise an event when user account policies are updated.
  • Raise an event when a user account gets locked or unlocked.
  • Raise an event when user account policies that are related to authentication are violated.
For more information, see the Enabling security monitoring topic in the Related tasks section at the end of this topic.

Policy descriptions

Table 1. User account policies

Minimum number of characters for passwords in pattern instance deployment
  The minimum number of characters that are required for passwords in pattern instance deployment. Applies when creating new users or updating existing users. The default value is 8. The minimum required value for this policy is 1. This policy is always enabled.

Minimum number of alphabetic characters for passwords in pattern instance deployment
  The minimum number of alphabetic characters that are required for passwords in pattern instance deployment. Applies when creating new users or updating existing users. By default, this policy is disabled, which means that no alphabetic characters are required for the password.

Minimum number of non-alphabetic characters in pattern instance deployment
  The minimum number of non-alphabetic characters that are required for passwords in pattern instance deployment. Applies when creating new user passwords or updating existing user passwords. By default, this policy is disabled, which means that no non-alphabetic characters are required for the password.

Number of days to keep password valid
  The number of days that a user password is valid. By default, this policy is disabled, which means that the password never expires.

  You can enable the option to display a message that warns users about expiring passwords in the Number of days before password expires to warn policy.

  If you enable the Enable automatic lock-out feature for user accounts when policies are violated policy, users with expired passwords are locked out of their accounts until you unlock them on the System > Users page in the console.

Number of days before password expires to warn
  The number of days before passwords expire to display a warning message to users. By default, this policy is disabled, which means that users are not warned at all. Warning messages are displayed at the top of the page immediately after users log in to the system.

  This user account policy works together with the Number of days to keep password valid policy.

Number of allowed consecutive failed attempts to authenticate
  The maximum number of consecutive failed attempts that local users can make to authenticate and log in to the system. By default, this policy is disabled, which means that users can attempt to authenticate as many times as they want.

  If you enable the Enable automatic lock-out feature for user accounts when policies are violated policy, local users who exceed the maximum number of allowed failed attempts are locked out of their accounts until security administrators with write access unlock them on the System > Users page in the console. For example, if you set this value to 3, a user can attempt to log in unsuccessfully three times. If the fourth attempt is also unsuccessful, the user account is locked.

  Note: External (LDAP) users who violate this policy are not locked out; however, if security monitoring is enabled, the authentication errors are reported as a security event in the console. For more information, see the Enabling security monitoring topic in the Related tasks section at the end of this topic.

Minutes to elapse before resetting login counter of failed attempts to authenticate
  When this policy is enabled, the counter of failed login attempts resets automatically after this number of minutes have elapsed since the last login attempt. By default, this policy is disabled, which means that the failed login counter does not reset until the user logs in successfully.

Enable automatic lock-out feature for user accounts when policies are violated
  When enabled, this policy locks local users out of their accounts if they violate the following policies:
  • Number of days to keep password valid
  • Number of allowed consecutive failed attempts to authenticate

  Security administrators with write access can unlock local users on the System > Users page in the console.

  By default, this policy is disabled, which means that users are not automatically locked out after violating user account policies.

  Warning: Before you set this policy, make sure that more than one Security administrator with write access exists. If you enable this policy without enabling the Minutes to elapse before automatically unlocking user accounts after they are locked policy, and only one Security administrator with write access exists, and that user account is locked out, contact the IBM support team to unlock it.

Minutes to elapse before automatically unlocking user accounts after they are locked
  The number of minutes after which locked user accounts are unlocked automatically. The default value is 720, which means that user accounts are unlocked automatically on the next login attempt after 720 minutes (12 hours) have elapsed. If you do not want user accounts to unlock automatically, disable this policy. This policy is enabled by default.
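The following Python model is an added example that illustrates how the policies in Table 1 interact; it is not code from the product and does not represent how the console implements them. It encodes the documented semantics: the password composition checks, expiry with a warning window, a failed-attempt counter that locks only when the configured maximum is exceeded, an idle-time counter reset, and auto-unlock that is evaluated on the next login attempt. The account name, timestamps and policy values used in demo() are constructed for the example; the defaults mirror the table where the table states one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Illustrative model of the documented policy semantics (added example, not product code).
# A value of None stands for "policy disabled", as in Table 1.


@dataclass
class PasswordPolicy:
    min_length: int = 8                  # always enabled, default 8
    min_alpha: Optional[int] = None      # disabled by default
    min_non_alpha: Optional[int] = None  # disabled by default

    def violations(self, password: str) -> List[str]:
        """Return the list of composition rules the password fails (empty means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"fewer than {self.min_length} characters")
        alpha = sum(c.isalpha() for c in password)
        if self.min_alpha is not None and alpha < self.min_alpha:
            problems.append(f"fewer than {self.min_alpha} alphabetic characters")
        if self.min_non_alpha is not None and len(password) - alpha < self.min_non_alpha:
            problems.append(f"fewer than {self.min_non_alpha} non-alphabetic characters")
        return problems


def password_status(set_on: datetime, now: datetime,
                    days_valid: Optional[int] = None, warn_days: Optional[int] = None) -> str:
    """'ok', 'expiring' (inside the warning window) or 'expired'; disabled expiry never expires."""
    if days_valid is None:
        return "ok"
    expires_on = set_on + timedelta(days=days_valid)
    if now >= expires_on:
        return "expired"
    if warn_days is not None and now >= expires_on - timedelta(days=warn_days):
        return "expiring"
    return "ok"


@dataclass
class LockoutPolicy:
    max_failed_attempts: Optional[int] = None    # disabled by default
    reset_counter_minutes: Optional[int] = None  # disabled by default
    auto_lockout: bool = False                   # disabled by default
    auto_unlock_minutes: Optional[int] = 720     # enabled by default, 720 minutes


@dataclass
class LocalAccount:
    name: str
    failed_attempts: int = 0
    last_attempt: Optional[datetime] = None
    locked_since: Optional[datetime] = None

    def record_attempt(self, success: bool, now: datetime, policy: LockoutPolicy) -> str:
        """Apply one login attempt; returns 'ok', 'failed' or 'locked'."""
        if self.locked_since is not None:
            # Auto-unlock happens on the next attempt once the interval has elapsed
            if (policy.auto_unlock_minutes is not None
                    and now - self.locked_since >= timedelta(minutes=policy.auto_unlock_minutes)):
                self.locked_since = None
                self.failed_attempts = 0
            else:
                return "locked"
        # Idle-time reset of the failed-attempt counter, if that policy is enabled
        if (policy.reset_counter_minutes is not None and self.last_attempt is not None
                and now - self.last_attempt >= timedelta(minutes=policy.reset_counter_minutes)):
            self.failed_attempts = 0
        self.last_attempt = now
        if success:
            self.failed_attempts = 0  # a successful login always clears the counter
            return "ok"
        self.failed_attempts += 1
        # Lock only when the count exceeds the maximum: with a value of 3 the fourth failure locks
        if (policy.auto_lockout and policy.max_failed_attempts is not None
                and self.failed_attempts > policy.max_failed_attempts):
            self.locked_since = now
            return "locked"
        return "failed"


def demo() -> dict:
    """Constructed scenario: max 3 failures, 30-minute counter reset, auto-unlock after 720 minutes."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    policy = LockoutPolicy(max_failed_attempts=3, reset_counter_minutes=30,
                           auto_lockout=True, auto_unlock_minutes=720)
    acct = LocalAccount("example-user")  # constructed account name
    burst = [acct.record_attempt(False, t0 + timedelta(minutes=i), policy) for i in range(4)]
    still_locked = acct.record_attempt(True, t0 + timedelta(minutes=10), policy)
    after_unlock = acct.record_attempt(True, t0 + timedelta(minutes=3 + 720), policy)
    idle = LocalAccount("idle-user")  # constructed account name
    for i in range(3):
        idle.record_attempt(False, t0 + timedelta(minutes=i), policy)
    after_reset = idle.record_attempt(False, t0 + timedelta(minutes=40), policy)
    expiry = password_status(t0, datetime(2024, 3, 25), days_valid=90, warn_days=7)
    return {"burst": burst, "still_locked": still_locked, "after_unlock": after_unlock,
            "after_reset": after_reset, "idle_counter": idle.failed_attempts, "expiry": expiry}


if __name__ == "__main__":
    print(demo())
```

In demo(), the fourth consecutive failure locks the account, a correct password ten minutes later is still refused, and the next attempt after 720 minutes both unlocks the account and succeeds; the second account shows the counter starting over after 30 idle minutes, so the fourth failure does not lock it.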