policy get
Displays the policy for user passwords, account rules, and conditions. Requires authentication (administrator ID and password) to use this command.
Syntax
policy get account-expiry-date [-user user_name]
policy get disable-time-interval [-user user_name]
policy get max-concurrent-web-sessions [-user user_name]
policy get max-login-failures [-user user_name]
policy get max-password-age [-user user_name]
policy get max-password-repeated-chars [-user user_name]
policy get min-password-alphas [-user user_name]
policy get min-password-length [-user user_name]
policy get min-password-non-alphas [-user user_name]
policy get password-spaces [-user user_name]
policy get tod-access [-user user_name]
Options
- -user user_name
- Specifies the user whose policy information is to be displayed. If this option is not specified, the general policy is displayed. For any specified policy, if a user has a specific policy that is applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy. Examples of user names are dlucas, sec_master, and "Mary Jones". (Optional)
- account-expiry-date
- Displays the account expiration date.
- disable-time-interval
- Displays the time, in seconds, to disable user accounts when the maximum number of login failures is exceeded.
- max-concurrent-web-sessions
- Displays the maximum number of concurrent web sessions. The value is a number equal to or greater than 1 or one of the following values:
- displace
- All existing web sessions end when the user starts a new web session.
- unlimited
- The user can start an unlimited number of web sessions.
- unset
- The web session policy is not set.
This policy applies only to certain components. A web session is a user session that is maintained by a web security solution, such as WebSEAL or the plug-in for web servers. See the IBM Knowledge Center to determine whether this setting is applicable and whether specific configuration options are required to enforce this policy.
- max-login-failures
- Displays the maximum number of login failures. To enforce maximum login failures, the disable-time-interval parameter must be set. For more information, see the disable time interval section.
- max-password-age
- Displays the maximum time that a password is valid. The time is indicated in days, expressed as 000-00:00:00. For example, 31-08:30:00 for 31 days, 8 hours, 30 minutes, 0 seconds. This time is relative to the last time the password was changed.
- max-password-repeated-chars
- Displays the maximum number of repeated characters that are allowed in a password.
- min-password-alphas
- Displays the minimum number of alphabetic characters that are required in a password.
- min-password-length
- Displays the minimum password length.
- min-password-non-alphas
- Displays the minimum number of non-alphabetic characters that are required in a password.
- password-spaces
- Displays whether spaces are allowed in passwords.
- tod-access
- Displays the time of day access policy.
Return codes
- 0
- The command completed successfully.
- 1
- The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.
Examples
- The following example returns the account expiration date of unlimited for the specified user dlucas:
pdadmin sec_master> policy get account-expiry-date -user dlucas
Account expiry date: unlimited
- The following example returns the maximum time of 0 days, where zero indicates unlimited, that the password is valid for the specified user dlucas:
pdadmin sec_master> policy get max-password-age -user dlucas
For unlimited password age, returns information like:
Maximum password age: 0-0:0:0
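The max-password-age output format and the precedence rule for -user described above can be checked in an audit script. The following Python sketch is an added example, not part of the product documentation: it parses the days-hours:minutes:seconds value, treats zero as unlimited, and reports users whose effective policy is unlimited or longer than a threshold. The 90-day threshold, the use of None to represent "no user-specific policy", and the sample output lines are assumptions made for illustration.

```python
import re
from datetime import timedelta
from typing import Dict, Optional

# Value layout from the reference: days-hours:minutes:seconds, e.g. 31-08:30:00.
_AGE_RE = re.compile(r"^\s*Maximum password age:\s*(\d+)-(\d+):(\d+):(\d+)\s*$")


def parse_max_password_age(line: str) -> Optional[timedelta]:
    """Return the password lifetime, or None when the value is zero (unlimited)."""
    m = _AGE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised max-password-age output: {line!r}")
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    age = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    return age if age else None  # 0-0:0:0 means the password never expires


def effective_age(general_line: str, user_line: Optional[str]) -> Optional[timedelta]:
    """A user-specific policy takes precedence, even when it is less restrictive."""
    chosen = user_line if user_line is not None else general_line
    return parse_max_password_age(chosen)


def audit(general_line: str, user_lines: Dict[str, Optional[str]],
          limit: timedelta = timedelta(days=90)) -> Dict[str, str]:
    """Map each user to a finding when the effective lifetime is unlimited or > limit.

    The 90-day default is a hypothetical threshold, not a product default.
    """
    findings = {}
    for user, line in user_lines.items():
        age = effective_age(general_line, line)
        if age is None:
            findings[user] = "unlimited"
        elif age > limit:
            findings[user] = f"exceeds limit ({age.days} days)"
    return findings


# Constructed sample lines, not captured from a real system.
GENERAL = "Maximum password age: 31-08:30:00"
USERS = {
    "dlucas": "Maximum password age: 0-0:0:0",          # user override: unlimited
    "sec_master": None,                                 # assumed: no user-specific policy
    "Mary Jones": "Maximum password age: 180-00:00:00",  # user override: weaker than general
}

if __name__ == "__main__":
    for user, reason in audit(GENERAL, USERS).items():
        print(f"{user}: {reason}")
```

Because a user-specific value overrides the general policy in either direction, an audit that reads only the general policy misses accounts such as dlucas in the sample data.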