policy set

Sets the policy for user passwords, account rules, and conditions. Requires authentication (administrator ID and password) to use this command.

Syntax

policy set account-expiry-date {unlimited|absolute_time|unset} [-user user_name]

policy set disable-time-interval {number|unset|disable} [-user user_name]

policy set max-concurrent-web-sessions {number|displace|unlimited|unset} [-user user_name]

policy set max-login-failures {number|unset} [-user user_name]

policy set max-password-age {unset|relative_time} [-user user_name]

policy set max-password-repeated-chars {number|unset} [-user user_name]

policy set min-password-alphas {unset|number} [-user user_name]

policy set min-password-length {unset|number} [-user user_name]

policy set min-password-non-alphas {unset|number} [-user user_name]

policy set password-spaces {yes|no|unset} [-user user_name]

policy set tod-access {{anyday|weekday|day_list}:{anytime|time_spec} [:{utc|local}]|unset} [-user user_name]

Description

There is no fixed valid range for numeric values; any number is accepted. However, choose a number that is reasonable for the task that you want to complete. For example, a minimum password length must be long enough to protect your system: a password that is too short is easy for someone to determine by trying different combinations.

When you define the password policy, ensure that this definition complies with the password policy of the underlying operating systems and user registries.

Options

account-expiry-date {unlimited|absolute_time|unset}
Sets the account expiration date. The absolute_time format is specified in the following format:
YYYY-MM-DD-hh:mm:ss
The hours must be entered by using a 24-hour clock (for example, 09 for 9 a.m. or 14 for 2 p.m.). The default value is unset.
If you set the account expiration date, it is set for all accounts that do not use the -user user_name option. By default, the sec_master user account has a per-user account expiration date of unlimited. If you set the account expiration date to unlimited, do the following actions:
  • Set max-password-age to 0 for unlimited.
  • Set tod-access to anyday:anytime:local.
  • Use the -user user_name option.
disable-time-interval {number|unset|disable}
Sets the time, in seconds, to disable each user account when the maximum number of login failures is exceeded. Security Access Manager does not impose an upper limit for the maximum number allowed. Use a range from 0 (unlimited) to a number that represents the value that is most logical for the parameter you are trying to set. The default value is 180 seconds.
max-concurrent-web-sessions {number|displace|unlimited|unset}
Sets the maximum number of concurrent web sessions. This policy applies only to certain components. A web session is a user session that is maintained by a web security solution, such as WebSEAL or the Plug-in for Web Servers. See the IBM Knowledge Center to determine whether this setting is applicable and whether specific configuration options are required to enforce this policy.
This option supports the following values:
number
Specifies the maximum number of concurrent web sessions that can be established. This value is a number that is equal to or greater than one.
displace
Specifies that if a user starts a new web session, any existing web session ends.
unlimited
Allows unlimited concurrent web sessions.
unset
Specifies to unset concurrent web session policy.
max-login-failures {number|unset}
Sets the maximum number of login failures allowed. Security Access Manager does not impose an upper limit for the maximum number allowed. Instead, use a range from zero to a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, it might render the login policy ineffective. The default value is 10.

To enforce maximum login failures, the disable-time-interval parameter must also be set. See disable-time-interval for more information.

max-password-age {unset|relative_time}
Sets the maximum time, in days, that a password is valid. This policy is a global password policy as opposed to the individual user policy. The individual user policy:
  • Is set by using the user modify command with the user_name password-valid option.
  • Enables or disables the validity of a password for the specified user account.
The relative_time option is relative to the number of days since the last password change occurred. The relative_time format is specified in the following format:
DDD-hh:mm:ss

The valid range is from 000-00:00:00 to 999-23:59:59. A value of zero (000-00:00:00) indicates that the password never expires. The default value is 91 days. This value is expressed as 091-00:00:00.

max-password-repeated-chars {number|unset}
Sets the maximum number of consecutive repeated characters that are allowed in a password. Security Access Manager does not impose an upper limit on the maximum number allowed. Instead, use a range from 0 to a number that represents the most logical value for the parameter you are trying to set. If the number is too large, it might render the password policy ineffective. The default value is 2.

Example: If max-password-repeated-chars is set to 2, then password and pspassword are both valid values. However, passsword is not valid because the character s occurs three times consecutively.

min-password-alphas {unset|number}
Sets the minimum number of alphabetic characters that are required in a password. Security Access Manager does not impose an upper limit for the minimum number allowed. Instead, use a number that represents the value that is most logical for the parameter you are trying to set. If the number is too small, it might render the password policy ineffective. The default value is 4.
min-password-length {unset|number}
Sets the minimum password length. Security Access Manager does not impose an upper limit for the minimum number allowed. Instead, use a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, the password policy might be difficult to adhere to. The default value is 8.
min-password-non-alphas {unset|number}
Sets the minimum number of non-alphabetic characters that are required in a password. Security Access Manager does not impose an upper limit for the minimum number allowed. Instead, use a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, the password policy might be difficult to adhere to. The default value is 1.
password-spaces {yes|no|unset}
Sets the policy of whether spaces are allowed in passwords. The default value is unset.
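The following Python script is an added illustration, not code from the pdadmin product or from this reference. It applies the password-composition rules described above (min-password-length, min-password-alphas, min-password-non-alphas, max-password-repeated-chars, password-spaces) to a candidate password, using the documented default values, and parses the max-password-age relative_time format DDD-hh:mm:ss, treating 000-00:00:00 as "never expires". The PasswordPolicy class, the function names, the acceptance of ISO 8601 timestamp strings, and the treatment of a max-password-repeated-chars value of 0 as "no limit" are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Union

# Hypothetical mirror of the password-related policy set options. Field names
# follow the option names in this reference; the defaults are the documented
# defaults, and None stands for "unset" (no restriction).
@dataclass
class PasswordPolicy:
    min_password_length: Optional[int] = 8
    min_password_alphas: Optional[int] = 4
    min_password_non_alphas: Optional[int] = 1
    max_password_repeated_chars: Optional[int] = 2
    password_spaces: Optional[bool] = None      # True == yes, False == no, None == unset
    max_password_age: str = "091-00:00:00"      # relative_time, DDD-hh:mm:ss


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the names of the policy rules that pw violates (empty list == acceptable)."""
    problems: List[str] = []
    alphas = sum(1 for c in pw if c.isalpha())
    non_alphas = len(pw) - alphas

    if policy.min_password_length is not None and len(pw) < policy.min_password_length:
        problems.append("min-password-length")
    if policy.min_password_alphas is not None and alphas < policy.min_password_alphas:
        problems.append("min-password-alphas")
    if policy.min_password_non_alphas is not None and non_alphas < policy.min_password_non_alphas:
        problems.append("min-password-non-alphas")
    # A limit of 2 permits "ss" but rejects "sss", matching the reference's example.
    # Treating 0 as "no limit" is an assumption; the reference does not define 0 here.
    limit = policy.max_password_repeated_chars
    if limit is not None and limit > 0 and longest_run(pw) > limit:
        problems.append("max-password-repeated-chars")
    if policy.password_spaces is False and " " in pw:
        problems.append("password-spaces")
    return problems


_RELATIVE_TIME = re.compile(r"^(\d{3})-(\d{2}):(\d{2}):(\d{2})$")


def parse_relative_time(spec: str) -> Optional[timedelta]:
    """Parse the max-password-age relative_time format DDD-hh:mm:ss.

    Returns None for 000-00:00:00, which the reference defines as "never expires".
    """
    m = _RELATIVE_TIME.match(spec)
    if not m:
        raise ValueError(f"bad relative_time {spec!r}; expected DDD-hh:mm:ss")
    days, hh, mm, ss = (int(x) for x in m.groups())
    if hh > 23 or mm > 59 or ss > 59:
        raise ValueError(f"relative_time {spec!r} is outside 000-00:00:00..999-23:59:59")
    age = timedelta(days=days, hours=hh, minutes=mm, seconds=ss)
    return None if age == timedelta(0) else age


def _as_datetime(value: Union[str, datetime]) -> datetime:
    # Accept ISO 8601 strings (e.g. copied from an audit record) or datetime objects.
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def password_expired(last_change: Union[str, datetime], now: Union[str, datetime],
                     policy: PasswordPolicy) -> bool:
    """True when the password's age has reached the policy's maximum age."""
    max_age = parse_relative_time(policy.max_password_age)
    if max_age is None:
        return False
    return (_as_datetime(now) - _as_datetime(last_change)) >= max_age


if __name__ == "__main__":
    policy = PasswordPolicy()                        # documented defaults
    for candidate in ("password", "pspassword1", "passsword1"):
        print(candidate, check_password(candidate, policy) or "ok")
    print(parse_relative_time("031-08:30:00"))       # 31 days, 8:30:00
```

Under the documented defaults, "password" fails only min-password-non-alphas, "passsword1" fails max-password-repeated-chars because of the three consecutive s characters, and "pspassword1" passes; a max-password-age of 091-00:00:00 marks a password changed on 1 January 2024 as expired on 2 April 2024 but not on 31 March.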
tod-access {{anyday|weekday|day_list}:{anytime|time_spec} [:{utc|local}]|unset}
Sets the time of day access policy.

The day_list is a comma-separated list of days of the week, each of which is represented by a three-character value (for example, mon,wed,fri). The day_list specifies which days of the week you can log in to the account. If you want to list every day of the week, specify anyday; if you do not want to include the weekend days, specify weekday.

The time_spec format is specified in the following format:
hhmm
The format is expressed by using a 24-hour clock. For example, 0900 for 9 a.m. or 1430 for 2:30 p.m. The default value is unset, and the optional time zone is local by default. The time_spec value and time zone specify the time of day when you can log in to the account.
Note:
  • utc=GMT
  • When you modify a password policy, you provide a list of days, start time, and end time. The start time and end time apply to each day on the list. If the specified start time is greater than the specified end time, then the access is allowed until the specified end time of the next day.
-user user_name
Specifies the user whose policy information is to be set. This option is optional. If this option is not specified, the general policy is set. For any specified policy, if a user has a specific policy that is applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy.

A valid user name is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set.

Examples of user names are dlucas, sec_master, and "Mary Jones".
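The following Python script is an added illustration of the tod-access option described above, not code from the pdadmin product or from this reference. It parses a {anyday|weekday|day_list}:{anytime|time_spec}[:{utc|local}] value and decides whether a login at a given moment falls inside the allowed window, including the case in the note above where the start time is greater than the end time and access continues until the end time of the next day. The script assumes that time_spec is a start-end pair written as hhmm-hhmm, that the end time is inclusive, and that the caller supplies a timestamp already expressed in the policy's time zone; the parse_tod_access and login_allowed names and the TodPolicy structure are also assumptions made for this example.

```python
import re
from datetime import datetime
from typing import Optional, Set, Tuple, TypedDict, Union

# datetime.weekday(): Monday == 0 ... Sunday == 6; the reference uses three-letter day names.
DAY_ABBR = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


class TodPolicy(TypedDict):
    days: Set[int]                       # weekday numbers on which login is allowed
    window: Optional[Tuple[int, int]]    # (start, end) as minutes after midnight; None == anytime
    tz: str                              # "utc" or "local"


def parse_tod_access(spec: str) -> Optional[TodPolicy]:
    """Parse '{anyday|weekday|day_list}:{anytime|hhmm-hhmm}[:{utc|local}]' or 'unset'.

    The hhmm-hhmm start-end form of time_spec is an assumption made for this example.
    """
    if spec == "unset":
        return None
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad tod-access {spec!r}")
    days_part, time_part = parts[0], parts[1]
    tz = parts[2] if len(parts) == 3 else "local"      # local is the documented default
    if tz not in ("utc", "local"):
        raise ValueError(f"bad time zone {tz!r}; expected utc or local")

    if days_part == "anyday":
        days = set(range(7))
    elif days_part == "weekday":
        days = set(range(5))                           # mon..fri, weekend excluded
    else:
        days = set()
        for d in days_part.split(","):
            if d not in DAY_ABBR:
                raise ValueError(f"bad day {d!r} in day_list")
            days.add(DAY_ABBR.index(d))

    if time_part == "anytime":
        window = None
    else:
        m = re.fullmatch(r"(\d{2})(\d{2})-(\d{2})(\d{2})", time_part)
        if not m:
            raise ValueError(f"bad time_spec {time_part!r}; expected hhmm-hhmm")
        sh, sm, eh, em = (int(x) for x in m.groups())
        if max(sh, eh) > 23 or max(sm, em) > 59:
            raise ValueError(f"time_spec {time_part!r} is not a 24-hour clock time")
        window = (sh * 60 + sm, eh * 60 + em)
    return {"days": days, "window": window, "tz": tz}


def login_allowed(policy: Optional[TodPolicy], when: Union[str, datetime]) -> bool:
    """Decide whether a login at `when` is inside the policy's day/time window.

    `when` is a datetime or an ISO 8601 string, already expressed in the policy's
    time zone (utc or local). The end of the window is treated as inclusive.
    """
    if policy is None:                                 # unset: no time-of-day restriction
        return True
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    day = when.weekday()
    minute = when.hour * 60 + when.minute
    if policy["window"] is None:
        return day in policy["days"]
    start, end = policy["window"]
    if start <= end:                                   # window lies within one day
        return day in policy["days"] and start <= minute <= end
    # start > end: the window runs past midnight, so access is allowed until the
    # end time of the following day. Either we are at or after the start on a
    # listed day, or at or before the end on the day after a listed day.
    if day in policy["days"] and minute >= start:
        return True
    previous_day = (day - 1) % 7
    return previous_day in policy["days"] and minute <= end


if __name__ == "__main__":
    night_shift = parse_tod_access("fri:2200-0600:utc")
    for stamp in ("2024-01-05T23:00", "2024-01-06T03:00", "2024-01-06T12:00"):
        print(stamp, login_allowed(night_shift, stamp))
```

With fri:2200-0600:utc, a login at 03:00 UTC on Saturday 6 January 2024 is allowed because the window opened on the listed Friday and runs until 06:00 the next day, while Saturday noon and Friday 03:00 (before the window opens, and Thursday is not listed) are refused.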

Return codes

0
The command completed successfully.
1
The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.

Examples

  • The following example sets the account expiration date of December 30, 1999, at 11:30 p.m. for the specified user dlucas:
    pdadmin sec_master> policy set account-expiry-date 1999-12-30-23:30:00 -user dlucas
  • The following example sets the maximum password age of 31 days, 8 hours, 30 minutes, and 0 seconds for the specified user dlucas:
    pdadmin sec_master> policy set max-password-age 031-08:30:00 -user dlucas
  • The following example sets the maximum of 12 concurrent web sessions:
    pdadmin sec_master> policy set max-c 12

See also

policy get