policy get
Displays the policy for user passwords, account rules, and conditions. Requires authentication (administrator ID and password) to use this command.
Syntax
policy get account-expiry-date [-user user_name]
policy get disable-time-interval [-user user_name]
policy get max-concurrent-web-sessions [-user user_name]
policy get max-login-failures [-user user_name]
policy get max-password-age [-user user_name]
policy get max-password-repeated-chars [-user user_name]
policy get min-password-alphas [-user user_name]
policy get min-password-length [-user user_name]
policy get min-password-non-alphas [-user user_name]
policy get password-spaces [-user user_name]
policy get tod-access [-user user_name]
Options
-user user_name - Specifies the user whose policy information is to be displayed. If this option is not specified, the general policy is displayed. For any specified policy, if a user has a specific policy that is applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy. Examples of user names are dlucas, sec_master, and "Mary Jones". (Optional)
account-expiry-date - Displays the account expiration date.
disable-time-interval - Displays the time, in seconds, to disable user accounts when the maximum number of login failures is exceeded.
max-concurrent-web-sessions - Displays the maximum number of concurrent web sessions. The value is a number equal to or greater than 1 or one of the following values:
- displace
- All existing web sessions end when the user starts a new web session.
- unlimited
- The user can start an unlimited number of web sessions.
- unset
- The web session policy is not set.
This policy applies only to certain components. A web session is a user session that is maintained by a web security solution, such as WebSEAL or the plug-in for web servers. See the IBM Knowledge Center to determine whether this setting is applicable and whether specific configuration options are required to enforce this policy.
max-login-failures - Displays the maximum number of login failures. To enforce maximum login failures, the disable-time-interval parameter must be set. For more information, see the disable time interval section.
max-password-age - Displays the maximum time that a password is valid. The time is indicated in days, expressed as 000-00:00:00. For example, 31-08:30:00 for 31 days, 8 hours, 30 minutes, 0 seconds. This time is relative to the last time the password was changed.
max-password-repeated-chars - Displays the maximum number of repeated characters that are allowed in a password.
min-password-alphas - Displays the minimum number of alphabetic characters that are required in a password.
min-password-length - Displays the minimum password length.
min-password-non-alphas - Displays the minimum number of non-alphabetic characters that are required in a password.
password-spaces - Displays whether spaces are allowed in passwords.
tod-access - Displays the time of day access policy.
Return codes
- 0
- The command completed successfully.
- 1
- The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the Security Access Manager error messages by decimal or hexadecimal codes.
Examples
- The following example returns the account expiration date of unlimited for the specified user dlucas:
  pdadmin sec_master> policy get account-expiry-date -user dlucas
  Account expiry date: unlimited
- The following example returns the maximum time of 0 days, where zero indicates unlimited, that the password is valid for the specified user dlucas:
  pdadmin sec_master> policy get max-password-age -user dlucas
  For unlimited password age, returns information like:
  Maximum password age: 0-0:0:0
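Because a user-specific policy takes precedence even when it is less restrictive, an audit has to compare each user's value with the general one. The following is an added example, not part of the IBM documentation: it parses captured max-password-age output lines in the format shown above and flags users whose specific policy is weaker than the general policy. The function names, the sample values, and the use of None to mean "no user-specific value captured" are assumptions of this example.

```python
import re

# Output line format taken from the page's example: "Maximum password age: 0-0:0:0"
_AGE_RE = re.compile(r"^Maximum password age:\s*(\d+)-(\d+):(\d+):(\d+)\s*$")


def parse_max_password_age(line):
    """Return the age in seconds; 0 means unlimited, as the page states."""
    m = _AGE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised policy output: {line!r}")
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def effective_age(general_line, user_line=None):
    """A user-specific policy wins over the general one, weaker or not."""
    chosen = user_line if user_line is not None else general_line
    return parse_max_password_age(chosen)


def audit(general_line, user_lines):
    """Flag users whose specific policy is weaker than the general policy.

    user_lines maps user name -> captured output line, or None when no
    user-specific value was captured (a representation chosen for this example).
    """
    general = parse_max_password_age(general_line)
    findings = {}
    for user, line in sorted(user_lines.items()):
        age = effective_age(general_line, line)
        if age == 0 and general != 0:
            findings[user] = "unlimited password age overrides general policy"
        elif general != 0 and age > general:
            findings[user] = f"password age {age}s exceeds general {general}s"
    return findings


# Constructed sample data: a general policy and three users.
GENERAL = "Maximum password age: 90-00:00:00"
USERS = {
    "dlucas": "Maximum password age: 0-0:0:0",          # unlimited
    "sec_master": "Maximum password age: 31-08:30:00",  # stricter than general
    "Mary Jones": None,                                 # inherits general
}

if __name__ == "__main__":
    for user, issue in audit(GENERAL, USERS).items():
        print(f"{user}: {issue}")
```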