Modify User Policy

Overview

This function specifies a user policy (Password Policy and Lockout Policy) for user accounts to be registered in the storage system.

"Password Policy" indicates the creation guidelines for a password such as the complexity and lifetime. This setting is applied when the password for the new user account is registered or when the password for an existing user account is changed. "Lockout Policy" indicates the guidelines for a lockout when the authentication fails. This setting is used when users log in to the storage system.

Use this function to improve the Internal Authentication (*1) security. Set whether to enable or disable a user policy for each user account.

*1

:

This is the standard authentication type. Internal Authentication uses user account information stored in the storage system to verify the input user account.

Caution

A user policy cannot be applied for the following user accounts.
- User accounts with the "Software" role that is used for external software
- User accounts used for RADIUS authentications
The specified contents of this function are applied to the storage system immediately after the settings are complete. Note that the "Lockout Policy" is applied the next time the relevant user logs in.
If a user account with the "Password Policy" setting enabled is used to log in and the "Maximum Password Age" of the relevant user account has expired, the [Change Password] screen appears. Users cannot log in until the password is changed.
If a user account with the "Lockout Policy" setting enabled is used to log in and the number of failed authentications exceeds the "Lockout Threshold", the relevant user account is locked out. The lockout is not released until the specified "Lockout Duration" passes.

Note

One user policy can be specified in the storage system. Select whether to enable or disable the user policy for each user account when creating new user accounts or when editing existing user accounts. A user policy can also be set for the default user IDs ("root" and "f.ce"). Refer to the [Setup User Account] function for details.
When a user account is initialized, the user policy for the default account is changed to "Disable". Refer to the [Initialize User Account] function for details.

User Privileges

Availability of Executions in the Default Role

Default role	Availability of executions
Monitor
Admin
StorageAdmin
AccountAdmin
SecurityAdmin
Maintainer

Refer to "User Roles and Policies" for details on the policies and roles.

Settings

Password Policy

Item	Description	Setting values
Minimum Password Length	Specify the minimum length of the password. Note If "Password Policy" is enabled, "Minimum Password Length" is displayed in the [Setup User Account] screen and the [Change User Password] screen. Refer to the [Setup User Account] function or the [Change User Password] function for details.	4 - 64 4 (Default)
Password Complexity	Select whether to "Enable" or "Disable" the complexity setting for the password. If "Enable" is selected, at least three of the following character types must be used for the password. Uppercase letters (A - Z) Lowercase letters (a - z) Numeric characters (0 - 9) Symbols ('!', '"', '#', '$', '%', '&', ''', '(', ')', '*', '+', ',', '-', '.', '/', '@', '[', '\', ']', '^', '_', '`', '{', '\|', '}', '~', ':', ';', '<', '=', '>', '?')	Enable Disable (Default)
Password History	Specify the number of password generations to save in the storage system. If the number of generations is specified, the previously set password is stored to prevent reuse. If "0" is specified, a history of the passwords used is not managed. This means that the same password that was used in the previous generation can be reused.	1 - 16 0: Unrestricted (Default)
Minimum Password Age	Specify the minimum number of days before the password can be changed from the last time the password was specified. The password cannot be changed during the specified days. If "0" is specified, the password can be changed at anytime. Caution The value of this item must be smaller than the value of the "Maximum Password Age". Note If "Password Policy" is enabled, "Days To Password Change" is displayed in the [Setup User Account] screen and the [Change User Password] screen. Refer to the [Setup User Account] function or the [Change User Password] function for details.	1 - 999 0: Unrestricted (Default)
Maximum Password Age	Specify the maximum number of days the password can be used. The relevant password becomes unavailable when the specified number of days has been exceeded. If "0" is specified, the password can be used indefinitely. Note If "Password Policy" is enabled, "Days To Expiration" is displayed in the [Setup User Account] screen and the [Change User Password] screen. Refer to the [Setup User Account] function or the [Change User Password] function for details. If "Password Policy" is enabled, a system message appears in the [Overview] screen when the password will expire in 14 days. Refer to the [Overview] function for details.	1 - 999 0: Unrestricted (Default)

Lockout Policy

Item	Description	Setting values
Lockout Threshold	Specify the number of consecutive failed logins before the user account is locked out. If "0" is specified, the lockout function for the user account is disabled. Note If "0" is specified for this item, "30" minutes is set for the "Lockout Duration" setting.	1 - 999 0: Unrestricted (Default)
Lockout Duration	Specify the time (minutes) before the user account that was locked out due to failed logins is automatically released. After the specified time has passed, the lockout is released automatically. If "0" is specified, lockouts are not automatically released. Caution If the lockout state of the user account cannot be released automatically, release the lockout state using one of the following operations. Ask the administrator who manages the user account to disable the "Lockout Policy" for the locked out user account. Refer to the [Setup User Account] function for details. Reboot the storage system to initialize the lockout state.	1 - 99999 30 (Default) 0: Unrestricted

Item

Description

Setting values

Lockout Threshold

Specify the number of consecutive failed logins before the user account is locked out.

If "0" is specified, the lockout function for the user account is disabled.

Note

If "0" is specified for this item, "30" minutes is set for the "Lockout Duration" setting.

1 - 999

0: Unrestricted (Default)

Lockout Duration

Specify the time (minutes) before the user account that was locked out due to failed logins is automatically released.

After the specified time has passed, the lockout is released automatically.

If "0" is specified, lockouts are not automatically released.

Caution

If the lockout state of the user account cannot be released automatically, release the lockout state using one of the following operations.
- Ask the administrator who manages the user account to disable the "Lockout Policy" for the locked out user account. Refer to the [Setup User Account] function for details.
- Reboot the storage system to initialize the lockout state.

1 - 99999

30 (Default)

0: Unrestricted

Operating Procedures

Click [Modify User Policy] in [Action].
Specify the parameters, and click the [Modify] button.

→ A confirmation screen appears.
Click the [OK] button.

→ The user policy setting starts.
Click the [Done] button to return to the [Define Role] screen.