About Sign-In and Password Policies

Oracle CRM On Demand provides the highest levels of security for your company. Security constraints have been built in to ensure that only authorized users have access to your data.

Additionally, you can enforce certain sign-in, password, and authentication policies to raise the level of security within your company. For example, you can set the sign-in timeout to 15 minutes to better adhere to your corporate security policies. If any of your users forget their password, they can receive a new one by answering a set of validation questions. As an added security measure, you can specify the number of hours for which an active session can last. For example, you can set up a user’s active login session to last an hour. When the user reaches the active session limit and tries to perform an action within Oracle CRM On Demand, the user is forced to enter their login credentials before continuing the session.

Security Considerations

Before you set up your sign-in and password controls, you need to carefully consider your security needs. Some of the questions you should answer are:

  • What type of user ID do you want to use?
  • How long do you want a user's system-generated temporary password to be valid for?
  • What is the maximum number of sign-in attempts that are allowed before a user is locked out of the application?
  • How long will the sign-in lockout be for?
  • How often do you want users to change their passwords?
  • Do new passwords have to be different from old passwords?
  • What is the minimum password length?
  • How many security questions must be answered successfully by users to enable them to reset their password if they forget it?
  • How many security questions must be answered correctly before the application automatically resets a user's password?
  • Do you want to allow users to change their user IDs or email addresses?
  • How long do you want a user’s active session to last for?

When you have defined your sign-in and password policies, you can implement them in the Company Administration pages in the application.

Password Setting Changes

If you make changes to the password settings, the system does not enforce the changes until the current passwords expire. For example, if you change the minimum password length from seven characters to 10 and a user already has a seven-character password, the user can use the seven-character password until it expires. At that time, the user will have to create a new password of at least 10 characters.

It is best to set the internal policy and select the settings before adding new users to the system. If, however, you must make a change to your security policy immediately, you can reset all user passwords. This action sends an email to all the users in your company, providing them with a new temporary password. You must have the Manage Company - Reset All Passwords privilege to do this.

What Happens When Users Forget Their Password?

Users who have the Reset Personal Password privilege in their role can submit a request to reset their password if they forget it. They can use the Can't Access Your Account? link on the Oracle CRM On Demand sign-in page. You must define the minimum number of security questions and answers that users must provide to have their password reset. When this feature is set up, users can reset their own Oracle CRM On Demand password without the company administrator intervening.

