Security Policy Settings

Security Policy - Sign In

| Setting | Description | Location |
|---|---|---|
| Show the legal agreement to users at login. | Yes, No (default). | Configuration > [Security] Security Policies |

Security Policy - User Account

| Setting | Description | Location |
|---|---|---|
| Number of incorrect sign-in attempts allowed per user before his/her account is locked | Unlimited, 3 (default), 5, 10, 15, 20, 100. Determines the maximum number of times a user can enter incorrect information during sign-in before the user's account is locked. | Configuration > [Security] Security Policies |
| Period during which the system prevents access to an account that has been locked | Permanent (default); 2, 5, 10, 15 minutes; 1, 4 hours; 1 day; 1 week; 30 days. | Configuration > [Security] Security Policies |
| When creating a user account, send an email to user to confirm registration and password. | Yes, No (default). | Configuration > [Security] Security Policies |
| Maximum age of Access Codes which are accepted for authentication (in hours) | 1 to 1440 (default is 720) | Configuration > [Security] Security Policies |
| When creating a user account, generate automatically a user name. | Yes, No (default). | Configuration > [Security] Security Policies |
| When creating a user account, generate automatically a password. | Yes, No (default). | Configuration > [Security] Security Policies |
| User account validation on creation | Yes, No (default). For details, see Details on the "User account validation on creation" setting. | Configuration > [Security] Security Policies |

Security Policy - Password

| Setting | Description | Location |
|---|---|---|
| Allow a password to be valid for X days (leave the field empty if you want passwords to be always valid) | Number of days before a user must change his/her password. Leaving the field empty means that the password is always valid. | Configuration > [Security] Security Policies |
| When a password change is required, prevent the reuse of the previous X passwords | Number of password changes required before a user can use a password that he/she has used previously. Entering 0 disables the feature. Default: 0. | Configuration > [Security] Security Policies |
| Require passwords that contain at least X characters | 6 to 20. | Configuration > [Security] Security Policies |
| Require passwords that contain no more than X characters | 6 to 50. The lowest value offered is the number selected in the setting "Require passwords that contain at least X characters". For example, if you selected 10 characters, the system will indicate a possible value between 10 and 50. | Configuration > [Security] Security Policies |
| Require passwords that contain at least X letters of the Roman alphabet | 0 to 20. The number of characters cannot exceed the number indicated in the setting "Require passwords that contain at least X characters". | Configuration > [Security] Security Policies |
| Require passwords that contain at least X lowercase letters of the Roman alphabet | 0 to 20. The number of characters cannot exceed the number indicated in the setting "Require passwords that contain at least X characters". | Configuration > [Security] Security Policies |
| Require passwords that contain at least X uppercase letters of the Roman alphabet | 0 to 20. The number of characters cannot exceed the number indicated in the setting "Require passwords that contain at least X characters". | Configuration > [Security] Security Policies |
| Require passwords that contain at least X numeric characters | 0 to 20. The number of characters cannot exceed the number indicated in the setting "Require passwords that contain at least X characters". | Configuration > [Security] Security Policies |
| Require passwords that contain at least X characters other than letters and numbers (! # $ % & ( ) * + , - . / : ; < = > ? @ [ ] _ ` { \| } ~) | 0 to 20. The number of characters cannot exceed the number indicated in the setting "Require passwords that contain at least X characters". | Configuration > [Security] Security Policies |
| Require passwords that contain no more than X identical consecutive characters | 2, 3, 4, 5. The number of characters cannot exceed the number indicated in the setting "Require passwords that contain at least X characters". | Configuration > [Security] Security Policies |
| Require passwords that do not contain the user's first name | Yes, No (default). | Configuration > [Security] Security Policies |
| Require passwords that do not contain the user's last name | Yes, No (default). | Configuration > [Security] Security Policies |
| Require passwords that do not contain the corresponding user name | Yes (default), No. | Configuration > [Security] Security Policies |
| Require passwords that do not contain the user's email address | Yes, No (default). | Configuration > [Security] Security Policies |
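
The following is an added example, not code from the product or its documentation: a Python check that first validates a password policy against the ranges and cross-setting limits in the table above, then tests a candidate password against it. The field names and sample values are hypothetical; treating "Roman alphabet" as ASCII A-Z/a-z and matching personal data as case-insensitive substrings are assumptions.

```python
from dataclasses import dataclass, field
from itertools import groupby

# Special characters exactly as listed in the settings table above.
SPECIALS = set("!#$%&()*+,-./:;<=>?@[]_`{|}~")

@dataclass
class Policy:  # hypothetical names; values are constructed, not product defaults
    min_len: int = 10
    max_len: int = 50
    max_run: int = 2  # identical consecutive characters allowed
    minimums: dict = field(default_factory=lambda: dict(
        letters=2, lower=1, upper=1, digits=1, special=1))
    forbidden: tuple = ("first_name", "last_name", "user_name", "email")

def policy_errors(p):
    """Range and cross-setting limits stated in the table."""
    errs = []
    if not 6 <= p.min_len <= 20:
        errs.append("min_len outside 6..20")
    if not p.min_len <= p.max_len <= 50:
        errs.append("max_len outside min_len..50")
    if p.max_run not in (2, 3, 4, 5):
        errs.append("max_run outside 2..5")
    errs += [f"{k} minimum exceeds min_len" for k, v in p.minimums.items() if v > p.min_len]
    return errs

def password_violations(pw, p, user):
    """Return the names of the policy rules that pw breaks for this user record."""
    letters = [c for c in pw if c.isascii() and c.isalpha()]  # assumption: ASCII only
    counts = {
        "letters": len(letters),
        "lower": sum(c.islower() for c in letters),
        "upper": sum(c.isupper() for c in letters),
        "digits": sum(c.isascii() and c.isdigit() for c in pw),
        "special": sum(c in SPECIALS for c in pw),
    }
    out = [k for k, n in counts.items() if n < p.minimums.get(k, 0)]
    if not p.min_len <= len(pw) <= p.max_len:
        out.append("length")
    if max((len(list(g)) for _, g in groupby(pw)), default=0) > p.max_run:
        out.append("max_run")
    # Assumption: personal-data checks are case-insensitive substring matches.
    out += [f for f in p.forbidden if user.get(f) and user[f].lower() in pw.lower()]
    return out

# Constructed sample user record for trying the checks.
SAMPLE_USER = {"first_name": "Dana", "last_name": "Okafor",
               "user_name": "dokafor", "email": "dana.okafor@example.com"}
```

Running `policy_errors` before saving a policy catches settings that contradict each other, such as a digit minimum larger than the minimum password length.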

Security Policy - Forgot Password

| Setting | Description | Location |
|---|---|---|
| Use this method to change passwords | There are several options for users to recover their password. It can be via an access code, security questions, or by contacting the system administrator. For details on each option, see Details on the "Use this method to change passwords" setting. | Configuration > [Security] Security Policies |
| Require X security questions | Possible values are 1, 2, 3. | Configuration > [Security] Security Policies |
| Require answers that contain at least X characters (X must be greater than 0) | | Configuration > [Security] Security Policies |
| Number of attempts allowed per user to answer the security question | Possible values are 3, 5. | Configuration > [Security] Security Policies |
| Lock a user's account when the number of attempts allowed to answer the security question is exceeded | Yes, No. | Configuration > [Security] Security Policies |
| Mask the security answer values | Yes, No. | Configuration > [Security] Security Policies |

Details on the "Use this method to change passwords" setting

The change password procedure offers six authentication options:

| Options of the "Use this method to change passwords" Setting | Description |
|---|---|
| Access Code | An email containing an access code is sent to the user once the user has confirmed his/her email address. |
| Security Questions | The user is asked to answer the security questions (from 1 to 3) previously entered in his/her profile. If the answer is correct, the user is invited to enter a new password. |
| Security Questions and Access Code | The user is asked to answer the security questions (from 1 to 3) previously entered in his/her profile. If the answer is correct, an email containing an access code is sent to the user once the user has confirmed his/her email address. |
| Security Questions or Access Code | The user is asked to answer the security questions (from 1 to 3) previously entered in his/her profile. If the answer is correct and the user has an email address, an access code is sent to the user once the user has confirmed his/her email address. If the user does not have an email address and the answer to the security question is correct, access to the application is granted and the user is invited to change his/her password. |
| Security Questions and/or Access Code | When this option is activated, one of the following situations will happen. See Details on the "Security Questions and/or Access Code" option. |
| Contact System Administrator | The user is asked to contact the system administrator. Only the system administrator can then generate a new password and communicate it to the user. |

Details on the "Security Questions and/or Access Code" option

| The user has an email address | Security questions were activated | Outcome |
|---|---|---|
| Yes | Yes | The user will have to answer the security questions correctly and an access code will be emailed. |
| Yes | No | The user will receive an access code by email. |
| No | Yes | The user will have to answer the security questions correctly to be able to access the application. |
| No | No | The user will be asked to contact technical support. |

Details on the “User account validation on creation” setting

A two-step validation process is available when creating user accounts.

Step 1: When you create a user account, the system checks whether the email address is unique among the user accounts created in SmartOrg.

  • If the email address exists, an error message is displayed.

  • If the email address doesn’t exist, the user account is created and is set as Inactive.

Step 2: The user receives an email requesting that they activate their account. The email contains a link that the user must use to activate the account. Once the account is activated, the user can log in to the system.

This process supersedes the option to send a user’s password by email.

Temporary user accounts created through a candidate onboarding process bypass the email uniqueness criterion but must be activated before the user can log in.

This process also works for user accounts created with TCC. The administrator must enable the setting Allow Integration Sending Email.