Configuration and Administration

Account Policy

An Account Policy controls user login and password security attributes such as:

  • user password expiration
  • warning period to alert a user that their password is about to expire
  • history of already-used passwords that cannot be re-used until recycled
  • number of login attempts (with wrong password) to allow as well as a lockout duration when a user exceeds the maximum number of login attempts
  • number of days to allow a login to be dormant before expiring the user account
  • login history to keep track of when a user logs in or attempts to log in to Oracle Transportation Management
  • rules that define the content of a password (for example, the minimum number of characters, alpha/numeric/mixed characters, etc.)

OTM provides a very basic default Account Policy with bare minimum password rules to ensure that a reasonably strong password is entered. This default Account Policy, called BASIC PASSWORD RULES, is populated by default in the Account Policy ID field on the User Manager for new users and for existing users who do not already have an account policy.

Note: The Account Policy function can be turned on or off system-wide using the glog.login.suppressAccountPolicy property. It is recommended that you keep this feature off for Oracle Transportation Management instances using Single Sign-On by setting Suppress to true.

Defining Public Account Policies:

  • NO RESTRICTIONS: no restrictions on passwords or rules definitions.
  • STANDARD: includes a 90-day Expiration Duration, 1-day warning period, a history of 10 used passwords, 3 attempts before lockout, a 30-minute lockout duration, 120 days for account dormancy, active login history, and several common rules for password content.

Changing Account Policies

Changing a user's account policy in the User Manager resets account information including expiration date and password history. However, changing policy details via the Account Policy manager does not reset any user accounts. This is intentional since it is difficult to determine whether policy changes should affect existing users. You can use the Reset User Accounts action to search for all users of the selected account policies and reset their accounts.

Account Policy Definition

Follow these steps to create an Account Policy definition. This page is accessed via Configuration and Administration > User Management > Account Policy.

Note: You must complete all fields to successfully create the policy.

  1. Enter a unique name for the Account Policy. You will use this name to search and make the assignment between the account policy and the user on the User Manager page.
  2. Enter the Expiration Duration in days to define how long a password is valid. Zero (0) means the password never expires. The expiration duration is calculated based on when the password was initially created or changed.
  3. Enter the Expiration Warning Period (Days) to determine when to alert users that their password is about to expire. The warning period is calculated based on when the password was initially created or changed; therefore, enter a value that is less than the expiration duration. The Change Password page automatically appears after a user logs in during the warning period. The user can either change the password immediately or skip the password change and log in.

    Note: If you create a new account policy with a value of 1 for the Expiration Warning Period (Days) and/or Expiration Duration (Days), this means 24 hours from when the Account Policy is committed to the database and NOT the next calendar day. For example, if you create an Account Policy with an Expiration Warning Period of 1 at 3PM on 2/24/2007 EST then the user assigned to this Account Policy will not be warned that their password is expiring until after 3PM on 2/25/2007 EST.

  4. Enter the Number of Passwords for History to have Oracle Transportation Management save a history of used passwords that cannot be re-used. If you enter zero, all passwords can be re-used. Once you go over the maximum number, passwords are recycled based on the sequence in which they were used.
  5. Select the Change After Reset check box to identify whether a password that was preset by the system or reset by an administrator via the User Manager expires upon the first user login. For example, if you create a new user and assign a policy with this check box marked, the new user will be prompted to change their password during the first login.
  6. Enter a value in the Max Attempts Until Account Lockout field to define the number of login attempts allowed before an account is locked out. If the number is zero, there is no lockout and a user can continue to try logging in for an unlimited number of times. If you specify a value greater than zero, use the next field to specify a lockout duration.

    Note: If a user is assigned to an account policy with the Keep Login History check box unmarked, then a user entering an invalid password will not get locked out, regardless of the value entered in this field.

  7. Specify a Lockout Duration, which is how long (in days, hours, or minutes) to lock out an account after exceeding the maximum allowed login attempts. Once the duration is exceeded, login attempts can resume.

    Note: If a user is locked out and the administrator resets that user's password, then the user's password history is removed.

  8. Enter the Max Days of Account Dormancy, which is the maximum number of days allowed between logins before an account is disabled. Oracle Transportation Management tracks a user's last login date to determine when to make an account dormant based on the value (in days) that you enter. Enter zero to make the account current at all times. If an account is dormant because of a long period of inactivity, any login attempt will result in an Invalid user name/password message. To reactivate a dormant account, an administrator must reset the password.
  9. Select the Keep Login History check box to have Oracle Transportation Management maintain a login history for the user. The Oracle Transportation Management administrator can review the history using the Login History menu option.
  10. Click Finished to save the Account Policy.
    OR

    Continue to create password rules described below.

Password Rules

Password rules allow you to define content definitions for passwords. For example, you can define rules that determine the number and type of characters (alpha, numeric, or alphanumeric). To define rules, you must understand how to construct regular expressions.

Sample rules:

  • .{8,} password must have at least eight characters.
  • \p{Alpha} password must contain at least one alphabetic character.
  • \p{Digit} password must contain at least one numeric character.

  1. Define a Password Rule by entering a regular expression defining the text pattern of the password, such as length, characters allowed, etc.
  2. Use the Rule Explanation field to record a description of the rule in plain language.
  3. Click Save for each password rule you enter.

    Note: A password must satisfy ALL the rules for a given Account Policy.

  4. Click Finished.
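
An offline check for trying out rules before saving them, as an added example (not Oracle's code). It assumes a rule passes when its pattern is found anywhere in the password, which is what the sample rule descriptions ("must contain at least one") imply; the class name, method name and sample passwords are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class PasswordRuleCheck {
    // Password Rule -> Rule Explanation, using the three sample rules from this page.
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put(".{8,}", "at least eight characters");
        RULES.put("\\p{Alpha}", "at least one alphabetic character");
        RULES.put("\\p{Digit}", "at least one numeric character");
    }

    // Returns the explanation of every rule the candidate fails.
    // An empty list means the password satisfies ALL rules of the policy.
    // Assumption: a rule passes when the pattern occurs anywhere (find()),
    // not only when it matches the whole password.
    static List<String> failedRules(String candidate) {
        List<String> failed = new ArrayList<>();
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (!Pattern.compile(rule.getKey()).matcher(candidate).find()) {
                failed.add(rule.getValue());
            }
        }
        return failed;
    }

    public static void main(String[] args) {
        // Constructed sample passwords. The last one is Cyrillic letters plus
        // digits: in Java, \p{Alpha} and \p{Digit} are US-ASCII classes unless
        // UNICODE_CHARACTER_CLASS is set, so non-ASCII letters do not count.
        String[] samples = {"abc123", "abcdefgh", "12345678", "abcd1234",
                "\u043f\u0430\u0440\u043e\u043b\u044c1234"};
        for (String s : samples) {
            List<String> failed = failedRules(s);
            System.out.println(s + " -> "
                    + (failed.isEmpty() ? "accepted" : "rejected: " + failed));
        }
        // Whole-string matching, shown for contrast: a one-character rule such
        // as \p{Alpha} can then only match a one-character password.
        System.out.println("whole-string \\p{Alpha} on abcd1234: "
                + Pattern.matches("\\p{Alpha}", "abcd1234"));
    }
}
```

If a rule is meant to constrain the entire password rather than require one occurrence, anchor it explicitly (for example with ^ and $) so its meaning does not depend on how the pattern is applied.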
