
webCOMAND Login Policy

The Login Policy used by webCOMAND leverages all of the default Login Controllers and Login Models that come with the Login Framework.

It also defines settings for password requirements, reset password email templates and more, which can be customized to your specific requirements and preferences.

For more information about how Login Policies work, see the Users Framework.

Controllers

The following functionality is provided through the standard Login Controllers, which can be customized as noted below.

  • Login - Basic username and password login with automated blocking functionality based on a security policy with:
    • IP Attempt Threshold - Number of failed login attempts allowed from a specific IP address, before additional requests from that IP are blocked.
    • Account Attempt Threshold - Number of failed login attempts allowed for an account (username), before additional attempts for that username are blocked.
    • IP/User Agent Threshold - Number of failed login attempts allowed from a specific IP address and User Agent, before additional requests from that IP and User Agent are blocked.  This is similar to the IP Attempt Threshold but can differentiate between different users sharing the same IP address, assuming they are using different User Agents (i.e. web browsers, web browser versions or web browser configurations).  Note that the User Agent is supplied by the client and can be varied freely by an attacker, so this threshold mainly reduces collateral blocking of legitimate users behind a shared address; the IP Attempt Threshold still bounds the total failures allowed from that address.
  • Change - Ability for users to change their password.  Change password has similar security policy options as Login above.
  • Reset - Ability for users to start the reset password process for themselves (aka "forgot password"), and administrators to start the process for any user.  Reset password has similar security policy options as Login above.
    • Welcome Email - An email template to use when a Welcome Email is sent to a new or existing user.  This is triggered from the Manage tab within a User View.
    • Reset Code Email - An email template to use when a Reset Code is sent to an existing user.  It may be sent by the user in the "forgot password" process, or an administrator from the Users App (Manage tab in the User View).
    • Reset Success Email - An email template to use to send an email notification once the user's password has been successfully reset.
    • Reset Check - Whether to check just the user's email, username, or both when starting the Forgot Password workflow.
  • Unlock - Ability for the system to automatically unlock a user account, once certain conditions are met, after the user has been locked out.
  • Logger - Logs user login, lock, unlock and other activity.  The log is used to track users against the security policies above and also serves as an audit trail.
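The following is a worked model of how the three Login thresholds interact with each other and with the Logger's audit trail. It is added here as an illustration and is not taken from webCOMAND's own code: the class and function names, the threshold values, the log line format and the rule that a successful login clears the account and IP/User Agent counters (but not the IP counter) are assumptions made for the example. The scenario runs two legitimate users and an attacker behind one shared address.

```python
"""Model of the Login controller's three attempt thresholds and the Logger's
audit trail. Added example, not webCOMAND's own code: class names, threshold
values, log format and the counter-reset rule on success are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginPolicy:
    # Assumed values for the demo, not webCOMAND defaults.
    ip_attempt_threshold: int = 10
    account_attempt_threshold: int = 5
    ip_user_agent_threshold: int = 3


@dataclass
class LoginGuard:
    policy: LoginPolicy
    users: dict  # assumed store: username -> password (plaintext only for the demo)
    failures: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)

    def _counters(self, ip, username, user_agent):
        # Each failed attempt is counted against all three keys at once.
        return [
            ("ip", ip, self.policy.ip_attempt_threshold),
            ("account", username, self.policy.account_attempt_threshold),
            ("ip_ua", (ip, user_agent), self.policy.ip_user_agent_threshold),
        ]

    def blocked_by(self, ip, username, user_agent):
        """Return the name of the first exhausted threshold, or None."""
        for kind, key, limit in self._counters(ip, username, user_agent):
            if self.failures[(kind, key)] >= limit:
                return kind
        return None

    def login(self, ip, username, user_agent, password):
        """Return 'ok', 'failed' or 'blocked:<kind>' and append an audit log line."""
        kind = self.blocked_by(ip, username, user_agent)
        if kind is not None:
            # Blocked requests are logged but do not raise the counters further.
            self.log.append(f"blocked kind={kind} ip={ip} user={username} ua={user_agent}")
            return f"blocked:{kind}"
        if self.users.get(username) == password:
            # Assumed reset rule: success clears the account and IP/UA counters
            # but not the IP counter, so one valid login behind a shared address
            # does not wipe out failures accumulated by other clients on it.
            self.failures[("account", username)] = 0
            self.failures[("ip_ua", (ip, user_agent))] = 0
            self.log.append(f"login ip={ip} user={username} ua={user_agent}")
            return "ok"
        for kind, key, _ in self._counters(ip, username, user_agent):
            self.failures[(kind, key)] += 1
        self.log.append(f"failed ip={ip} user={username} ua={user_agent}")
        return "failed"


def demo_scenario():
    """Two users behind one NAT address, plus an attacker guessing alice's password.

    Returns the list of login outcomes in order and the guard, so the audit
    log and counters can be inspected. All inputs are constructed sample data.
    """
    ip = "203.0.113.7"
    curl, wget = "curl/8.0", "Wget/1.21"   # attacker user agents
    firefox = "Mozilla/5.0 (X11; Linux) Firefox/120"
    guard = LoginGuard(LoginPolicy(), users={"alice": "alice-pass", "bob": "bob-pass"})
    results = [guard.login(ip, "alice", curl, "wrong") for _ in range(4)]
    results += [guard.login(ip, "alice", wget, "wrong") for _ in range(3)]
    results.append(guard.login(ip, "bob", firefox, "bob-pass"))      # unaffected
    results.append(guard.login(ip, "alice", firefox, "alice-pass"))  # account locked
    return results, guard


if __name__ == "__main__":
    outcomes, guard = demo_scenario()
    for outcome, line in zip(outcomes, guard.log):
        print(f"{outcome:16} {line}")
```

In the scenario the attacker's fourth attempt with curl trips the IP/User Agent threshold, switching to Wget buys only two more guesses before the Account Attempt Threshold locks alice entirely (even her correct password is then refused), while bob still logs in from the same address. The page does not specify a time window for the counters or the Unlock conditions, so the counters here never decay; the Unlock controller is where they would be cleared.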

Models

The following Login Models are used and can be customized as noted below.

  • Credentials - Specifies how to store credentials and the following security policy options.
    • Strength (RegEx) - A regular expression describing the required credential strength. If blank, credentials are not validated when they are set in the system.
    • Strength Description - A human readable description of the RegEx, which will be shared with users to provide guidance to create a valid password.
    • Valid Days - The number of days that the password should be valid for, once set.  0 means no expiration.
  • User - The content type used to store and manage webCOMAND users.  The standard User Content Type is used by default.
  • Log - The content type where login activity will be recorded and how long to retain logs before they can be removed.  The webCOMAND Activity Log is used by default.
  • Session - Where and how to store cookies and session files, and when they should expire.
  • Security Question - Security policy for user security questions.
    • Required Questions - The number of security questions required for a user's account (in the event that password recovery/reset is needed).
    • Allow Freeform Questions - Whether the user can provide their own security question text.
    • Questions - Available question choices to present as options to the user.
    • Strength (RegEx) - A regular expression describing the required answer strength. If blank, answers are not validated when they are set in the system.
    • Strength Description - Human-readable description of the requirements for the answer strength.
  • Reset Code - Defines the length of reset codes and how many hours they are valid before they expire.
  • Impersonation - These options are reserved for future use and do not have any effect yet.  For information about how impersonation currently works, see User Impersonation.
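The following is a worked example of the Credentials model's Strength (RegEx), Strength Description and Valid Days settings together with the Reset Code model's length and validity hours. It is added here as an illustration and is not webCOMAND's own code: the regular expression, the description text, the numeric values and every function name are assumptions chosen for the example. The same strength check applies unchanged to Security Question answers, which have their own regex and description.

```python
"""Model of the Credentials model's Strength (RegEx), Strength Description and
Valid Days settings, and of the Reset Code model's length and validity hours.
Added example, not webCOMAND's own code: regex, description, numeric values
and function names are assumptions."""
import re
import secrets
import string
from datetime import datetime, timedelta, timezone

# Strength (RegEx): lookaheads let one expression require a lowercase letter,
# an uppercase letter, a digit and a symbol, while .{12,} sets the length.
STRENGTH_REGEX = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}$"
# Strength Description: the text shown to users when the regex rejects a value.
STRENGTH_DESCRIPTION = ("At least 12 characters, including an uppercase letter, "
                        "a lowercase letter, a digit and a symbol.")
VALID_DAYS = 90         # 0 means the password never expires
RESET_CODE_LENGTH = 8   # characters in a reset code
RESET_CODE_HOURS = 2    # hours a reset code stays valid
RESET_CODE_ALPHABET = string.ascii_uppercase + string.digits


def validate_strength(value, strength_regex=STRENGTH_REGEX,
                      description=STRENGTH_DESCRIPTION):
    """Return (ok, message). A blank regex disables validation, as the docs state.

    Security question answers use the same check with their own regex and
    description passed in place of the password ones.
    """
    if not strength_regex:
        return True, ""
    if re.search(strength_regex, value):
        return True, ""
    return False, description


def password_expired(set_at, now, valid_days=VALID_DAYS):
    """True once Valid Days have elapsed since the password was set; 0 = never."""
    if valid_days == 0:
        return False
    return now >= set_at + timedelta(days=valid_days)


def issue_reset_code(now, length=RESET_CODE_LENGTH, hours=RESET_CODE_HOURS):
    """Return (code, expires_at). Codes come from a CSPRNG, not random.choice."""
    code = "".join(secrets.choice(RESET_CODE_ALPHABET) for _ in range(length))
    return code, now + timedelta(hours=hours)


def reset_code_valid(submitted, issued, expires_at, now):
    """Accept only an unexpired code, compared in constant time to avoid
    leaking how many leading characters matched."""
    if now >= expires_at:
        return False
    return secrets.compare_digest(submitted.encode(), issued.encode())


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for candidate in ("password", "Tr0ub4dor&3xyz"):
        print(repr(candidate), validate_strength(candidate))
    code, expires = issue_reset_code(now)
    print(code, expires.isoformat(), reset_code_valid(code, code, expires, now))
```

Because the page states that a blank Strength regex means no validation at all, an empty field is a silent downgrade rather than a "use defaults" setting; the example keeps that behaviour so the distinction is visible. The reset code is generated with the secrets module and compared with compare_digest, since a short code that is valid for hours is exactly the kind of value an attacker would try to guess or time.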

Notifications

System Lock Email - An email template to use to notify an administrator that a user has been locked out of the system.