Creating Policies

Use this page to create new password policies. Complete the following steps to create new policies or configure the default policy:

  1. From Interaction Administrator, select Policies.

  2. Double-click the Default Policy to configure it or, to create a new password policy, right-click on the right-hand side of the screen or choose New.

  3. Configure the options for the password policy on the following tabs:

Password Policy

  1. Enter a description for the password policy in the Description field.

  2. Click the check box next to User must change password next login if you want the system to prompt the user to change his or her password during the next login. 

  3. Click Apply.

Password

The password tab includes the following options:

  • Minimum Number of Unique Passwords Before One Can Be Reused:

    Determines the minimum number of unique passwords a user must reach before reusing a password. The default setting is 24.

  • Minimum Age of Password Before User Can Change It (days):

    Determines the period of time (in days) that a password must be used before the user can change it.  You can set a value between 1 and 999 days, or you can allow changes immediately by setting the number of days to 0. The default setting is 2.

    If the Maximum Password Age (days) is more than 0, the Minimum Password Age must be less than or equal to the Maximum Password Age.

    Configure the minimum password age to be more than 0 if you want the Password History policy to be effective.  Without a Minimum Password Age, users can cycle through passwords repeatedly until they get to an old favorite.  Note that if the Password History is set to 0, the user does not have to choose a new password.  For this reason, Password History is set to 1 by default.

  • Maximum Password Age (days):

    Determines the period of time that a password can be used before the system requires the user to change it.  You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. The default is 180.

  • Password Age Warning Period (days before password expires):

    Determines the period of time that reminders will be generated about soon-to-expire passwords.  These reminders will be provided in both the CIC clients and through the TUI.  This value is ignored if the Maximum Password Age is zero.  If this value is greater than or equal to the Maximum Password Age, nagging will occur frequently.  You can set this value to zero to suppress warnings.  The default is set to 14.

  • Minimum Password Length:

    Determines the least number of characters that a password may contain. You can set a value between 1 and 24 characters, or you can set the number of characters to 0 to specify that no password is set for the user, effectively disabling the user account. The default value is 8.

    Note: The Minimum number of unique DTMF digits must be less than the Minimum password length. If the value of the Minimum number of unique DTMF digits is greater than the value of the Minimum password length, you will receive a warning message.

  • Minimum Number of Unique DTMF Digits:

    Determines the minimum number of unique DTMF digits required to be in the password.  You can set a value between 1 and 12 digits.  The default is 4.  While CIC passwords can be composed of digits, punctuation and upper and lower case letters, they are mapped to the 12 standard DTMF digits (0-9, * and #) when entered through the telephone keypad.

    Note: The Minimum number of unique DTMF digits must be less than the Minimum password length. If the value of the Minimum number of unique DTMF digits is greater than the value of the Minimum password length, you will receive a warning message.

  • Allow All Sequential Digits

    This check box allows or disallows sequential digits in users’ passwords.  If unchecked, passwords that consist of an ascending or descending sequence of consecutive DTMF digits are not allowed.  This prohibits passwords like “1234” or “9876”, but allows passwords like “1245”.  While CIC passwords can be composed of digits, punctuation and upper and lower case letters, they are also mapped to the twelve standard DTMF digits (0-9, * and #) when entered through a telephone keypad.  This mapped string is used when enforcing the All Sequential Digits Allowed policy.  The default is set to No, or unchecked.

  • Minimum Number of Uppercase Characters

    Determines the minimum number of uppercase characters required to be in the password.  

  • Minimum Number of Lowercase Characters

    Determines the minimum number of lowercase characters required to be in the password.  

  • Minimum Number of Numeric Characters

    Determines the minimum number of numeric characters required to be in the password.  

  • Minimum Number of Special Characters

    Determines the minimum number of special characters that are required to be in a user's password. If you complete this box, you must also complete the Required Special Character Options box with the special characters that will be counted towards your required minimum number.  

  • Required Special Character Options

    Determines which special characters count towards the required minimum number of special characters. Special characters include: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
    If you complete this box, you must also complete the Minimum Number of Special Characters box.

Note: Users can include other special characters in their passwords. However, only the special characters that you specify in this box count toward the required minimum number of special characters. For example, suppose you require a minimum number of 3 special characters, and you specify the required special characters as !@#*&^. Then a password of JOe@#%1234 is not acceptable because while it contains 3 special characters, it does not contain 3 of the special characters that you require.
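The Password tab rules above can be checked offline before a policy is rolled out. The following is an added example, not CIC's own code: the function names are hypothetical, letters are assumed to follow the standard telephone keypad, and punctuation other than * and # is skipped because this page does not give CIC's mapping for it.

```python
# Assumption: standard keypad letters; digits, * and # map to themselves.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
TO_DTMF = {ch: d for d, letters in KEYPAD.items() for ch in letters}
TO_DTMF.update({c: c for c in "0123456789*#"})

def dtmf(password):
    """Map a password to the DTMF string used for the digit-based checks."""
    return "".join(TO_DTMF.get(ch, "") for ch in password.lower())

def all_sequential(digits):
    """True if the whole string is an ascending or descending run of consecutive digits."""
    if len(digits) < 2 or not digits.isdigit():
        return False  # assumption: a string containing * or # is never a sequence
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})

def violations(pw, *, min_length=8, min_unique_dtmf=4, allow_sequential=False,
               min_upper=0, min_lower=0, min_numeric=0, min_special=0,
               special_options=""):
    """Return the names of the policy options that the password fails."""
    mapped = dtmf(pw)
    checks = [
        (len(pw) < min_length, "length"),
        (len(set(mapped)) < min_unique_dtmf, "unique_dtmf"),
        (not allow_sequential and all_sequential(mapped), "sequential"),
        (sum(c.isupper() for c in pw) < min_upper, "uppercase"),
        (sum(c.islower() for c in pw) < min_lower, "lowercase"),
        (sum(c.isdigit() for c in pw) < min_numeric, "numeric"),
        # Only characters listed in Required Special Character Options count.
        (sum(c in special_options for c in pw) < min_special, "special"),
    ]
    return [name for failed, name in checks if failed]
```

Because the sequential check runs on the mapped string, an all-letter password such as adgjmptw is rejected under these assumptions: it is keyed in as 23456789.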

Account Lockout

The Account Lockout tab includes the following options:

  • Maximum Number of Failed Login Attempts Before Account is Locked Out:

    Determines the maximum number of failed login attempts that will be permitted.  If this limit is exceeded, an “Account Locked Out” error will be reported until the failed login attempt counter gets reset by an administrator or until the Account Lockout Duration has expired. The default setting is 5.

  • Lockout Duration (minutes):

    Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is 1 to 99,999 minutes. You can specify that the account will be locked out until an administrator explicitly unlocks it by setting the value to 0.  If a Maximum Number of Failed Login Attempts is defined, the Account Lockout Duration must be greater than or equal to the Account Lockout Reset Time. The default setting is 30.

  • Failed Login Count Reset Time (minutes):

    Defines the number of minutes, counted from the last failed attempt, after which the failed login count gets reset.  If the Lockout Duration is not 0, then once that duration has elapsed since the account was locked out, the account gets "unlocked" and the valid password will work. The default setting is 30.

    There are a certain number of failed attempts before the account is locked out as defined by Maximum number of failed login attempts before account is locked out.  Once you have made that many attempts with incorrect passwords, the account is locked out, and no password will work.

    Assuming the account has not been locked out, i.e., the user has not made more than the Maximum Number of Failed Login Attempts, once the Failed Login Count Reset Time has elapsed since the last attempt with an incorrect password, the count gets reset to 0.  

    Example: If Failed Login Count Reset Time is 1440 minutes (24 hours) and the Maximum Number of Failed Login Attempts is 3, the user can try to log in with an incorrect password three times before the account is locked out.  If he tries three times, then waits 24 hours (the Failed Login Count Reset Time), the count goes down to 0 and he gets three more attempts with incorrect passwords before the account gets locked out.  The Failed Login Count Reset Time is counted from the last login attempt with an incorrect password.  If the Failed Login Count Reset Time is 0, the count never gets reset automatically.  In this example, even if the user waits a day or a week, the fourth time he tries to log in with an incorrect password, the account gets locked out.

    Using this same example, if the Account Lockout Duration is 1440 minutes (24 hours), once the user tries to log in with an incorrect password more than three times, the account gets locked out and he cannot log in even with the correct password.  After 24 hours from the last login with an incorrect password that triggered the lockout, the account gets unlocked and the user can log in with the correct password. He now has 3 chances with incorrect passwords until the account gets locked again.  If Account Lockout Duration is 0, the account remains locked until an administrator unlocks it from the User container in Interaction Administrator, by right-clicking on the user and choosing Reset Failed Login Count.  In this case the count is set to 0 as if the time had elapsed. The administrator may reset this count at any time.
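The interaction of the three Account Lockout settings can be modelled as a small state machine and replayed against a timeline of attempts. This is an added example, not CIC's own code: the class and function names are hypothetical, time is counted in minutes, and the behaviour of a successful login on the failed count is an assumption because this page does not state it.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    max_failed: int = 5        # Maximum Number of Failed Login Attempts (page default)
    lockout_minutes: int = 30  # Lockout Duration; 0 = until an administrator resets
    reset_minutes: int = 30    # Failed Login Count Reset Time; 0 = never auto-reset

class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failed = 0
        self.last_failure = None  # minute of the last incorrect password
        self.locked_at = None     # minute of the attempt that triggered the lockout

    def admin_reset(self):
        """Reset Failed Login Count, as an administrator can do at any time."""
        self.failed, self.locked_at = 0, None

    def _expire(self, now):
        p = self.policy
        if self.locked_at is not None:
            # A timed lockout ends after the duration; the count restarts at 0.
            if p.lockout_minutes and now - self.locked_at >= p.lockout_minutes:
                self.admin_reset()
        elif self.failed and p.reset_minutes and now - self.last_failure >= p.reset_minutes:
            self.failed = 0

    def login(self, now, password_ok):
        """Return 'ok', 'bad_password' or 'locked' for an attempt at minute `now`."""
        self._expire(now)
        if self.locked_at is not None:
            return "locked"       # even the correct password is refused
        if password_ok:
            return "ok"           # assumption: success leaves the count unchanged
        self.failed += 1
        self.last_failure = now
        if self.failed > self.policy.max_failed:  # "more than" the maximum, as in the example
            self.locked_at = now
            return "locked"
        return "bad_password"

def replay(policy, attempts):
    """Run (minute, password_ok) attempts against a fresh account; return the outcomes."""
    account = Account(policy)
    return [account.login(minute, ok) for minute, ok in attempts]
```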

Users/Roles

From the Users/Roles tab you can apply policies to users and/or roles.  From this page, you can add and delete users, as well as add and delete roles.

History

This page provides a way to manually document configuration changes and when they occurred. Changes made in Interaction Administrator are also automatically logged in the Interaction Administrator Change Notification Log (Log ID 7). Later, authorized users can run reports against this log to summarize all configuration changes.

Last Modified

This date is automatically updated each time the user clicks the OK button, presumably after making changes to the configuration property sheet. To avoid updating this date, exit the page by clicking the Cancel button.

Note: If you click Cancel, none of the changes made to this configuration will be preserved.

Date Created

This date is automatically set when the user creates the initial configuration for this policy. If the policy was initially created by IC Setup Assistant, the date could be blank.

Notes: Type notes about configuration settings and changes. If you change the configuration settings and click OK, the Last Modified date is updated.

You must manually enter the date beside each entry in the Notes field to identify the date of each note.

To create a new line in the Notes field, press Ctrl+Enter.