Security settings
Administrators can configure security settings on the Security page in the Application menu. If you are an administrator, you can configure these settings:
Allow Autocomplete
Enables the feature to autocomplete the login and password credentials on the login page in a browser.
Allow Autologin
Enables users to automatically log in by using cookies.
Display Lost Your Password
Displays the Lost Your Password link on the login page.
Login Delay
Enables a delay between login attempts. With each failed login attempt, the delay becomes longer:
After the first attempt, the delay is 5 seconds.
After the second attempt, the delay is 15 seconds.
After the third attempt, the delay is 60 seconds.
After the fourth attempt, the delay is 5 minutes.
After five or more attempts, the delay is 1 hour.
Account Lockout
Locks a user account after a set number of consecutive failed login attempts. You can select 5 or 10 as the number of consecutive failed login attempts after which the account is locked.
Force Password Change
Forces users to change their passwords the first time that they log in.
Password Minimum Length
Specify the minimum length of passwords (3, 6, or 8 characters).
Login Name Minimum Length
Specify the minimum length of login names (2, 3, or 6 characters).
Password Maximum Age
Select this option to set passwords to expire after a set period (1, 2, 3, 4, 5, or 6 months). A user must enter a new password when the password expires.
Password Quality
Select this option to force users to set unique passwords.
 
Option
Description
Basic
Makes sure that the password is not connected to user information. For example, the password cannot be part of the user name, login name, or the user email address. The password cannot be a word in the dictionary. If the password does not meet the requirements, a warning message is displayed.
Intermediate
Does not check the password for lowercase characters. All other conditions for advanced mode are checked.
Advanced
Makes sure that the password meets both the basic password requirements and the following requirements. If the password does not meet the following requirements, a warning message is displayed:
When the password is spelled backward, it cannot be a word in the dictionary.
The password cannot be like an old password.
If the password is eight characters or less, it must contain at least one special character.
If the password is more than eight characters, it must contain at least two special characters.
Password Reuse
If you want the system to keep the passwords for all users in its memory, select this option (Remember 5 or Remember 10). Users cannot use a password that is in the memory of the system.
Networks with Access to the Ping Servlet
Specify the client network addresses that can access the ping servlet. Provide a comma-separated list of network address ranges by using CIDR notation.
Restrictions:
Both IPv4 and IPv6 network addresses are supported.
By default, only localhost (127.0.0.1/32 or ::1/128) is allowed.
If the configuration involves a load balancer or another proxy, the address of that proxy must be in one of the configured network address ranges.
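Added example (not part of the product or its documentation): an offline pre-check of a proposed value for this setting, which parses the comma-separated CIDR list, confirms that the addresses the server will actually see (for example the load balancer) fall inside a range, and flags very broad ranges. The function names, the breadth thresholds and the sample addresses are assumptions made for this example; how the product itself matches addresses is not described on this page.

```python
import ipaddress

DEFAULT_RANGES = "127.0.0.1/32, ::1/128"  # default stated above: localhost only
BROAD_V4, BROAD_V6 = 16, 48  # example thresholds (assumption): shorter prefix = "broad"

def parse_ranges(setting):
    """Parse the comma-separated CIDR list; raise ValueError on a bad entry."""
    networks = []
    for entry in setting.split(","):
        entry = entry.strip()
        if entry:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.5/24),
            # which usually means a typo in the address or the prefix length.
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks

def is_allowed(client, networks):
    """True if the address the server sees falls inside a configured range."""
    addr = ipaddress.ip_address(client)
    # Assumption: an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) is compared as IPv4.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in networks)

def audit(setting, expected_sources):
    """Return (broad_ranges, blocked_sources) for a proposed setting value."""
    networks = parse_ranges(setting)
    broad = [str(n) for n in networks
             if n.prefixlen < (BROAD_V4 if n.version == 4 else BROAD_V6)]
    blocked = [s for s in expected_sources if not is_allowed(s, networks)]
    return broad, blocked

if __name__ == "__main__":
    # Constructed sample: localhost plus one IPv4 and one IPv6 proxy subnet.
    setting = "127.0.0.1/32, ::1/128, 10.20.0.0/24, 2001:db8:10::/64"
    # Constructed sources: two load balancer addresses and a monitoring host.
    sources = ["10.20.0.7", "2001:db8:10::5", "192.0.2.15"]
    print(audit(setting, sources))
```

In the constructed sample the monitoring host is reported as blocked: if it polls through the load balancer, only the proxy address needs to be listed; if it connects directly, its own address does.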
Sensitive Personal Data
Select this option if you want Focal Point to prevent data identified as sensitive personal information from appearing in exports, logs, reports and mail-based notifications.
Enable HTTP security headers
Set this option to True if the HTTP response should include headers that provide additional protection against common web application security vulnerabilities. This option is on by default.
MIME Types Allowed Globally
Use this option to restrict the types of file that can be uploaded into file attributes. Only files with the specified MIME types can be uploaded. If the field is empty (default value), all MIME types are allowed.
Override Incoming Links Access
Incoming links are always displayed to the user, but the user cannot access them unless they have access to them through a view.
Session Timeout
Specify the duration for which a user can remain idle before a login session ends. You can specify 30 minutes, 1, 2, 4, 8, 12, or 24 hours.