skip to main content
Administering Hybrid Data Pipeline : Implementing an account lockout policy
  

Try Now

Implementing an account lockout policy

Hybrid Data Pipeline supports the implementation of an account lockout policy. An account lockout policy can be used to limit the number of consecutive failed authentication attempts permitted before a user account is locked. The user is unable to authenticate until a configurable period of time has passed or until the administrator unlocks the account.
The Hybrid Data Pipeline account lockout policy is by default enabled in accordance with Federal Risk and Authorization Management Program (FedRAMP) low- and medium-risk guidelines. The number of failed authentication attempts is limited to 3 in a 15 minute period. Once this limit is met, a lockout of the user account occurs for 30 minutes.
An account lockout policy can only be applied to user accounts managed through the default internal authentication service. A policy cannot be applied to end users managed through an external authentication service.
An account lockout policy can only be applied at the system level. It cannot be applied to individual tenants. To implement an account lockout policy, the administrator must reside in the default system tenant and have either the Administrator (12) or the Limits (27) permission. To unlock a user account, the administrator must have either the Administrator (12) permission or the ModifyUsers (15) permission with administrative access to the tenant.

Configuring lockout functionality

Account lockout functionality can be configured with the PasswordLockoutLimit, PasswordLockoutInterval, and PasswordLockoutPeriod limits in the Limits API.
PasswordLockoutLimit determines whether account lockout functionality has been enabled. Setting PasswordLockoutLimit to an integer greater than zero enables lockout functionality. By default, account lockout functionality is enabled with PasswordLockoutLimit set to 3. Account lockout functionality can be disabled by setting PasswordLockoutLimit to 0. A POST or PUT operation can be used to change the default behavior. As shown in the following example, the PUT operation specifies the PasswordLockoutLimit endpoint with the limit's ID, the number 3. Then, the request payload sets the number of consecutive failed authentication attempts allowed before locking the account to 5.
PUT https://myserver:port/api/admin/limits/system/3
{
"value": 5
}
An account lockout policy can be further configured with the PasswordLockoutInterval and the PasswordLockoutPeriod limits. See the Limits API for further details.

Unlocking a user account

An account can be unlocked by executing a PUT operation on the statusinfo endpoint in the Users API. As the following example shows, the URL must include the user ID, and the payload must include the accountLocked property with a value of false.
PUT https://<myserver>:<port>/api/admin/users/{id}/statusinfo
{
"accountLocked": false
}
AccountLockedAt and AccountLockedUntil are additional properties that can be set when unlocking a user account. See Update status info on a user account for further details.