Hybrid Data Pipeline supports the implementation of an account lockout policy. An account lockout policy can be used to limit the number of consecutive failed authentication attempts permitted before a user account is locked. The user is unable to authenticate until a configurable period of time has passed or until the administrator unlocks the account.
The Hybrid Data Pipeline account lockout policy is by default enabled in accordance with Federal Risk and Authorization Management Program (FedRAMP) low- and medium-risk guidelines. The number of failed authentication attempts is limited to 3 in a 15 minute period. Once this limit is met, a lockout of the user account occurs for 30 minutes.
An account lockout policy can only be applied to user accounts managed through the default internal authentication service. A policy cannot be applied to end users managed through an external authentication service.
An account lockout policy can only be applied at the system level. It cannot be applied to individual tenants. To implement an account lockout policy, the administrator must reside in the default system tenant and have either the Administrator (12) or the Limits (27) permission. To unlock a user account, the administrator must have either the Administrator (12) permission or the ModifyUsers (15) permission with administrative access to the tenant. In addition, to use the Web UI for these tasks, the administrator must have either the Administrator (12) or the WebUI (8) permission.
Configuring an account lockout policy
An account lockout policy can be configured either through the Web UI or the Limits API. The following limits are used to define the account lockout policy.
PasswordLockoutLimit is the number of consecutive failed authentication attempts that are allowed before locking the user account. By default, account lockout functionality is enabled with PasswordLockoutLimit set to 3. Setting PasswordLockoutLimit to zero disables lockout functionality.
PasswordLockoutInterval is the duration, in seconds, for counting the number of consecutive failed authentication attempts.
PasswordLockoutPeriod is the duration, in seconds, for which a user account will not be allowed to authenticate to the system when the PasswordLockoutLimit is reached.
Using the Web UI
Take the following steps to configure these limits via the Web UI.
1. Navigate to the Manage Limits view by clicking the manage limits icon
.
2. Select the system tenant from the Tenant dropdown.
3. Expand the Security and Password sections to view account policy limits.
4. Specify values for each limit.
5. Click Save.
Using the Limits API
The following PUT operation updates the PasswordLockoutLimit to 5 login attempts. The endpoint is specified with the number 3, the ID of the PasswordLockoutLimit. (See the Limits API for details on setting other account policy lockout limits.)
PUT https://myserver:port/api/admin/limits/system/3
{
"value": 5
}
Unlocking a user account
An account can be unlocked by executing a PUT operation on the statusinfo endpoint in the Users API. As the following example shows, the URL must include the user ID, and the payload must include the accountLocked property with a value of false.
PUT https://<myserver>:<port>/api/admin/users/{id}/statusinfo
{
"accountLocked": false
}
AccountLockedAt and AccountLockedUntil are additional properties that can be set when unlocking a user account. See Update status info on a user account for further details.
PasswordLockoutLimit is the number of consecutive failed authentication attempts that are allowed before locking the user account. By default, account lockout functionality is enabled with PasswordLockoutLimit set to 3. Setting PasswordLockoutLimit to zero disables lockout functionality.
.