User Security Profiles
A security profile is a collection of attributes relating to the secure behaviour of the user interface and associated endpoints. There are currently two main security categories implemented within a profile:
- Interface Auto Sign out
- Password Policy
The Platform 6 Authentication and Authorization server, p6auth, defines a default
security profile which is applied to each Platform 6 user.
In addition to the default security profile, one or more named security profiles
are also defined by p6auth.
Profile Attributes Explained
Each secure behaviour is defined as a dot-separated attribute, detailed below:
Attribute Name | Purpose |
---|---|
ui.auto.signout.mins | Number of minutes of inactivity detected by the Portal UI before a user is automatically signed out |
password.policy.expiry.days | Number of days before a password expires. Upon expiry the user will be sent an email to select a new password |
password.policy.max.length | The maximum number of characters a password should contain |
password.policy.min.length | The minimum number of characters a password must contain |
password.policy.dictionary | If true, a ‘bad password’ dictionary search is performed, so passwords found in the dictionary are disallowed |
password.policy.chars.categories.must.match | Values 0 to 4 represent the number of the following character categories a new password must adhere to |
password.policy.chars.categories.digits | Value 0 to n represents the least number of digits a password must contain |
password.policy.chars.categories.uppercase | Value 0 to n represents the least number of uppercase letters a password must contain |
password.policy.chars.categories.lowercase | Value 0 to n represents the least number of lowercase letters a password must contain |
password.policy.chars.categories.special | Value 0 to n represents the least number of special characters a password must contain |
password.policy.chars.invalid.sequences.alpha | Value 0 to n represents the number of alpha characters in a sequence within a password that will be disallowed (e.g. “abcdef”) |
password.policy.chars.invalid.sequences.numeric | Value 0 to n represents the number of numeric characters in a sequence within a password that will be disallowed (e.g. “12345”) |
password.policy.chars.invalid.sequences.qwerty | Value 0 to n represents the number of US-qwerty characters in a sequence within a password that will be disallowed |
password.policy.chars.repeats | Value 0 to n represents the maximum number of repeating characters allowed in a password |
password.policy.history | Value 0 to 8 represents the number of previous passwords that are disallowed when creating a new password |
password.policy.whitespace | If false, white space within a password is disallowed |
password.policy.username | If false, the use of a username as a password is disallowed |
Named Security Profile Values: default
This is the default profile and, as the name suggests, is the set of secure behaviour attributed to each and every Platform 6 user by “default”:
Attribute Name | Value |
---|---|
ui.auto.signout.mins | 20 |
password.policy.expiry.days | 90 |
password.policy.max.length | 32 |
password.policy.min.length | 8 |
password.policy.dictionary | false |
password.policy.chars.categories.must.match | 3 |
password.policy.chars.categories.digits | 1 |
password.policy.chars.categories.uppercase | 1 |
password.policy.chars.categories.lowercase | 1 |
password.policy.chars.categories.special | 1 |
password.policy.chars.invalid.sequences.alpha | 5 |
password.policy.chars.invalid.sequences.numeric | 5 |
password.policy.chars.invalid.sequences.qwerty | 5 |
password.policy.chars.repeats | 4 |
password.policy.history | 1 |
password.policy.whitespace | false |
password.policy.username | false |
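
The following added example (not p6auth's own code) evaluates a candidate password against the `default` values above. The function names, the sequence alphabets and the reading of `must.match` as "at least N of the four categories reach their minimum" are assumptions; the dictionary and history checks are left out because they need server-side data.

```python
# Values copied from the `default` profile table (attributes this sketch checks).
DEFAULT = {
    "password.policy.min.length": 8,
    "password.policy.max.length": 32,
    "password.policy.chars.categories.must.match": 3,
    "password.policy.chars.categories.digits": 1,
    "password.policy.chars.categories.uppercase": 1,
    "password.policy.chars.categories.lowercase": 1,
    "password.policy.chars.categories.special": 1,
    "password.policy.chars.invalid.sequences.alpha": 5,
    "password.policy.chars.invalid.sequences.numeric": 5,
    "password.policy.chars.invalid.sequences.qwerty": 5,
    "password.policy.chars.repeats": 4,
    "password.policy.whitespace": False,
    "password.policy.username": False,
}
# Assumed sequence alphabets (English / US-qwerty rows only).
RUNS = {"alpha": ["abcdefghijklmnopqrstuvwxyz"], "numeric": ["0123456789"],
        "qwerty": ["qwertyuiop", "asdfghjkl", "zxcvbnm"]}

def has_run(pw, rows, n):
    """True if pw contains n consecutive characters of a row (assumed: 0 disables)."""
    low = pw.lower()
    return n > 0 and any(r[i:i + n] in low for r in rows for i in range(len(r) - n + 1))

def violations(pw, username, p=DEFAULT):
    """Return the names of the checks pw fails under profile p (hypothetical helper)."""
    pre, out = "password.policy.", []
    if not p[pre + "min.length"] <= len(pw) <= p[pre + "max.length"]:
        out.append("length")
    # str.isupper/islower are Unicode-aware, so Cyrillic or Polish letters count.
    counts = {"digits": sum(c.isdigit() for c in pw),
              "uppercase": sum(c.isupper() for c in pw),
              "lowercase": sum(c.islower() for c in pw),
              "special": sum(not c.isalnum() and not c.isspace() for c in pw)}
    met = sum(counts[k] >= p[pre + "chars.categories." + k] for k in counts)
    if met < p[pre + "chars.categories.must.match"]:  # assumed: N of the 4 categories
        out.append("categories")
    out += ["sequence." + k for k, rows in RUNS.items()
            if has_run(pw, rows, p[pre + "chars.invalid.sequences." + k])]
    limit = p[pre + "chars.repeats"]
    if any(len(set(pw[i:i + limit + 1])) == 1 for i in range(len(pw) - limit)):
        out.append("repeats")
    if not p[pre + "whitespace"] and any(c.isspace() for c in pw):
        out.append("whitespace")
    if not p[pre + "username"] and pw.lower() == username.lower():
        out.append("username")
    return out
```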
Named Security Profile Values: admin_1.0
This is a suggested profile suitable for instance administrators. It enforces a number of stronger security constraints above the default profile:
Attribute Name | Value |
---|---|
ui.auto.signout.mins | 10 |
password.policy.expiry.days | 60 |
password.policy.max.length | 32 |
password.policy.min.length | 12 |
password.policy.dictionary | true |
password.policy.chars.categories.must.match | 4 |
password.policy.chars.categories.digits | 1 |
password.policy.chars.categories.uppercase | 1 |
password.policy.chars.categories.lowercase | 1 |
password.policy.chars.categories.special | 1 |
password.policy.chars.invalid.sequences.alpha | 5 |
password.policy.chars.invalid.sequences.numeric | 5 |
password.policy.chars.invalid.sequences.qwerty | 5 |
password.policy.chars.repeats | 4 |
password.policy.history | 8 |
password.policy.whitespace | false |
password.policy.username | false |
Profile Customisation via Permissions
Each of the profile attributes can be customised by use of the standard Platform 6 permissions:
- security=allow()
The allow action comprises one or more quoted name/value pairs. For example:
- “profile=admin_1.0” - select profile using its name
- “password.policy.history=2” - override any individual profile attribute
Note
The default profile is always assumed and so does not have to be specified via a permission.
Currently, only one named profile exists: admin_1.0. More may be available in future releases.
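
An added example, not part of Platform 6, of how a reviewer could compute the effective profile from the name/value pairs of a `security=allow()` permission and list overrides that are weaker than the selected profile. It assumes the named profile is layered over `default` and individual attributes are applied last; `resolve`, `weakened` and the `STRICTER` direction table (read off the differences between the two profile tables) are hypothetical.

```python
# Values copied from the two profile tables on this page.
DEFAULT = {
    "ui.auto.signout.mins": 20,
    "password.policy.expiry.days": 90,
    "password.policy.max.length": 32,
    "password.policy.min.length": 8,
    "password.policy.dictionary": False,
    "password.policy.chars.categories.must.match": 3,
    "password.policy.chars.categories.digits": 1,
    "password.policy.chars.categories.uppercase": 1,
    "password.policy.chars.categories.lowercase": 1,
    "password.policy.chars.categories.special": 1,
    "password.policy.chars.invalid.sequences.alpha": 5,
    "password.policy.chars.invalid.sequences.numeric": 5,
    "password.policy.chars.invalid.sequences.qwerty": 5,
    "password.policy.chars.repeats": 4,
    "password.policy.history": 1,
    "password.policy.whitespace": False,
    "password.policy.username": False,
}
# admin_1.0 stored as its differences from `default`.
NAMED = {"admin_1.0": {
    "ui.auto.signout.mins": 10, "password.policy.expiry.days": 60,
    "password.policy.min.length": 12, "password.policy.dictionary": True,
    "password.policy.chars.categories.must.match": 4, "password.policy.history": 8}}
# Assumed direction of "stricter": -1 means lower is stricter, +1 means higher.
STRICTER = {"ui.auto.signout.mins": -1, "password.policy.expiry.days": -1,
            "password.policy.min.length": 1, "password.policy.dictionary": 1,
            "password.policy.chars.categories.must.match": 1, "password.policy.history": 1}

def resolve(values):
    """Return (selected profile, effective profile) for a list of name=value pairs."""
    pairs = dict(v.split("=", 1) for v in values)
    name = pairs.pop("profile", None)
    base = {**DEFAULT, **NAMED[name]} if name else dict(DEFAULT)
    eff = dict(base)
    for key, raw in pairs.items():
        if key not in DEFAULT:
            raise KeyError(f"unknown attribute: {key}")
        eff[key] = (raw == "true") if isinstance(DEFAULT[key], bool) else int(raw)
    return base, eff

def weakened(values):
    """Attributes whose override is weaker than the selected profile's own value."""
    base, eff = resolve(values)
    return sorted(k for k, d in STRICTER.items() if (eff[k] - base[k]) * d < 0)
```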
Locale Considerations
Some secure attributes will depend upon the language or locale of the user. These attributes are:
- password.policy.chars.categories.uppercase
- password.policy.chars.categories.lowercase
- password.policy.chars.invalid.sequences.alpha
English is the default language/alphabet used; however, special provision has been made for the following languages/alphabets:
- Cyrillic
- German
- Polish
- Czech