Security properties

You can customize the security settings as required.

You can change properties that are highlighted as cross-tenant properties only by using the ARIS Cloud Controller command-line tool. To change the settings, enter the following:

reconfigure umcadmin_<size of your installation, s, m, or l> JAVA-D<property name>="<value>"

Example

reconfigure umcadmin_m JAVA-Dcom.aris.umc.loadbalancer.url="https://myserver.com"

Account lockout

Key: com.aris.umc.authentication.lock.enabled
Description: Lock users after failed login attempts. Specifies whether a user login is temporarily locked when a user causes too many failed logins. The default value is false.
Valid input: true, false

Key: com.aris.umc.authentication.lock.counter.limit
Description: Attempt limit. Specifies the number of failed login attempts that are allowed before the user login is locked.
Valid input: Integer > 0

Key: com.aris.umc.authentication.lock.ttl
Description: Lockout duration (in seconds). Specifies how long a user login is temporarily locked when a user causes too many failed logins. This is defined in seconds.
Valid input: Integer > 0

Key: com.aris.umc.authentication.lock.counter.ttl
Description: Lock counter duration (in seconds). Time that must elapse before the number of failed login attempts is reset. This is defined in seconds.
Valid input: Integer > 0
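As an added illustration (not part of this documentation and not the product's own code), the following Python model shows how the four lockout properties interact: failures are counted within a counter.ttl window, reaching counter.limit locks the login for ttl seconds, and the lock expires on its own. The property values are constructed for the example and are not product defaults.

```python
import time

# Constructed example values for the lockout properties (illustrative, not product defaults).
LOCKOUT_PROPERTIES = {
    "com.aris.umc.authentication.lock.enabled": True,
    "com.aris.umc.authentication.lock.counter.limit": 3,  # failures before lock
    "com.aris.umc.authentication.lock.ttl": 300,          # lock duration, seconds
    "com.aris.umc.authentication.lock.counter.ttl": 60,   # counter reset window, seconds
}


class LoginLockout:
    """Models the lockout semantics: failures are counted within a counter.ttl
    window; reaching counter.limit locks the login for ttl seconds."""

    def __init__(self, props, clock=time.time):
        self.enabled = props["com.aris.umc.authentication.lock.enabled"]
        self.limit = props["com.aris.umc.authentication.lock.counter.limit"]
        self.lock_ttl = props["com.aris.umc.authentication.lock.ttl"]
        self.counter_ttl = props["com.aris.umc.authentication.lock.counter.ttl"]
        self.clock = clock            # injectable for deterministic testing
        self._failures = {}           # user -> (count, window start time)
        self._locked_until = {}       # user -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:     # lock.ttl elapsed: the lock expires
            del self._locked_until[user]
            return False
        return True

    def record_failure(self, user):
        # Register a failed login attempt; returns True if the user is now locked.
        if not self.enabled:
            return False
        if self.is_locked(user):
            return True
        now = self.clock()
        count, start = self._failures.get(user, (0, now))
        if now - start >= self.counter_ttl:   # counter.ttl elapsed: reset count
            count, start = 0, now
        count += 1
        self._failures[user] = (count, start)
        if count >= self.limit:               # counter.limit reached: lock
            self._locked_until[user] = now + self.lock_ttl
            del self._failures[user]
            return True
        return False
```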

User sessions

Key: com.aris.umc.session.renewal.cache.size
Description: Session cache size. Specifies how many session IDs are saved in the session renewal cache. When the cache is full, the least recently used sessions are removed. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual.
Valid input: Integer > 0

Key: com.aris.umc.session.renewal.cache.ttl
Description: Session cache lifetime (in seconds). Specifies the maximum duration in seconds that a renewed session remains in the session renewal cache. A session can be renewed at the earliest after this period of time. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual.
Valid input: Integer > 0

Key: com.aris.umc.session.identifier.generator
Description: Session ID generator. Specifies the random number generator used for generating session IDs.
Valid input: String

Key: com.aris.umc.session.identifier.length.min
Description: Minimum length of session ID (in bytes). Specifies the minimum length of a session ID in bytes. For security reasons this value should not be less than 32.
Valid input: Integer > 0

Key: com.aris.umc.session.identifier.length.max
Description: Maximum length of session ID (in bytes). Specifies the maximum length of a session ID in bytes.
Valid input: Integer > 0

Key: com.aris.umc.session.concurrent.max
Description: Maximum concurrent sessions. Specifies the maximum number of concurrent sessions that can be active for a single user. This does not apply to the arisservice and superuser users.
Valid input: Integer > 0

Multi-factor authentication

You can use multi-factor authentication only in API Portal.

Key: com.aris.umc.authentication.multiFactor.active
Description: Use multi-factor authentication. Specifies whether multi-factor authentication is required. The default value is false.
Valid input: true, false

Key: com.aris.umc.authentication.multiFactor.clockSkew
Description: Clock skew intervals. Specifies the clock skew as a number of time-step intervals. One-time passwords (OTPs) whose time step lies within the range [currentTimeStep - clock_skew, currentTimeStep + clock_skew] are accepted.
Valid input: Integer > 0

Key: com.aris.umc.authentication.multiFactor.excludedUsers
Description: Excluded users. Specifies a comma-separated list of users for whom multi-factor authentication is not required.
Valid input: String
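The effect of the clock skew window can be seen with a small RFC 6238 TOTP check. This is an added example, not code from the documentation or from ARIS; it assumes a 30-second time step and a 6-digit HMAC-SHA1 code, neither of which the page states, and uses the RFC 6238 test secret as constructed input.

```python
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 30  # assumed TOTP interval (RFC 6238 default); not stated on the page


def totp(secret: bytes, time_step: int, digits: int = 6) -> str:
    """RFC 6238 one-time password for a time-step counter, using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", time_step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def accepted_steps(now_seconds: int, clock_skew: int) -> range:
    """Time steps accepted for the configured clockSkew value:
    [currentTimeStep - clock_skew, currentTimeStep + clock_skew]."""
    current = now_seconds // TIME_STEP_SECONDS
    return range(max(0, current - clock_skew), current + clock_skew + 1)


def verify_otp(secret: bytes, candidate: str, now_seconds: int, clock_skew: int) -> bool:
    """Accept the OTP if it matches any step inside the skew window.
    compare_digest keeps each comparison constant-time."""
    return any(hmac.compare_digest(totp(secret, step), candidate)
               for step in accepted_steps(now_seconds, clock_skew))
```

A larger clockSkew tolerates more drift between the server and the user's device but also widens the set of codes that are valid at any moment.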

Advanced settings

Key: com.aris.umc.audit.enabled
Description: Generate user statistics. Enables the generation of user statistics. The default value is false. If you set this to true, the following properties for distinct user statistics are enabled by default (each of them can be disabled or enabled individually):
  • Log authentication
  • Log changes to configuration
  • Log changes to licenses/privileges
  • Log changes to users/user groups
Valid input: true, false
Example: false

Key: com.aris.umc.audit.log.auth.enabled
Description: Log authentication. Enables authentication logging. The default value is true, but this property takes effect only when Generate user statistics is set to true. The following user statistics are logged and can be exported:
  • Login failed
  • Login successful
  • Logged out
  • Logged out by administrator
Valid input: true, false
Example: true

Key: com.aris.umc.audit.log.conf.enabled
Description: Log changes to configuration. Enables logging of changes to the configuration. The default value is true. The following user statistics are logged and can be exported:
  • Organizational chart deleted
  • Organizational chart updated
  • One-time password requested
  • Password changed
  • Password reset
  • Password transferred between users
  • Profile picture deleted
  • Profile picture imported
  • Privilege assigned
  • Privilege assignment removed
  • Configuration option changed
  • Configuration file deleted
  • Configuration file imported
  • Data backup imported
  • Tenant created
  • Tenant deleted
  • Tenant updated
Valid input: true, false
Example: true

Key: com.aris.umc.audit.log.license.privilege.enabled
Description: Log changes to licenses/privileges. Enables logging of changes to licenses or privileges. The default value is true. The following user statistics are logged and can be exported:
  • License deleted
  • License imported
  • License consumed
  • License released
  • Violation of user group license limit
  • Violation of user license limit
  • Replace license file for tenant
Valid input: true, false
Example: true

Key: com.aris.umc.audit.log.user.group.enabled
Description: Log changes to users/user groups. Enables logging of changes to users or user groups. The default value is true. The following user statistics are logged and can be exported:
  • User created
  • User deleted
  • Escalation manager assignment removed
  • User group created
  • User group deleted
  • Group assigned to group
  • Group unassigned from group
  • User group updated
  • LDAP data imported
  • Synchronized with LDAP
Valid input: true, false
Example: true

Key: com.aris.umc.audit.log.application.enabled
Description: Log application changes. Enables logging of all changes to applications, regardless of whether they are internal or external. The default value is true.

Key: com.aris.umc.authentication.sso.only
Description: Force SSO. Specifies that only an SSO login is allowed. If this option is enabled, no local users can log in except the local superuser and the system user; these two are exempt so that the system remains accessible in case of SSO errors or misconfiguration. The default value is false.
Valid input: true, false
Example: false

Key: com.aris.umc.authentication.sso.for.downloadclient.only
Description: Force SSO for ARIS Download Client. If this option is enabled, a user must be logged in to the portal to be able to start ARIS Download Client. The default value is false.
Valid input: true, false
Example: false

Key: com.aris.umc.authentication.delay.min
Description: Minimum authentication delay (in milliseconds). Specifies the minimum delay that is added at each login. This is defined in milliseconds.
Valid input: Integer > 0

Key: com.aris.umc.authentication.delay.max
Description: Maximum authentication delay (in milliseconds). Specifies the maximum delay that is added at each login. This is defined in milliseconds.
Valid input: Integer > 0

Key: com.aris.umc.otp.active
Description: Use OTPs. Specifies whether or not the generation of one-time passwords (OTPs) is allowed.
Valid input: true, false

Key: com.aris.umc.otp.ttl
Description: Lifetime (in seconds). Specifies the lifetime of a one-time password (OTP) in seconds. Passwords become invalid after this time period at the latest.

Key: com.aris.umc.license.distribution.handling
Description: License pools at user group level. Specifies that license pools are assigned at the user group level. If this option is enabled, licenses cannot be assigned to users directly but only via user groups.
Valid input: true, false
Example: false

Key: com.aris.ums.user.statistics.backup
Description: User statistics in backup. Specifies that the user statistics are part of the backup. The default value is true.
Valid input: true, false
Example: false

Key: com.aris.ums.user.statistics.persistent.days
Description: Purge user statistics generated before (in days). Specifies the number of days for which user statistics are retained; older statistics are purged.
Valid input: Integer
Example: 365

Key: com.aris.ums.applications.registration
Description: Application registration. Specifies a comma-separated list of internal applications for registering an application. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual.