Customize security settings

You can customize your system configuration as required. You carry out this part of the configuration in ARIS Administration.

Prerequisite

You have the Technical configuration administrator function privilege.

Procedure

  1. Click Configuration.

  2. Click the arrow next to Security.

  3. Click a configuration category. The following categories are available:

    Account lockout

    Lock users after failed login attempts

    Specifies whether a user login is temporarily locked when a user causes too many failed logins. The default value is false. This corresponds to the following property: com.aris.umc.authentication.lock.enabled

    Attempt limit

    Specifies the number of failed login attempts that are allowed before user login is locked. This corresponds to the following property: com.aris.umc.authentication.lock.counter.limit

    Lockout duration

    Specifies how long a user login is temporarily locked when a user causes too many failed logins. This is defined in seconds. This corresponds to the following property: com.aris.umc.authentication.lock.ttl

    Lock counter duration

    Time that must elapse before the number of failed login attempts is reset. This is defined in seconds. This corresponds to the following property: com.aris.umc.authentication.lock.counter.ttl

    User sessions

    Session cache size

    Specifies how many session IDs are saved in the session renewal cache. When the cache is full, the least recently used sessions are removed. This is a cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. This corresponds to the following property: com.aris.umc.session.renewal.cache.size

    Session cache lifetime

    Specifies the maximum duration in seconds that a renewed session remains in the session renewal cache. A session can be renewed at the earliest after this period of time. This is a cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. This corresponds to the following property: com.aris.umc.session.renewal.cache.ttl

    Session ID generator

    Specifies the random number generator used for generating session IDs. This corresponds to the following property: com.aris.umc.session.identifier.generator

    Minimum length of session ID

    Specifies the minimum length of a session ID in bytes. For security reasons this value should not be less than 32. This corresponds to the following property: com.aris.umc.session.identifier.length.min

    Maximum length of session ID

    Specifies the maximum length of a session ID in bytes. This corresponds to the following property: com.aris.umc.session.identifier.length.max

    Maximum concurrent sessions

    Specifies the maximum number of concurrent sessions that can be active for a single user. This does not apply to the arisservice and superuser users. This corresponds to the following property: com.aris.umc.session.concurrent.max

    Multi-factor authentication

    Use multi-factor authentication

    Specifies whether multi-factor authentication is required. The default value is false. This corresponds to the following property: com.aris.umc.authentication.multiFactor.active

    Clock skew intervals

    Specifies the clock skew in number of intervals. One-time passwords (OTPs) that are within the valid range [currentTimeStep - clock_skew, currentTimeStep + clock_skew] are permitted. This is defined in milliseconds. This corresponds to the following property: com.aris.umc.authentication.multiFactor.clockSkew

    Excluded users

    Specifies a comma-separated list of users for whom the multi-factor authentication is not required. This corresponds to the following property: com.aris.umc.authentication.multiFactor.excludedUsers

    Advanced settings

    Generate user statistics

    Enables the generation of user statistics. The default value is false. If you specify this as true, the following properties for distinct user statistics are enabled by default:

    • Log authentication

    • Log changes to configuration

    • Log changes to licenses/privileges

    • Log changes to users/user groups

    You can disable/enable the properties mentioned above.

    This corresponds to the following property: com.aris.umc.audit.enabled

    Log authentication

    Enables authentication logging. The default value is true but this property is only enabled when Generate user statistics is specified as true. The following user statistics are logged and can be exported:

    • Login failed

    • Login successful

    • Logged out

    • Logged out by administrator

    This corresponds to the following property: com.aris.umc.audit.log.auth.enabled

    Log changes to configuration

    Enables logging of changes to the configuration. The default value is true but this property is only enabled when Generate user statistics is specified as true. The following user statistics are logged and can be exported:

    • Organizational chart deleted

    • Organizational chart updated

    • One-time password requested

    • Password changed

    • Password reset

    • Password transferred between users

    • Profile picture deleted

    • Profile picture imported

    • Privilege assigned

    • Privilege assignment removed

    • Configuration option changed

    • Configuration file deleted

    • Configuration file imported

    • Data backup imported

    • Tenant created

    • Tenant deleted

    • Tenant updated

    This corresponds to the following property: com.aris.umc.audit.log.conf.enabled

    Log changes to licenses/privileges

    Enables logging of changes to licenses or privileges. The default value is true but this property is only enabled when Generate user statistics is specified as true. The following user statistics are logged and can be exported:

    • License deleted

    • License imported

    • License consumed

    • License released

    • Violation of user group license limit

    • Violation of user license limit

    • Replace license file for tenant

    This corresponds to the following property: com.aris.umc.audit.log.license.privilege.enabled

    Log changes to users/user groups

    Enables logging of changes to users or user groups. The default value is true but this property is only enabled when Generate user statistics is specified as true. The following user statistics are logged and can be exported:

    • User created

    • User deleted

    • Escalation manager assignment removed

    • User group created

    • User group deleted

    • Group assigned to group

    • Group unassigned from group

    • User group updated

    • LDAP data imported

    • Synchronized with LDAP

    This corresponds to the following property: com.aris.umc.audit.log.user.group.enabled

    Force SSO

    Specifies that only an SSO login is allowed. The default value is false. This corresponds to the following property: com.aris.umc.authentication.sso.only

    Minimum authentication delay

    Specifies the minimum delay that is added at each login. This is defined in milliseconds. This corresponds to the following property: com.aris.umc.authentication.delay.min

    Maximum authentication delay

    Specifies the maximum delay that is added at each login. This is defined in milliseconds. This corresponds to the following property: com.aris.umc.authentication.delay.max

    Use OTPs

    Specifies whether or not the generation of one-time passwords (OTPs) is allowed. This corresponds to the following property: com.aris.umc.otp.active

    Lifetime

    Specifies the lifetime of a one-time password (OTP) in seconds. Passwords become invalid after this time period at the latest. This corresponds to the following property: com.aris.umc.otp.ttl

    License pools at user group-level

    Specifies that license pools are assigned at the user group level. If this option is enabled, licenses must not be assigned to users directly, but are to be assigned via user groups only. This corresponds to the following property: com.aris.umc.license.distribution.handling

    User statistics in backup

    Specifies that the user statistics are part of the backup. The default value is false. This corresponds to the following property: com.aris.ums.user.statistics.backup

  4. Click Edit.

    The Cross-tenant symbol indicates that the settings made apply to all tenants on this server and cannot be changed.

  5. Adjust your settings.

  6. Click Save.

You have customized your system configuration.
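
Several of the settings above depend on each other: the four audit.log.* switches only take effect once Generate user statistics is true, and the session ID minimum length has a stated floor of 32 bytes. The following check is an added example, not vendor code. It reads a property listing and reports such settings, assuming a key=value layout; the sample values and user names are constructed.

```python
# Added example, not vendor code; key=value layout and SAMPLE values are constructed.
P = "com.aris.umc."

SAMPLE = """\
com.aris.umc.authentication.lock.enabled=false
com.aris.umc.session.identifier.length.min=16
com.aris.umc.authentication.multiFactor.active=true
com.aris.umc.authentication.multiFactor.excludedUsers=jdoe, svc-report
com.aris.umc.audit.enabled=true
com.aris.umc.audit.log.auth.enabled=false
"""

def parse(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def flag(props, key, default):
    # Unset keys fall back to the default value the page documents.
    return props.get(P + key, default).lower() == "true"

def audit(props):
    """Return {property suffix: finding} for weak or ineffective settings."""
    out = {}
    if not flag(props, "authentication.lock.enabled", "false"):
        out["authentication.lock.enabled"] = "failed logins never lock the login"
    min_len = props.get(P + "session.identifier.length.min")
    if min_len is not None and int(min_len) < 32:  # floor stated on the page
        out["session.identifier.length.min"] = f"{min_len} bytes, below 32"
    raw = props.get(P + "authentication.multiFactor.excludedUsers", "")
    excluded = [u.strip() for u in raw.split(",") if u.strip()]
    if not flag(props, "authentication.multiFactor.active", "false"):
        out["authentication.multiFactor.active"] = "MFA is not required"
    elif excluded:
        out["authentication.multiFactor.excludedUsers"] = "no MFA for: " + ", ".join(excluded)
    if not flag(props, "audit.enabled", "false"):
        out["audit.enabled"] = "no user statistics; audit.log.* has no effect"
    else:
        for name in ("auth", "conf", "license.privilege", "user.group"):
            if not flag(props, f"audit.log.{name}.enabled", "true"):
                out[f"audit.log.{name}.enabled"] = "event category not logged"
    return out

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

An empty result means none of these checks fired; it says nothing about settings the check does not cover, such as the lockout duration or OTP lifetime.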

See also

What security properties are available?