Account password rules govern the construction of a new password created by Safeguard for Privileged Passwords during an automatic account password change. You can create rules governing the allowable account passwords, such as:
Navigate to Asset Management > Profiles > View Password Profile Components > Account Password Rules.
Use these toolbar buttons to manage your account password rules.
It is the responsibility of the Asset Administrator, or a partition's delegated administrator, to configure account password complexity rules.
IMPORTANT:
Some Unix systems silently truncate passwords to their maximum allowed length. For example, Macintosh OS X only allows a password of 128 characters. If an Asset Administrator creates a profile with an Account Password Rule that sets the password length to 136 characters, when Safeguard for Privileged Passwords changes the password for an account governed by that profile, the asset's operating system truncates the new password to the allowable length and does not return an error; however, the full 136-character password is stored in Safeguard for Privileged Passwords. This causes the following issues:
Navigate to Asset Management > Profiles > View Password Profile Components > Account Password Rules.
To add an account password rule
- Click Add to open the New Account Password Rule dialog.
- Enter a Name for the account password rule (up to 50 characters).
- Enter a Description for the account password rule (up to 255 characters).
- Select a partition using the Browse button.
-
On the Password Rules tab, set the password requirements.
-
Password Length: Set a range for the password allowable length from three to 255 characters. The default is 8 to 64 characters. The maximum length must be equal to or greater than the sum of minimum characters required in the following steps. For example, if the password must have two uppercase letters, two lowercase letters, and two numeric characters, the minimum Password Length must be six. Note that a diacritical letter is one character.
- First Character Type: Choose one of the following:
- All: Alphabetical, numeric, or symbols
- Alphanumeric: Alphabetical or numeric
- Alphabetic: Only alphabetical characters
- Last Character Type: Choose one of the following:
- All: Alphabetical, numeric, or symbols
- Alphanumeric: Alphabetical or numeric
- Alphabetic: Only alphabetical characters
- Repeated Characters: Choose one of the following:
- Allow repeated characters: Any letters, numbers, or symbols can be repeated in any order, including consecutively.
- No consecutive repeated characters: No letter, number, or symbol can be repeated after itself. You can restrict the number of consecutively repeated characters later by uppercase letters, lowercase letters, numbers, symbols, or a combination of those.
- No repeated characters: All letters, numbers, or symbols can only be used once in the password.
-
Allow Uppercase: Select to allow uppercase (capital) letters.
- Require a Minimum of Uppercase Characters: Enter a number to identify the least number of uppercase letters required. To allow but not require uppercase letters, set this value at zero.
- Limit Consecutively Repeated Uppercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated uppercase letters. You must enter a Maximum Allowed Characters value of one or more.
- Exclude these Uppercase Characters: Enter any uppercase characters you want to exclude from the password. This field is case-sensitive.
- Allow Lowercase: Select to allow lowercase (small) letters.
- Require a Minimum of Lowercase Characters: Enter a number to identify the least number of lowercase letters required. To allow but not require lowercase letters, set this value at zero.
- Limit Consecutively Repeated Lowercase Characters: If you allowed repeated characters earlier, select the check box to limit the number of consecutively repeated lowercase letters. You must enter a Maximum Allowed Characters value of one or more.
- Excluded these Lowercase Characters: Enter any lowercase characters you want to exclude from the password. This field is case sensitive.
-
Limit Consecutively Repeated Alpha Characters: To set the number of repeated lowercase or uppercase letters combined, enter the Maximum Allowed Characters.
For example, if you set the Max Allowed at 2 then you can not have more than two alphabet characters next to each other in the password. Using this example, Ab1Cd2EF is valid but AbC1d2EF is not because it has three alphabet characters in a row.
- Allow Numeric Character (0-9): Select to allow numeric characters in the password.
- Require a Minimum of Numeric Characters: Enter a number to identify the amount of numbers required in a password. To allow but not require numbers, set this value at zero.
- Limit Consecutively Repeated Numeric Characters: Select the check box to limit the number of consecutively repeated numeric characters. You must enter a Maximum Allowed Characters value of one or more.
- Exclude these Numeric Characters: Enter any numeric characters you want to exclude from the password. This field is case sensitive.
-
Allow Symbols (e.g. @ # $ % &): Select this check box to allow characters that are printable ASCII characters. These often include: ~ ` ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /
- Require a Minimum of Symbols: Enter a number to identify the least number of symbols required. To allow but not require symbols, set this value at zero.
- Limit Consecutively Repeated Symbols: If you allowed repeated characters earlier, select the check box to limit the number of symbols that can repeat consecutively. You must enter a Maximum Allowed Characters value of one or more.
- Set the following:
- Valid Symbols: Select this option to enter allowable special characters. Enter the allowable symbols in the Symbol List text box.
- Invalid Symbols: Select this option to enter prohibited special characters. Enter the prohibited symbols in the Symbol List text box.
- Click Test Rule to check the rules set.
- When the rules are complete, click OK.
A password sync group is used to control password validation and reset across all associated accounts. The same password is used for one or more accounts associated with the same or different assets. For example, synchronized passwords can be used for accounts that support clusters or systems that sync between development, test, and production. An account can belong to only one password sync group. Multiple password sync groups can be added to a profile.
The profile change schedule is applied to the sync group. The sync group controls the tasks to change the passwords for the accounts in the sync group. Change tasks occur in the order of password sync group account priority. If synchronization fails for an individual account in the sync group, the account is retried multiple times and, if failing after that, the sync task halts and is rescheduled. The administrator must correct the cause of the failure for the sync task to continue.
If an account is associated with a profile with a daily check schedule and also associated with a password sync group, a mismatch on the daily check will trigger a task to set the account password to the current sync group password.
For more information, see Creating a password profile.
Password sync group account priority
When an account is added to a password sync group, the default priority is 0, which is the highest priority. Subsequent numbers are lower priority (for example, 0, 1, or 2, where 0 is the highest priority and 2 is the lowest). Priority determines the order in which account passwords are changed. If all accounts have the same priority, they are synchronized simultaneously. When different priorities are set, accounts at the highest priority (for example, 0) are synchronized first. If priority 0 is successful, accounts at the next priority are synchronized. If any account at a priority fails, the synchronization processing stops and the group is scheduled for synchronization retry. For example, a cluster of systems may have an admin account with the same password. If one primary system is set at priority 0 and the subordinates are set at priority 1, the password change on the primary must be successful before the passwords on the subordinates are changed. If the primary password change fails, the subordinates are unaffected, the cluster continues to function, password change is rescheduled, and the error is logged.
Navigate to Asset Management > Profiles > View Password Profile Components > Password Sync Groups.
Table 161: Sync Groups: Properties
Enable |
If Enable is selected, the sync runs with the profile change schedule. |
Status |
The Status displays if all account passwords are in sync with the password sync group. The Status is if any password for any account within the sync group does not match the common password. |
Name |
The name of the password sync group. |
Accounts |
The number of accounts to synchronize with a common password. |
Next Sync Date |
The date the sync group password will be synchronized across all accounts. |
Description |
Information about the rule. |
Use the following toolbar buttons to manage password sync groups.
NOTE: Changes made from the Password Sync Groups pane are reflected in the password sync groups in the profile. See Creating a password profile.
Table 162: Sync Groups: Toolbar
Add |
Add a password sync group. For more information, see Adding a password sync group. |
Delete |
Permanently remove the selected password sync group. |
View Details |
Modify the selected password sync group rule. |
Change Sync Group Password |
Change the password for the selected sync group. All accounts in the password sync group synchronize with the new password. |
Refresh |
Update the list of password sync groups. |
Search |
To locate a value in this list, enter the character string to be used to search for a match. For more information, see Search box. |