System Settings -- Security Policies tab
The Security Policies tab is visible to operators who have the pzViewAuthPoliciesLP privilege in their Access Roles. This privilege is part of the role PegaRULES:SysAdm4.
The tab controls the appearance and functions of a CAPTCHA, a test that verifies that a human, not a computer process, is attempting to log in or change an operator password. The user must enter the characters that appear above an image that makes it difficult for a machine to read the characters. If you cannot read the characters, click the Refresh button to get a different image and character set.
A CAPTCHA may appear on the login screen when the user first attempts to log into the system from a given computer or after an authentication failure, and on the password-change screen. The goal is to counter "brute-force" automated attacks on system security.
The tab offers a check box, a button, and a series of settings that allow the operator to fine-tune CAPTCHA behavior. Each setting has default, minimum, and maximum values.
Check the Enable Security Policies check box to enable the settings the tab displays. Uncheck the check box to prevent the CAPTCHA functions from operating.
Click Display Audit Log to display the log that can record login attempts. Audit log behavior is governed by the Audit log level policy setting, described below.
The log opens as the "Security Audit Log" report, a Report Definition report, with a default filter that displays all audit events (the filter is set to ".pxCreateDateTime is Less or Equal to Current Month"). Click the "Filters" link in the report header to adjust the date range.
For each logged event, the log captures:
Click View History to see a report of changes to security settings, including the date, the operator who made the change, and what change was made.
You can set the following policies:
Policy | Notes | Default value | Min value | Max value |
---|---|---|---|---|
Minimum operator identifier (ID) length | | 8 | 3 | 64 |
Minimum operator password length | | 8 | 3 | 64 |
Minimum numeric [0-9] characters required in operator password | | 1 | 0 | 64 |
Minimum alphabetic [a-zA-Z] characters required in operator password | | 1 | 0 | 64 |
Minimum special characters required in operator password | The available special characters are: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] \| \ : " ; ' < > ? , . / | 1 | 0 | 64 |
Minimum unique historical operator passwords | If the value is 5, you cannot change your password to match any of the five passwords you used most recently. | 5 | 0 | 128 |
Maximum operator password age | The maximum number of days before the operator must change the password. Note: If you set the value to 0, the password never expires. To have the password expire, select a value between 1 and 128. | 5 | 0 | 128 |
CAPTCHA implementation | If Default, the system presents the CAPTCHA implementation shipped with Pega 7. If Custom, the system presents the custom CAPTCHA implementation enabled for this system. An application can make use of third-party CAPTCHA solutions on the application login screen; however, a certain amount of developer work is required to prepare the custom RuleSet to deliver the third-party resource. | Default | | |
Enable CAPTCHA Reverse Turing Test Module | If enabled, the system presents the CAPTCHA upon authentication failure, with a probability set by the following field. If disabled, no CAPTCHA is presented even on login failure. | Enabled | | |
Probability that CAPTCHA will be presented upon authentication failure | If the CAPTCHA Reverse Turing Test is enabled in the field above, the percentage set here is the likelihood that the CAPTCHA appears. | 5 | 0 | 100 |
Enable presentation of CAPTCHA upon initial login | If enabled, the CAPTCHA displays the first time the user tries to log on to a new system or from a new computer. | Enabled | | |
Enable authentication lockout penalty mechanism | If enabled, after n failed login attempts, the system imposes a delay of mm seconds after every unsuccessful login attempt. The values are set in the fields below. | Enabled | | |
Failed login attempts before employing authentication lockout penalty | After the number of failed attempts set here, the user experiences a delay after each further attempt. The delay gets longer with each attempt. | 5 | 0 | 128 |
Initial authentication lockout penalty | Set the initial delay, in seconds. | 8 | 0 | 128 |
Audit log level | Set the Audit log level: the options are | | | |
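The following is an added example, not Pega code: it models the password rules and the lockout penalty from the table above with the tab's default values, so you can see how a candidate password or a run of failed logins is judged. The exact growth of the lockout delay is not stated on the tab; linear growth is this example's assumption, and the SHA-256 digest used for the password history is a stand-in for the product's credential store.

```python
import hashlib
import string

# Policy values mirror the tab's default column (constructed for this example).
POLICY = {
    "min_id_length": 8,
    "min_password_length": 8,
    "min_numeric": 1,
    "min_alpha": 1,
    "min_special": 1,
    "unique_history": 5,
    "lockout_after_failures": 5,
    "initial_penalty_seconds": 8,
}
# The special-character set the tab lists for the special-character rule.
SPECIAL = set("`~!@#$%^&*()_+-={}[]|\\:\";'<>?,./")


def digest(password):
    # Constructed stand-in for the stored credential; a real store keeps
    # salted, slow password hashes, never a bare SHA-256 of the password.
    return hashlib.sha256(password.encode()).hexdigest()


def operator_id_ok(operator_id, policy=POLICY):
    return len(operator_id) >= policy["min_id_length"]


def password_violations(password, history_digests, policy=POLICY):
    """Names of the tab's password rules that a candidate password breaks.
    history_digests holds digests of previous passwords, most recent first."""
    v = []
    if len(password) < policy["min_password_length"]:
        v.append("length")
    if sum(c in string.digits for c in password) < policy["min_numeric"]:
        v.append("numeric")
    if sum(c in string.ascii_letters for c in password) < policy["min_alpha"]:
        v.append("alphabetic")
    if sum(c in SPECIAL for c in password) < policy["min_special"]:
        v.append("special")
    # Only the N most recent passwords count, where N is the history setting.
    if digest(password) in history_digests[: policy["unique_history"]]:
        v.append("history")
    return v


def lockout_delay(consecutive_failures, policy=POLICY):
    """Seconds to wait after the given consecutive failure count. The tab only
    says the delay grows with each attempt; linear growth, one initial
    penalty per attempt past the threshold, is this example's assumption."""
    over = consecutive_failures - policy["lockout_after_failures"]
    return policy["initial_penalty_seconds"] * over if over > 0 else 0
```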
For an example, see PDN article How to configure login security and password policies.
More advanced customizations are possible. See PDN article Customizing CAPTCHA presentation and function.