How to Change Internal Account Policies

Server-Level Policies

Initial Server-Level Policies

Here are the initial server-level policies for internal accounts:
  • Accounts don't expire and aren't suspended due to inactivity.
  • Passwords must be at least six characters, don't have to include numbers or mixed case, and don't expire.
  • The five most recent passwords can't be reused.
  • After three failed attempts to log on, an account is locked for one hour. An administrator can unlock the account by accessing the Accounts tab in the user's definition in SAS Management Console.
  • A forced password change occurs on first use and after a password is reset. This policy applies only to accounts with passwords that periodically expire. By initial policy, passwords don't expire, so forced password changes don't occur.

Syntax for the InternalAuthenticationPolicy Element

To change the server-level policies, edit the InternalAuthenticationPolicy element in the metadata server's omaconfig.xml file, and then restart that server.
Here is the syntax for each policy option:
Note: The following option names are case-sensitive.
Note: A value of T has aliases (1 or Y). A value of F has aliases (0 or N).
specifies the number of minutes that must elapse between password changes. Applies only when you are resetting your own password.
DigitRequired="T | F"
specifies whether passwords must include at least one digit. To enforce this requirement, specify T.
specifies the number of days after password is set that the password expires. A value of 0 prevents passwords from expiring.
ExpirePasswordOnReset="T | F"
specifies whether a forced password change occurs on first use and after an administrative password reset. To disable this requirement, specify F.
HashPasswords="SHA256 | MD5"
specifies how the internal account password is stored in the metadata.
SHA256 the SHA-256 hash function is used. SHA (secure hash algorithm) is FIPS (Federal Information Processing Standard) compliant. If you have SAS/SECURE, this is the default.
MD5 MD5 hashing is used. MD5 (message digest algorithm 5) is appropriate for preventing accidental exposure of information. If you don't have SAS/SECURE, this is the default.
Passwords that are stored in SHA-256 format become unusable and inaccessible if SAS/SECURE is unavailable.
If you use SAS/SECURE, it is important to keep your SAS/SECURE license current. If you choose to discontinue use of SAS/SECURE, you must revert all stored internal account passwords to MD5 format before you uninstall the software. To revert passwords, set HashPasswords="MD5", restart the metadata server, and update the password in every internal account.
specifies the minimum length for passwords.
MixedCase="T | F"
specifies whether passwords must include at least one upper case letter and at least one lower case letter. To enforce this requirement, specify T.
specifies the number of passwords that are maintained in each account's password history. A user can't reuse a password that is in the user's account history.
specifies the number of days after which an unused account is suspended. A value of 0 prevents suspensions due to inactivity.
specifies the number of minutes for which an account is locked following excessive login failures.
specifies the number of consecutive unsuccessful logon attempts that cause an account to be locked. We recommend that you do not specify 0, because doing so can make your system vulnerable to password guessing attacks.

Example of the InternalAuthenticationPolicy Element

<InternalAuthenticationPolicy ChangeDelayInMinutes="0" DigitRequired="F"
 ExpirationDays="0" MinLength="6" MixedCase="F" NumPriorPasswords="5"
 InactiveDaysToSuspension="0" LockoutDurationInMinutes="60"

Per-Account Policies

To override server-level policies on a per-account basis:
  1. Log on to SAS Management Console as someone who has user administration capabilities.
  2. On the Plug-ins tab, select User Manager (in the foundation repository).
  3. In the display pane, clear the Show Groups and Show Roles check boxes. Right-click the user definition of the user whose SAS internal account policies you want to change. Select Properties.
  4. At the bottom of the user's Accounts tab, click Update.
  5. Make changes in the Custom Settings box. Not all server-level settings can be modified on a per-account basis.
    Note: There are two distinct expiration settings. Don't confuse the account expiration date with the password expiration period.
    Note: To minimize administrative maintenance effort for any predefined or service identities that have internal accounts, don't add expiration dates to these accounts or expiration periods to these passwords.
    The following table maps server-level policies to corresponding account-level policies. Not all policies can be set at both levels.
    Internal Account Policy Mapping
    Server-Level Policy
    Related Account Level Setting
    Set a custom password expiration period.
    Exempt from account lockout policy.
    Exempt from account lockout policy.
    Exempt from password reuse policy.
If you want to force a particular user to change his or her internal password after you create (or reset) the user's internal account, but you don't otherwise want the password to expire, set a custom password expiration period of 32767 days (approximately 89 years).