Authentication Tasks

How to Change Internal Account Policies

Here are the initial server-level policies for internal accounts:

Accounts don't expire and aren't suspended due to inactivity.
Passwords must be at least six characters, don't have to include numbers or mixed case, and don't expire.
The five most recent passwords can't be reused.
After three failed attempts to log on, an account is locked for one hour. An administrator can unlock the account by accessing the Accounts tab in the user's definition in SAS Management Console.
A forced password change occurs on first use and after a password is reset. This policy applies only to accounts with passwords that periodically expire. By initial policy, passwords don't expire, so forced password changes don't occur.

To change these settings for all internal accounts (except those that have an overriding per-account setting), edit the metadata server's omaconfig.xml file and restart that server. Here is the syntax:

Note: The following option names are case-sensitive. [cautionend]

Note: A value of T has aliases (1 or Y). A value of F has aliases (0 or N). [cautionend]

ChangeDelayInMinutes="number"

specifies the number of minutes that must elapse between password changes. Applies only when you are resetting your own password.

Range:	0-1440
Default:	0

DigitRequired="T | F"

specifies whether passwords must include at least one digit. To enforce this requirement, specify T.

Default:

ExpirationDays="number"

specifies the number of days after password is set that the password expires. A value of 0 prevents passwords from expiring.

Range:	0-32767
Default:	0

ExpirePasswordOnReset="T | F"

specifies whether a forced password change occurs on first use and after an administrative password reset. To disable this requirement, specify F.

Default:	T
Exceptions:	This option affects only accounts with passwords that expire and doesn't apply when you reset your own password.

MinLength="number-of-characters"

specifies the minimum length for passwords.

Range:	1-32
Default:	6

MixedCase="T | F"

specifies whether passwords must include at least one upper case letter and at least one lower case letter. To enforce this requirement, specify T.

Default:

NumPriorPasswords="number"

specifies the number of passwords that are maintained in each account's password history. A user can't reuse a password that is in the user's account history.

Range:	0-5
Default:	5

InactiveDaysToSuspension="number"

specifies the number of days after which an unused account is suspended. A value of 0 prevents suspensions due to inactivity.

Range:	0-32767
Default:	0

LockoutDurationInMinutes="number"

specifies the number of minutes for which an account is locked following excessive login failures.

Range:	1-2³¹
Default:	60

NumFailuresForLockout="number"

specifies the number of consecutive unsuccessful logon attempts that cause an account to be locked. We recommend that you do not specify 0, because doing so can make your system vulnerable to password guessing attacks.

Range:	0-100
Default:	3

Per-Account Policies

To override server-level policies on a per-account basis:

Log on to SAS Management Console as someone who has user administration capabilities.
On the Plug-ins tab, select User Manager (in the foundation repository).
In the display pane, clear the Show Groups and Show Roles check boxes. Right-click the user definition of the user whose SAS internal account policies you want to change. Select Properties.
At the bottom of the user's Accounts tab, click Update.

Make changes in the Custom Settings box. Not all server-level settings can be modified on a per-account basis.

Note: There are two distinct expiration settings. Don't confuse the account expiration date with the password expiration period. [cautionend]

Note: To minimize administrative maintenance effort for any predefined or service identities that have internal accounts, don't add expiration dates to these accounts or expiration periods to these passwords. [cautionend]

The following table maps server-level policies to corresponding account-level policies. Not all policies can be set at both levels.

Internal Account Policy Mapping
Server-Level Policy	Related Account Level Setting
ExpirationDays	Set a custom password expiration period.
LockoutDurationinMinutes NumFailuresForLockout	Exempt from account lockout policy.
NumPriorPasswords	Exempt from password reuse policy.

For example, if you want to force a particular user to change his or her internal password after you create (or reset) the user's internal account, but you don't otherwise want the password to expire, set per-account settings as depicted in the following display.

[untitled graphic]

By using the maximum password expiration period, 32767 days (approximately 89 years) you force a password change on first use but don't require any further password updates in a plausible time frame.

	SAS Internal Authentication
	How to Configure SAS Internal Authentication