Password policy settings

Follow

Karl Hertz

• December 01, 2022 13:28

As a solution developer

I want to be able to control password settings for user passwords

So That I can make sure passwords are up to security standards

Benefits: MooD can more easily be accepted as (for instance) an external portal.

Acceptance Criteria

1. Password settings with ability control (at a minimum) password lengths.
2. Ability to differentiate between MAE only users and MBA users and set up "webb only" accounts and "client only" accounts.
3. "Nice to have": Ability to control password strength requirement based on user groups.

Customer / Originator Me

Priority Mid/High

0

• 

  Soren Staun

  • December 02, 2022 14:41

  @karl I did report that "feature" that only Administrator could see those tabs "somewhere" (??), but it's a been busy bug-reporting week this one. It still seems peculiar to me that member of the "Administrators" group cannot see this tabs.

  2

  Comment actions Permalink
• 

  Soren Staun

  • December 01, 2022 14:14
  • Edited

  Hey Karl!

  If you go to Manage Repository -> "Audit and Security Settings" (as administrator, otherwise you don't see the tabs), you'll get options to set minimum (and max) password length, also the option to enforce a certain password completely that lives up to modern standards.

  This might be a bit annoying from a MooD BA perspective? But fear not, goto the preview tab "Authentication" and set "Verify Credentials with" -> "Windows Authentication (recommended) which will give you single sign on for your MooD BA users.

  Only issue is that merging via MooD integrator is not supported with this method yet, but you'll have to punch or copy in your password.

  Could that work? This would allow easy access to MBA, but strong passwords from a web frontend? (Internet?)

   

  0

  Comment actions Permalink
• 

  Karl Hertz

  • December 02, 2022 08:52

  Hi Sören,

  Thanks! The issue was (I assume) that I didn't log in via the Administrator account, but rather with an account in the administrator group. I'll check it out.

  Sounds like it does everything we'd like it to do except for variable password policy, based on user groups (e.g. allowing for some "free to access" demo accounts with no password all the way up to very stringent security settings for admin rights).

  Thanks!

  -kHz

  0

  Comment actions Permalink
• 

  Giles Middleton

  • December 02, 2022 09:47

  Thank you @Soren for helping Karl out there. Great community spirit!

   

  Karl, for now, you can use the Anonymous account - and assign permissions to hierarchies appropriately. I know that's not a great solution for allowing you to separate users and actually track their movements. 

  If the Anonymous user isn't what you're after, then I think your safest option would be a parallel demo web site, where password policy was non-existent, users could easily log in as each other and destroy each other's work. As, with no password, i could easily log in as someone else!

   

   

  0

  Comment actions Permalink

Please sign in to leave a comment.