Back Forward System Settings -- Security Policies tab

Security Policies

The Security Policies tab is visible to operators who have the pzViewAuthPoliciesLP privilege in their Access Roles. This privilege is part of the role PegaRULES:SysAdm4.

The tab controls the appearance and functions of a CAPTCHA, a test that verifies that a human, not a computer process, is attempting to log in or change an operator password. The user must enter the characters that appear above an image that makes it difficult for a machine to read the characters. If you cannot read the characters, click the Refresh button to get a different image and character set.

A CAPTCHA may appear on the login screen when the user first attempts to log into the system from a given computer or after an authentication failure, and on the password-change screen. The goal is to counter "brute-force" automated attacks on system security.

The tab offers a check box, a button, and a series of settings that allow the operator to fine-tune CAPTCHA behavior. Each setting has default, minimum, and maximum values.

Check the Enable Security Policies check box to enable the settings the tab displays. Uncheck the check box to prevent the CAPTCHA functions from operating.

Click Display Audit Log to display the log that can record login attempts. Audit log behavior is governed by The Audit log level policy setting, described below.

A Report Definition report displays the "Security Audit Log" report, with a default filter to display all audit events (the filter is set to ".pxCreateDateTime is Less or Equal to Current Month"). Click the link to the right of "Filters in the report header to adjust the date range.

For each logged event, the log captures:

Click View History to see a report of changes to security settings, including the date, the operator who made the change, and what change was made.

You can set the following policies:

Policy Notes Default value Min value Max value
Minimum operator identifier (ID) length   8 3 64
Minimum operator password length   8 3 64
Minimum numeric [0-9] characters required in operator password   1 0 64
Minimum alphabetic [a-zA-Z] characters required in operator password   1 0 64
Minimum special characters required in operator password The available special characters are: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } [ ] | \ : " ; ' < >? , . / 1 0 64
Minimum unique historical operator passwords If the value is 5, you cannot change your password to match any of the most recent five passwords you used. 5 0 128
Maximum operator password age

The maximum number of days before the operator must change the password.

Note: If you set the value to 0, the password will never expire. To have the password expire, select a value between 1 and 128

5 0 128
CAPTCHA implementation

If Default, the system presents the CAPTCHA implementation shipped with Pega 7.

If Custom, the system presents the custom CAPTCHA implementation enabled for this system. An application can make use of third-party CAPTCHA solutions on the application login screen; however, a certain amount of developer work is required to prepare the custom RuleSet to deliver the third-party resource.

Default    
Enable CAPTCHA Reverse Turing Test Module If enabled, the system presents the CAPTCHA upon authentication failure, with a probability set by the following field.
If disabled, no CAPTCHA is presented even on login failure.
Enabled    
Probability that CAPTCHA will be presented upon authentication failure If the CAPTCHA Revers Turing Test is enabled in the field above, the percentage set here is the likelihood CAPTCHA appears. 5 0 100
Enable presentation of CAPTCHA upon initial login If enabled, CAPTCHA displays the first time the user tries to log on a new system or from a new compute. Enabled    
Enable authentication lockout penalty mechanism If enabled, after n failed login attempts, the system imposes a delay of mm seconds after every unsuccessful login attempt. The values are set in the fields below. Enabled    
Failed login attempts before employing authentication lockout penalty After the number of failed attempts set here, the user will experience a delay after each further attempt. The delay will get longer with each attempt. 5 0 128
Initial authentication lockout penalty Set the initial delay, in seconds 8 0 128
Audit log level Set the Audit log level: the options are
  • None — No log entry is added.
  • Basic — Record failed login attempts only.
  • Advanced — Record failed and successful login attempts.

For an example, see PDN article How to configure login security and password policies.

AdvancedMore advanced customizations are possible. See PDN article Customizing CAPTCHA presentation and function.