security login role config modify

Modify local user account restrictions

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login role config modify command modifies user account and password restrictions.

For the password character restrictions documented below (uppercase, lowercase, digits, etc.), the term "characters" refers to ASCII-range characters only - not extended characters.

Parameters

-vserver <vserver name> - Vserver
This specifies the Vserver name associated with the profile configuration.
-role <text> - Role Name
This specifies the role whose account restrictions are to be modified.
[-username-minlength <integer>] - Minimum Username Length Required
This specifies the required minimum length of the user name. Supported values are 3 to 16 characters. The default setting is 3 characters.
[-username-alphanum {enabled|disabled}] - Username Alpha-Numeric
This specifies whether a mix of alphabetic and numeric characters is required in the user name. If this parameter is enabled, a user name must contain at least one letter and one number. The default setting is disabled.
[-passwd-minlength <integer>] - Minimum Password Length Required
This specifies the required minimum length of a password. Supported values are 3 to 64 characters. The default setting is 8 characters.
[-passwd-alphanum {enabled|disabled}] - Password Alpha-Numeric
This specifies whether a mix of alphabetic and numeric characters is required in the password. If this parameter is enabled, a password must contain at least one letter and one number. The default setting is enabled.
[-passwd-min-special-chars <integer>] - Minimum Number of Special Characters Required in the Password
This specifies the minimum number of special characters required in a password. Supported values are from 0 to 64 special characters. The default setting is 0, which requires no special characters.
[-passwd-expiry-time <unsigned32_or_unlimited>] - Password Expires In (Days)
This specifies password expiration in days. A value of 0 means all passwords associated with the accounts in the role expire now. The default setting is unlimited, which means the passwords never expire.
[-require-initial-passwd-update {enabled|disabled}] - Require Initial Password Update on First Login
This specifies whether users must change their passwords when logging in for the first time. Initial password changes can be done only through SSH or serial-console connections. The default setting is disabled.
[-max-failed-login-attempts <integer>] - Maximum Number of Failed Attempts
This specifies the allowed maximum number of consecutive invalid login attempts. When the failed login attempts reach the specified maximum, the account is automatically locked. The default is 0, which means failed login attempts do not cause an account to be locked.
[-lockout-duration <integer>] - Maximum Lockout Period (Days)
This specifies the number of days for which an account is locked if the failed login attempts reach the allowed maximum. The default is 0, which means the accounts will be locked for 1 day.
[-disallowed-reuse <integer>] - Disallow Last 'N' Passwords
This specifies the number of previous passwords that are disallowed for reuse. The default setting is six, meaning that the user cannot reuse any of their last six passwords. The minimum allowed value is 6.
[-change-delay <integer>] - Delay Between Password Changes (Days)
This specifies the number of days that must pass between password changes. The default setting is 0.
[-delay-after-failed-login <integer>] - Delay after Each Failed Login Attempt (Secs)
This specifies the delay, in seconds, that the system imposes after each invalid login attempt. The default setting is 4 seconds.
[-passwd-min-lowercase-chars <integer>] - Minimum Number of Lowercase Alphabetic Characters Required in the Password
This specifies the minimum number of lowercase characters required in a password. Supported values are from 0 to 64 lowercase characters. The default setting is 0, which requires no lowercase characters.
[-passwd-min-uppercase-chars <integer>] - Minimum Number of Uppercase Alphabetic Characters Required in the Password
This specifies the minimum number of uppercase characters required in a password. Supported values are from 0 to 64 uppercase characters. The default setting is 0, which requires no uppercase characters.
[-passwd-min-digits <integer>] - Minimum Number of Digits Required in the Password
This specifies the minimum number of digits required in a password. Supported values are from 0 to 64 digits. The default setting is 0, which requires no digits.
[-passwd-expiry-warn-time <unsigned32_or_unlimited>] - Display Warning Message Days Prior to Password Expiry (Days)
This specifies the warning period for password expiry in days. A value of 0 means the user is warned about password expiry upon every successful login. The default setting is unlimited, which means the user is never warned about password expiry.
[-account-expiry-time <unsigned32_or_unlimited>] - Account Expires in (Days)
This specifies account expiration in days. The default setting is unlimited, which means the accounts never expire. The account expiry time must be greater than the account inactive limit.
[-account-inactive-limit <unsigned32_or_unlimited>] - Maximum Duration of Inactivity before Account Expiration (Days)
This specifies the inactive account expiry limit in days. The default setting is unlimited, which means inactive accounts never expire. The account inactive limit must be less than the account expiry time.

Examples

The following command modifies the user-account restrictions for an account with the role name admin for a Vserver named vs. The minimum size of the password is set to 12 characters.
cluster1::> security login role config modify -role admin -vserver vs -passwd-minlength 12
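
The documented ranges, defaults and the expiry/inactivity ordering rule can be checked before the command is issued. The following Python check is an added example, not part of the original page or of ONTAP; the function name check_role_config and the message texts are hypothetical, and it assumes the ordering rule applies only when both values are numeric.

```python
# Added example: pre-flight check for `security login role config modify` values.
# Ranges, defaults and the meaning of 0 are taken from the parameter list above;
# the function name and message texts are hypothetical.
UNLIMITED = "unlimited"

RANGES = {  # parameter -> (min, max) supported values
    "username-minlength": (3, 16),
    "passwd-minlength": (3, 64),
    "passwd-min-special-chars": (0, 64),
    "passwd-min-lowercase-chars": (0, 64),
    "passwd-min-uppercase-chars": (0, 64),
    "passwd-min-digits": (0, 64),
}

DEFAULTS = {  # documented defaults for every setting checked here
    "username-minlength": 3, "passwd-minlength": 8,
    "passwd-min-special-chars": 0, "passwd-min-lowercase-chars": 0,
    "passwd-min-uppercase-chars": 0, "passwd-min-digits": 0,
    "passwd-expiry-time": UNLIMITED, "max-failed-login-attempts": 0,
    "lockout-duration": 0, "disallowed-reuse": 6,
    "account-expiry-time": UNLIMITED, "account-inactive-limit": UNLIMITED,
}

def check_role_config(requested):
    """Return (errors, notes) for a dict of requested parameter values."""
    cfg = {**DEFAULTS, **requested}
    errors, notes = [], []
    for name, (lo, hi) in RANGES.items():
        if not lo <= cfg[name] <= hi:
            errors.append(f"-{name} {cfg[name]}: supported values are {lo} to {hi}")
    if cfg["disallowed-reuse"] < 6:
        errors.append("-disallowed-reuse: minimum allowed value is 6")
    expiry, inactive = cfg["account-expiry-time"], cfg["account-inactive-limit"]
    # Assumption: the ordering rule is only checked when both values are numeric.
    if UNLIMITED not in (expiry, inactive) and inactive >= expiry:
        errors.append("-account-inactive-limit must be less than -account-expiry-time")
    if cfg["max-failed-login-attempts"] == 0:
        notes.append("failed logins never lock accounts in this role")
    elif cfg["lockout-duration"] == 0:
        notes.append("-lockout-duration 0 locks accounts for 1 day")
    if cfg["passwd-expiry-time"] == 0:
        notes.append("all passwords in this role expire immediately")
    return errors, notes

if __name__ == "__main__":
    # Constructed input: the page's example plus a lockout threshold.
    print(check_role_config({"passwd-minlength": 12, "max-failed-login-attempts": 5}))
```

Errors are values the parameter descriptions rule out; notes restate documented effects of 0 that are easy to overlook when reviewing a role.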