security login role config show

Show local user account restrictions

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login role config show command displays the following information about account restrictions for management-utility user accounts:

  • Role name -role

  • Minimum size of the password, in characters -passwd-minlength

  • Whether the password requires alphanumeric characters -passwd-alphanum

  • Number of previous passwords that cannot be reused -disallowed-reuse

  • Minimum number of days that must elapse before users can change their passwords -change-delay

You can display detailed information about the restrictions on a specific account by specifying the -role parameter. This adds the following information:

  • Minimum length of the user name, in characters -username-minlength

  • Whether the user name requires alphanumeric characters -username-alphanum

  • Minimum length of the password, in characters -passwd-minlength

  • Whether the password requires alphanumeric characters -passwd-alphanum

  • Minimum number of special characters required in password -passwd-min-special-chars

  • Minimum number of lowercase characters required in password -passwd-min-lowercase-chars

  • Minimum number of uppercase characters required in password -passwd-min-uppercase-chars

  • Minimum number of digits required in password -passwd-min-digits

  • Minimum number of days that must elapse before users can change their passwords -change-delay

  • Whether the password must be changed at the initial login -require-initial-passwd-update

  • Password-expiration time, in days -passwd-expiry-time

  • Number of days before password expiry at which a warning message is displayed -passwd-expiry-warn-time

  • Number of previous passwords that cannot be reused -disallowed-reuse

  • Maximum number of failed login attempts permitted before the account is locked out -max-failed-login-attempts

  • (DEPRECATED) Number of days for which the user account is locked after the maximum number of failed login attempts is reached -lockout-duration. For roles that were created in a release before ONTAP 9.15.0 with the default value of 0, this value is automatically changed to 1 during the upgrade to ONTAP 9.15.0. In other words, the value of this field for roles created before ONTAP 9.15.0 defaults to 24 hours. For roles created in ONTAP 9.15.0 or later, the value of this field defaults to 1 hour. This parameter is deprecated in ONTAP 9.15.0 and later and might be removed in a future release of ONTAP.

  • Account-expiration time, in days -account-expiry-time

  • Maximum duration of inactivity before account expiration, in days -account-inactive-limit

  • Delay after each failed login attempt, in seconds -delay-after-failed-login

  • Duration for which the user account is locked after the maximum number of failed login attempts is reached -account-lockout-duration

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields <fieldname>, …​ parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all fields.

[-vserver <vserver name>] - Vserver

Selects the profile configurations that match this parameter value.

[-role <text>] - Role Name

If this parameter is specified, the command displays detailed information about restrictions for the specified user account.

[-username-minlength <integer>] - Minimum Username Length Required

Selects the profile configurations that match this parameter value.

[-username-alphanum {enabled|disabled}] - Username Alpha-Numeric

Selects the profile configurations that match this parameter value. Enabled means a user name must contain both letters and numbers.

[-passwd-minlength <integer>] - Minimum Password Length Required

Selects the profile configurations that match this parameter value.

[-passwd-alphanum {enabled|disabled}] - Password Alpha-Numeric

Selects the profile configurations that match this parameter value. Enabled means a password must contain both letters and numbers.

[-passwd-min-special-chars <integer>] - Minimum Number of Special Characters Required in the Password

Selects the profile configurations that match this parameter value.

[-passwd-expiry-time <integer_or_unlimited>] - Password Expires In (Days)

Selects the profile configurations that match this parameter value.

[-require-initial-passwd-update {enabled|disabled}] - Require Initial Password Update on First Login

Selects the profile configurations that match this parameter value.

[-max-failed-login-attempts <integer>] - Maximum Number of Failed Attempts

Selects the profile configurations that match this parameter value.

[-lockout-duration <integer>] - (DEPRECATED)-Maximum Lockout Period (Days)

Selects the profile configurations that match this parameter value.

[-disallowed-reuse <integer>] - Disallow Last 'N' Passwords

Selects the profile configurations that match this parameter value.

[-change-delay <integer>] - Delay Between Password Changes (Days)

Selects the profile configurations that match this parameter value.

[-delay-after-failed-login <integer>] - Delay after Each Failed Login Attempt (Secs)

Selects the profile configurations that match this parameter value.

[-passwd-min-lowercase-chars <integer>] - Minimum Number of Lowercase Alphabetic Characters Required in the Password

Selects the profile configurations that match this parameter value.

[-passwd-min-uppercase-chars <integer>] - Minimum Number of Uppercase Alphabetic Characters Required in the Password

Selects the profile configurations that match this parameter value.

[-passwd-min-digits <integer>] - Minimum Number of Digits Required in the Password

Selects the profile configurations that match this parameter value.

[-passwd-expiry-warn-time <integer_or_unlimited>] - Display Warning Message Days Prior to Password Expiry (Days)

Selects the profile configurations that match this parameter value.

[-account-expiry-time <integer_or_unlimited>] - Account Expires in (Days)

Selects the profile configurations that match this parameter value.

[-account-inactive-limit <integer_or_unlimited>] - Maximum Duration of Inactivity before Account Expiration (Days)

Selects the profile configurations that match this parameter value.

[-account-lockout-duration {P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W | disabled}] - Account Lockout Duration (ISO 8601 Duration Format)

Selects the profile configurations that match this parameter value.

Examples

The example below displays restriction information about all user accounts:

cluster1::> security login role config show
                          ----- Password Restrictions -----
Vserver     RoleName      Size AlphaNum NoReuse ChangeDelay
----------- ------------- ---- -------- ------- -----------
vs          vsadmin          8  enabled       6      0 days
vs          vsadmin-protocol 8  enabled       6      0 days
vs          vsadmin-readonly 8  enabled       6      0 days
vs          vsadmin-volume   8  enabled       6      0 days
cluster1    admin            6  enabled       6      0 days
cluster1    readonly         6  enabled       6      0 days
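
The summary table above can be checked against a password baseline automatically. The following Python script is an added example, not part of the ONTAP documentation: it parses the default output format shown above and reports roles that fall short. The baseline values and the names `parse_rows` and `audit` are assumptions made for illustration.

```python
import re

# Sample input: the command output from the Examples section above.
SAMPLE = """\
cluster1::> security login role config show
                          ----- Password Restrictions -----
Vserver     RoleName      Size AlphaNum NoReuse ChangeDelay
----------- ------------- ---- -------- ------- -----------
vs          vsadmin          8  enabled       6      0 days
vs          vsadmin-protocol 8  enabled       6      0 days
vs          vsadmin-readonly 8  enabled       6      0 days
vs          vsadmin-volume   8  enabled       6      0 days
cluster1    admin            6  enabled       6      0 days
cluster1    readonly         6  enabled       6      0 days
"""

# Long role names overflow their column, so match on whitespace, not offsets.
ROW = re.compile(
    r"^(?P<vserver>\S+)\s+(?P<role>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<alphanum>enabled|disabled)\s+(?P<noreuse>\d+)\s+(?P<delay>\d+) days\s*$"
)

# Assumed baseline for illustration; substitute your own policy values.
BASELINE = {"size": 8, "noreuse": 6}

def parse_rows(text):
    """Return one dict per data row; prompt, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row.update({k: int(row[k]) for k in ("size", "noreuse", "delay")})
            rows.append(row)
    return rows

def audit(rows, baseline=BASELINE):
    """Return (vserver, role, field, actual, required) for each shortfall."""
    findings = []
    for row in rows:
        if row["alphanum"] != "enabled":
            findings.append((row["vserver"], row["role"], "alphanum", "disabled", "enabled"))
        for field, required in baseline.items():
            if row[field] < required:
                findings.append((row["vserver"], row["role"], field, row[field], required))
    return findings

if __name__ == "__main__":
    print(*audit(parse_rows(SAMPLE)), sep="\n")
```

With the sample output, the script reports the cluster1 admin and readonly roles, whose minimum password size of 6 is below the assumed baseline of 8.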