
security login role config modify


Modify local user account restrictions

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login role config modify command modifies user account and password restrictions.

For the password character restrictions documented below (uppercase, lowercase, digits, etc.), the term "characters" refers to ASCII-range characters only, not extended characters.

Parameters

-vserver <vserver name> - Vserver

This specifies the Vserver name associated with the profile configuration.

-role <text> - Role Name

This specifies the role whose account restrictions are to be modified.

[-username-minlength <integer>] - Minimum Username Length Required

This specifies the required minimum length of the user name. Supported values are 3 to 16 characters. The default setting is 3 characters.

[-username-alphanum {enabled|disabled}] - Username Alpha-Numeric

This specifies whether a mix of alphabetic and numeric characters is required in the user name. If this parameter is enabled, a user name must contain at least one letter and one number. The default setting is disabled.

[-passwd-minlength <integer>] - Minimum Password Length Required

This specifies the required minimum length of a password. Supported values are 3 to 64 characters. The default setting is 8 characters.

[-passwd-alphanum {enabled|disabled}] - Password Alpha-Numeric

This specifies whether a mix of alphabetic and numeric characters is required in the password. If this parameter is enabled, a password must contain at least one letter and one number. The default setting is enabled.

[-passwd-min-special-chars <integer>] - Minimum Number of Special Characters Required in the Password

This specifies the minimum number of special characters required in a password. Supported values are from 0 to 64 special characters. The default setting is 0, which requires no special characters.

[-passwd-expiry-time <integer_or_unlimited>] - Password Expires In (Days)

This specifies password expiration in days. A value of 0 means all passwords associated with the accounts in the role expire now. The default setting is unlimited, which means the passwords never expire.

[-require-initial-passwd-update {enabled|disabled}] - Require Initial Password Update on First Login

This specifies whether users must change their passwords when logging in for the first time. Initial password changes can be done only through SSH or serial-console connections. The default setting is disabled.

[-max-failed-login-attempts <integer>] - Maximum Number of Failed Attempts

This specifies the allowed maximum number of consecutive invalid login attempts. When the failed login attempts reach the specified maximum, the account is automatically locked. The default is 5, which means 5 failed login attempts will cause an account to be locked.

[-lockout-duration <integer>] - (DEPRECATED)-Maximum Lockout Period (Days)

(DEPRECATED)-This specifies the number of days for which an account is locked if the failed login attempts reach the allowed maximum. The default is 0, which means the accounts will be locked for 1 hour. For roles that were created in a release before ONTAP 9.15.0 with the default value of 0, this value is automatically changed to 1 during upgrade to ONTAP 9.15.0. In other words, the value of this field for roles created before ONTAP 9.15.0 defaults to 24 hours. For roles created in ONTAP 9.15.0 or later, the value of this field defaults to 1 hour. This parameter is deprecated in ONTAP 9.15.0 and later. It may be removed from a future release of ONTAP.

[-disallowed-reuse <integer>] - Disallow Last 'N' Passwords

This specifies the number of previous passwords that are disallowed for reuse. The default setting is six, meaning that the user cannot reuse any of their last six passwords. The minimum allowed value is 6.

[-change-delay <integer>] - Delay Between Password Changes (Days)

This specifies the number of days that must pass between password changes. The default setting is 0.

[-delay-after-failed-login <integer>] - Delay after Each Failed Login Attempt (Secs)

This specifies the amount of delay observed by the system in seconds upon invalid login attempts. The default setting is 4 seconds.

[-passwd-min-lowercase-chars <integer>] - Minimum Number of Lowercase Alphabetic Characters Required in the Password

This specifies the minimum number of lowercase characters required in a password. Supported values are from 0 to 64 lowercase characters. The default setting is 0, which requires no lowercase characters.

[-passwd-min-uppercase-chars <integer>] - Minimum Number of Uppercase Alphabetic Characters Required in the Password

This specifies the minimum number of uppercase characters required in a password. Supported values are from 0 to 64 uppercase characters. The default setting is 0, which requires no uppercase characters.

[-passwd-min-digits <integer>] - Minimum Number of Digits Required in the Password

This specifies the minimum number of digits required in a password. Supported values are from 0 to 64 digits. The default setting is 0, which requires no digits.
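The password character rules above (-passwd-minlength, -passwd-alphanum and the four minimum-count parameters), as an added local pre-check that a candidate password satisfies a role's restrictions; this is example code, not ONTAP's own validation. The ROLE_CONFIG and HARDENED_CONFIG values are constructed, and treating a "special character" as printable non-space ASCII that is not a letter or digit, and counting every character toward the length, are assumptions.

```python
# Role restrictions mirrored from the parameters on this page. These values
# are constructed defaults for the example, not read from a live cluster.
ROLE_CONFIG = {
    "passwd-minlength": 8,
    "passwd-alphanum": "enabled",
    "passwd-min-special-chars": 0,
    "passwd-min-lowercase-chars": 0,
    "passwd-min-uppercase-chars": 0,
    "passwd-min-digits": 0,
}


def check_password(password, cfg=ROLE_CONFIG):
    """Return the names of the restrictions the password violates.

    An empty list means the password satisfies every rule in cfg. As the
    page notes, only ASCII-range characters count toward the character
    class rules, so an accented letter adds nothing to the counts.
    """
    ascii_chars = [c for c in password if ord(c) < 128]
    lower = sum(c.islower() for c in ascii_chars)
    upper = sum(c.isupper() for c in ascii_chars)
    digits = sum(c.isdigit() for c in ascii_chars)
    # Assumption: a "special character" is a printable, non-space ASCII
    # character that is neither a letter nor a digit.
    special = sum(33 <= ord(c) <= 126 and not c.isalnum() for c in ascii_chars)

    problems = []
    # Assumption: the length limit counts every character, ASCII or not.
    if len(password) < cfg["passwd-minlength"]:
        problems.append("passwd-minlength")
    if cfg["passwd-alphanum"] == "enabled" and (lower + upper == 0 or digits == 0):
        problems.append("passwd-alphanum")
    for key, have in (
        ("passwd-min-special-chars", special),
        ("passwd-min-lowercase-chars", lower),
        ("passwd-min-uppercase-chars", upper),
        ("passwd-min-digits", digits),
    ):
        if have < cfg[key]:
            problems.append(key)
    return problems


# A stricter profile of the kind an administrator might set with this
# command (values constructed for the example).
HARDENED_CONFIG = dict(ROLE_CONFIG, **{
    "passwd-minlength": 12,
    "passwd-min-special-chars": 1,
    "passwd-min-lowercase-chars": 1,
    "passwd-min-uppercase-chars": 1,
    "passwd-min-digits": 2,
})
```

Note the last case in the test: the leading "Ü" is an uppercase letter, but because it is outside the ASCII range it does not satisfy -passwd-min-uppercase-chars.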

[-passwd-expiry-warn-time <integer_or_unlimited>] - Display Warning Message Days Prior to Password Expiry (Days)

This specifies the warning period for password expiry in days. A value of 0 means warn the user about password expiry upon every successful login. The default setting is unlimited, which means never warn about password expiry.

[-account-expiry-time <integer_or_unlimited>] - Account Expires in (Days)

This specifies account expiration in days. The default setting is unlimited, which means the accounts never expire. The account expiry time must be greater than the account inactive limit.

[-account-inactive-limit <integer_or_unlimited>] - Maximum Duration of Inactivity before Account Expiration (Days)

This specifies the inactive account expiry limit in days. The default setting is unlimited, which means inactive accounts never expire. The account inactive limit must be less than the account expiry time.

[-account-lockout-duration {P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W | disabled}] - Account Lockout Duration (ISO 8601 Duration Format)

This specifies the duration in ISO 8601 format for which an account is locked if the failed login attempts reach the allowed maximum. The default is 1 hour. Specifying this field will set the field lockout-duration as 0 and the field account-lockout-duration will be used for further operations.
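The duration grammar given for -account-lockout-duration, as an added parser that converts a value into seconds and rejects strings outside the documented forms; this is example code, not ONTAP's own validation. It follows the grammar exactly as the page states it (P[nD]T[nH][nM][nS], PnW, or disabled), so the T separator is required in the day/time form and a bare "PT" with no components is rejected.

```python
import re

# Grammar of -account-lockout-duration as given on this page:
#   P[<n>D]T[<n>H][<n>M][<n>S]  |  P<n>W  |  disabled
_DAYTIME = re.compile(r"^P(?:(\d+)D)?T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
_WEEKS = re.compile(r"^P(\d+)W$")


def lockout_seconds(value):
    """Convert an account-lockout-duration value to a number of seconds.

    Returns None for "disabled" (no lockout) and raises ValueError for
    anything outside the documented grammar, e.g. "90s" or a bare "PT".
    """
    if value == "disabled":
        return None
    m = _WEEKS.match(value)
    if m:
        return int(m.group(1)) * 7 * 86400
    m = _DAYTIME.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"not a valid lockout duration: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def is_valid_lockout(value):
    """True when the value would be accepted by lockout_seconds()."""
    try:
        lockout_seconds(value)
    except ValueError:
        return False
    return True
```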

Examples

The following command modifies the user-account restrictions for an account with the role name admin for a Vserver named vs1. The minimum size of the password is set to 12 characters.

cluster1::> security login role config modify -role admin -vserver vs1
    -passwd-minlength 12

The following command sets the maximum allowed number of consecutive invalid login attempts to 3 and the maximum account lockout duration to 1 minute 30 seconds after 3 failed login attempts for role admin for vserver vs1:

cluster1::> security login role config modify -role admin -vserver vs1
    -max-failed-login-attempts 3 -account-lockout-duration PT1M30S