security login role config modify
Modify local user account restrictions
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security login role config modify command modifies user account and password restrictions.
For the password character restrictions documented below (uppercase, lowercase, digits, etc.), the term "characters" refers to ASCII-range characters only, not extended characters; an extended character satisfies none of the per-class minimums.
Parameters
-vserver <vserver name>
- Vserver-
This specifies the Vserver name associated with the profile configuration.
-role <text>
- Role Name-
This specifies the role whose account restrictions are to be modified.
[-username-minlength <integer>]
- Minimum Username Length Required-
This specifies the required minimum length of the user name. Supported values are 3 to 16 characters. The default setting is 3 characters.
[-username-alphanum {enabled|disabled}]
- Username Alpha-Numeric-
This specifies whether a mix of alphabetic and numeric characters is required in the user name. If this parameter is enabled, a user name must contain at least one letter and one number. The default setting is disabled.
[-passwd-minlength <integer>]
- Minimum Password Length Required-
This specifies the required minimum length of a password. Supported values are 3 to 64 characters. The default setting is 8 characters.
[-passwd-alphanum {enabled|disabled}]
- Password Alpha-Numeric-
This specifies whether a mix of alphabetic and numeric characters is required in the password. If this parameter is enabled, a password must contain at least one letter and one number. The default setting is enabled.
[-passwd-min-special-chars <integer>]
- Minimum Number of Special Characters Required in the Password-
This specifies the minimum number of special characters required in a password. Supported values are from 0 to 64 special characters. The default setting is 0, which requires no special characters.
[-passwd-expiry-time <integer_or_unlimited>]
- Password Expires In (Days)-
This specifies password expiration in days. A value of 0 means all passwords associated with the accounts in the role expire now. The default setting is unlimited, which means the passwords never expire.
[-require-initial-passwd-update {enabled|disabled}]
- Require Initial Password Update on First Login-
This specifies whether users must change their passwords when logging in for the first time. Initial password changes can be done only through SSH or serial-console connections. The default setting is disabled.
[-max-failed-login-attempts <integer>]
- Maximum Number of Failed Attempts-
This specifies the allowed maximum number of consecutive invalid login attempts. When the number of consecutive failed login attempts reaches the specified maximum, the account is automatically locked. The default is 5, which means 5 consecutive failed login attempts will cause an account to be locked.
[-lockout-duration <integer>]
- (DEPRECATED)-Maximum Lockout Period (Days)-
(DEPRECATED)-This specifies the number of days for which an account is locked if the failed login attempts reach the allowed maximum. The default is 0, which means the account is locked for 1 hour. For roles created in a release before ONTAP 9.15.0 with the default value of 0, this value is automatically changed to 1 during the upgrade to ONTAP 9.15.0; in other words, for roles created before ONTAP 9.15.0 the lockout defaults to 24 hours, while for roles created in ONTAP 9.15.0 or later it defaults to 1 hour. This parameter is deprecated in ONTAP 9.15.0 and later and may be removed from a future release of ONTAP.
[-disallowed-reuse <integer>]
- Disallow Last 'N' Passwords-
This specifies the number of previous passwords that are disallowed for reuse. The default setting is 6, meaning that the user cannot reuse any of their last six passwords. The minimum allowed value is 6.
[-change-delay <integer>]
- Delay Between Password Changes (Days)-
This specifies the number of days that must pass between password changes. The default setting is 0.
[-delay-after-failed-login <integer>]
- Delay after Each Failed Login Attempt (Secs)-
This specifies the delay, in seconds, that the system imposes after each invalid login attempt. The default setting is 4 seconds.
[-passwd-min-lowercase-chars <integer>]
- Minimum Number of Lowercase Alphabetic Characters Required in the Password-
This specifies the minimum number of lowercase characters required in a password. Supported values are from 0 to 64 lowercase characters. The default setting is 0, which requires no lowercase characters.
[-passwd-min-uppercase-chars <integer>]
- Minimum Number of Uppercase Alphabetic Characters Required in the Password-
This specifies the minimum number of uppercase characters required in a password. Supported values are from 0 to 64 uppercase characters. The default setting is 0, which requires no uppercase characters.
[-passwd-min-digits <integer>]
- Minimum Number of Digits Required in the Password-
This specifies the minimum number of digits required in a password. Supported values are from 0 to 64 digits. The default setting is 0, which requires no digits.
[-passwd-expiry-warn-time <integer_or_unlimited>]
- Display Warning Message Days Prior to Password Expiry (Days)-
This specifies the warning period for password expiry in days. A value of 0 means the user is warned about password expiry upon every successful login. The default setting is unlimited, which means never warn about password expiry.
[-account-expiry-time <integer_or_unlimited>]
- Account Expires in (Days)-
This specifies account expiration in days. The default setting is unlimited, which means the accounts never expire. The account expiry time must be greater than the account inactive limit.
[-account-inactive-limit <integer_or_unlimited>]
- Maximum Duration of Inactivity before Account Expiration (Days)-
This specifies the inactive account expiry limit in days. The default setting is unlimited, which means inactive accounts never expire. The account inactive limit must be less than the account expiry time.
[-account-lockout-duration {P[<integer>D]T[<integer>H][<integer>M][<integer>S] | P<integer>W | disabled}]
- Account Lockout Duration (ISO 8601 Duration Format)-
This specifies the duration, in ISO 8601 format, for which an account is locked if the failed login attempts reach the allowed maximum. The default is 1 hour. Specifying this field sets the field lockout-duration to 0, and the field account-lockout-duration is used for further operations.
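The following is an added illustration, not ONTAP code: a small Python checker that models the password rules above (passwd-minlength, passwd-alphanum, the per-class minimums and disallowed-reuse) so the effect of a setting can be tried offline. The class and function names are hypothetical, the meaning of "special character" is assumed to be ASCII punctuation (the page does not define it), and the per-class counts deliberately ignore non-ASCII characters, as the page states. Sample passwords are constructed for the demonstration; real password history on ONTAP is compared against stored hashes, not plain strings.

```python
"""Model of the -passwd-* and -disallowed-reuse rules (added example, not ONTAP code)."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePasswordRules:
    # Hypothetical field names that mirror the CLI parameter names; page defaults.
    passwd_minlength: int = 8
    passwd_alphanum: bool = True
    passwd_min_special_chars: int = 0
    passwd_min_lowercase_chars: int = 0
    passwd_min_uppercase_chars: int = 0
    passwd_min_digits: int = 0
    disallowed_reuse: int = 6


# Assumption: "special" means ASCII punctuation; the page does not define the set.
SPECIAL = set(string.punctuation)


def ascii_class_counts(password: str) -> dict:
    """Count lowercase, uppercase, digit and special characters, ASCII range only.
    Extended characters (e.g. 'É') are skipped and satisfy none of the class rules."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for ch in password:
        if ord(ch) > 0x7F:
            continue
        if ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SPECIAL:
            counts["special"] += 1
    return counts


def check_password(password: str, rules: RolePasswordRules, previous=()) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < rules.passwd_minlength:
        problems.append(f"passwd-minlength: shorter than {rules.passwd_minlength}")
    counts = ascii_class_counts(password)
    letters = counts["lower"] + counts["upper"]
    if rules.passwd_alphanum and not (letters and counts["digit"]):
        problems.append("passwd-alphanum: needs at least one letter and one digit")
    for cls, param in (("special", "passwd_min_special_chars"),
                       ("lower", "passwd_min_lowercase_chars"),
                       ("upper", "passwd_min_uppercase_chars"),
                       ("digit", "passwd_min_digits")):
        need = getattr(rules, param)
        if counts[cls] < need:
            problems.append(f"{param.replace('_', '-')}: have {counts[cls]}, need {need}")
    # disallowed-reuse: the last N passwords may not be reused (plain strings stand in
    # for the stored hashes so this runs offline).
    recent = list(previous)[-rules.disallowed_reuse:] if rules.disallowed_reuse else []
    if password in recent:
        problems.append(f"disallowed-reuse: matches one of the last {rules.disallowed_reuse} passwords")
    return problems


DEFAULT_RULES = RolePasswordRules()
# A stricter profile of the kind a hardening baseline would set with this command.
HARDENED_RULES = RolePasswordRules(passwd_minlength=12, passwd_min_special_chars=1,
                                   passwd_min_lowercase_chars=1,
                                   passwd_min_uppercase_chars=1, passwd_min_digits=1)

if __name__ == "__main__":
    # Constructed sample passwords; 'Écolepass-99' fails only because its sole
    # uppercase letter is non-ASCII and therefore does not count.
    for pw in ("Tr0ub4dor&3x", "Écolepass-99", "password"):
        print(f"{pw!r}: {check_password(pw, HARDENED_RULES) or 'OK'}")
```

Note that the length check counts every character while the class checks count only ASCII; a password padded with extended characters can therefore pass passwd-minlength yet still fail every per-class minimum, which is the behaviour the ASCII caveat above describes.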
Examples
The following command modifies the user-account restrictions for the role named admin on the Vserver named vs1, setting the minimum password length to 12 characters.
cluster1::> security login role config modify -role admin -vserver vs1 -passwd-minlength 12
The following command sets the maximum allowed number of consecutive invalid login attempts to 3, and the account lockout duration after those 3 failed attempts to 1 minute 30 seconds, for role admin on Vserver vs1:
cluster1::> security login role config modify -role admin -vserver vs1 -max-failed-login-attempts 3 -account-lockout-duration PT1M30S
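As an added example (not ONTAP code), the following Python parser accepts the -account-lockout-duration grammar shown in the parameter list, P[nD]T[nH][nM][nS], PnW or disabled, and converts it to seconds so a value such as the PT1M30S used above can be sanity-checked before it is applied. It also maps the deprecated -lockout-duration day count onto the ISO form using the page's rule that 0 means 1 hour. Function names are hypothetical; it is assumed, beyond the page's syntax summary, that a duration with only a day component may omit the T separator (P1D).

```python
"""Parser for the -account-lockout-duration value (added example, not ONTAP code)."""
import re

# P[nD]T[nH][nM][nS]; the T part is optional here (assumption) when no time fields follow.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_WEEKS = re.compile(r"^P(\d+)W$")


def parse_lockout_duration(value: str):
    """Return the lockout length in seconds, or None for 'disabled'.
    Raises ValueError for anything outside the documented grammar."""
    if value == "disabled":
        return None
    m = _WEEKS.match(value)
    if m:
        return int(m.group(1)) * 7 * 86400
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        # 'P' or 'PT' alone carries no component and is rejected.
        raise ValueError(f"not a valid account-lockout-duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def legacy_lockout_days_to_iso(days: int) -> str:
    """Express the deprecated -lockout-duration (days) in the ISO form.
    Per the page, 0 means the account is locked for 1 hour."""
    if days < 0:
        raise ValueError("lockout-duration cannot be negative")
    return "PT1H" if days == 0 else f"P{days}D"


if __name__ == "__main__":
    # Constructed inputs: the page's example value, the default, and a rejected one.
    for v in ("PT1M30S", "PT1H", "P2W", "disabled", "1H"):
        try:
            print(v, "->", parse_lockout_duration(v))
        except ValueError as exc:
            print(v, "->", exc)
    print("legacy 0 days ->", legacy_lockout_days_to_iso(0))
```

Because the lockout is triggered by max-failed-login-attempts and each failed attempt already costs delay-after-failed-login seconds, knowing the lockout length in seconds is what lets an administrator compare two candidate settings directly rather than by reading the ISO string.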