3.5. User Passwords

Password Policy

Starting with v17.09, a password policy can be defined at the Tenant level. The Password Policy tab is used to define a set of rules for account access passwords. The following fields and check-boxes are available:

Complexity section:

  • Minimum Length - The minimum number of characters used in the password,

  • Use letter - Use at least one character from ISO basic Latin alphabet (a-z or A-Z),

  • Use uppercase letter - Use at least one uppercase character from ISO basic Latin alphabet (A to Z),

  • Use lowercase letter - Use at least one lowercase character from ISO basic Latin alphabet (a to z),

  • Use numeric character - Use at least one numeric character (0 to 9),

  • Use non alphanumeric character - Use at least one character that is neither a letter, a numeric character nor a white-space character (such as ! $ # % < > _ etc.).

Maintenance section:

  • Expiration Period (days) - Password expiration period,

  • Historical Passwords Count - The number of previous passwords that cannot be reused.

Options section:

  • Apply for API Users - Apply the password policy for API users,

  • Apply External Authentication Services Policy Only - Access security is performed only by external authentication services. Login with local email/password is not allowed (except via API).
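How the Complexity and Maintenance rules combine when a new password is evaluated, as an added example (not SocrateCloud's own code). The class and function names are hypothetical, the history is assumed to be stored as salted PBKDF2 digests ordered oldest first, and letters outside a-z/A-Z are assumed to satisfy neither the letter rules nor the non-alphanumeric rule.

```python
from __future__ import annotations
import hashlib, hmac, os, string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    # Field names mirror the Complexity and Maintenance options (hypothetical class).
    min_length: int = 0
    use_letter: bool = False
    use_uppercase: bool = False
    use_lowercase: bool = False
    use_numeric: bool = False
    use_non_alphanumeric: bool = False
    history_count: int = 0

def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-HMAC-SHA256; the page does not name an algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def remember(password: str) -> tuple[bytes, bytes]:
    """Build a history entry (salt, digest) so old passwords are never kept in clear."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def violations(pw: str, policy: PasswordPolicy, history=()) -> list[str]:
    """Return the rules that pw breaks; history is ordered oldest first."""
    upper = any(c in string.ascii_uppercase for c in pw)
    lower = any(c in string.ascii_lowercase for c in pw)
    digit = any(c in string.digits for c in pw)
    # Assumption: letters outside a-z/A-Z (e.g. "é") do not count as symbols either.
    symbol = any(not c.isalnum() and not c.isspace() for c in pw)
    checks = [
        ("Minimum Length", len(pw) >= policy.min_length),
        ("Use letter", not policy.use_letter or upper or lower),
        ("Use uppercase letter", not policy.use_uppercase or upper),
        ("Use lowercase letter", not policy.use_lowercase or lower),
        ("Use numeric character", not policy.use_numeric or digit),
        ("Use non alphanumeric character", not policy.use_non_alphanumeric or symbol),
    ]
    failed = [name for name, ok in checks if not ok]
    # Only the last history_count entries block reuse.
    recent = list(history)[-policy.history_count:] if policy.history_count else []
    if any(hmac.compare_digest(_digest(pw, salt), d) for salt, d in recent):
        failed.append("Historical Passwords Count")
    return failed
```

With Historical Passwords Count set to 2, only the two most recent entries block reuse, so a password three changes old is accepted again.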

Change Password

The Change Password process allows users to change their passwords:

  • In the Old Password field, enter the current password (the password you used to log into SocrateCloud);

  • In the New Password and Reenter new password fields, enter the new password;

  • Press Start to run the process.

A message indicating whether the process has been run successfully will be displayed in the Log section.

Change User Passwords and Email

Using the Change User Passwords and Email process from the System Admin -> General Rules -> Security menu, an administrator can change passwords and email settings for users:

  • User/Contact - select the user for which you would like to change the password and/or email settings;

  • Your Current Password - enter the current password (the password you used to log into SocrateCloud as an administrator);

  • To change the user's password, enter the new password in the New Password and Password Confirmation fields;

  • To change the user's email settings, fill in the New Email Address, New Email User ID and New Email User PW (password);

  • Press Start to run the process.

A message indicating whether the process has been run successfully will be displayed in the Log section.

Generate Random Password

The Generate Random Password process from the System Admin -> General Rules -> Security menu can be used to generate random passwords for multiple SocrateCloud users.

  • Overwrite existing - check this if the generated passwords should overwrite existing passwords. If left unchecked, new passwords will be generated only for users without passwords;

  • Business Partner - generate passwords for users/contacts belonging to a business partner;

  • Business Partner Group - generate passwords for users/contacts belonging to a business partner group.

Either a business partner or a business partner group must be selected for the process to run.

The new passwords will be displayed in the Log section.

HASH Passwords

In order to secure passwords using the HASH functionality the following settings need to be made:

1. Activate the SocrateCloud Enhanced Security (csec.sar) component.

2. Log in with System user, open the System window and check the Use Hash for passwords option.

Attention! This action is irreversible! Once activated, the Use Hash for passwords option can no longer be deactivated!

When saving the record the following settings need to be made for the System user:

    • calculate a hash for the existing password and enter it in the "PasswordHash" column, "AD_User" table;

    • delete the password in the Password column;

The other user passwords should remain unchanged.

3. Immediately after step 2 it is mandatory that you run the Migrate Existing Passwords to Hash process.

The process will update the other users' passwords using HASH. The hash is calculated based on the existing passwords and is entered in the PasswordHash column, AD_User table. The values contained in the Password column will become null. Until the process has been run, no user except the System user will be able to log into SocrateCloud!

Consequences (when activating the HASH option):

For systems with MicroStrategy integration, you will only be able to log into SocrateBI using Single Sign On (by using the WEB interface).

Resetting a forgotten password can no longer be done by editing the database.

Recommendation: although the functionality has been thoroughly tested, we recommend that you create a backup of the AD_User table (columns AD_User_ID and Password) before migrating to HASH passwords. If any unexpected errors occur, this will allow you to recover the existing passwords.
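One way to take the recommended backup and then confirm that the migration left no clear-text password behind, as an added example (not SocrateCloud's own code). An in-memory SQLite table with constructed rows stands in for AD_User; the backup table name AD_User_PwBackup, the function names and the '<hash>' values are placeholders.

```python
import sqlite3

# Backup of the two columns named in the recommendation (table name is hypothetical).
# The copy holds clear-text passwords: restrict access to it and drop it once
# unmigrated_users() returns an empty list.
BACKUP_SQL = """
CREATE TABLE AD_User_PwBackup AS
SELECT AD_User_ID, Password FROM AD_User
"""

# Users that still hold a clear-text password, or that had one before the
# migration and ended up with neither a password nor a hash.
CHECK_SQL = """
SELECT u.AD_User_ID
FROM AD_User u
LEFT JOIN AD_User_PwBackup b ON b.AD_User_ID = u.AD_User_ID
WHERE u.Password IS NOT NULL
   OR (b.Password IS NOT NULL AND u.PasswordHash IS NULL)
ORDER BY u.AD_User_ID
"""

def backup_passwords(db):
    """Create the backup table and return the number of rows copied."""
    db.execute(BACKUP_SQL)
    return db.execute("SELECT COUNT(*) FROM AD_User_PwBackup").fetchone()[0]

def unmigrated_users(db):
    """Return the AD_User_ID values that the migration did not handle cleanly."""
    return [row[0] for row in db.execute(CHECK_SQL)]

def run_constructed_example():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AD_User (AD_User_ID INTEGER PRIMARY KEY, "
               "Password TEXT, PasswordHash TEXT)")
    # Constructed rows: user 102 never had a password.
    db.executemany("INSERT INTO AD_User VALUES (?, ?, NULL)",
                   [(100, "constructed-pw-a"), (101, "constructed-pw-b"),
                    (102, None), (103, "constructed-pw-c"), (104, "constructed-pw-d")])
    saved = backup_passwords(db)
    # Stand-in for the state after Migrate Existing Passwords to Hash:
    # 100 and 101 migrated, 103 untouched, 104 lost its password without a hash.
    db.execute("UPDATE AD_User SET PasswordHash = '<hash>', Password = NULL "
               "WHERE AD_User_ID IN (100, 101)")
    db.execute("UPDATE AD_User SET Password = NULL WHERE AD_User_ID = 104")
    return saved, unmigrated_users(db)
```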