Policy Configuration
RegScale provides multiple configurations to allow customers to lock down their instance of the platform based on their unique security requirements. While RegScale is hardened out of the box to meet stringent security requirements, we also support a policy engine that allows each customer to tailor their instance of RegScale based on their organizational risk tolerances and the desired user experience. The following settings are supported:
Pre-Requisites and Background
- Must be logged in with an administrator account to set policies
- Policies are available under Setup -> Security Policies
- NOTE: Account based policies only apply to local RegScale accounts. If using SSO, security settings for accounts do not apply.
Multi-Factor Authentication
- Checking this box enables Multi-Factor authentication for all local RegScale accounts
- Users must obtain an access code to unlock a QR code that they can register with Google Authenticator
- They will then be required to sign in with username, password, and one-time token from Google Authenticator
- The first time users of MFA will use the Generate MFA Token button on the login page. This will send an access code to the users email to be entered into the pop up window. Once entered the QR code will appear for the user to scan/enter into their Google Authenticator app. See Local Accounts for more information.
Disable Temporary Password Distribution
- RegScale distributes a username and temporary password in two separate emails once a new account is created
- Some customers do not allow for passwords to be distributed via email
- Checking this box removes the temporary password distribution email
- The customer will then be responsible for distributing the password outside of RegScale via other secure means
Minimum Password Length
- Sets the minimum length of passwords in RegScale
Password Rotation Frequency
- Sets the number of days a password can be used before it must be changed
- Once the expiration date is reached, the user will be redirected to the Change Password page and forced to change their password to continue using RegScale
Session Length
- Sets the period of inactivity after which a user's session will be automatically terminated
Maximum Password Retry
- Number of tries a user can fail their password prompt before their account is locked
Lockout Duration
- Sets the amount of time the user is locked out of their account after exceeding the maximum password retry policy
- NOTE: An administrator can manually unlock their account
Underlying Password Policies
These policies are in place regardless of what the above settings are.
- Minimum of 12 characters in length
- Must contain upper and lower case letters
- Must contain one or more numbers
- Must contain one or more special characters
Screenshot
Updated 5 months ago