Setup Security Policies

RegScale offers configurable security policies to align with your organization’s risk tolerance and user experience requirements. While secure by default, administrators can further tailor settings using the built-in policy engine.

⚠️ Note: Policies only apply to local accounts. SSO-managed accounts are governed by the external identity provider's settings.

Security Settings

Setting                                  | Description
-----------------------------------------+----------------------------------------------------------------------
Require MFA for All Local User Accounts  | Enforces MFA for all local accounts using the configured MFA Prefix.
Disable Temporary Password Distribution  | Prevents RegScale from emailing temporary passwords; organizations must distribute passwords manually.
Forward All History Events to Syslog     | Sends system history events to an external Syslog server for monitoring.
MFA Prefix                               | Prefix used for identifying MFA tokens.
Minimum Password Length                  | Sets the minimum required password length (default: 12).
Password Rotation Frequency (Days)       | Defines how often users must update their passwords (default: 180 days).
Inactive Account Deactivation (Days)     | Automatically deactivates accounts after a period of inactivity (default: 365 days).
Session Timeout (Minutes)                | Maximum session duration regardless of activity (default: 1440 minutes / 24 hours).
Browser Inactivity Timeout (Minutes)     | Terminates the session after browser inactivity (default: 60 minutes).
Refresh Token Validity Duration (Hours)  | Defines the lifespan of refresh tokens. Set to 0 to disable token refresh.
Concurrent Session Limit                 | Limits the number of simultaneous sessions per user. Set to 0 to disable the limit.
Maximum Password Retry                   | Number of failed login attempts before account lockout (default: 5).
Lockout Duration (Minutes)               | Time a user must wait before retrying after lockout. Set to 0 to require an admin unlock.

Enforced Password Requirements

These rules apply regardless of the configurable settings:

  • Minimum 12 characters
  • Must include uppercase and lowercase letters
  • At least one number
  • At least one special character
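As an added example (not RegScale's own code), the following Python checks a candidate password against the enforced rules above and reviews a policy configuration against the defaults quoted in the settings table; the setting key names and the sample settings are assumed, since the page does not expose an API for them.

```python
import re

# Enforced password rules from the page; they apply regardless of settings.
ENFORCED_MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

# Shipped defaults quoted in the settings table (key names are assumed).
DEFAULTS = {
    "min_password_length": 12,
    "password_rotation_days": 180,
    "inactive_deactivation_days": 365,
    "session_timeout_minutes": 1440,
    "browser_inactivity_minutes": 60,
    "max_password_retry": 5,
}

def password_violations(password, min_length=ENFORCED_MIN_LENGTH):
    """Return the enforced rules a candidate password fails (empty = ok).
    A configured minimum can only raise the length bar above the enforced 12."""
    effective_min = max(min_length, ENFORCED_MIN_LENGTH)
    problems = []
    if len(password) < effective_min:
        problems.append(f"fewer than {effective_min} characters")
    problems += [f"no {name}" for name, rx in CHARACTER_CLASSES.items()
                 if not rx.search(password)]
    return problems

def policy_findings(settings):
    """Flag settings weaker than the shipped defaults or that disable a control.
    Settings where 0 tightens the control (lockout duration, refresh validity) are not flagged."""
    findings = []
    if not settings.get("require_mfa"):
        findings.append("MFA is not required for local accounts")
    if not settings.get("disable_temp_password_email"):
        findings.append("temporary passwords are distributed by email")
    if settings.get("concurrent_session_limit", 1) == 0:
        findings.append("concurrent session limit is disabled (0)")
    # Raising any limit in DEFAULTS weakens it; lowering the minimum length does.
    for key, default in DEFAULTS.items():
        value = settings.get(key, default)
        weaker = value < default if key == "min_password_length" else value > default
        if weaker:
            findings.append(f"{key}={value} is weaker than the default {default}")
    return findings
```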

Multi-Factor Authentication (MFA)

To enable MFA for all local users:

  1. Check Require MFA and enter an MFA Prefix.
  2. Save changes.
  3. Users receive an email with a QR code and token.
  4. They scan the QR code using an authenticator app (e.g., Google Authenticator).
  5. Users log in with username, password, and six-digit token.

⚠️ Important: Verify that email is properly configured before enabling MFA, to avoid locking out users, including the Global Admin.

First-time setup:

  • Use the Generate MFA Token button on the login page.
  • Enter the emailed access code.
  • Scan the QR code to complete setup.