Setup Security Policies
RegScale offers configurable security policies to align with your organization’s risk tolerance and user experience requirements. While secure by default, administrators can further tailor settings using the built-in policy engine.
Note: Policies only apply to local accounts. SSO-managed accounts are governed by external identity provider settings.
Security Settings
| Setting | Description |
|---|---|
| Require MFA for All Local User Accounts | Enforces MFA for all local accounts using the configured MFA Prefix. |
| Disable Temporary Password Distribution | Prevents RegScale from emailing temporary passwords. Organizations must distribute passwords manually. |
| Forward All History Events to Syslog | Sends system history events to an external Syslog server for monitoring. |
| MFA Prefix | Prefix used for identifying MFA tokens. |
| Minimum Password Length | Sets the required password length (default: 12). |
| Password Rotation Frequency (Days) | Defines how often users must update their passwords (default: 180 days). |
| Inactive Account Deactivation (Days) | Automatically deactivates accounts after a period of inactivity (default: 365 days). |
| Session Timeout (Minutes) | Maximum session duration regardless of activity (default: 1440 minutes / 24 hours). |
| Browser Inactivity Timeout (Minutes) | Terminates session after browser inactivity (default: 60 minutes). |
| Refresh Token Validity Duration (Hours) | Defines lifespan of refresh tokens. Set to 0 to disable token refresh. |
| Concurrent Session Limit | Limits the number of simultaneous sessions per user. Set to 0 to disable. |
| Maximum Password Retry | Number of failed login attempts before account lockout (default: 5). |
| Lockout Duration (Minutes) | Time a user must wait before retrying after lockout. Set to 0 to require admin unlock. |
Enforced Password Requirements
These apply regardless of configurable settings:
- Minimum 12 characters
- Must include uppercase and lowercase letters
- At least one number
- At least one special character
Multi-Factor Authentication (MFA)
Enable MFA for all local users:
- Check Require MFA and enter an MFA Prefix.
- Save changes.
- Users receive an email with a QR code and token.
- They scan the QR code using an authenticator app (e.g., Google Authenticator).
- Users log in with username, password, and six-digit token.
Important: Verify email is properly configured to avoid user lockouts, including for the Global Admin.
First-time setup:
- Use the Generate MFA Token button on the login page.
- Enter the emailed access code.
- Scan the QR code to complete setup.
Updated about 1 month ago