policy set
Sets the policy for user passwords, account rules, and conditions. Requires authentication (administrator ID and password) to use.
policy set account-expiry-date {unlimited|absolute_time|unset} [-user user_name]
policy set disable-time-interval {number|unset|disable} [-user user_name]
policy set max-concurrent-web-sessions {number|displace|unlimited|unset} [-user user_name]
policy set max-login-failures {number|unset} [-user user_name]
policy set max-password-age {unset|relative_time} [-user user_name]
policy set max-password-repeated-chars {number|unset} [-user user_name]
policy set min-password-alphas {unset|number} [-user user_name]
policy set min-password-length {unset|number} [-user user_name]
policy set min-password-non-alphas {unset|number} [-user user_name]
policy set password-spaces {yes|no|unset} [-user user_name]
policy set tod-access {{anyday|weekday|day_list}:{anytime|time_spec}[:{utc|local}]|unset} [-user user_name]
No fixed range is imposed on number values; any number is accepted. However, use a reasonable number for the task that we want to complete. For example, a minimum password length must be long enough to protect the system: a password that is too short is easy for someone to determine by trying different combinations.
When we define the password policy, ensure that this definition complies with the password policy of the underlying operating systems and user registries.
Options
- account-expiry-date {unlimited|absolute_time|unset}
- Set the account expiration date. The absolute_time value is specified in the following format:
YYYY-MM-DD-hh:mm:ss
The hours must be entered using a 24-hour clock (for example, 09 for 9 a.m. or 14 for 2 p.m.). Default is unset. If we set the account expiration date without the -user user_name option, it applies to all accounts that do not have a per-user expiration date. By default, the sec_master user account has a per-user account expiration date of unlimited. If we set the account expiration date to unlimited, do the following actions:
- Set max-password-age to 0 for unlimited.
- Set tod-access to anyday:anytime:local.
- Use the -user user_name option.
- disable-time-interval {number|unset|disable}
- Set the time, in seconds, to disable each user account when the maximum number of login failures is exceeded. Security Verify Access does not impose an upper limit for the maximum number allowed. Use a range from 0 (unlimited) to a number representing the value that is most logical for the parameter we are trying to set. The default value is 180 seconds.
- max-concurrent-web-sessions {number|displace|unlimited|unset}
- Set the maximum number of concurrent web sessions. This policy applies only to certain components. A web session is a user session that is maintained by a web security solution, such as WebSEAL or the Plug-in for Web Servers. See the IBM Knowledge Center to determine whether this setting is applicable and whether specific configuration options are required to enforce this policy. This option supports the following values:
- number
- Maximum number of concurrent web sessions that can be established. This value is a number that is equal to or greater than one.
- displace
- Specifies that if a user starts a new web session, any existing web session ends.
- unlimited
- Allows unlimited concurrent web sessions.
- unset
- Specifies to unset concurrent web session policy.
- max-login-failures {number|unset}
- Set the maximum number of login failures allowed. Security Verify Access does not impose an upper limit for the maximum number allowed. Instead, use a range from zero to a number representing the value that is most logical for the parameter we are trying to set. If the number is too large, it might render the login policy ineffective. The default value is 10.
To enforce maximum login failures, the disable-time-interval parameter must also be set. See the disable-time-interval option for more information.
- max-password-age {unset|relative_time}
- Set the maximum time, in days, that a password is valid. This policy is a global password policy as opposed to the individual user policy. The individual user policy:
- Is set using the user modify command with the user_name password-valid option.
- Enables or disables the validity of a password for the specified user account.
The relative_time option is relative to the number of days since the last password change occurred. The relative_time format is specified in the following format:
DDD-hh:mm:ss
The valid range is from 000-00:00:00 to 999-23:59:59. A value of zero (000-00:00:00) indicates the password never expires. Default is 91 days. This value is expressed as 91-00:00:00.
- max-password-repeated-chars {number|unset}
- Set the maximum number of consecutively repeated characters allowed in a password. Security Verify Access does not impose an upper limit on the maximum number allowed. Instead, use a range from 0 to a number representing the most logical value for the parameter we are trying to set. If the number is too large, it might render the password policy ineffective. The default value is 2.
Example: If max-password-repeated-chars is set to 2, then password and pspassword are both valid values. However, passsword is not valid because the character s occurs three times consecutively.
- min-password-alphas {unset|number}
- Set the minimum number of alphabetic characters required in a password. Security Verify Access does not impose an upper limit for the minimum number allowed. Instead, use a number representing the value that is most logical for the parameter we are trying to set. If the number is too small, it might render the password policy ineffective. Default is 4.
- min-password-length {unset|number}
- Set the minimum password length. Security Verify Access does not impose an upper limit for the minimum number allowed. Instead, use a number representing the value that is most logical for the parameter we are trying to set. If the number is too large, the password policy might be difficult to adhere to. Default is 8.
- min-password-non-alphas {unset|number}
- Set the minimum number of non-alphabetic characters that are required in a password. Security Verify Access does not impose an upper limit for the minimum number allowed. Instead, use a number representing the value that is most logical for the parameter we are trying to set. If the number is too large, the password policy might be difficult to adhere to. Default is 1.
- password-spaces {yes|no|unset}
- Set the policy of whether spaces are allowed in passwords. The default value is unset.
- tod-access {{anyday|weekday|day_list}:{anytime|time_spec}[:{utc|local}]|unset}
- Set the time of day access policy. The day_list is a comma-separated list of days of the week, each of which is represented by a three-character value (for example, mon,wed,fri). The day_list specifies which days of the week we can log in to the account. To list every day of the week, specify anyday; if we do not want to include the weekend days, specify weekday. The time_spec format is specified in the following format:
hhmm
The format is expressed using a 24-hour clock. For example, 0900 for 9 a.m. or 1430 for 2:30 p.m. Default is unset, and the optional time zone is local by default. The time_spec value and time zone specify the time of day when we can log in to the account.
- utc=GMT
- When we modify this policy, we provide a list of days, a start time, and an end time. The start time and end time apply to each day on the list. If the specified start time is greater than the specified end time, then access is allowed until the specified end time of the next day.
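The following is an added example, not code from the page or from Security Verify Access: it checks a candidate password against the documented defaults of the password composition options above (min-password-length 8, min-password-alphas 4, min-password-non-alphas 1, max-password-repeated-chars 2) and a password-spaces value of no, skipping any option left unset. The policy dictionary keys and the helper names are this example's own.

```python
# Documented defaults of the password options above; "no" for password-spaces
# is this example's choice (the page's default for that option is unset).
DEFAULT_POLICY = {
    "min-password-length": 8,
    "min-password-alphas": 4,
    "min-password-non-alphas": 1,
    "max-password-repeated-chars": 2,
    "password-spaces": "no",
}


def max_consecutive_repeat(password):
    """Length of the longest run of a single character repeated consecutively."""
    longest, run, prev = 0, 0, None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev, longest = ch, max(longest, run)
    return longest


def check_password(password, policy=DEFAULT_POLICY):
    """Return the names of the policy options a candidate password violates
    (an empty list means it complies). An option set to 'unset' is not checked."""
    active = {k: v for k, v in policy.items() if v != "unset"}
    alphas = sum(ch.isalpha() for ch in password)
    non_alphas = len(password) - alphas          # digits, punctuation and spaces
    failed = []
    if len(password) < active.get("min-password-length", 0):
        failed.append("min-password-length")
    if alphas < active.get("min-password-alphas", 0):
        failed.append("min-password-alphas")
    if non_alphas < active.get("min-password-non-alphas", 0):
        failed.append("min-password-non-alphas")
    # A run of one character longer than the configured maximum is rejected.
    if "max-password-repeated-chars" in active:
        if max_consecutive_repeat(password) > active["max-password-repeated-chars"]:
            failed.append("max-password-repeated-chars")
    if active.get("password-spaces") == "no" and " " in password:
        failed.append("password-spaces")
    return failed
```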
- -user user_name
- User whose policy information is to be set. (Optional.) If this option is not specified, the general policy is set. For any specified policy, if a user has a specific policy that is applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy. A valid user name is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set.
Examples of user names are dlucas, sec_master, and "Mary Jones".
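The following is an added example, not code from the page or from Security Verify Access: it parses a tod-access value (anyday, weekday or a day_list; anytime or an hhmm window; optional utc or local zone) and evaluates a login time against it, including the documented rule that a start time greater than the end time allows access until the end time of the next day. It assumes the start and end times are written as hhmm-hhmm, which the page does not show.

```python
from datetime import timezone

# Order matches datetime.weekday(): Monday is 0, Sunday is 6.
DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def _hhmm(text):
    """Convert a 24-hour hhmm time_spec value (for example 1430) to minutes after midnight."""
    if len(text) != 4 or not text.isdigit() or int(text[:2]) > 23 or int(text[2:]) > 59:
        raise ValueError("time must be hhmm on a 24-hour clock: %r" % text)
    return int(text[:2]) * 60 + int(text[2:])


def parse_tod_access(spec):
    """Parse a tod-access value into (days, start, end, zone); 'unset' parses to None.
    ASSUMPTION (not shown on the page): start and end are written as hhmm-hhmm."""
    if spec == "unset":
        return None
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError("expected {days}:{time}[:{utc|local}]")
    zone = parts[2] if len(parts) == 3 else "local"      # zone is optional, local by default
    if zone not in ("utc", "local"):
        raise ValueError("zone must be utc or local")
    if parts[0] == "anyday":
        days = set(range(7))
    elif parts[0] == "weekday":
        days = set(range(5))                              # mon..fri, weekend excluded
    else:                                                 # day_list, e.g. mon,wed,fri
        days = {DAY_NAMES.index(d) for d in parts[0].split(",")}
    if parts[1] == "anytime":
        start, end = 0, 24 * 60
    else:
        start, end = (_hhmm(t) for t in parts[1].split("-"))
    return days, start, end, zone


def login_allowed(policy, when, local_tz=None):
    """Decide whether a login at the aware datetime `when` falls inside the policy window.
    `local_tz` is the tzinfo meant by 'local'; None means the system zone."""
    if policy is None:
        return True
    days, start, end, zone = policy
    t = when.astimezone(timezone.utc if zone == "utc" else local_tz)
    minutes, day = t.hour * 60 + t.minute, t.weekday()
    if start <= end:                                      # window lies within one day
        return day in days and start <= minutes < end
    # start > end: the window crosses midnight, so access continues until `end` on the next day
    return (day in days and minutes >= start) or ((day - 1) % 7 in days and minutes < end)
```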
Return codes
- 0
- The command completed successfully.
- 1
- The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). See "Error messages" in the IBM Knowledge Center. This reference provides a list of the ISAM error messages by decimal or hexadecimal codes.
Examples
- The following example sets the account expiration date of December 30, 1999, at 11:30 p.m. for the specified user dlucas:
pdadmin sec_master> policy set account-expiry-date 1999-12-30-23:30:00 -user dlucas
- The following example sets the maximum password age of 31 days, 8 hours, 30 minutes, and 0 seconds for the specified user dlucas:
pdadmin sec_master> policy set max-password-age 031-08:30:00 -user dlucas
- The following example sets a maximum of 12 concurrent web sessions:
pdadmin sec_master> policy set max-c 12