|
9.2.3 Security: Account lockout policy
This page enables you to set up an account lockout policy for different user roles within WebSphere Commerce. An account lockout policy disables a user account if malicious actions are launched against it, in order to reduce possible compromising of the account. The page lists all existing account lockout policies, including the ones supplied by default:
The account lockout policy enforces the following items:
| The account lockout threshold. This is the number of invalid logon attempts before the account is disabled.
|
|
| Consecutive unsuccessful login delay. This is the time period for which the user is not allowed to log on, after two failed logon attempts. The delay gets incremented by the configured time delay value (for example, 10 seconds) with every consecutive logon failure.
|
Figure 9-4 depicts the Account Lockout Policy page.
Figure 9-4 Account Lockout policy
To add a new account lockout policy:
| 1.
| 
|
| From the Security menu, select Account Lockout Policy.
|
| 2.
|
|
| Click New.
|
| 3.
|
|
| Enter a unique name for the new account lockout policy.
|
| 4.
|
|
| Make required changes to the default values supplied on the page.
|
| 5.
|
|
| Click OK.
|
To change an existing account lockout policy:
| 1.
|
|
| From the Security menu, select Account Lockout Policy.
|
| 2.
|
|
| Check the box next to the account lockout policy to be changed.
|
| 3.
|
|
| Click Change.
|
| 4.
|
|
| Make any desired changes.
|
| 5.
|
|
| Click OK.
|
To delete an existing account lockout policy:
| 1.
|
|
| From the Security menu, select Account Lockout Policy.
|
| 2.
|
|
| Check the box next to the account lockout policy to be deleted.
|
| 3.
|
|
| Click Delete.
|
|
Note: You cannot delete an account lockout policy that is in use.
|
| 
