Info
KeePass Hub
J. User Administration
SAML Single Sign-On
User Policies
IP Filter Policies
Two-Factor Authentication
Change Password
Setup Password Reset
Privilege Elevation and Security Zones
Sitemap
Info  >  KeePass Hub  >  J. User Administration  >  User Policies Page last modified Nov 23 2021, 21:23

User Policies

See why customers choose Pleasant Password Server with a KeePass client

User Policies allow administrators to manage the security configurations of their "User Accounts".

To edit a User Policy, navigate to the Web browser menu:

  • Users and Roles -> Manage Policies -> Actions -> Edit

Policy Setup - Best Practices

Use the following steps to setup a series of User Policies for your company:

  1. Start by setting the Default Policy to be the minimum requirements for Password and Lockout
  2. Create additional Policies for more Levels of Access
    • Stricter password requirements
    • Fewer attempts before lockout
    • Longer lockout time or disable user to force manual re-enable
    • Require Two-Factor Authentication
      • Usually when requiring Two-Factor Authentication the user's configurations will usually be managed by an administrator directly
      • Self-managed YubiKeys, for example
  3. Apply stricter Policies to the appropriate Roles or Users
    • Policies may be reused for multiple roles and/or users
  4. Consider enabling Two Factor Providers for additional security, that the user can easily self configure and use if they wish:
    • Authenticator
    • YubiKey

Password Policy

  • Applies only to the user when they are setting their own password for accessing the password server.
    • Users with the Administer Users permission can set other user's passwords directly without having to obey the policy
  • Minimum Length: (required)
  • Maximum Length: (not required, can be blank)
  • Minimum Characters of each type: (uppercase, lowercase, digit, special)
  • Minimum Varieties: specify minimum number of types, (1 - 4)
    • Can be used instead of setting a minimum per type

Lockout Policy

(Not applicable to Reset users)

Enabling a Lockout Policy will lock users out of the application, after a set number of consecutive failed sign-in attempts. Lockouts can be a temporary duration, or require an Administrative reset.

A user with the Administer Users permission can re-enable users or reset the lockouts early.

  • Status: enable or disable Lockout
  • Maximum Consecutive Failures: an account can be locked or disabled, after a number of consecutive failed attempts
  • Duration Until Reset:
    • Setting this option to blank will disable the user instead of locking them out
    • The admin user will not be disabled, but will instead be locked out for a short time
  • Alerts: can be enabled for administrators or users

Timeout Policy

(Not applicable to Reset users)

  • Web Client Timeout
    • The duration of browser inactivity before the User is signed out or the remembered login expires.
    • This setting only affects the Web Client login, and will only take effect once the user logs in after the setting is applied.
  • Application Authentication Timeout
    • (for KeePass, Mobile, and REST API clients)
    • The fixed amount of time an authentication token (OAuth) remains valid. This determines how long access is permitted before having to re-verify.
    • Mobile clients: The workspace locks and requires re-authentication.
    • KeePass clients: The workspace remains unlocked unless KeePass locking options are set (next section). Authentication tokens are requested from the server at this time. However, users will be not be required to re-authenticate, unless using Two-Factor Authentication.

KeePass Inactivity Timeouts

The KeePass for Pleasant desktop client has additional timeout duration options:

  • Adjust the settings in: Tools -> Options -> Security tab
    • "Lock workspace after KeePass inactivity (seconds)",
    • "Lock workspace after global user inactivity (seconds)"
    • (as well as additional Lock workspace options below)...
  • Apply the setting to multiple users/roles by:
    • Make the changes in KeePass
    • Uploading the KeePass config file, in: Advanced -> Client Configuration.

Open Entries Will Remain Visible

Entries kept open when a Timeout occurs will remain visible:

  • In KeePass, when a vault entry remains open, the timeout is disabled. This is by design and explained here: KeePass.info - NoAutoLock

  • In Web client, a vault entry remains open and visible, but will lock and disable further changes. Users can still see & copy out their changes, but will be unable to save, or open other entries, etc.

Two-Factor Policy and Configuration

  • See Two-Factor Authentication (2FA) for more information

  • Two-Factor Authentication (2FA) 
    • Status may be disabled, enabled, or required.

      • Note: marking 'Required' will lock-out unenrolled users

    • Requiring Two-Factor: Only set this after a Provider and Policy users have been configured.

      • This can be set on the Policy or on a Provider. This restricts users from disabling their 2FA.

  • Bulk Enabling Users:

    • Enabling Self-Enrollment allows bulk configuration for all policy users, rather than configuring per-user.

  • Two-Factor Providers:
    • Status:  Enabled/Disabled
    • Allow/Disallow the user from changing the Provider's enabled/disabled state
      • Can be used to force users to use a form of Two-Factor
    • Allow/Disallow the user from resetting/modifying their Two-Factor Secret information
    • Can be used to prevent users from changing their Two-Factor Configurations (full admin control)

      • Other, provider specific, information and configuration

  • Browser Bypass: The user may be allowed to set a cookie to bypass Two-Factor for future logins from the same browser (for a 2-week period)

IP Filter Policy

Manage Account Policy

  • Modify Display Name
    • When enabled, allows a user to change their own Display Name
  • Modify Email Address
    • When enabled, allows a user to change their own Email
  • Modify Phone Number
    • When enabled, allows a user to change their own Phone Number
  • Users with the 'Administer Users' permission can always edit these values for any user.

Policy Membership

Here is how Policies affect user memberships:

  1. Default Policy
    • One Default Policy may be set
    • The Default Policy is applied if no direct or Role Policies are found
  2. Users may be Assigned a Policy directly
    • To assign a Policy to a user go to:
      • Users & Roles > Manage Users and click the [Edit] link beside the name of the user you wish to assign the Policy to. 
      • There will be Policy dropdown box where you can select whether the user inherits Policies or assign a specific one.
        • A Policy assigned directly to a user will override Policies inherited from roles
  3. A Policy may be Inherited from a Role
    • To assign a Policy to a role go to:
      • Users & Roles > Manage Policies and scroll down to the "Role Policies" grid. 
      • Click the "Set Role Policy" button and a dialog will appear to select the Role and the Policy you would like to assign, as well as the priority for that Policy.
        • Each Role may only have one policy and one Policy priority
        • All of the User's Roles are checked for Policies
        • The Role Policies are ordered by the Policy Priority value (lowest value first).  If a user has multiple Roles, the one with the lowest priority value is applied.
        • Role policies can be used to more dynamically apply Security, based on the Role(s) a User has