heather.crites

Account Lockout feature

Discussion created by heather.crites on Oct 16, 2019
Latest reply on Oct 29, 2019 by shawn.brewer

Good morning!
Thanks!
Heather
Overview

Introduced in 3700.14.0, by default Learn will lock user accounts after 5 failed login attempts. Administrators can disable the feature or edit its limits by selecting Account Lock Settings in the Administrator panel. Administrators can decide the maximum failed attempts allowed within a specified period. They can also choose how long accounts remain locked and whether accounts unlock automatically if users reset their passwords.
Administrative Configuration

Go to Sys Admin > Security > Account Lock Settings

Lock accounts after failed logins
    Description: Enable or disable the feature
    Options: Enable / Disable
    Default: Enable

Maximum Login Attempts
    Description: Maximum number of incorrect login attempts allowed before an account is locked. The maximum login attempts reset after your chosen lock period expires.
    Options: Numeric
    Default: 5

Login Period
    Description: Number of seconds in which a user can submit multiple login attempts. If the user doesn't successfully log in within this time, the account is locked.
    Options: Numeric
    Default: 300

Account Lock Period
    Description: Number of minutes a user's account is locked if they don't successfully log in using the attempts allowed. After this period expires, the account unlocks automatically. Enter zero (0) to permanently lock these accounts.
    Options: Numeric
    Default: 360


System Role Privileges

Currently, access to Unlock Users via the contextual menu appears to be tied to the Administrator Panel (Users) > Users privilege. Access to the checkboxes and the Unlock button is tied to the Administrator Panel (Users) > Users > Available/Unavailable or Administrator Panel (Users) > Users > Delete Users privilege.

I opened case 04290754 with Bb Support to validate the lack of a specific privilege. If there is to be no specific privilege for this functionality, I will probably end up writing a jsHack to eliminate it for the system accounts that should not be able to perform this function.

Functionality

Scope of Users:

Only enabled, available accounts can be locked. If the user account is not in Bb, is unavailable, or is disabled, then it cannot be locked. User accounts authenticating through both the Default authentication provider and our LDAP auth provider were handled by the lockout mechanism.

End User View:

After X number of attempts, the user will see the message "This user account is locked. Please try again later." on the login page.

This message cannot be modified via the GUI. We may be able to edit it via a custom language pack (have not yet tried).

System Administrator View:

When a user is locked, the admin can see a message in the Authentication logs.

Additionally, when the user is locked, a new status icon appears beside the username under Sys Admin > Users:
[Image: status icon]

To unlock the account:

1. Look up the user under System Admin > Users
2. Select the checkbox for the user
3. Click the Unlock button at the top or bottom of the list of users

Or

2. Open the contextual menu for the user
3. Click Unlock User
   [Image: contextual menu]

4. A success message displays:
   [Image: users unlocked]

5. A message appears for the user in the authentication logs:
   [Image: message]

Outcomes
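The lock policy from the settings above (5 attempts, a 300-second login period, a 360-minute lock, 0 = permanent, and unavailable/disabled accounts never locked), written out as a small Python model so the interaction of the three settings can be tried on a sequence of attempts. This is an added example, not the post's or Blackboard's code; treating the login period as a sliding window over failure timestamps and the outcome labels are assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """Mirrors the Account Lock Settings; values are the Learn defaults from the post."""
    enabled: bool = True
    max_attempts: int = 5        # Maximum Login Attempts
    login_period_s: int = 300    # Login Period (seconds)
    lock_period_min: int = 360   # Account Lock Period (minutes); 0 = permanent lock


@dataclass
class Account:
    username: str
    available: bool = True
    enabled: bool = True
    failures: List[float] = field(default_factory=list)  # timestamps of recent failed logins
    locked_until: Optional[float] = None                 # None = not locked; math.inf = permanent


def attempt(policy: LockoutPolicy, acct: Account, success: bool, now: float) -> str:
    """Apply one login attempt at time `now` (seconds) and return the outcome label."""
    if not (acct.available and acct.enabled):
        return "not_lockable"            # unavailable/disabled accounts are never locked
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"              # rejected outright, even with the right password
        acct.locked_until, acct.failures = None, []   # lock period expired: auto-unlock
    if success:
        acct.failures.clear()
        return "ok"
    # Assumed sliding window: keep only failures inside the login period, then add this one.
    acct.failures = [t for t in acct.failures if now - t < policy.login_period_s] + [now]
    if policy.enabled and len(acct.failures) >= policy.max_attempts:
        lock_s = math.inf if policy.lock_period_min == 0 else policy.lock_period_min * 60
        acct.locked_until = now + lock_s
        return "locked"
    return "failed"


def admin_unlock(acct: Account) -> None:
    """Equivalent of the Unlock button / Unlock User menu item."""
    acct.locked_until, acct.failures = None, []


def simulate(policy: LockoutPolicy, acct: Account, attempts) -> List[str]:
    """attempts: (timestamp, success) pairs; returns one outcome per attempt."""
    return [attempt(policy, acct, ok, t) for t, ok in attempts]
```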