Account Lockout feature

Discussion created by heather.crites on Oct 16, 2019
Latest reply on Oct 29, 2019 by shawn.brewer

Good morning!


I did a little testing on the new Account Lockout feature in 3700.14.0 this morning and thought I would share my findings. Please add with your own findings.  We are internally debating whether to enable this feature.





Introduced in 3700.14.0, by default Learn will lock user accounts after 5 failed login attempts. Administrators can disable the feature or edit its limits by selecting Account Lock Settings in the Administrator panel. Administrators can decide the maximum failed attempts allowed within a specified period. They can also choose how long accounts remain locked and whether accounts unlock automatically if users reset their passwords.


Administrative Configuration

Go to Sys Admin > Security > Account Lock Settings





Lock accounts after failed logins

Enable or Disable the feature

Enable / Disable


Maximum Login Attempts

Maximum number of incorrect login attempts allowed before an account is locked. The maximum login attempts reset after your chosen lock period expires.



Login Period

Number of seconds in which a user can submit multiple login attempts. If the user doesn't successfully login within this time, the account is locked.



Account Lock Period

Number of minutes a user's account is locked if they don't successfully login using the attempts allowed. After this period expires, the account unlocks automatically. Enter zero (0) to permanently lock these accounts.



System Role Privileges

Currently, access to Unlock users via the contextual menu appears to be tied to the Administrator Panel (Users) > Users privileges.  Access to checkboxes and the Unlock button are tied to the Administrator Panel (Users) > Users > Available/Unavailable or Administrator Panel (Users) > Users > Delete Users privilege.


I opened case 04290754 with Bb Support to validate the lack of a specific privilege.  If there is to be no specific privilege for this functionality, I will probably end up writing a jsHack to eliminate it from the system accounts who should not be able to perform this function.



Scope of Users:

Only enabled, available accounts can be locked.  If the user account is not in Bb, is unavailable, or is disabled, then it cannot be locked.  User accounts authenticating through both the Default authentication provider and our LDAP auth provider were handled by the lockout mechanism.


End User View:

After X number of attempts, the user will see the message: This user account is locked. Please try again later. on the login page:

This message cannot be modified via the GUI.  We may be able to edit it via a custom language pack (have not yet tried).


System Administrator View:

When a user is locked, the admin can see a Message in the Authentication logs:

Additionally, when the user is locked, a new status icon appears beside the username under Sys Admin > Users

status icon


To unlock the account:

1. Look up user under System Admin > Users

2. Select the checkbox for the user

3. Click on the Unlock button at the top or bottom of the list of users


2. Open contextual menu for the user

3. Click on Unlock User
contextual menu

4. Success message displays:
users unlocked

5. A Message will appear for the user in the authentication logs: