Go to Admin > Settings > Security Policies to create and manage password policies for users. These settings control password requirements, expiration period, reuse policy, security question policy, and delegated authentication via salesforce.com.
The System Managed security policy does not appear on the Security Policies page, and you cannot edit it, delete it, or assign it to a user.
Note: Security policies apply across all Vaults in a multi-Vault domain. You must be a Domain Admin to modify these settings.
How to Create and Edit Policies
- If creating a new policy, click Create. If editing an existing policy, click on the policy from the list and then click Edit.
- Select Password as the authentication type. Make selections for the password policy:
- Password Requirements: Set the checkboxes to indicate which characters users must include in their passwords: number, upper-case letter, non-alphanumeric character (symbol).
- Minimum Password Length: Select the minimum number of characters that users must include in their passwords.
- Password Expiration: Choose how often user passwords should expire. When a user’s password expires, Vault prompts the user to create a new password.
- Password History Reuse: Choose whether Vault should prevent a user from reusing the same password, and whether to store the past three or five passwords.
- Require security question on password reset: Set the checkbox to require that users create a security question and answer that question when resetting their passwords. After enabling this setting, Vault will prompt all users to create the security question the next time they log in. Answers are not case-sensitive.
- Allow browsers to save and autofill password field on the login form: When this setting is on, users can choose to save passwords to a password manager or to their browser. When the setting is off, Vault prevents this.
- Allow device-enforced access: Enable this setting to allow users to use their device authentication (biometrics or passcode) to refresh their Vault authentication in the mobile app for up to the configured duration (4 weeks by default). After that duration has passed, users must manually re-enter their credentials to re-authenticate. This setting is only available for Password security policies, or for SSO security policies that do not have an associated OAuth profile with vaultmobile in the Client Application mapping table, because OAuth configurations can use the IdP’s refresh token instead. When inactivating a user’s IdP access, it is best practice to also immediately inactivate their Vault access, to prevent any extended access from their browser or mobile app sessions.
- Allow login via salesforce.com: Select the checkbox to allow users who are logged into Salesforce.com or Veeva CRM to access Vault without logging in again. When this checkbox is selected, you must specify your company’s salesforce.com Organization ID.
- Click Save.
If using SSO, see Configuring Single Sign-on for more information.
How to Delete or Inactivate a Security Policy
To delete a security policy:
- From the Security Policies page, select the policy you want to delete.
- Click Actions > Delete.
- Click Continue.
You can only delete security policies that are not assigned to any users. This includes inactive users.
To inactivate a security policy:
- From the Security Policies page, select the policy you want to inactivate.
- Click Edit.
- In the Status field, select Inactive.
- Click Save.
Once a security policy is inactive, it does not appear as an available option when creating or editing users.
Security Policy Fields
For each security policy, you can set the following fields. Regardless of how you configure these fields, users are always able to unlock their accounts by resetting their passwords.
Field | Explanation |
---|---|
Password Requirements | Set the checkboxes to indicate which characters users must include in their passwords: number, upper-case letter, non-alphanumeric character (symbol). |
Minimum Password Length | Select the minimum number of characters that users must include in their passwords. You can choose a number between 7 and 40. The default value is 8. |
Password Expiration | Choose how often user passwords should expire. When a user’s password expires, Vault prompts the user to create a new password. Choose No expiration (default) or Expire in… You can set the expiration to a value between 30 and 720 days. The default value for the expiration date is 90 days. |
Password History Reuse | Choose whether Vault should prevent a user from reusing the same password, and how many previous passwords to track and prevent reuse. You can select No password history tracking (default) or Prevent the reuse of the last… You can set the number of passwords to track to any number from 1 to 20. The default value is 5. |
Password Reset Daily Limit | Choose whether Vault should enforce a daily password reset limit and, if so, how long it should be. You can select Unlimited (default) or Limited to… You can set the reset limit to any number from 1 to 10. The default value is 10. This applies to password resets from the login page by unauthenticated users. Password resets performed by an administrator or from the user’s profile page do not count against the daily reset limit. |
Require security question on password reset | Set the checkbox to require that users create a security question and answer the question when resetting their passwords. After enabling this setting, Vault will prompt all users to create the security question the next time they log in. Answers are not case-sensitive. |
Allow browsers to save and autofill password field on the login form | When this setting is on, users can choose to save passwords to a password manager or to their browser. When the setting is off, Vault prevents this. |
Allow login via salesforce.com | Select the checkbox to allow users who are logged into Salesforce.com or Veeva CRM to access Vault without logging in again. When this checkbox is selected, you must specify your company’s Salesforce.com Organization ID. |
Account lockout duration | Choose how long users will be locked out of their account after 5 consecutive instances of entering the incorrect password. You can set this to Permanent (default), 5 minutes, 10 minutes, 30 minutes, or 60 minutes. |
Status | Active or Inactive. Only Active security policies are available for selection in the Vault Users UI. |
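The password settings in the Create and Edit steps above and in the field table map onto a small policy model. The following Python is an added illustration, not Vault code and not Vault's API: it encodes the Password Requirements checkboxes, the Minimum Password Length range (7 to 40), the Password Expiration range (30 to 720 days) and the Password History Reuse range (up to 20 previous passwords) from the table, rejects out-of-range configurations, and evaluates a candidate password against the policy. The salted PBKDF2 history hashing and all sample passwords are constructed for the example; the page does not describe how Vault stores password history.

```python
"""Password-policy model for the Security Policy fields (added example, not Vault code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import hashlib
import hmac
import os
import re

# A stored history entry: (salt, PBKDF2 digest). Constructed for this example;
# Vault's own storage format is not documented on this page.
HistoryEntry = Tuple[bytes, bytes]


@dataclass
class PasswordPolicy:
    # Password Requirements checkboxes
    require_number: bool = True
    require_upper: bool = True
    require_symbol: bool = True
    # Minimum Password Length: 7 to 40, default 8
    min_length: int = 8
    # Password Expiration: None means "No expiration"; otherwise 30 to 720 days
    expiration_days: Optional[int] = None
    # Password History Reuse: 0 means "No password history tracking"; otherwise 1 to 20
    history_count: int = 0

    def __post_init__(self) -> None:
        # Reject configurations outside the ranges the field table allows
        if not 7 <= self.min_length <= 40:
            raise ValueError("Minimum Password Length must be between 7 and 40")
        if self.expiration_days is not None and not 30 <= self.expiration_days <= 720:
            raise ValueError("Password Expiration must be between 30 and 720 days")
        if not 0 <= self.history_count <= 20:
            raise ValueError("Password History Reuse must track between 1 and 20 passwords")


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so the stored history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_entry(password: str, entry: HistoryEntry) -> bool:
    """Constant-time comparison of a candidate against one stored history entry."""
    salt, digest = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password(policy: PasswordPolicy, candidate: str,
                   history: List[HistoryEntry]) -> List[str]:
    """Return every policy violation for a candidate password; an empty list means accepted.

    `history` is ordered newest first; only the most recent `policy.history_count`
    entries are compared, matching the "Prevent the reuse of the last N" setting.
    """
    violations: List[str] = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_number and not re.search(r"[0-9]", candidate):
        violations.append("missing a number")
    if policy.require_upper and not re.search(r"[A-Z]", candidate):
        violations.append("missing an upper-case letter")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("missing a non-alphanumeric character")
    for entry in history[:policy.history_count]:
        if matches_entry(candidate, entry):
            violations.append(f"matches one of the last {policy.history_count} passwords")
            break
    return violations


def password_expired(policy: PasswordPolicy, changed_at: datetime,
                     now: Optional[datetime] = None) -> bool:
    """True when the Password Expiration period has elapsed since the last change."""
    if policy.expiration_days is None:
        return False
    now = now if now is not None else datetime.now(timezone.utc)
    return now - changed_at >= timedelta(days=policy.expiration_days)


if __name__ == "__main__":
    # Constructed sample: a tightened policy and two previously used passwords
    policy = PasswordPolicy(min_length=10, expiration_days=90, history_count=3)
    history = [hash_password("OldPass#2023"), hash_password("Other!Pass9")]
    for candidate in ("NewPass#2024", "OldPass#2023", "short1!", "nouppercase#1"):
        print(candidate, "->", check_password(policy, candidate, history) or "accepted")
    changed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("expired after 91 days:", password_expired(policy, changed, changed + timedelta(days=91)))
```

The history check is the part worth attention: comparing against stored hashes rather than plaintext means a tightened policy can still refuse reuse without the system ever keeping old passwords in the clear, and slicing to `history_count` is what makes the "last 3" versus "last 5" setting take effect.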
How to Reset All Passwords
Resetting all passwords can help you enforce a new password security policy. For example, if you change the minimum length, resetting all passwords forces users to create passwords that comply with the new minimum length requirement. From the Security Policies page, click Reset All Passwords.
Note: This action does not affect users with Single Sign-on (SSO) accounts. You can only reset passwords for these users through your organization’s Identity Provider (IdP).
User Account Lockout
Vault locks user accounts after five (5) consecutive unsuccessful login attempts, regardless of how much time passes between them. Vault does not tell users on the login screen that they are locked out; however, Admins can view a record of lockouts in the Login Audit History. User accounts remain locked out until either the user or an Admin requests a password reset.
Note: This setting affects all accounts and is not configurable.
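To make the lockout behaviour concrete, here is an added Python simulation, not Vault code, of the rules on this page: five consecutive failures lock the account, the lockout lasts for Permanent or one of the timed options from the Account lockout duration field, a successful login resets the failure count, the login response is the same generic failure whether the password was wrong or the account is locked (the detail goes to an audit log, standing in for the Login Audit History), and a password reset by the user or an Admin clears the lockout. It also models the Password Reset Daily Limit from the field table, counting only resets from the login page. Account names, passwords, the `LoginService` class and the audit-line format are constructed for the example.

```python
"""Simulation of account lockout and reset limits (added example, not Vault code)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import hmac

LOCKOUT_THRESHOLD = 5  # consecutive failures; the page says this is not configurable
# Account lockout duration options: None is "Permanent" (default), otherwise minutes
LOCKOUT_DURATIONS = (None, 5, 10, 30, 60)


@dataclass
class Account:
    username: str
    password: str  # plaintext only for this simulation (constructed sample); real systems store a hash
    failures: int = 0
    locked_at: Optional[datetime] = None


class LoginService:
    def __init__(self, lockout_minutes: Optional[int] = None,
                 reset_daily_limit: Optional[int] = None) -> None:
        if lockout_minutes not in LOCKOUT_DURATIONS:
            raise ValueError("lockout duration must be Permanent, 5, 10, 30 or 60 minutes")
        if reset_daily_limit is not None and not 1 <= reset_daily_limit <= 10:
            raise ValueError("Password Reset Daily Limit must be between 1 and 10")
        self.lockout_minutes = lockout_minutes
        self.reset_daily_limit = reset_daily_limit  # None means Unlimited
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []  # stands in for the Login Audit History
        self.resets: Dict[Tuple[str, date], int] = {}  # (user, day) -> login-page resets

    def add_account(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, password)

    def _log(self, now: datetime, event: str, username: str) -> None:
        self.audit.append(f"{now.isoformat()} {event} user={username}")

    def is_locked(self, acct: Account, now: datetime) -> bool:
        if acct.locked_at is None:
            return False
        if self.lockout_minutes is None:
            return True  # Permanent: stays locked until a password reset
        return now < acct.locked_at + timedelta(minutes=self.lockout_minutes)

    def login(self, username: str, password: str, now: datetime) -> bool:
        """Return True on success. Every failure returns the same False, so the
        login screen never reveals whether the account is locked; the detail
        goes to the audit log where an Admin can see it."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log(now, "login_failed reason=unknown_user", username)
            return False
        if self.is_locked(acct, now):
            self._log(now, "login_rejected reason=account_locked", username)
            return False
        if acct.locked_at is not None:
            # A timed lockout has elapsed: start a fresh count of failures
            acct.locked_at, acct.failures = None, 0
        if hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures = 0  # any success breaks the consecutive-failure streak
            self._log(now, "login_success", username)
            return True
        acct.failures += 1
        self._log(now, f"login_failed reason=bad_password consecutive={acct.failures}", username)
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_at = now
            self._log(now, "account_locked", username)
        return False

    def reset_password(self, username: str, new_password: str, now: datetime,
                       from_login_page: bool) -> bool:
        """A reset by the user or an Admin clears the lockout. Only unauthenticated
        resets from the login page count against the daily limit; Admin resets and
        resets from the user's profile page do not."""
        acct = self.accounts[username]
        if from_login_page and self.reset_daily_limit is not None:
            key = (username, now.date())
            if self.resets.get(key, 0) >= self.reset_daily_limit:
                self._log(now, "reset_denied reason=daily_limit", username)
                return False
            self.resets[key] = self.resets.get(key, 0) + 1
        acct.password, acct.failures, acct.locked_at = new_password, 0, None
        self._log(now, "password_reset lockout_cleared", username)
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    svc = LoginService(lockout_minutes=30)
    svc.add_account("alice", "Correct#Pass1")  # constructed sample credentials
    for _ in range(5):
        svc.login("alice", "wrong-guess", t0)
    print("correct password 10 min later:", svc.login("alice", "Correct#Pass1", t0 + timedelta(minutes=10)))
    print("correct password 31 min later:", svc.login("alice", "Correct#Pass1", t0 + timedelta(minutes=31)))
    print(*svc.audit, sep="\n")
```

Two design points carry over to any implementation of these rules: the correct password is rejected while the account is locked, so a timed lockout bounds guessing rate rather than merely delaying it, and the failure count is reset only by a success or a password reset, which is what "over any period of time" means in practice.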