Password rules
Retrieve password rules
GET /api/v1/tenants/(string: tenant_id)/groups/(string: group_id)/password_rules/
Retrieve all the security rules that a password should follow for the users in a Group.
Authorization rights: minimum End User.
Example request:
GET /api/v1/tenants/fooTenant/groups/fooGroup/password_rules/ HTTP/1.1
Host: example.com

{}
Example response:
HTTP/1.1 200 OK
Content-Type: "application/json"

{
    "disallowUserId": false,
    "disallowOldPassword": false,
    "disallowReversedOldPassword": false,
    "restrictMinDigits": false,
    "minDigits": 1,
    "restrictMinUpperCaseLetters": false,
    "minUpperCaseLetters": 1,
    "restrictMinLowerCaseLetters": false,
    "minLowerCaseLetters": 1,
    "restrictMinNonAlphanumericCharacters": false,
    "minNonAlphanumericCharacters": 1,
    "minLength": 6,
    "maxFailedLoginAttempts": 0,
    "passwordExpiresDays": 0,
    "sendLoginDisabledNotifyEmail": false,
    "disallowRulesModification": false,
    "disallowPreviousPasswords": false,
    "numberOfPreviousPasswords": 1,
    "forcePasswordChangeAfterReset": false
}
- Response JSON Object:
disallowUserId (boolean) – It is not allowed to have the user ID in the password.
disallowOldPassword (boolean) – It is not allowed to reuse the current password as the new one.
disallowReversedOldPassword (boolean) – It is not allowed to reuse the current password in reverse order as the new one.
restrictMinDigits (boolean) – Restriction on the minimum number of digits is enabled.
minDigits (integer) – Minimum number of digits (if enabled).
restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper-case letters is enabled.
minUpperCaseLetters (integer) – Minimum number of upper-case letters (if enabled).
restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower-case letters is enabled.
minLowerCaseLetters (integer) – Minimum number of lower-case letters (if enabled).
restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters is enabled.
minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).
minLength (integer) – Minimum length of the password.
maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).
sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.
loginDisabledNotifyEmailAddress (string) – Email address for the disabled login notification.
passwordExpiresDays (integer) – The password expires after X days (0 means never).
disallowPreviousPasswords (boolean) – It is not allowed to reuse any of the last X old passwords as the new one.
numberOfPreviousPasswords (integer) – Number of old passwords checked.
disallowRulesModification (boolean) – Indicates if it is not allowed to specify the rules at Group level (meaning they are defined at an upper level and the same for all Groups).
forcePasswordChangeAfterReset (boolean) – Forces a password change after reset (only from OCI Rel 22).
- Status Codes:
200 OK – no error
Update password rules
PUT /api/v1/tenants/(string: tenant_id)/groups/(string: group_id)/password_rules/
Update all the security rules that a password should follow for the users in a Group.
Authorization rights: minimum Group Admin.
Template Actions: this endpoint is available as a template action under the name group_password_rules.
Example request:
PUT /api/v1/tenants/foo/groups/foogroup/password_rules/ HTTP/1.1
Host: example.com
Content-Type: "application/json"

{
    "disallowOldPassword": false,
    "restrictMinDigits": true,
    "minDigits": 3,
    "restrictMinUpperCaseLetters": true,
    "minUpperCaseLetters": 2,
    "minLength": 12,
    "passwordExpiresDays": 60
}
- Request JSON Object:
disallowUserId (boolean) – It is not allowed to have the user ID in the password.
disallowOldPassword (boolean) – It is not allowed to reuse the current password as the new one.
disallowReversedOldPassword (boolean) – It is not allowed to reuse the current password in reverse order as the new one.
restrictMinDigits (boolean) – Restriction on the minimum number of digits is enabled.
minDigits (integer) – Minimum number of digits (if enabled).
restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper-case letters is enabled.
minUpperCaseLetters (integer) – Minimum number of upper-case letters (if enabled).
restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower-case letters is enabled.
minLowerCaseLetters (integer) – Minimum number of lower-case letters (if enabled).
restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters is enabled.
minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).
minLength (integer) – Minimum length of the password.
maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).
sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.
loginDisabledNotifyEmailAddress (string) – Email address for the disabled login notification.
passwordExpiresDays (integer) – The password expires after X days (0 means never).
disallowPreviousPasswords (boolean) – It is not allowed to reuse any of the last X old passwords as the new one.
numberOfPreviousPasswords (integer) – Number of old passwords checked.
forcePasswordChangeAfterReset (boolean) – Forces a password change after reset (only from OCI Rel 22).
Example response:
- Response:
Similar to GET instance method response.
- Status Codes:
200 OK – no error
error in the input data, most probably due to incorrect values, possible sub-error codes:
2: INVALID_PARAMETERS, “Password length should not be less than the sum of all the required numbers, uppercase, lowercase and non-alphanumeric characters”
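A client-side pre-check for a PUT body, written here as an added example (not APIO code): it verifies field names and types against the request object listed above and reproduces the length check behind INVALID_PARAMETERS. The function names are hypothetical, and counting only the minimums whose restrict* switch is true in the same body is an assumption.

```python
# Added example: field names and types come from the request object listed
# above; counting only the enabled restrictions is an assumption.
BOOL_FIELDS = {
    "disallowUserId", "disallowOldPassword", "disallowReversedOldPassword",
    "restrictMinDigits", "restrictMinUpperCaseLetters",
    "restrictMinLowerCaseLetters", "restrictMinNonAlphanumericCharacters",
    "sendLoginDisabledNotifyEmail", "disallowPreviousPasswords",
    "forcePasswordChangeAfterReset",
}
INT_FIELDS = {
    "minDigits", "minUpperCaseLetters", "minLowerCaseLetters",
    "minNonAlphanumericCharacters", "minLength", "maxFailedLoginAttempts",
    "passwordExpiresDays", "numberOfPreviousPasswords",
}
STR_FIELDS = {"loginDisabledNotifyEmailAddress"}
CHARACTER_MINIMUMS = ("minDigits", "minUpperCaseLetters",
                      "minLowerCaseLetters", "minNonAlphanumericCharacters")


def is_count(value):
    """True for a non-negative integer (bool is an int subclass, so reject it)."""
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def check_payload(payload):
    """Return a list of problems found in a password_rules PUT body."""
    problems = []
    for key, value in payload.items():
        if key in BOOL_FIELDS:
            valid = isinstance(value, bool)
        elif key in INT_FIELDS:
            valid = is_count(value)
        elif key in STR_FIELDS:
            valid = isinstance(value, str)
        else:
            problems.append(f"{key}: not a documented request field")
            continue
        if not valid:
            problems.append(f"{key}: wrong type or negative value")
    # Sum the minimums whose restrict* switch is set to true in this payload.
    required = sum(
        payload[field] for field in CHARACTER_MINIMUMS
        if payload.get("restrict" + field[0].upper() + field[1:]) is True
        and is_count(payload.get(field))
    )
    if is_count(payload.get("minLength")) and payload["minLength"] < required:
        problems.append(f"minLength {payload['minLength']} < required characters {required}")
    return problems
```

The check only sees the fields present in the body; values already stored on the server are not taken into account.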
Retrieve password rules of the Group Admins
GET /api/v1/tenants/(string: tenant_id)/groups/(string: group_id)/password_rules/group_admins/
Retrieve all the active security rules that a password should follow only for the admins of a Group. The rules of the passwords may be set at Tenant level or at System level.
Authorization rights: minimum Group Admin.
Example request:
GET /api/v1/tenants/fooTenant/groups/fooGroup/password_rules/group_admins/ HTTP/1.1
Host: example.com

{}
Example response:
HTTP/1.1 200 OK
Content-Type: "application/json"

{
    "allowWebAddExternalAuthenticationUsers": true,
    "disallowUserId": false,
    "disallowOldPassword": false,
    "disallowReversedOldPassword": false,
    "restrictMinDigits": false,
    "minDigits": 1,
    "restrictMinUpperCaseLetters": false,
    "minUpperCaseLetters": 1,
    "restrictMinLowerCaseLetters": false,
    "minLowerCaseLetters": 1,
    "restrictMinNonAlphanumericCharacters": false,
    "minNonAlphanumericCharacters": 1,
    "minLength": 6,
    "maxFailedLoginAttempts": 0,
    "passwordExpiresDays": 0,
    "sendLoginDisabledNotifyEmail": false,
    "disallowPreviousPasswords": false,
    "numberOfPreviousPasswords": 1,
    "forcePasswordChangeAfterReset": false
}
- Request JSON Object:
allowWebAddExternalAuthenticationUsers (boolean) – Allow creating users without a password in the AS because it will be validated by an external portal.
disallowUserId (boolean) – It is not allowed to have the user ID in the password.
disallowOldPassword (boolean) – It is not allowed to reuse the current password as the new one.
disallowReversedOldPassword (boolean) – It is not allowed to reuse the current password in reverse order as the new one.
restrictMinDigits (boolean) – Restriction on the minimum number of digits is enabled.
minDigits (integer) – Minimum number of digits (if enabled).
restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper-case letters is enabled.
minUpperCaseLetters (integer) – Minimum number of upper-case letters (if enabled).
restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower-case letters is enabled.
minLowerCaseLetters (integer) – Minimum number of lower-case letters (if enabled).
restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters is enabled.
minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).
minLength (integer) – Minimum length of the password.
maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).
sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.
loginDisabledNotifyEmailAddress (string) – Email address for the disabled login notification (if enabled).
passwordExpiresDays (integer) – The password expires after X days (0 means never).
disallowPreviousPasswords (boolean) – It is not allowed to reuse any of the last X old passwords as the new one.
numberOfPreviousPasswords (integer) – Number of old passwords checked (if enabled).
- Status Codes:
200 OK – no error
Configuration Information for the Group Admin Password Rules
Since 1.11.0, iff the APIO is configured to validate password rules locally and also to use minimal rules, the password rules returned are the merge of the rules read from the AS and of the minimum rules.
The APIO behaviour for the validation of the passwords is controlled by the following settings:
"VALIDATE_PASSWORD_LOCALLY": true,
"MINIMUM_PASSWORD_RULES": {
    "ADMIN": {
        "PASSWORD_MIN_SPECIAL_CHARACTERS": 1,
        "PASSWORD_MIN_UPPERCASE_LETTERS": 1,
        "PASSWORD_MIN_LOWERCASE_LETTERS": 1,
        "PASSWORD_MIN_DIGITS": 1,
        "PASSWORD_MIN_LENGTH": 8
    }
},
- Settings description:
VALIDATE_PASSWORD_LOCALLY: APIO will check the password provided in the API based on the user level rules from the network element. Default is false.
MINIMUM_PASSWORD_RULES.ADMIN: (from 1.11.0) minimum password rules for the Admins. The defaults are the ones in the example.
Retrieve password rules of End Users
GET /api/v1/tenants/(string: tenant_id)/groups/(string: group_id)/password_rules/end_users/
Retrieve all the active security rules that a password should follow for new or existing users of a Group. The rules of the passwords may be set at Group level, at Tenant level or at System level.
Authorization rights: minimum End User.
Example request:
GET /api/v1/tenants/fooTenant/groups/fooGroup/password_rules/end_users/ HTTP/1.1
Host: example.com

{}
Example response:
HTTP/1.1 200 OK
Content-Type: "application/json"

{
    "disallowUserId": false,
    "disallowOldPassword": false,
    "disallowReversedOldPassword": false,
    "restrictMinDigits": false,
    "minDigits": 1,
    "restrictMinUpperCaseLetters": false,
    "minUpperCaseLetters": 1,
    "restrictMinLowerCaseLetters": false,
    "minLowerCaseLetters": 1,
    "restrictMinNonAlphanumericCharacters": false,
    "minNonAlphanumericCharacters": 1,
    "minLength": 6,
    "maxFailedLoginAttempts": 0,
    "passwordExpiresDays": 0,
    "sendLoginDisabledNotifyEmail": false,
    "disallowPreviousPasswords": false,
    "numberOfPreviousPasswords": 1,
    "forcePasswordChangeAfterReset": false
}
- Request JSON Object:
allowWebAddExternalAuthenticationUsers (boolean) – Allow creating users without a password in the AS because it will be validated by an external portal.
disallowUserId (boolean) – It is not allowed to have the user ID in the password.
disallowOldPassword (boolean) – It is not allowed to reuse the current password as the new one.
disallowReversedOldPassword (boolean) – It is not allowed to reuse the current password in reverse order as the new one.
restrictMinDigits (boolean) – Restriction on the minimum number of digits is enabled.
minDigits (integer) – Minimum number of digits (if enabled).
restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper-case letters is enabled.
minUpperCaseLetters (integer) – Minimum number of upper-case letters (if enabled).
restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower-case letters is enabled.
minLowerCaseLetters (integer) – Minimum number of lower-case letters (if enabled).
restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters is enabled.
minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).
minLength (integer) – Minimum length of the password.
maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).
sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.
loginDisabledNotifyEmailAddress (string) – Email address for the disabled login notification (if enabled).
passwordExpiresDays (integer) – The password expires after X days (0 means never).
disallowPreviousPasswords (boolean) – It is not allowed to reuse any of the last X old passwords as the new one.
numberOfPreviousPasswords (integer) – Number of old passwords checked (if enabled).
- Response JSON Object:
forcePasswordChangeAfterReset (boolean) – Forces a password change after reset (only from OCI Rel 22).
- Status Codes:
200 OK – no error
Configuration Information for the End User Password Rules
Since 1.11.0, if the APIO is configured to validate password rules locally and also to use minimal rules, the password rules returned are the merge of the rules read from the AS and of the minimum rules.
The APIO behaviour for the validation of the passwords is controlled by the following settings:
"VALIDATE_PASSWORD_LOCALLY": true,
"MINIMUM_PASSWORD_RULES": {
    "END_USER": {
        "PASSWORD_MIN_SPECIAL_CHARACTERS": 1,
        "PASSWORD_MIN_UPPERCASE_LETTERS": 1,
        "PASSWORD_MIN_LOWERCASE_LETTERS": 1,
        "PASSWORD_MIN_DIGITS": 1,
        "PASSWORD_MIN_LENGTH": 8
    }
},
- Settings description:
VALIDATE_PASSWORD_LOCALLY: APIO will check the password provided in the API based on the user level rules from the network element. Default is false.
MINIMUM_PASSWORD_RULES.END_USER: minimum password rules for End Users. The defaults are the ones in the example. Please note that these settings will also be used when creating hidden users for APIO features.
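One way the merge described in the Group Admin and End User configuration sections could work, followed by a local check of a candidate password against the resulting rules (an added example, not APIO code). The mapping from PASSWORD_MIN_* keys to API fields, the stricter-value-wins merge, and the names merge_rules, violations and flag_for are assumptions.

```python
# Added example. The settings-key mapping and the "stricter value wins" merge
# are assumptions; the page only says that the two rule sets are merged.
FLOOR_TO_FIELD = {
    "PASSWORD_MIN_DIGITS": "minDigits",
    "PASSWORD_MIN_UPPERCASE_LETTERS": "minUpperCaseLetters",
    "PASSWORD_MIN_LOWERCASE_LETTERS": "minLowerCaseLetters",
    "PASSWORD_MIN_SPECIAL_CHARACTERS": "minNonAlphanumericCharacters",
    "PASSWORD_MIN_LENGTH": "minLength",
}
COUNTERS = {
    "minDigits": str.isdigit,
    "minUpperCaseLetters": str.isupper,
    "minLowerCaseLetters": str.islower,
    "minNonAlphanumericCharacters": lambda c: not c.isalnum(),
}


def flag_for(field):
    """restrictMinDigits for minDigits, and so on; minLength has no switch."""
    return "restrict" + field[0].upper() + field[1:]


def merge_rules(as_rules, floor):
    """Combine rules read from the AS with one MINIMUM_PASSWORD_RULES entry."""
    merged = dict(as_rules)
    for key, minimum in floor.items():
        field = FLOOR_TO_FIELD[key]
        switched = field == "minLength" or as_rules.get(flag_for(field), False)
        # A minimum that the AS has switched off contributes nothing.
        merged[field] = max(as_rules.get(field, 0) if switched else 0, minimum)
        if field in COUNTERS:
            merged[flag_for(field)] = merged[field] > 0
    return merged


def violations(password, rules, user_id=""):
    """Return the names of the rules that `password` does not satisfy."""
    failed = []
    if len(password) < rules.get("minLength", 0):
        failed.append("minLength")
    for field, matches in COUNTERS.items():
        count = sum(1 for ch in password if matches(ch))
        if rules.get(flag_for(field)) and count < rules.get(field, 0):
            failed.append(field)
    # Case-insensitive user ID match is an assumption of this example.
    if rules.get("disallowUserId") and user_id and user_id.lower() in password.lower():
        failed.append("disallowUserId")
    return failed
```

With the example response above (minLength 6, every restriction off) and the END_USER minimums, merge_rules raises minLength to 8 and switches on all four character-class restrictions, so a password that passes the AS rules alone can still fail the merged ones.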