Password rules

Retrieve password rules

GET /api/v1/tenants/(string: tenant_id)/password_rules/

Retrieve all the security rules that a password should follow inside this Tenant.

These rules can be enforced for Group Admins and End Users, or for Group Admins only. Tenant Admin rules are defined at System level.

Authorization Right: minimum End User.

Example request:

GET /api/v1/tenants/fooTenant/password_rules/ HTTP/1.1
Host: example.com

{}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "rulesApplyTo": "Administrator and User",
   "allowWebAddExternalAuthenticationUsers": true,
   "disallowUserId": true,
   "disallowOldPassword": true,
   "disallowReversedOldPassword": true,
   "restrictMinDigits": true,
   "minDigits": 3,
   "restrictMinUpperCaseLetters": true,
   "minUpperCaseLetters": 2,
   "restrictMinLowerCaseLetters": true,
   "minLowerCaseLetters": 4,
   "restrictMinNonAlphanumericCharacters": true,
   "minNonAlphanumericCharacters": 4,
   "minLength": 15,
   "maxFailedLoginAttempts": 2,
   "passwordExpiresDays": 99,
   "sendLoginDisabledNotifyEmail": true,
   "disallowRulesModification": true,
   "disallowPreviousPasswords": true,
   "numberOfPreviousPasswords": 7
}
Response JSON Object:
  • rulesApplyTo (string) – the levels the rules apply to. See Tenant rules apply to attribute.

  • allowWebAddExternalAuthenticationUsers (boolean) – Allow creating users without a password in the AS, because the password will be validated by an external portal.

  • disallowUserId (boolean) – The password must not contain the user id.

  • disallowOldPassword (boolean) – The current password cannot be reused as the new one.

  • disallowReversedOldPassword (boolean) – The current password in reverse order cannot be used as the new one.

  • restrictMinDigits (boolean) – Restriction on the minimum number of digits enabled.

  • minDigits (integer) – Minimum number of digits (if enabled).

  • restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper case letters enabled.

  • minUpperCaseLetters (integer) – Minimum number of upper case letters (if enabled).

  • restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower case letters enabled.

  • minLowerCaseLetters (integer) – Minimum number of lower case letters (if enabled).

  • restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters enabled.

  • minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).

  • minLength (integer) – Minimum length of the password.

  • maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).

  • sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.

  • loginDisabledNotifyEmailAddress (string) – Email address for the disabled-login notification (if enabled).

  • passwordExpiresDays (integer) – The password expires after X days (0 means never).

  • disallowPreviousPasswords (boolean) – The last X old passwords cannot be reused as the new one.

  • numberOfPreviousPasswords (integer) – Number of old passwords checked (if enabled).

  • disallowRulesModification (boolean) – Indicates whether Group Admins are prevented from modifying the rules.

Status Codes:

Update password rules

PUT /api/v1/tenants/(string: tenant_id)/password_rules/

Update the security rules that a password should follow in this Tenant.

These rules can be enforced for Group Admins and End Users, or for Group Admins only. Tenant Admin rules are defined at System level.

Authorization Right: minimum Tenant Admin.

Template Actions: this endpoint is available as a template action under the name tenant_password_rules.

Example request:

PUT /api/v1/tenants/fooTenant/password_rules/ HTTP/1.1
Host: example.com
Content-Type: application/json

{
   "rulesApplyTo": "Administrator and User",
   "allowWebAddExternalAuthenticationUsers": true,
   "disallowUserId": true,
   "disallowOldPassword": true,
   "disallowReversedOldPassword": true,
   "restrictMinDigits": true,
   "minDigits": 3,
   "restrictMinUpperCaseLetters": true,
   "minUpperCaseLetters": 2,
   "restrictMinLowerCaseLetters": true,
   "minLowerCaseLetters": 4,
   "restrictMinNonAlphanumericCharacters": true,
   "minNonAlphanumericCharacters": 4,
   "minLength": 15,
   "maxFailedLoginAttempts": 2,
   "passwordExpiresDays": 99,
   "sendLoginDisabledNotifyEmail": true,
   "disallowPreviousPasswords": true,
   "numberOfPreviousPasswords": 7
}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "rulesApplyTo": "Administrator and User",
   "allowWebAddExternalAuthenticationUsers": true,
   "disallowUserId": true,
   "disallowOldPassword": true,
   "disallowReversedOldPassword": true,
   "restrictMinDigits": true,
   "minDigits": 3,
   "restrictMinUpperCaseLetters": true,
   "minUpperCaseLetters": 2,
   "restrictMinLowerCaseLetters": true,
   "minLowerCaseLetters": 4,
   "restrictMinNonAlphanumericCharacters": true,
   "minNonAlphanumericCharacters": 4,
   "minLength": 15,
   "maxFailedLoginAttempts": 2,
   "passwordExpiresDays": 99,
   "sendLoginDisabledNotifyEmail": true,
   "disallowPreviousPasswords": true,
   "numberOfPreviousPasswords": 7
}
Response JSON Object:
  • rulesApplyTo (string) – the levels the rules apply to. See Tenant rules apply to attribute.

  • allowWebAddExternalAuthenticationUsers (boolean) – Allow creating users without a password in the AS, because the password will be validated by an external portal.

  • disallowUserId (boolean) – The password must not contain the user id.

  • disallowOldPassword (boolean) – The current password cannot be reused as the new one.

  • disallowReversedOldPassword (boolean) – The current password in reverse order cannot be used as the new one.

  • restrictMinDigits (boolean) – Restriction on the minimum number of digits enabled.

  • minDigits (integer) – Minimum number of digits (if enabled).

  • restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper case letters enabled.

  • minUpperCaseLetters (integer) – Minimum number of upper case letters (if enabled).

  • restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower case letters enabled.

  • minLowerCaseLetters (integer) – Minimum number of lower case letters (if enabled).

  • restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters enabled.

  • minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).

  • minLength (integer) – Minimum length of the password.

  • maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).

  • sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.

  • loginDisabledNotifyEmailAddress (string) – Email address for the disabled-login notification (if enabled).

  • passwordExpiresDays (integer) – The password expires after X days (0 means never).

  • disallowPreviousPasswords (boolean) – The last X old passwords cannot be reused as the new one.

  • numberOfPreviousPasswords (integer) – Number of old passwords checked (if enabled).

Status Codes:
  • 200 OK – no error

  • 400 Bad Request – error in the input data, most probably due to incorrect values.

Retrieve password rules of the Tenant Admins

GET /api/v1/tenants/(string: tenant_id)/password_rules/tenant_admins/
Retrieve all the active security rules that a password should follow for the admins of a Tenant.
The rules of the passwords are set at System level.

Authorization Right: minimum Tenant Admin.

Example request:

GET /api/v1/tenants/fooTenant/password_rules/tenant_admins/ HTTP/1.1
Host: example.com

{}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "allowWebAddExternalAuthenticationUsers": true,
   "disallowUserId": true,
   "disallowOldPassword": true,
   "disallowReversedOldPassword": true,
   "restrictMinDigits": true,
   "minDigits": 2,
   "restrictMinUpperCaseLetters": true,
   "minUpperCaseLetters": 2,
   "restrictMinLowerCaseLetters": true,
   "minLowerCaseLetters": 3,
   "restrictMinNonAlphanumericCharacters": true,
   "minNonAlphanumericCharacters": 3,
   "minLength": 14,
   "maxFailedLoginAttempts": 2,
   "passwordExpiresDays": 50,
   "sendLoginDisabledNotifyEmail": true,
   "disallowRulesModification": true,
   "disallowPreviousPasswords": true,
   "numberOfPreviousPasswords": 7
}
Response JSON Object:
  • allowWebAddExternalAuthenticationUsers (boolean) – Allow creating users without a password in the AS, because the password will be validated by an external portal.

  • disallowUserId (boolean) – The password must not contain the user id.

  • disallowOldPassword (boolean) – The current password cannot be reused as the new one.

  • disallowReversedOldPassword (boolean) – The current password in reverse order cannot be used as the new one.

  • restrictMinDigits (boolean) – Restriction on the minimum number of digits enabled.

  • minDigits (integer) – Minimum number of digits (if enabled).

  • restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper case letters enabled.

  • minUpperCaseLetters (integer) – Minimum number of upper case letters (if enabled).

  • restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower case letters enabled.

  • minLowerCaseLetters (integer) – Minimum number of lower case letters (if enabled).

  • restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters enabled.

  • minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).

  • minLength (integer) – Minimum length of the password.

  • maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).

  • sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.

  • loginDisabledNotifyEmailAddress (string) – Email address for the disabled-login notification (if enabled).

  • passwordExpiresDays (integer) – The password expires after X days (0 means never).

  • disallowPreviousPasswords (boolean) – The last X old passwords cannot be reused as the new one.

  • numberOfPreviousPasswords (integer) – Number of old passwords checked (if enabled).

  • disallowRulesModification (boolean) – Indicates whether Group Admins are prevented from modifying the rules.

Status Codes:

Configuration Information for the Tenant Admin Password Rules

Since 1.11.0, if the APIO is configured to validate password rules locally and also to use minimal rules, the password rules returned are the merge of the rules read from the AS and the minimum rules.

The APIO behaviour for password validation is controlled by the following settings:

"VALIDATE_PASSWORD_LOCALLY": true
"MINIMUM_PASSWORD_RULES": {
     "ADMIN" : {
         "PASSWORD_MIN_SPECIAL_CHARACTERS": 1,
         "PASSWORD_MIN_UPPERCASE_LETTERS": 1,
         "PASSWORD_MIN_LOWERCASE_LETTERS": 1,
         "PASSWORD_MIN_DIGITS": 1,
         "PASSWORD_MIN_LENGTH": 8
     }
},
Settings description:
  • VALIDATE_PASSWORD_LOCALLY: APIO will check the password provided in the API against the user-level rules from the network element. Default is false.

  • MINIMUM_PASSWORD_RULES.ADMIN: (from 1.11.0) minimum password rules for the Admins. The defaults are the ones in the example.

Retrieve password rules of End Users

GET /api/v1/tenants/(string: tenant_id)/password_rules/end_users/
Retrieve all the active security rules that a password should follow for new users; this is used only when a new user and a new Group are created at the same time in a Tenant.
The password rules may be set at Group level (from default values defined in a configuration setting), at Tenant level or at System level.
More precisely, when a client wants to create an end user and a group at the same time, the group does not exist yet, so it is not possible to use the endpoint Retrieve password rules of End Users to get the rules that apply to the user's password.
This API tries to overcome this issue by analysing the level at which the rules are defined (System, Tenant or Group) and returning the relevant rules.
However, if they are defined at Group level, the APIO cannot retrieve them because the Group does not exist yet, and therefore uses a Configuration Setting that provides them.
As the rules can be the default ones from the AS or the ones defined in the Group creation template, it is the responsibility of the people configuring the APIO to ensure these settings cover the most restrictive case. Likewise, the people configuring the default values on the AS side or the templates are responsible for informing the people configuring the APIO of any change on their side.

Authorization Right: minimum Tenant Admin.

Example request:

GET /api/v1/tenants/fooTenant/password_rules/end_users/ HTTP/1.1
Host: example.com

{}

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "allowWebAddExternalAuthenticationUsers": true,
   "disallowUserId": true,
   "disallowOldPassword": true,
   "disallowReversedOldPassword": true,
   "restrictMinDigits": true,
   "minDigits": 3,
   "restrictMinUpperCaseLetters": true,
   "minUpperCaseLetters": 2,
   "restrictMinLowerCaseLetters": true,
   "minLowerCaseLetters": 2,
   "restrictMinNonAlphanumericCharacters": true,
   "minNonAlphanumericCharacters": 3,
   "minLength": 12,
   "maxFailedLoginAttempts": 3,
   "passwordExpiresDays": 40,
   "sendLoginDisabledNotifyEmail": true,
   "disallowRulesModification": true,
   "disallowPreviousPasswords": true,
   "numberOfPreviousPasswords": 7
}
Response JSON Object:
  • allowWebAddExternalAuthenticationUsers (boolean) – Allow creating users without a password in the AS, because the password will be validated by an external portal.

  • disallowUserId (boolean) – The password must not contain the user id.

  • disallowOldPassword (boolean) – The current password cannot be reused as the new one.

  • disallowReversedOldPassword (boolean) – The current password in reverse order cannot be used as the new one.

  • restrictMinDigits (boolean) – Restriction on the minimum number of digits enabled.

  • minDigits (integer) – Minimum number of digits (if enabled).

  • restrictMinUpperCaseLetters (boolean) – Restriction on the minimum number of upper case letters enabled.

  • minUpperCaseLetters (integer) – Minimum number of upper case letters (if enabled).

  • restrictMinLowerCaseLetters (boolean) – Restriction on the minimum number of lower case letters enabled.

  • minLowerCaseLetters (integer) – Minimum number of lower case letters (if enabled).

  • restrictMinNonAlphanumericCharacters (boolean) – Restriction on the minimum number of non-alphanumeric characters enabled.

  • minNonAlphanumericCharacters (integer) – Minimum number of non-alphanumeric characters (if enabled).

  • minLength (integer) – Minimum length of the password.

  • maxFailedLoginAttempts (integer) – Disable the credentials of the user after X consecutive failed logins (0 means never).

  • sendLoginDisabledNotifyEmail (boolean) – Send an email to an admin when a login is disabled.

  • loginDisabledNotifyEmailAddress (string) – Email address for the disabled-login notification (if enabled).

  • passwordExpiresDays (integer) – The password expires after X days (0 means never).

  • disallowPreviousPasswords (boolean) – The last X old passwords cannot be reused as the new one.

  • numberOfPreviousPasswords (integer) – Number of old passwords checked (if enabled).

  • disallowRulesModification (boolean) – Indicates whether Group Admins are prevented from modifying the rules.

  • forcePasswordChangeAfterReset (boolean) – Forces a password change after reset (only from OCI Rel 22).

Status Codes:

Configuration Settings

The default Group password rules for the new End Users logic described above are controlled by the following Configuration Settings (the values presented are the default ones):

"DEFAULT_GROUP_PASSWORD_RULES": {
   "disallowUserId": false,
   "disallowOldPassword": false,
   "disallowReversedOldPassword": false,
   "restrictMinDigits": false,
   "minDigits": 1,
   "restrictMinUpperCaseLetters": false,
   "minUpperCaseLetters": 1,
   "restrictMinLowerCaseLetters": false,
   "minLowerCaseLetters": 1,
   "restrictMinNonAlphanumericCharacters": false,
   "minNonAlphanumericCharacters": 1,
   "minLength": 6,
   "maxFailedLoginAttempts": 5,
   "passwordExpiresDays": 30,
   "sendLoginDisabledNotifyEmail": false,
   "loginDisabledNotifyEmailAddress": "",
   "disallowRulesModification": false,
   "disallowPreviousPasswords": false,
   "numberOfPreviousPasswords": 1,
   "forcePasswordChangeAfterReset": false
}
Explanation of the parameters:
  • DEFAULT_GROUP_PASSWORD_RULES: all the security rules that a password should follow for the users in this Group.

It must be noted that APIO will not enforce these rules at Group level. This is done either via a default configuration in the AS, or using a template action at Group creation.

Since 1.11.0, if the APIO is configured to validate password rules locally and also to use minimal rules, the password rules returned are the merge of the rules defined above (or the ones from the AS, depending on the configuration) and the minimum rules.

The APIO behaviour for password validation is controlled by the following settings:

"VALIDATE_PASSWORD_LOCALLY": true
"MINIMUM_PASSWORD_RULES": {
     "END_USER" : {
         "PASSWORD_MIN_SPECIAL_CHARACTERS": 1,
         "PASSWORD_MIN_UPPERCASE_LETTERS": 1,
         "PASSWORD_MIN_LOWERCASE_LETTERS": 1,
         "PASSWORD_MIN_DIGITS": 1,
         "PASSWORD_MIN_LENGTH": 8
     }
},
Settings description:
  • VALIDATE_PASSWORD_LOCALLY: APIO will check the password provided in the API against the user-level rules from the network element. Default is false.

  • MINIMUM_PASSWORD_RULES.END_USER: minimum password rules for End Users. The defaults are the ones in the example. Please note that these settings will also be used when creating hidden users for APIO features.
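As an added example (not code from the APIO project), the following Python shows a local validator for the rules object the password_rules endpoints return, together with the stricter-wins merge against MINIMUM_PASSWORD_RULES described for both Admins and End Users above. The exact merge semantics are an assumption derived from this page, and the sample rule values are constructed from its example responses.

```python
# Constructed: Tenant rules from the GET .../password_rules/ example response (subset).
TENANT_RULES = {
    "disallowUserId": True, "disallowOldPassword": True, "disallowReversedOldPassword": True,
    "restrictMinDigits": True, "minDigits": 3,
    "restrictMinUpperCaseLetters": True, "minUpperCaseLetters": 2,
    "restrictMinLowerCaseLetters": True, "minLowerCaseLetters": 4,
    "restrictMinNonAlphanumericCharacters": True, "minNonAlphanumericCharacters": 4,
    "minLength": 15,
}

# Constructed: the MINIMUM_PASSWORD_RULES.ADMIN / END_USER block from the settings example.
MINIMUM_RULES = {
    "PASSWORD_MIN_SPECIAL_CHARACTERS": 1, "PASSWORD_MIN_UPPERCASE_LETTERS": 1,
    "PASSWORD_MIN_LOWERCASE_LETTERS": 1, "PASSWORD_MIN_DIGITS": 1, "PASSWORD_MIN_LENGTH": 8,
}

# Minimum-rule key -> (enable flag, count field) of the AS rules object; minLength has no flag.
_MIN_TO_AS = {
    "PASSWORD_MIN_SPECIAL_CHARACTERS": ("restrictMinNonAlphanumericCharacters", "minNonAlphanumericCharacters"),
    "PASSWORD_MIN_UPPERCASE_LETTERS": ("restrictMinUpperCaseLetters", "minUpperCaseLetters"),
    "PASSWORD_MIN_LOWERCASE_LETTERS": ("restrictMinLowerCaseLetters", "minLowerCaseLetters"),
    "PASSWORD_MIN_DIGITS": ("restrictMinDigits", "minDigits"),
    "PASSWORD_MIN_LENGTH": (None, "minLength"),
}

def merge_rules(as_rules, minimum):
    """Stricter-wins merge (assumed reading of 'the merge' described on this page)."""
    merged = dict(as_rules)
    for key, (flag, count) in _MIN_TO_AS.items():
        floor = minimum.get(key, 0)
        enabled = flag is None or as_rules.get(flag, False)
        effective = as_rules.get(count, 0) if enabled else 0  # disabled bound counts as 0
        if floor > effective:
            merged[count] = floor
            if flag is not None:
                merged[flag] = True
    return merged

def check_password(password, rules, user_id="", old_password=""):
    """Return the names of the rules the candidate violates (empty list means accepted)."""
    counts = {"minDigits": sum(c.isdigit() for c in password),
              "minUpperCaseLetters": sum(c.isupper() for c in password),
              "minLowerCaseLetters": sum(c.islower() for c in password),
              "minNonAlphanumericCharacters": sum(not c.isalnum() for c in password)}
    failures = ["minLength"] if len(password) < rules.get("minLength", 0) else []
    for flag, count in _MIN_TO_AS.values():  # per-category bounds apply only when enabled
        if flag and rules.get(flag) and counts[count] < rules.get(count, 0):
            failures.append(count)
    if rules.get("disallowUserId") and user_id and user_id.lower() in password.lower():
        failures.append("disallowUserId")
    if rules.get("disallowOldPassword") and password == old_password:
        failures.append("disallowOldPassword")
    if rules.get("disallowReversedOldPassword") and password == old_password[::-1]:
        failures.append("disallowReversedOldPassword")
    return failures
```

Run check_password on the merged rules rather than on the raw AS rules to reproduce what a locally validating APIO would accept.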