User Policies

User Policies allow administrators to manage the security configurations of their "User Accounts".

To edit a User Policy, navigate to the Web browser menu:

  • Users and Roles -> Manage Policies -> Actions -> Edit

Policy Setup - Best Practices

Use the following steps to set up a series of User Policies for your company:

  1. Start by setting the Default Policy to be the minimum requirements for Password and Lockout
  2. Create additional Policies for more Levels of Access
    • Stricter password requirements
    • Fewer attempts before lockout
    • Longer lockout time or disable user to force manual re-enable
    • Require Two-Factor Authentication
      • When Two-Factor Authentication is required, the user's configuration will usually be managed directly by an administrator
      • Self-managed YubiKeys, for example
  3. Apply stricter Policies to the appropriate Roles or Users
    • Policies may be reused for multiple roles and/or users
  4. For additional security, consider enabling Two-Factor Providers that users can easily self-configure and use if they wish:
    • Authenticator
    • YubiKey

Password Policy

  • Applies only to the user when they are setting their own password for accessing the password server.
    • Users with the Administer Users permission can set other users' passwords directly without having to obey the policy
  • Minimum Length: (required)
  • Maximum Length: (not required, can be blank)
  • Minimum Characters of each type: (uppercase, lowercase, digit, special)
  • Minimum Varieties: specify minimum number of types, (1 - 4)
    • Can be used instead of setting a minimum per type
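The rules listed above, worked through as an added example (not code from Pleasant Password Server): a validator that applies Minimum/Maximum Length, the per-type minimums and the Minimum Varieties alternative, and reports every violated rule rather than just pass/fail. The policy objects, the choice of treating every non-alphanumeric character as "special", and the sample passwords are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PasswordPolicy:
    """Mirrors the Password Policy fields listed above (constructed model, not the server's schema)."""
    min_length: int                    # Minimum Length: required
    max_length: Optional[int] = None   # Maximum Length: blank (None) means no upper bound
    min_upper: int = 0                 # Minimum Characters of each type
    min_lower: int = 0
    min_digit: int = 0
    min_special: int = 0
    min_varieties: int = 1             # Minimum Varieties: 1-4 types, usable instead of per-type minimums

def count_types(password: str) -> dict:
    """Count characters per type. Assumption: anything that is not a letter or digit is 'special'."""
    return {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }

def check_password(policy: PasswordPolicy, password: str) -> list:
    """Return every rule the candidate password violates; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"length {len(password)} exceeds the maximum of {policy.max_length}")
    counts = count_types(password)
    per_type = {"uppercase": policy.min_upper, "lowercase": policy.min_lower,
                "digit": policy.min_digit, "special": policy.min_special}
    for kind, needed in per_type.items():
        if counts[kind] < needed:
            problems.append(f"needs at least {needed} {kind} character(s), found {counts[kind]}")
    varieties = sum(1 for n in counts.values() if n > 0)
    if varieties < policy.min_varieties:
        problems.append(f"uses {varieties} character type(s), policy requires {policy.min_varieties}")
    return problems

# Constructed sample policies following the best-practice steps above: a baseline Default
# Policy and a stricter one for a higher level of access.
DEFAULT_POLICY = PasswordPolicy(min_length=12, min_varieties=3)
STRICT_POLICY = PasswordPolicy(min_length=16, max_length=64, min_upper=2, min_lower=2,
                               min_digit=2, min_special=2, min_varieties=4)

if __name__ == "__main__":
    for pw in ("correcthorse", "Correct-Horse1", "Tr0ub4dor&3"):
        print(pw, "->", check_password(STRICT_POLICY, pw) or "accepted")
```

Remember that the server only applies these rules when a user sets their own password; an Administer Users admin setting someone else's password bypasses them, so a check like this is also useful on the admin side.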

Lockout Policy

(Not applicable to Reset users)

Enabling a Lockout Policy locks users out of the application after a set number of consecutive failed sign-in attempts. A lockout can last for a set duration, or require an administrative reset.

A user with the Administer Users permission can re-enable users or reset the lockouts early.

  • Status: enable or disable Lockout
  • Maximum Consecutive Failures: the number of consecutive failed attempts after which an account is locked or disabled
  • Duration Until Reset:
    • Setting this option to blank will disable the user instead of locking them out
    • The admin user will not be disabled, but will instead be locked out for a short time
  • Alerts: can be enabled for administrators or users
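The lockout behaviour described above, modelled as an added example (not the server's code): consecutive failures are counted, a blank Duration Until Reset disables the user instead of locking them, the admin user is only locked out briefly, and an Administer Users reset clears either state early. The account model, the length of the admin's "short" lockout and the assumption that the failure counter restarts after a lockout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the page says an admin is "locked out for a short time" rather than disabled but
# gives no length, so this constructed placeholder (seconds) stands in for it.
ADMIN_SHORT_LOCK_SECONDS = 300

@dataclass
class LockoutPolicy:
    enabled: bool = True                       # Status
    max_consecutive_failures: int = 5          # Maximum Consecutive Failures
    duration_until_reset: Optional[int] = 900  # seconds; None (blank) disables the user instead

@dataclass
class Account:
    name: str
    is_admin: bool = False
    failures: int = 0
    locked_until: Optional[float] = None
    disabled: bool = False

def can_sign_in(acct: Account, now: float) -> bool:
    """False while the account is disabled or inside an active lockout window."""
    return not acct.disabled and (acct.locked_until is None or now >= acct.locked_until)

def record_attempt(policy: LockoutPolicy, acct: Account, success: bool, now: float) -> str:
    """Apply one sign-in attempt; returns the resulting state: ok, failed, locked or disabled."""
    if not can_sign_in(acct, now):
        return "disabled" if acct.disabled else "locked"  # attempts during a lockout are not counted
    if success:
        acct.failures, acct.locked_until = 0, None        # only *consecutive* failures count
        return "ok"
    if not policy.enabled:
        return "failed"
    acct.failures += 1
    if acct.failures < policy.max_consecutive_failures:
        return "failed"
    acct.failures = 0                                     # assumption: counter restarts after the lockout
    if policy.duration_until_reset is None and not acct.is_admin:
        acct.disabled = True                              # blank duration: disable, an admin must re-enable
        return "disabled"
    lock_for = policy.duration_until_reset
    if lock_for is None:                                  # admin under a blank duration: short lockout
        lock_for = ADMIN_SHORT_LOCK_SECONDS
    acct.locked_until = now + lock_for
    return "locked"

def admin_reset(acct: Account) -> None:
    """What the Administer Users permission allows: re-enable the user or clear the lockout early."""
    acct.failures, acct.locked_until, acct.disabled = 0, None, False
```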

Timeout Policy

The following settings apply to regular users of the applications, but do not apply to Reset users.

  • Web Client Timeout

    • Applies to: Web application client
    • The duration of browser inactivity before the User is signed out or the remembered login expires.
    • This setting will only take effect after the user logs in again.
  • Application Authentication Timeout

    • Applies to: KeePass, Mobile, and Browser Plugin application clients, and to RESTful API calls
    • The fixed amount of time an authentication token (OAuth) remains valid. This determines how long access is permitted before having to re-verify.
    • Mobile clients:
      • The workspace locks and requires re-authentication.
    • KeePass clients
      • NOTE: The KeePass workspace will remain unlocked unless KeePass locking options are set / enforced (next section).
      • Authentication tokens are requested from the server at this time.
      • However, users will not be required to re-authenticate, unless using Two-Factor Authentication.

KeePass Inactivity Timeouts

The KeePass for Pleasant desktop client has additional timeout duration options:

  • Adjust the settings in: Tools -> Options -> Security tab, either

    • "Lock workspace after KeePass inactivity (seconds)", OR,
    • "Lock workspace after global user inactivity (seconds)"
    • (optionally, include other Lock workspace options below)
    • Then exit KeePass for Pleasant, and restart it
  • Enforce the client settings for multiple users/roles by:

    • Making the changes in KeePass
    • Uploading the KeePass config file, in: Advanced -> Client Configuration

Open Entries Will Remain Visible

Entries kept open when a Timeout occurs will remain visible:

  • In KeePass, when a vault entry remains open, the timeout is disabled. This is by design and explained here: NoAutoLock
  • In the Web client, a vault entry remains open and visible, but will lock and disable further changes. Users can still see & copy out their changes, but will be unable to save, open other entries, etc.

Two-Factor Policy and Configuration

  • See Two-Factor Authentication (2FA) for more information

  • Two-Factor Authentication (2FA) 

    • Status may be disabled, enabled, or required.
      • Note: marking 'Required' will lock out unenrolled users

    • Requiring Two-Factor: only set this after a Provider and the Policy's users have been configured.
      • This can be set on the Policy or on a Provider. This restricts users from disabling their 2FA.

  • Bulk Enabling Users:
    • Enabling Self-Enrollment allows bulk configuration for all policy users, rather than configuring per-user.

  • Two-Factor Providers:

    • Status: Enabled/Disabled
    • Allow/Disallow the user from changing the Provider's enabled/disabled state
      • Can be used to force users to use a form of Two-Factor
    • Allow/Disallow the user from resetting/modifying their Two-Factor Secret information
      • Can be used to prevent users from changing their Two-Factor Configurations (full admin control)
    • Other, provider-specific, information and configuration

  • Browser Bypass: The user may be allowed to set a cookie to bypass Two-Factor for future logins from the same browser (for a 2-week period)

IP Filter Policy

Manage Account Policy

  • Modify Display Name
    • When enabled, allows a user to change their own Display Name
  • Modify Email Address
    • When enabled, allows a user to change their own Email
  • Modify Phone Number
    • When enabled, allows a user to change their own Phone Number
  • Users with the 'Administer Users' permission can always edit these values for any user.

Policy Membership

Here is how Policies affect user memberships:

  1. Default Policy

    • One Default Policy may be set
    • The Default Policy is applied if no direct or Role Policies are found
  2. Users may be Assigned a Policy directly

    • To assign a Policy to a user go to:
      • Users & Roles > Manage Users and click the [Edit] link beside the name of the user you wish to assign the Policy to.
      • There will be a Policy dropdown box where you can select whether the user inherits Policies or assign a specific one.
        • A Policy assigned directly to a user will override Policies inherited from roles
  3. A Policy may be Inherited from a Role

    • To assign a Policy to a role go to:
      • Users & Roles > Manage Policies and scroll down to the "Role Policies" grid.
      • Click the "Set Role Policy" button and a dialog will appear to select the Role and the Policy you would like to assign, as well as the priority for that Policy.
        • Each Role may only have one policy and one Policy priority
        • All of the User's Roles are checked for Policies
        • The Role Policies are ordered by the Policy Priority value (lowest value first). If a user has multiple Roles, the one with the lowest priority value is applied.
        • Role policies can be used to more dynamically apply Security, based on the Role(s) a User has
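The membership rules above (direct assignment first, then the Role Policy with the lowest priority value, then the Default Policy), carried through as an added example that is not part of the product's code. The resolver returns the source of the decision so an administrator can audit which users silently fall back to the Default Policy; the data model, the tie-break on equal priority values and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str

@dataclass(frozen=True)
class RolePolicy:
    role: str
    policy: Policy
    priority: int     # from the "Set Role Policy" dialog; the lowest value wins

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    direct_policy: Optional[Policy] = None   # None = the user inherits Policies

def effective_policy(user: User, role_policies: list, default_policy: Policy) -> tuple:
    """Resolve which Policy governs a user, returning (policy, source) so the choice can be audited."""
    # 1. A Policy assigned directly to the user overrides anything inherited from roles.
    if user.direct_policy is not None:
        return user.direct_policy, "direct"
    # 2. Each Role has at most one Policy; collect those for all of the user's Roles.
    by_role = {rp.role: rp for rp in role_policies}
    candidates = [by_role[r] for r in user.roles if r in by_role]
    if candidates:
        # Lowest priority value first. Assumption: on an equal value, the first of the user's
        # roles in list order wins; the page does not specify a tie-break.
        best = min(candidates, key=lambda rp: rp.priority)
        return best.policy, f"role:{best.role}"
    # 3. No direct or Role Policy found: the Default Policy applies.
    return default_policy, "default"

def audit(users: list, role_policies: list, default_policy: Policy) -> dict:
    """Map each user to the resolved policy name; useful for spotting who falls to the Default."""
    return {u.name: effective_policy(u, role_policies, default_policy)[0].name for u in users}

# Constructed sample data: a baseline Default Policy plus stricter Role Policies.
DEFAULT = Policy("Default")
ROLE_POLICIES = [RolePolicy("Admins", Policy("Strict-2FA"), 10), RolePolicy("Staff", Policy("Standard"), 50)]
USERS = [
    User("alice", ["Staff", "Admins"]),                         # two roles: Admins wins (10 < 50)
    User("bob", ["Staff"]),
    User("carol", ["Contractors"]),                             # role without a policy -> Default
    User("dave", ["Admins"], direct_policy=Policy("Relaxed")),  # direct assignment overrides the role
]

if __name__ == "__main__":
    for name, policy in audit(USERS, ROLE_POLICIES, DEFAULT).items():
        print(f"{name}: {policy}")
```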