Authorization Parameters



AUTH_ADAPTER

(DbTable, ActiveDirectory, Ldap, Shibboleth)

This parameter specifies which of the predefined Authentication Adapters is being used. The default is "Native" (which is the native database for PCR-360).

API_RATE_LIMIT_RESET

(seconds)

This parameter controls when the API rate limit will be reset.  The default is 60.

SERVICE_HOSTS_ALLOW_SELF_SIGNED_CERTS

This parameter, when true, will allow connections to servers using self-signed certificate constants. The default is false.

AUTH_LOGOUT_URL

(URL)

This parameter defines the URL that should be redirected to when logging out of PCR-360. Shibboleth usually has a specific URL to complete the logout. The default is "/core/auth/".

AUTH_DEFAULT_ALLOWED

(true or false)

This parameter controls how the system will treat non-permissioned resources. If a specific resource (a link, page or menu item) is not explicitly permissioned to Allow or Deny, this parameter determines whether the system uses Allow by default. The default is true.

AUTH_SESSION_ACTIVITY_SECONDS

(seconds)

This parameter controls the web server session timeout. If no activity is logged in this amount of time then the session will expire. This expiration may or may not affect Single Sign On systems. The default is 5400.

AUTH_SESSION_LIFETIME_SECONDS

(seconds)

This parameter controls the session cookie timeout. It specifies the number of seconds that the cookie will exist after the browser is closed; setting this to zero will expire the cookie as soon as the browser closes. The JITC parameter overrides this setting with 0. The default is 0.

AUTH_IDENTITY

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies the bit in the authentication attributes that is the identity of the user. If this bit is missing then the login will fail. The default is "username".

AUTH_CREATE_USERS

(true or false)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies whether or not to create unknown users that successfully log in. It requires that the AUTH_ATTRMAP_ config attributes be present in the authentication attributes. If set to true, new users and contacts will be created as they log in. The default is true.

AUTH_UPDATE_USERS

(true or false)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies whether or not to update users and their contact records when they log in. It requires that the AUTH_ATTRMAP_ config attributes be present in the authentication attributes. If set to true, existing users and contacts will be updated with new/changing information from the AUTH_ATTRMAP_ config attributes when they log in. The default is true.

AUTH_ROLEMAPPING

(true or false)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies whether or not the system should try to map roles from the AUTH_ATTRMAP config attributes. It requires that the AUTH_ATTRMAP_GROUPS config attribute be present in the authentication attributes. If set to true, the system will associate the user with any roles that match the mapped groups when they log in. This also controls the Authentication Mapping field that appears on the Role screen. This field is not displayed when this parameter is set to false. The default is false.

Mapped group names can be no longer than 300 characters.

AUTH_DEFAULT_ROLE

(role name)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies what the default Role should be when creating users from Ldap or Shibboleth whenever a role is not mapped from AUTH_ROLEMAPPING and AUTH_ATTRMAP_GROUPS. The default is “SysAdmin”.

AUTH_ATTRMAP_USERID

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies which key or index in the authentication attributes maps to the userid when creating a user. The default is “uid”.

AUTH_ATTRMAP_FIRSTNAME

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies which key or index in the authentication attributes maps to the first name when creating a user. The default is "givenname".

AUTH_ATTRMAP_LASTNAME

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies which key or index in the authentication attributes maps to the last name when creating a user. The default is "surname".

AUTH_ATTRMAP_EMAIL

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies which key or index in the authentication attributes maps to the email when creating a user. The default is "email".

AUTH_ATTRMAP_PHONE

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies which key or index in the authentication attributes maps to the phone number when creating a user. The default is "telephonenumber".

AUTH_ATTRMAP_GROUPS

(attribute key)

This parameter is used with ActiveDirectory, Ldap or Shibboleth Authentication Adapters. It specifies which key or index in the authentication attributes maps to the Authentication Mapping field on Roles when creating a user. The default is "memberOf".
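The following is an added example, not PCR-360 code: a small model of how AUTH_CREATE_USERS, AUTH_ROLEMAPPING, AUTH_DEFAULT_ROLE and AUTH_ATTRMAP_GROUPS combine on a first login, useful for reviewing which accounts receive the default role. The dict layout, the function names, the exact-match rule for groups and the sample group and role names are assumptions; only the parameter names and defaults come from this page.

```python
# Added example: a model of first-login role assignment as described above.
# DEFAULTS are the documented defaults; the dict layout is an assumption.
DEFAULTS = {
    "AUTH_ADAPTER": "Native",
    "AUTH_IDENTITY": "username",
    "AUTH_CREATE_USERS": True,
    "AUTH_ROLEMAPPING": False,
    "AUTH_DEFAULT_ROLE": "SysAdmin",
    "AUTH_ATTRMAP_GROUPS": "memberOf",
}
EXTERNAL_ADAPTERS = {"ActiveDirectory", "Ldap", "Shibboleth"}


def first_login_roles(overrides, attrs, role_mappings):
    """Roles a previously unknown user would receive, or None when no
    account is created. role_mappings is {role name: mapped group}."""
    cfg = {**DEFAULTS, **overrides}
    if cfg["AUTH_ADAPTER"] not in EXTERNAL_ADAPTERS:
        return None  # the parameters below apply to external adapters only
    if not attrs.get(cfg["AUTH_IDENTITY"]):
        return None  # identity attribute missing: the login fails
    if not cfg["AUTH_CREATE_USERS"]:
        return None  # unknown users are not created
    roles = []
    if cfg["AUTH_ROLEMAPPING"]:
        groups = attrs.get(cfg["AUTH_ATTRMAP_GROUPS"], [])
        groups = [groups] if isinstance(groups, str) else groups
        # Assumption: a role matches on exact group-name equality.
        roles = sorted(r for r, g in role_mappings.items() if g in groups)
    return roles or [cfg["AUTH_DEFAULT_ROLE"]]


def audit(overrides):
    """Describe who ends up with AUTH_DEFAULT_ROLE under this configuration."""
    cfg = {**DEFAULTS, **overrides}
    if cfg["AUTH_ADAPTER"] not in EXTERNAL_ADAPTERS or not cfg["AUTH_CREATE_USERS"]:
        return []
    scope = "users with no mapped group" if cfg["AUTH_ROLEMAPPING"] else "all new users"
    return [f"{scope} are created with role {cfg['AUTH_DEFAULT_ROLE']}"]


# Constructed sample data (group DN and role names are made up).
BILLING = "cn=telecom-billing,ou=groups,dc=example,dc=edu"
MAPPINGS = {"Billing": BILLING}
STAFF = {"username": "jdoe", "memberOf": [BILLING]}
GUEST = {"username": "guest1", "memberOf": []}

if __name__ == "__main__":
    for cfg in ({"AUTH_ADAPTER": "Ldap"},
                {"AUTH_ADAPTER": "Ldap", "AUTH_ROLEMAPPING": True}):
        print(cfg, first_login_roles(cfg, GUEST, MAPPINGS), audit(cfg))
```

With the documented defaults and an external adapter, the model assigns the default role to every newly created user, so the value of AUTH_DEFAULT_ROLE deserves review before AUTH_CREATE_USERS is left enabled.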

AUTH_PWD_HISTORY_LENGTH

(integer)

This parameter is used to determine how many passwords we want to keep track of. When set, the user will not be able to reuse a password as long as it is logged; after the limit is reached the oldest password is cleared from the list. The default is 10; to disable this functionality, set this parameter to 0.

AUTH_MIN_PWD_LENGTH

(integer)

This parameter is used to let you decide how long a password must be. The default is 8; to disable this functionality, set this parameter to 0.

AUTH_PWD_EXPIRE

(days)

This parameter is used to let you set how long a password should be valid for. The default value is 60; to disable this functionality, set this parameter to 0.

AUTH_PWD_CHANGE_LIMIT

(days)

This parameter is used to determine how many days a user must wait before they can change their password. The default is 1; to disable this functionality, set to 0.

PWD_DICTIONARY_CHECK

(true or false)

This parameter determines if you wish to check a password against a list of words found in a dictionary file. The default is false.

DICTIONARY_FILE_PATH

(string)

This is the path to the dictionary file we wish to check against. The default is '/usr/share/dict/words'. Be sure to consult with the documentation for your version of Linux to see where their dictionary file is located. You can also use your own dictionary file if you so desire or in case a dictionary file is not bundled with your version of Linux.

PWD_DIFF_THRESHOLD

(integer)

This parameter determines how many characters must be different from the current password when creating a new password. The default is 4; to disable this functionality, set to 0.

AUTH_PWD_REQ_LALPHA

(true or false)

This parameter determines if a password has to contain a lower case letter. If any other password format rule is enabled, it will append to the enabled rules. The default is false.

AUTH_PWD_REQ_UALPHA

(true or false)

This parameter determines if a password has to contain an upper case letter. If any other password format rule is enabled, it will append to the enabled rules. The default is false.

AUTH_PWD_REQ_NUMBER

(true or false)

This parameter determines if a password has to contain a number. If any other password format rule is enabled, it will append to the enabled rules. The default is false.

AUTH_PWD_REQ_SPECIAL_CHAR

(true or false)

This parameter determines if a password has to contain a special character. If any other password format rule is enabled, it will append to the enabled rules. The default is false.

AUTH_THRESHOLD_BADPASSWORD

(count)

This parameter determines the number of failed login attempts within a specific time frame before accounts are disabled. Set to false to disable this threshold. The default is 5.

AUTH_BADPASSWORD_TIMEFRAME

(seconds)

This parameter determines the time frame between bad password attempts required to disable the account. The default is 3600 (1 hour).

MAX_USER_SESSIONS

(integer)

This parameter is used to determine how many sessions one user can have open at any given time. The default value is 3; to allow an unlimited number of user sessions, set this parameter to BOOLEAN_FALSE.

MAX_TOTAL_SESSIONS

(integer)

This parameter is used to determine how many sessions can be open in the application at any given time. The default value is BOOLEAN_FALSE, which allows an unlimited number of sessions. Set this value to an integer to limit the total number of sessions.

AUTH_THRESHOLD_LOGINFAILED

(count)

This parameter controls the number of login attempts from the same IP address that will trigger a block on that IP address. Set to false to disable this check. The default is 100.

AUTH_ACCOUNT_EXPIRE_SECONDS

(seconds)

This parameter defines the number of seconds after creation/reactivation when accounts expire. Expired accounts are set to inactive. If expired, activating an account will restart the expiration date. Set to false for no account expiration. The default is false.

AUTH_API_EXPIRATION

(seconds)

This parameter defines the API session inactivity timeout period. When the session expires due to inactivity, the User will need to re-authenticate.

Default is set to 14400

AUTH_API_LIFETIME

(seconds)

This parameter defines the API session timeout regardless of activity. When set to 0, tokens time out immediately. When the session expires, the User will need to re-authenticate.

Default is set to 86400
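The following is an added example, not PCR-360 code: it replays a series of API request times against the two timeouts above to show which one ends a session. The function names, the use of epoch seconds and the inclusive boundary (a session is treated as expired exactly at the limit) are assumptions; the two defaults come from this page.

```python
# Added example: interaction of the inactivity and absolute API timeouts.
AUTH_API_EXPIRATION = 14400  # documented default, inactivity timeout (seconds)
AUTH_API_LIFETIME = 86400    # documented default, absolute timeout (seconds)


def session_state(issued_at, last_activity, now,
                  expiration=AUTH_API_EXPIRATION, lifetime=AUTH_API_LIFETIME):
    """Classify an API session at time `now` (all values in seconds)."""
    if now - issued_at >= lifetime:
        return "expired:lifetime"      # ends regardless of activity
    if now - last_activity >= expiration:
        return "expired:inactivity"    # idle for too long
    return "active"


def replay(issued_at, request_times, **limits):
    """Walk request timestamps in order and return
    (requests accepted, final state, time of the last request examined)."""
    last = issued_at
    accepted = 0
    for t in sorted(request_times):
        state = session_state(issued_at, last, t, **limits)
        if state != "active":
            return accepted, state, t  # this request needs re-authentication
        last = t                       # an accepted request counts as activity
        accepted += 1
    return accepted, "active", last


# Constructed sample timelines, in seconds since the token was issued.
STEADY = [10800 * i for i in range(1, 11)]   # one request every 3 hours
GAPPED = [3600, 20000]                       # a gap of more than 4 hours

if __name__ == "__main__":
    print(replay(0, STEADY))
    print(replay(0, GAPPED))
    print(replay(0, [1], lifetime=0))
```

A client that stays active is still forced to re-authenticate once AUTH_API_LIFETIME has elapsed, while a quiet client is cut off earlier by AUTH_API_EXPIRATION.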