Define system-wide security policies.

ReferenceModules SecurityUIRuntimeUsers | Users | Permissions | Policies | Secrets | Monitor

Security Policies (Reference) enforce password requirements, electronic signatures, and session management rules for regulatory compliance and security best practices. 

ecurity Policies provide:

  • Password complexity requirements
  • Electronic signature validation
  • Session timeout management
  • Account lockout rules
  • Password aging controls

Policies enable FDA 21 CFR Part 11 compliance and other regulatory requirements.

Pre-Defined Policies

Three standard policies are configured:

PolicyUse CaseTypical Settings
DefaultStandard operationsBasic password, no timeout
EnhancedElevated securityComplex password, session timeout
CriticalRegulatory complianceStrong password, e-signature, strict timeout

Configuration Properties

PropertyDescriptionRequired
NameUnique policy identifierYes
IdentificationPassword and account rulesYes
ESignElectronic signature settingsNo
SessionTimeout and auto-logoffNo
DescriptionDocumentation textNo

Identification Settings

Password and account management rules:

Password Requirements

PropertyDescriptionRangeDefault
PasswordMinLengthMinimum characters0-1280 (no limit)
PasswordHistoryPrevious passwords to remember0-50
MinPasswordAgeHours before change allowed0+0
MaxPasswordAgeHours until expiration0+0 (never)

Account Security

PropertyDescriptionRangeDefault
UserNameMinLengthMinimum username length0-1280
BlockOnInvalidAttemptsFailed logins before lockout0+0 (no limit)
BlockAgingHours until auto-unlock0+0 (manual)
AllowPasswordChangeUsers can change own passwordYes/NoYes
AllowShareUserMultiple concurrent sessionsYes/NoYes

E-Signature Settings

Electronic signature requirements for critical actions:

PropertyDescriptionUse Case
EnabledRequire e-signatureFDA compliance
TimeoutMinutesSignature validity periodRe-authentication frequency

Configuring E-Signature

  1. Enable in policy settings
  2. Set timeout (e.g., 60 minutes)
  3. Assign policy to users
  4. Enable on controls requiring signature

Example:

csharp

// Check if e-signature required
if (@Security.Policy.ESign.Enabled)
{
    // Prompt for password
    if (!@Security.ValidateESignature())
    {
        return; // Action cancelled
    }
}

Session Management

Automatic logoff configuration:

PropertyDescriptionOptions
AutoLogOffLogoff triggerNone, Inactivity, Duration, Both
InactivityMinutesIdle time before logoff1-9999
DurationHoursMaximum session length1-9999

AutoLogOff Modes

ModeBehaviorUse Case
NoneNo automatic logoffDedicated stations
InactivityLogoff after idle timeShared workstations
DurationLogoff after time limitShift changes
BothEither condition triggersMaximum security

Applying Policies

Assign to Users

  1. Navigate to Security → Users
  2. Select user row
  3. Set Policy column
  4. User inherits all policy settings

Runtime Behavior

csharp

// Get current user's policy
string policyName = @Security.CurrentUser.Policy;

// Check policy settings
var policy = @Security.Policies[policyName];
bool requiresESign = policy.ESign.Enabled;
int passwordMinLength = policy.Identification.PasswordMinLength;

Compliance Scenarios

FDA 21 CFR Part 11

Policy: Critical
Identification:
  - PasswordMinLength: 8
  - PasswordHistory: 5
  - MaxPasswordAge: 2160 (90 days)
  - BlockOnInvalidAttempts: 3
ESign:
  - Enabled: True
  - TimeoutMinutes: 30
Session:
  - AutoLogOff: Both
  - InactivityMinutes: 15
  - DurationHours: 12

High Security Environment

Policy: Enhanced
Identification:
  - PasswordMinLength: 12
  - AllowShareUser: False
  - BlockOnInvalidAttempts: 5
  - BlockAging: 24
Session:
  - AutoLogOff: Inactivity
  - InactivityMinutes: 10

Best Practices

  1. Start with pre-defined - Modify existing policies
  2. Document requirements - Clear compliance needs
  3. Test thoroughly - Verify all settings work
  4. Train users - Explain policy changes
  5. Regular reviews - Update as needed
  6. Gradual implementation - Phase in restrictions
  7. Monitor compliance - Track violations

Troubleshooting

Account locked:

  • Check BlockOnInvalidAttempts
  • Verify BlockAging timeout
  • Administrator unlock required
  • Review failed login attempts

Password rejected:

  • Check PasswordMinLength
  • Verify against PasswordHistory
  • Confirm MinPasswordAge not violated
  • Review complexity requirements

Unexpected logoff:

  • Check Session settings
  • Verify InactivityMinutes
  • Review DurationHours
  • Check client activity detection

E-signature issues:

  • Verify policy enabled
  • Check timeout not expired
  • Confirm user has password
  • Test signature validation

In this section...