POLICIES – Users (tab)

The POLICIES > Users tab shows the user settings for this policy.

Table: POLICIES – Users tab (each field name is followed by its description)
Dynamic User Registration

Specifies whether the Dynamic User Registration (DUR) feature is enabled for the policy. If it is enabled, OneSpan Authentication Server automatically creates a user account the first time it receives an authentication request for an unknown user, provided back-end authentication for that user succeeds.

If DUR is used together with auto-assignment, an authenticator will be assigned to the new user account immediately.

This setting also determines whether the provisioning registration process is allowed to perform DUR or not.

User Info Synchronization

Specifies whether to set user information when a user account is created using Dynamic User Registration (DUR) with an LDAP back-end server. In that case, the data from the LDAP back-end server is synchronized to the respective user account data fields (user information synchronization).

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Do not synchronize user information from the LDAP back-end server.
  • Yes. Synchronize user information from the LDAP back-end server.

For more information about user information synchronization, refer to the OneSpan Authentication Server Product Guide.

Password Autolearn

Specifies whether the password autolearn feature is allowed by the policy. This feature enables OneSpan Authentication Server to update the password stored in the user account when back-end authentication is successful.

This setting also determines whether the provisioning registration process will update the password after successful back-end authentication or not.

Stored Password Proxy

Specifies whether the stored password proxy feature is enabled for the policy. This feature can be used together with the back-end authentication setting and the password autolearn feature. With this combination, even though a back-end authentication check is done during every logon, it is done using the password stored in the user account. Therefore the user does not have to enter it during the logon, unless it has changed in the back-end system. This mode of operation is referred to as password replacement.

To enforce static password verification during offline authentications via Digipass Authentication for Windows Logon, you need to disable Stored Password Proxy and set Back-End Authentication to Always.

Use Generic Authentication Status Codes

This setting specifies whether certain status codes and messages are mapped to generic status information in server responses, so that responses do not disclose user account details (for example, whether a user ID exists) in authentication and provisioning scenarios. The real status code and message remain visible in the audit and trace messages.
Account Lockout

User Lock Threshold

Specifies the number of invalid logon attempts that are allowed before a user account is locked. For example, if User Lock Threshold is 3, the account becomes locked on the third failed logon attempt. A locked account must be unlocked by an administrator, unless user auto-unlock is enabled (see Maximum Unlock Tries).

Note that not all types of logon failure count towards the lock threshold. For example, an incorrect user ID or a disabled account does not count. Locking is triggered mainly by incorrect OTPs and static passwords.

The locking mechanism is also used for provisioning and signature validation.

Minimum Lock Duration

The time span a locked user account remains locked before the user can try to authenticate again and unlock it using user auto-unlock. The value is given in minutes.

Applies only if user auto-unlock is enabled, i.e. if Maximum Unlock Tries is greater than 0.

Possible values: 0–99999

Lock Duration Multiplier

The factor by which the lock duration increases after each unsuccessful authentication attempt on a locked account (i.e. each failed unlock try). The initial lock duration is specified by Minimum Lock Duration. The multiplier is given in percent; for example, a value of 200 doubles the lock duration after each unsuccessful attempt.

Applies only if user auto-unlock is enabled, i.e. if Maximum Unlock Tries is greater than 0.

Possible values: 100–500

Maximum Unlock Tries

The maximum number of attempts to unlock a locked user account during authentication (user auto-unlock) before it is permanently locked. A locked user account with no unlock attempts left can only be unlocked manually by an administrator.

Setting this value to 0 effectively disables user auto-unlock.

Possible values: 0–999

For more information about user auto-unlock, refer to the OneSpan Authentication Server Product Guide.
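The four lockout settings above act together as one state machine: User Lock Threshold triggers the lock, Minimum Lock Duration sets the first waiting period, Lock Duration Multiplier grows it after each failed unlock try, and Maximum Unlock Tries caps how many such tries are allowed before the lock becomes permanent. The following Python is an added illustration of that behaviour and is not OneSpan's code. The class and function names, the minute-based clock, and the rule that only credential failures count towards the threshold are assumptions made for the example; the page does not describe how the server classifies failure types internally.

```python
"""Model of the Account Lockout settings: User Lock Threshold, Minimum Lock
Duration, Lock Duration Multiplier and Maximum Unlock Tries (illustrative only)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Failure(Enum):
    # Assumption: only credential failures count towards the lock threshold;
    # an unknown user ID or a disabled account does not.
    BAD_CREDENTIAL = "wrong OTP or static password"
    UNKNOWN_USER = "user ID not found"
    ACCOUNT_DISABLED = "account disabled"


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"  # credential was evaluated and is wrong
    LOCKED = "locked"  # refused without evaluating the credential


@dataclass(frozen=True)
class LockoutPolicy:
    user_lock_threshold: int = 3         # failed logons before the account locks
    minimum_lock_duration: int = 5       # minutes, 0-99999
    lock_duration_multiplier: int = 200  # percent, 100-500
    maximum_unlock_tries: int = 3        # 0-999; 0 disables user auto-unlock

    def __post_init__(self) -> None:
        if not 0 <= self.minimum_lock_duration <= 99999:
            raise ValueError("Minimum Lock Duration must be 0-99999 minutes")
        if not 100 <= self.lock_duration_multiplier <= 500:
            raise ValueError("Lock Duration Multiplier must be 100-500 percent")
        if not 0 <= self.maximum_unlock_tries <= 999:
            raise ValueError("Maximum Unlock Tries must be 0-999")


@dataclass
class UserAccount:
    user_id: str
    failed_attempts: int = 0
    locked_at: Optional[int] = None  # minute the current lock started; None = not locked
    lock_duration: int = 0           # minutes the current lock lasts
    unlock_tries: int = 0            # failed auto-unlock tries during this lock
    permanently_locked: bool = False

    @property
    def locked(self) -> bool:
        return self.permanently_locked or self.locked_at is not None


def unlock(account: UserAccount) -> None:
    """Clear all lock state. Used for a successful auto-unlock and for a manual
    administrator unlock, which is the only way out of a permanent lock."""
    account.failed_attempts = 0
    account.locked_at = None
    account.lock_duration = 0
    account.unlock_tries = 0
    account.permanently_locked = False


def authenticate(policy: LockoutPolicy, account: UserAccount, now: int,
                 credential_ok: bool,
                 failure: Failure = Failure.BAD_CREDENTIAL) -> Verdict:
    """Evaluate one logon at minute `now` and update the account's lock state."""
    if account.permanently_locked:
        return Verdict.LOCKED
    if account.locked_at is not None:
        if policy.maximum_unlock_tries == 0:
            return Verdict.LOCKED  # auto-unlock disabled: administrator only
        if now - account.locked_at < account.lock_duration:
            return Verdict.LOCKED  # current lock duration has not elapsed yet
        # Lock duration elapsed: this logon is a user auto-unlock try.
        if credential_ok:
            unlock(account)
            return Verdict.ACCEPT
        account.unlock_tries += 1
        if account.unlock_tries >= policy.maximum_unlock_tries:
            account.permanently_locked = True
            return Verdict.REJECT
        # The multiplier is a percentage: 200 doubles the previous duration.
        account.lock_duration = (account.lock_duration * policy.lock_duration_multiplier) // 100
        account.locked_at = now
        return Verdict.REJECT
    if credential_ok:
        account.failed_attempts = 0
        return Verdict.ACCEPT
    if failure is not Failure.BAD_CREDENTIAL:
        return Verdict.REJECT  # does not count towards User Lock Threshold
    account.failed_attempts += 1
    if account.failed_attempts >= policy.user_lock_threshold:
        account.locked_at = now  # locked on the threshold-th failed attempt
        account.lock_duration = policy.minimum_lock_duration
        account.unlock_tries = 0
        account.failed_attempts = 0
    return Verdict.REJECT


def replay(policy: LockoutPolicy, events: List[Tuple[int, bool]]) -> Tuple[List[str], UserAccount]:
    """Run constructed (minute, credential_ok) events against a fresh account."""
    account = UserAccount("alice")
    return [authenticate(policy, account, t, ok).value for t, ok in events], account
```

With the defaults shown (threshold 3, 5 minutes, 200 percent, 3 unlock tries), three wrong OTPs lock the account for 5 minutes; a wrong OTP after that relocks it for 10 minutes, the next for 20, and the third failed unlock try makes the lock permanent. A correct credential entered while the lock is still running is refused without being evaluated, so it neither unlocks the account nor counts as an unlock try.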

Max Days Between Authentications

This setting specifies the number of days a user account can remain inactive before it is suspended. A suspended user cannot log on and is notified during authentication that the user account has been suspended. By default, a user account is suspended when no operations have been performed during the last 90 days.

You can reactivate a suspended user account with the Reset Last Authentication Time action in the USERS > User Account tab.

Setting this value to 0 effectively disables this feature. User accounts that are suspended at the time the feature is being disabled will become active again with the next successful user authentication.

Account Constraints
Default Domain

The default domain in which OneSpan Authentication Server looks for, and creates, a user account if the user credentials do not specify a domain. For more information about user ID and domain name resolution, refer to the OneSpan Authentication Server Product Guide, Section "User ID and domain resolution".

Accepted Domain

Only users from this domain will be accepted. All others will be refused.

Local Admin Users

This setting specifies the type of access to non-administrative tasks for a user who has administrative privileges.

Possible values:

  • Default. Use the setting of the parent policy.
  • Accept. Allow this user to proceed through the transaction.
  • Reject. Do not allow this user to proceed through the transaction.
  • Required. This user must have administrative privileges to proceed with processing.
Windows Group Check

Specifies whether and how to use Windows group check. This feature is typically used for a staged authenticator deployment when auto-assignment is used. It can also be used when only some users are required to use an authenticator or when only some users will be permitted access and they have to use an authenticator.

Possible values:

  • Default. Use the setting of the parent policy.
  • No check. Do not use Windows group check.
  • Pass requests for users not in listed groups back to host system. Use Windows group check so that any users who are not in one of the listed groups are ignored by OneSpan Authentication Server. Use of this setting for provisioning or signature validation will have the same effect as Reject requests for users not in listed groups.
  • Reject requests for users not in listed groups. Use Windows group check so that any users who are not in one of the listed groups are rejected by OneSpan Authentication Server.
  • Use only back-end authentication for users not in listed groups. Use back-end authentication only for any users who are not in one of the listed groups. Use of this setting for provisioning or signature validation will have the same effect as Reject requests for users not in listed groups.
Nested Groups

Determines whether nested groups can be used for Windows group check during user authentication.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Nested groups are not used.
  • Yes. Nested groups are used.

The nested groups implementation changes the behavior of the Windows back-end in the following respects:

  • When upgrading to a later version of OneSpan Authentication Server, the administrator must re-add local domain groups, because the Windows naming conventions have changed.
  • Local (non-domain) users and groups can no longer be used after upgrading to a later version of OneSpan Authentication Server.

For more information about nested groups, refer to the Microsoft documentation.

Windows Group List

This lists the currently selected Windows groups to be checked via Windows group check.

Expand the list to search and edit your selection. You can enter a filter value to find the relevant group, or scroll through the list. To add or remove groups, select the check boxes of the relevant groups and move them to the corresponding list by clicking the double-arrow button. You can select multiple groups at once.

For groups to appear for an Active Directory backend, the Active Directory backend must exist in OneSpan Authentication Server.
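To show how the Windows Group Check mode, the Nested Groups setting and the Windows Group List combine, here is an added Python model of the decision; it is not OneSpan's implementation. The directory, group and user names are constructed sample data, and the handling of circular group membership is an assumption of the example (the page does not say how the server treats cycles).

```python
"""Windows group check: which users the policy handles, with and without nested
group resolution (illustrative model, not the server's implementation)."""
from enum import Enum
from typing import Dict, List, Optional, Set


class GroupCheck(Enum):
    NO_CHECK = "No check"
    PASS_BACK = "Pass requests for users not in listed groups back to host system"
    REJECT = "Reject requests for users not in listed groups"
    BACKEND_ONLY = "Use only back-end authentication for users not in listed groups"


class Operation(Enum):
    AUTHENTICATION = "authentication"
    PROVISIONING = "provisioning"
    SIGNATURE_VALIDATION = "signature validation"


class Action(Enum):
    FULL = "handled by OneSpan Authentication Server under the policy"
    PASS_BACK = "ignored by OneSpan Authentication Server, handled by the host system"
    REJECT = "rejected"
    BACKEND_ONLY = "back-end authentication only"


# Constructed sample directory (not real data): group -> its direct members.
# A member that is itself a key of the directory is a nested group.
DIRECTORY: Dict[str, Set[str]] = {
    "DOMAIN\\VPN-Users": {"DOMAIN\\alice", "DOMAIN\\Contractors"},
    "DOMAIN\\Contractors": {"DOMAIN\\bob", "DOMAIN\\Contractors-EU"},
    "DOMAIN\\Contractors-EU": {"DOMAIN\\carol", "DOMAIN\\Contractors"},  # membership cycle
    "DOMAIN\\Staff": {"DOMAIN\\dave"},
}


def members(group: str, directory: Dict[str, Set[str]], nested: bool,
            seen: Optional[Set[str]] = None) -> Set[str]:
    """Users of `group`. With nested=True, member groups are expanded recursively;
    `seen` guards against cycles such as Contractors <-> Contractors-EU (assumption)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in directory.get(group, set()):
        if member in directory:  # a nested group
            if nested:
                users |= members(member, directory, nested, seen)
        else:
            users.add(member)
    return users


def in_listed_groups(user: str, listed: List[str], directory: Dict[str, Set[str]],
                     nested: bool) -> bool:
    """True if `user` is a (direct or, with nested=True, transitive) member of any listed group."""
    return any(user in members(group, directory, nested) for group in listed)


def decide(mode: GroupCheck, user: str, listed: List[str], directory: Dict[str, Set[str]],
           nested: bool, operation: Operation = Operation.AUTHENTICATION) -> Action:
    """What the policy does with a request from `user`."""
    if mode is GroupCheck.NO_CHECK or in_listed_groups(user, listed, directory, nested):
        return Action.FULL
    if operation is not Operation.AUTHENTICATION:
        # For provisioning and signature validation, PASS_BACK and BACKEND_ONLY
        # have the same effect as REJECT.
        return Action.REJECT
    return {GroupCheck.PASS_BACK: Action.PASS_BACK,
            GroupCheck.REJECT: Action.REJECT,
            GroupCheck.BACKEND_ONLY: Action.BACKEND_ONLY}[mode]
```

With only DOMAIN\VPN-Users listed, carol (a member of Contractors-EU, which sits inside Contractors, which sits inside VPN-Users) is treated as outside the listed groups unless Nested Groups is Yes; a group list that relies on nesting therefore silently stops matching if that setting is left at No.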

RADIUS Attributes
Reply RADIUS Attributes

Specifies whether RADIUS attributes stored in a user account are returned when OneSpan Authentication Server sends an Access-Accept reply.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. Do not return RADIUS attributes.
  • Yes. Return the RADIUS attributes in the groups listed below.
RADIUS Attribute Group List

Comma-separated list of RADIUS attribute groups. Only attributes belonging to the listed groups will be returned via this policy.
Static Password

The options in this section allow you to define password complexity and age rules for the local static password of the associated user.

The effective password policy settings are based on the server component and depend on the user type. If the password of an administrative user is changed, the effective policy values for password strength rules apply. If the password of a regular user is changed, the values defined in the base policy of the applicable policy apply.

Minimum Password Length

Sets the minimum length required for the static password.

Possible values: 0–9999

Minimum # Lowercase Characters

Specifies the minimum number of lowercase characters required in the password.

Possible values: 0–9999

Minimum # UPPERCASE Characters

Specifies the minimum number of uppercase characters required in the password.

Possible values: 0–9999

Minimum # Numerical Digits

Specifies the minimum number of numerical digits required in the password.

Possible values: 0–9999

Minimum # Special Characters

Specifies the minimum number of special characters required in the password. In this context, these are non-alphanumeric characters on the keyboard (excluding numbers or letters of the alphabet).

Possible values: 0–9999

Different From Last # Passwords

Specifies how many different passwords must be used before a previously used password can be used again.

Possible values: 0–24

Not Based on User ID

Specifies whether the password is checked against the user ID, i.e. whether it may contain all or part of the user ID.

Possible values:

  • Default. Use the setting of the parent policy.
  • No. The password may contain all or part of the user ID.
  • Yes. The password must not contain all or part of the user ID.
Maximum Age in Days

Specifies the maximum amount of time in days during which a local static password is valid. After this time, the password expires. Applies to the local authentication mode DIGIPASS or Password only.

If set to 0, the local static password never expires. If you are using back-end authentication, set this value to 0 to disable local static password expiration and rely on the back-end system to enforce password expiration instead.

Possible values: 0–9999

Minimum Age in Days

Specifies the minimum amount of time in days a static password must be used before it can be changed. Applies to the local authentication mode DIGIPASS or Password only.
Days to Notify before Expiration

The number of days before a static password expires at which the end user is notified to change it. Applies to the local authentication mode DIGIPASS or Password only. If applicable, a respective note is displayed on the Administration Web Interface home page. Additionally, if the respective user has the Set User Password privilege, a direct link to set a new password is displayed.

If set to 0, users are never notified.

Possible values: 0–9999
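The complexity, history, user-ID and age rules of this section can be combined into one validation routine. The following Python is an added example, not OneSpan's code; the policy defaults, the SHA-256 digest used for the password history, the reading of "parts of the user ID" as alphanumeric tokens of three or more characters, and the expiry boundary (expired once the age reaches Maximum Age in Days) are assumptions of the example.

```python
"""Checks for the Static Password section: complexity, history, user-ID and age
rules (illustrative example, not the server's implementation)."""
import hashlib
import re
import string
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SPECIAL = set(string.punctuation)  # non-alphanumeric keyboard characters


@dataclass(frozen=True)
class StaticPasswordPolicy:
    minimum_password_length: int = 8
    minimum_lowercase: int = 1
    minimum_uppercase: int = 1
    minimum_digits: int = 1
    minimum_special: int = 1
    different_from_last: int = 5    # 0-24 previous passwords
    not_based_on_user_id: bool = True
    maximum_age_days: int = 90      # 0 = never expires
    minimum_age_days: int = 1
    days_to_notify: int = 14        # 0 = never notify


def fingerprint(password: str) -> str:
    """Digest kept in the password history. Assumption: SHA-256 keeps the demo
    self-contained; a real store would use a salted, slow password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def user_id_fragments(user_id: str) -> List[str]:
    """Assumed reading of 'all or parts of the user ID': the whole ID plus every
    alphanumeric token of three or more characters, compared case-insensitively."""
    tokens = re.split(r"[^A-Za-z0-9]+", user_id)
    return [user_id.lower()] + [t.lower() for t in tokens if len(t) >= 3]


def complexity_violations(policy: StaticPasswordPolicy, password: str,
                          user_id: str, history: List[str]) -> List[str]:
    """Return the rules `password` breaks (empty list = acceptable)."""
    counts = [
        ("Minimum Password Length", len(password), policy.minimum_password_length),
        ("Minimum # Lowercase Characters", sum(c.islower() for c in password), policy.minimum_lowercase),
        ("Minimum # UPPERCASE Characters", sum(c.isupper() for c in password), policy.minimum_uppercase),
        ("Minimum # Numerical Digits", sum(c.isdigit() for c in password), policy.minimum_digits),
        ("Minimum # Special Characters", sum(c in SPECIAL for c in password), policy.minimum_special),
    ]
    problems = [f"{name}: {have} < {need}" for name, have, need in counts if have < need]
    recent = history[-policy.different_from_last:] if policy.different_from_last > 0 else []
    if fingerprint(password) in recent:
        problems.append(f"Different From Last # Passwords: reused within the last {policy.different_from_last}")
    if policy.not_based_on_user_id and any(f in password.lower() for f in user_id_fragments(user_id)):
        problems.append("Not Based on User ID: password contains all or part of the user ID")
    return problems


def age_status(policy: StaticPasswordPolicy, last_changed: date, today: date) -> Dict[str, object]:
    """Expiry, change-allowed and notification state of the current password.
    Assumption: a password is expired once its age reaches Maximum Age in Days."""
    age = (today - last_changed).days
    days_left: Optional[int] = None if policy.maximum_age_days == 0 else policy.maximum_age_days - age
    expired = days_left is not None and days_left <= 0
    notify = policy.days_to_notify > 0 and days_left is not None and 0 < days_left <= policy.days_to_notify
    return {"age_days": age, "days_left": days_left, "expired": expired,
            "notify": notify, "change_allowed": age >= policy.minimum_age_days}


def validate_change(policy: StaticPasswordPolicy, user_id: str, new_password: str,
                    history: List[str], last_changed: date, today: date) -> List[str]:
    """All reasons a password change would be refused, including Minimum Age in Days."""
    status = age_status(policy, last_changed, today)
    problems: List[str] = []
    if not status["change_allowed"]:
        problems.append(f"Minimum Age in Days: current password is {status['age_days']} days old")
    return problems + complexity_violations(policy, new_password, user_id, history)
```

Note that the history check compares digests rather than clear-text passwords, so the server never needs to keep old passwords in recoverable form, and that with Maximum Age in Days set to 0 the age status reports neither expiry nor a notification, which is the configuration the Maximum Age field recommends when a back-end system owns password expiry.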

Available actions

  • Edit
  • Delete