This page allows you to set up an account lockout policy for different user roles within WebSphere Commerce. It lists all existing account lockout policies including any predefined ones supplied with WebSphere Commerce by default. An account lockout policy disables a user account if malicious actions are launched against that account in order to reduce the chances that the actions compromise the account.
The account lockout policy enforces the following items:
- The account lockout threshold. This is the number of invalid logon attempts before the account is disabled.
- Consecutive unsuccessful login delay. It is the time period for which the user is not allowed to login, after two failed attempts to login. The delay gets incremented by the configured time delay value (for example, 10 seconds) with every consecutive login failure.
The Account Lockout Policy page lists all existing account lockout policies. On this page:
- You can create a new policy by clicking New.
- You can change the characteristics an existing policy by selecting the policy in the list and clicking Change.
- You can delete an existing policy by selecting the policy in the list and clicking Delete.
When you are creating a new account lockout policy, complete the following fields:
- Name
- The name of your account lockout policy (for example, my_policy).
- Account lockout threshold
- The number of unsuccessful attempts to log onto to the account after which the account is locked out. For example, enter 6 (for 6 attempts).
- Wait time
- The consecutive unsuccessful login delay in seconds. For example, enter 10 (for 10 seconds).
To complete the account lockout policy, click OK.
Notes:
- You cannot delete an account lockout policy if it is in use (that is, a user is assigned to the account lockout policy).
- Account lockout policies are enforced only if users are authenticated against the WebSphere Commerce database.
For more information, see the section on authentication in the WebSphere Commerce Security Guide.