Security Preferences configure security-related features of
Order Management. The following subsections are included:
Password Policy
By default, the password policies are set to Salesforce minimums for new user accounts and
existing user accounts where the policy has not been set. An Administrator can also set a
minimum password policy requirement by following the PCI rules. This page lets you configure
user password requirements.
Note: If you manage user accounts with Account Manager, then only the Report Author password
policy is used. Account Manager controls user account password policies.
You can't change the following security requirements.
- User accounts not used for 90 days are deactivated. Upon account deactivation, Order
Management sends an email notification to the user. Reactivation can require a password
reset by an administrator.
Note: The Administrator can select the Active checkbox on the User Detail page in
Administration: Security > Users to reactivate the account.
- User accounts not used for 180 days are deleted. Upon account deletion, Order Management
sends an email notification to the user. The user account must be re-created.
Accounts that have the Report Author role together with either the Administrator or
General role are subject to the more restrictive of the policies.
Three policies exist:
- General Roles: Applies to all user accounts that do not have the Administrator or Report
Author roles.
- Administrator Role: Applies to all user accounts that have the Administrator role.
- Report Author: Applies to all user accounts that have the Report Author role. This
policy is subject to PCI requirements and can't be edited.
| Fields and buttons | Description |
| --- | --- |
| Password Policies dropdown | Select the policy to edit. |
| Minimum Password Length | Enter a number in the text field. Passwords must contain at least this many characters. |
| Require Mixed Case checkbox | Passwords must contain both uppercase and lowercase letters, so this box can't be unchecked. Two numeric text fields are also available: Minimum Special (Non-Alphanumeric) Characters (passwords must contain at least this many special characters) and Minimum Numeric Characters (passwords must contain at least this many numeric characters). |
| Enforce Expiration checkbox | This box can't be unchecked. The Password Expiration Frequency (days) text field defines the number of days after a password is changed when it expires and must be changed again. |
| Restrict Password Re-use checkbox | This box can't be unchecked. The Number of Previous Passwords to Restrict text field defines the number of most recent passwords that can't be reused when a password is changed. |
| Enforce Minimum Time Before Password Activates checkbox | If this box is checked, then the Password Minimum Life (seconds) text field becomes available. The number in this field defines the number of seconds that must elapse after a password is set or changed before it can be changed again. This delay allows time for administrative functions for new accounts, and provides security against potential automated attacks. |
| Require Confirmation on New Password checkbox | If this box is checked, then when changing a password, users must enter the new password twice for verification. If it isn't checked, then users only type a new password once. |
| Save Password Policy | Saves changes to the selected password policy. |
Password Requirements
The default Salesforce password policies are as
follows:
- Minimum Password Length: 12 characters
- Require Mixed Case:
  - At least one lowercase character
  - At least one uppercase character
  - At least one numeric character
  - At least one special character
- Enforce Expiration: 90 days
- Restrict Password Re-Use: eight passwords
- Require Confirmation on New Password: On
Minimum password policy requirements follow PCI rules, as
follows:
- Don't use group, shared, or generic accounts and passwords. Give each user an explicit
account.
- Ensure that a policy is set for both General and Administrator
roles.
- Minimum Password Length: eight characters
- Require Mixed Case:
  - At least one lowercase character
  - At least one uppercase character
  - At least one numeric character
  - At least one special character
- Enforce Expiration: 90 days
- Restrict Password Re-Use: eight passwords
- Require Confirmation on New Password: On
- When creating an account, require the user to change the password upon logging in for
the first time. (Set this requirement on the user account, not the password policy.)
- Don't write down or store a password where an unauthorized person could gain access to
it.
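The PCI minimums above can be checked mechanically against the values entered on the Password Policy page. The following is an added example, not Salesforce code: the dictionary layout and field names are hypothetical, and the sample policies are constructed.

```python
# Added example. The dict layout and field names are hypothetical, not an
# Order Management export format; thresholds are the PCI minimums listed above.
PCI_MINIMUM = {"min_length": 8, "min_numeric": 1, "min_special": 1,
               "expiration_days": 90, "reuse_restricted": 8}
REQUIRED_ROLES = ("General", "Administrator")


def audit_policy(role, policy):
    """Return findings for one role's password policy."""
    findings = []
    # Settings where a larger number is stricter.
    for field in ("min_length", "min_numeric", "min_special", "reuse_restricted"):
        value = policy.get(field, 0)
        if value < PCI_MINIMUM[field]:
            findings.append(f"{role}: {field}={value}, need >= {PCI_MINIMUM[field]}")
    # Expiration is the opposite: a longer interval is weaker.
    limit = PCI_MINIMUM["expiration_days"]
    days = policy.get("expiration_days")
    if days is None or not 0 < days <= limit:
        findings.append(f"{role}: expiration_days={days}, need 1..{limit}")
    for flag in ("require_mixed_case", "require_confirmation"):
        if not policy.get(flag, False):
            findings.append(f"{role}: {flag} must be on")
    return findings


def audit_all(policies):
    """Audit both required roles; a missing policy is itself a finding."""
    findings = []
    for role in REQUIRED_ROLES:
        if role not in policies:
            findings.append(f"{role}: no policy set")
        else:
            findings.extend(audit_policy(role, policies[role]))
    return findings


# Constructed sample: General uses the default values, Administrator is weak.
SAMPLE = {
    "General": {"min_length": 12, "min_numeric": 1, "min_special": 1,
                "expiration_days": 90, "reuse_restricted": 8,
                "require_mixed_case": True, "require_confirmation": True},
    "Administrator": {"min_length": 6, "min_numeric": 1, "min_special": 0,
                      "expiration_days": 180, "reuse_restricted": 8,
                      "require_mixed_case": True, "require_confirmation": False},
}

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE)))
```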
Forgotten Password
When a user forgets the password to any of the Order Management modules, they can request a
password reset link to reset it as follows:
- Select the Forgot Password link on an Order Management module login page.
- From the Send Email popup window, enter a username, then click Send
Email to receive the password reset link. If a valid email address exists,
an email is sent with a password reset link. If the user account has no verified email
address, an Administrator must reset the password on the User Detail page in
Administration: Security > Users.
Note: The password reset link expires after 24 hours.
If the password reset link has expired, the message "The reset password link is
invalid or has expired" appears.
The Email User Password Reset template can be
customized for the password reset.
Account Manager
This page is only available if you are using Account Manager to manage Order Management
accounts. It lets you select the Order Management role that is automatically assigned to
normal user accounts when they are given the Order Management User role in Account Manager.
(Administrator accounts are automatically assigned the Administrator role.) Select one from
the dropdown list and click Update.
Addresses (Not Used)
This page lets you create internet address groups and add internet addresses into that group.
This functionality is not used.
To add an internet address group, do as follows:
- In Order Management Administration, click Settings >
Preferences.
- Click the Security tab.
- Click Addresses.
- From the Internal Address Groups page, click Add Group and add an
internet address group. The page refreshes with a New Group link.
- Assign a name to the group. Click Edit and assign a Label, Short
Label, and Description for this group.
- To accept the new address group, click Update. To discard it,
click Cancel. To delete the group, click the trash can icon.
- Click the new group’s link. The Edit Addresses page appears. Enter the Internet Address
and the Mask Address and click Add. A new internet address item is
listed. You can add multiple addresses to this group.
- To change the internet address, click Edit. To return to the
Internet Address Groups page without saving the address, click Cancel.
To discard this internet address, click the trash can icon.