Domain-specific properties

This section describes properties that can be configured for each security domain. These properties define the rules for managing security issues, such as auditing and password expiration. The default property values define the initial rules that apply to the default domain. You can modify the rules for a domain by configuring these domain-specific properties using either Enterprise Security Manager or SMAPI. For more information, see Chapter 5, “Delegated Administration.”

The property in Table 15-9 defines how often the domain-specific properties are refreshed.

Table 15-9: Refresh interval property

| Property name | Default value | Description |
|---|---|---|
| propertyRefreshTimeInterval | 60 (seconds) | Defines how often the properties for this domain are refreshed. |

Table 15-10 describes the domain-specific account expiration properties.

Table 15-10: Account expiration properties

| Property name | Default value | Description |
|---|---|---|
| defaultAccountExpirationDuration | 0 | The number of days any account (active or inactive) remains valid. If set to 0, accounts remain valid indefinitely. |
| inactivityExpirationDuration | 0 | The number of days an inactive account remains valid. If set to 0, inactive accounts remain valid indefinitely. |

Table 15-11 describes the domain-specific account lock properties.

Table 15-11: Account lock properties

| Property name | Default value | Description |
|---|---|---|
| allowedInvalidLoginAttempts | 3 | The number of invalid login attempts users are allowed before their account is locked. |
| allowedInvalidAccessAttempts | 5 | The number of invalid access attempts users are allowed before their account authorization is locked. |
| authCountTimeSpan | 1440 (minutes) | The number of minutes during which unauthorized attempts to access security objects are counted. |
| authLockEnable | true | Set to true to enable the system to lock out users after a specified number of attempts to access a security object that they do not have permission to access. |
| authLockPeriod | -1 | The duration of an authorization lockout. |
| closeSessionOnAuthLock | true | Set to true to terminate users’ sessions when their authorization is locked. |
| loginClearHistory | true | Set to true to delete information about invalid login attempts when users successfully log in. |
| loginCountTimeSpan | 60 | The number of minutes during which invalid login attempts are counted. |
| loginLockEnable | true | Set to true to enable the system to lock out users after a specified number of invalid login attempts. |
| loginLockOnAuthLock | true | Set to true to prevent users from logging in when their authorization is locked. |
| loginLockPeriod | -1 | The duration of a lockout. Specify either -1, to lock the account until an administrator specifically unlocks it, or the number of minutes to keep the account locked. |
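A small model of how the login-lock properties in Table 15-11 interact, added here as an illustration and not code from the product: failures are counted only inside the loginCountTimeSpan window, the account locks once allowedInvalidLoginAttempts is exceeded, loginLockPeriod = -1 holds the lock until an administrator unlocks, and a successful login clears the history when loginClearHistory is true. The class and function names are assumptions, as is the reading that the attempt which exceeds the allowance is the one that triggers the lock.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockPolicy:
    # Defaults taken from Table 15-11; the class itself is illustrative.
    allowedInvalidLoginAttempts: int = 3
    loginCountTimeSpan: int = 60    # minutes in which invalid attempts are counted
    loginLockPeriod: int = -1       # -1: locked until an administrator unlocks
    loginLockEnable: bool = True
    loginClearHistory: bool = True

@dataclass
class Account:
    failures: List[int] = field(default_factory=list)  # minute stamps of failed logins
    locked_at: Optional[int] = None

    def unlock(self) -> None:
        """Administrative unlock: clears the lock and the failure history."""
        self.locked_at = None
        self.failures.clear()

def is_locked(policy: LockPolicy, acct: Account, now: int) -> bool:
    if acct.locked_at is None:
        return False
    if policy.loginLockPeriod == -1:
        return True                               # only unlock() releases it
    return now < acct.locked_at + policy.loginLockPeriod

def login(policy: LockPolicy, acct: Account, now: int, password_ok: bool) -> str:
    """Evaluate one login attempt at minute `now`: 'ok', 'denied' or 'locked'."""
    if is_locked(policy, acct, now):
        return "locked"
    if acct.locked_at is not None:                # a timed lockout has elapsed
        acct.unlock()
    if password_ok:
        if policy.loginClearHistory:
            acct.failures.clear()
        return "ok"
    acct.failures.append(now)
    # Only failures inside the loginCountTimeSpan window count toward the lock.
    acct.failures = [t for t in acct.failures if now - t < policy.loginCountTimeSpan]
    # Assumption: the attempt that exceeds the allowance is the one that locks.
    if policy.loginLockEnable and len(acct.failures) > policy.allowedInvalidLoginAttempts:
        acct.locked_at = now
        return "locked"
    return "denied"
```

With the defaults, three failures are tolerated, the fourth within 60 minutes locks, and no correct password releases the lock until unlock() is called.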

Table 15-12 describes the domain-specific auditing properties. For more information about auditing, see Chapter 6, “Auditing.”

Table 15-12: Auditing properties

| Property name | Default value | Description |
|---|---|---|
| auditEnable | false | Specifies whether auditing is enabled for this domain. |
| auditExcludeFilter | | Specifies which events to exclude from auditing; applied after auditIncludeFilter. |
| auditIncludeFilter | (ResourceClass= SYSTEM.*) | Specifies which events to audit. |
| auditJMSEnable | false | Specifies whether to send audit records to a JMS topic, in addition to the primary logging location defined by auditSPI. |
| auditSubjectDNEnable | false | Specifies whether to include the subject DN in auditing records. If set to true, the subject DN is added to the XML audit record column and is available to insert in the Subject DN column (see Table 6-12). If set to true, performance may be slower. |
| auditSuspendOnFailure | false | Specifies whether to suspend auditing when errors occur writing an audit record. |

Table 15-13 describes the domain-specific password properties.

Table 15-13: Password properties

| Property name | Default value | Description |
|---|---|---|
| passwordDuration | 0 | Specifies how many days a password remains valid after it is set. This value affects all users, except those explicitly excluded from this policy. You can also specify the password duration in months or years; for example, 3m = three months, 1y = one year. |
| expiredPasswordChangeWindow | 0 | The number of days after a password expires that users are allowed to change their password. |
| passwordStrengthVerification | (String)null | The name of the password-strength verification component. See “Configuring the sample password-strength verification component”. |