Creating a Login Policy for a Simplex

Create a login policy to define password and login parameters for users connecting to a simplex database.

Prerequisites
Database Version – Login Policy Privileges
SAP Sybase IQ 15.3 and 15.4 – You must have one of:
  • DBA authority
  • USER ADMIN authority
SAP Sybase IQ 16.0 – You must have the MANAGE ANY LOGIN POLICY system privilege.
Task
  1. In the Perspective Resources view, select the resource, and select Resource > Administration Console.
  2. In the left pane, expand IQ Servers > Security, and then select Login Policies.
  3. Click the arrow next to Login Policies and select New.
    The Create Login Policy Wizard appears.
  4. On the Login Policy Name page, specify:
    Option – Description
    Select the server for which the login policy will be created – From the list, select the resource for which the login policy will be created.
    What do you want to name the new login policy? – Enter a unique name for the new login policy; maximum 128 characters.
    What would you like the comment to be for this login policy. – (Optional) Enter a comment for the login policy.
  5. Click Next.
  6. On the Login Policy Options page, specify:
    Note: For each option, if no value is defined in the Value column, the root policy value is used.
    Option – Description
    Options:
    Password life time – Number of days the password is valid. The user must reset the password when the lifetime expires. Valid range is 0 - unlimited (default).

    Password grace time – Number of days before password expiry that users receive warnings that the password is about to expire. Valid range is 0 (default) - unlimited.

    Password expiry on next login – Whether the user must reset the password at the next login. Valid values are ON and OFF (default).

    Locked – Whether the user account is locked when the maximum number of failed login attempts is exceeded. Valid values are ON and OFF (default).

    Maximum connections – Number of times the same user can be logged in to the server. Valid range is 0 - unlimited (default).

    Maximum failed login attempts – Number of failed login attempts before the account is locked. Valid range is 0 - unlimited (default).

    Maximum days since login – Number of days allowed between logins before the account is locked. Valid range is 0 - unlimited (default).

    (16.0 only) Auto unlock time – The time period after which locked accounts are automatically unlocked. This option can be defined in any login policy, including the root login policy. Valid range is 0 - unlimited (default).

    (16.0 only) LDAP primary server – The name of the primary LDAP server configuration object.

    (16.0 only) LDAP secondary server – The name of the secondary LDAP server configuration object.

    (16.0 only) LDAP auto failback period – The time period, in minutes, after which automatic failback to the primary server is attempted. Valid range is 0 - unlimited. Default is 15 minutes.

    (16.0 only) LDAP failover to standard authentication – Permits authentication with standard authentication when authentication with the LDAP server fails due to system resources, network outage, connection timeouts, or similar system failures. However, it does not permit an actual authentication failure returned from an LDAP server to fail over to standard authentication. Valid values are ON (default) and OFF.

    (16.0 only) Change password dual control – Requires input from two users, each granted the CHANGE PASSWORD system privilege, to change the password of another user. Valid values are ON and OFF (default).

    (16.0 only) Default logical server – Sets the logical server if the connection string omits a Logical Server parameter.
    • Name of an existing user-defined logical server
    • AUTO – value of the default logical server in the root login policy.
    • COORDINATOR – the current coordinator node
    • NONE – denies access to any multiplex server.
    • OPEN – use alone or with the name of a user-defined logical server. Allows access to all multiplex nodes that are not members of any user-defined logical servers.
    • SERVER – allows access to all of the multiplex nodes, subject to the semantics of the SERVER logical server.

    (15.3, 15.4 only) DQP Enabled – Enables or disables DQP at the connection level. Default is ON.

    Clear All Overridden Values – Clears all override values set.
    Restore to IQ Default – Changes all option settings back to default values.
  7. Click Next.
  8. (Optional) (16.0 only) On the LDAP page, specify:
    Option – Description
    Enable LDAP user authentication – Select to allow configuration of SAP Sybase IQ LDAP server properties in a login policy.
    Primary LDAP server – Specify the primary SAP Sybase IQ LDAP server by name.
    Secondary LDAP server – Specify the secondary SAP Sybase IQ LDAP server by name.
    Auto failback period – Specify the time period in minutes after which automatic failback to the primary server will be attempted. Valid range is 0 - 2147483647. Default value is 15 minutes.
    Failover to standard authentication – Permits authentication with Standard authentication when authentication with the SAP Sybase IQ LDAP server fails due to system resources, network outage, connection timeouts, or similar system failures. However, it does not permit an actual authentication failure returned from an SAP Sybase IQ LDAP server to fail over to Standard authentication. Default value is ON.
    Record LDAP DN refresh time – At the time this login policy option is created or modified, the current time value is stored with the login policy. This is the timestamp that each user authentication compares against the value found for the user in the ISYSUSER system table. When the value in the login policy is newer than the value defined in ISYSUSER, the search for a user DN is done to refresh the value in ISYSUSER. The value NOW is the only valid value to assign to this policy option. All others result in an error. The value is stored as a string in the server’s default format. Regardless of the server’s local timezone, the value is stored in Coordinated Universal Time (UTC). Select this option to record the SAP Sybase IQ LDAP server DN refresh time.
  9. Click Finish.
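
The wizard settings above can also be expressed in SQL. The following is an added example, not part of the original page or SAP's own sample code; it uses the server's SQL option names, which do not appear on this page. The policy name, user name, LDAP server object name and all numeric values are constructed for illustration.

```sql
-- Added example: SQL counterpart of the wizard steps.
-- app_users_policy, app_user1 and ldap_primary_placeholder are hypothetical names;
-- the numeric values are illustrative, not recommendations from the page.

-- Options available on 15.3, 15.4 and 16.0. Any option not listed inherits
-- the root policy value, matching an empty Value column in the wizard.
CREATE LOGIN POLICY app_users_policy
    password_life_time            = 90    -- days the password is valid (default: unlimited)
    password_grace_time           = 14    -- days of warning before expiry (default: 0)
    password_expiry_on_next_login = OFF
    locked                        = OFF
    max_connections               = 5     -- default: unlimited
    max_failed_login_attempts     = 5     -- default is unlimited, i.e. no lockout
    max_days_since_login          = 60;   -- locks dormant accounts (default: unlimited)

-- 16.0 only: options from the Login Policy Options and LDAP pages.
-- The LDAP server configuration object must already exist on the server.
ALTER LOGIN POLICY app_users_policy
    change_password_dual_control = ON     -- two CHANGE PASSWORD holders per reset
    ldap_primary_server          = ldap_primary_placeholder
    ldap_auto_failback_period    = 15     -- minutes (the default)
    ldap_failover_to_std         = OFF    -- default ON falls back to standard
                                          -- authentication when LDAP is unreachable
    ldap_refresh_dn              = NOW;   -- NOW is the only valid value

-- Assign the policy to a user (hypothetical user name).
ALTER USER app_user1 LOGIN POLICY app_users_policy;

-- Review what was stored: only explicitly set options are listed here;
-- everything else is taken from the root policy.
SELECT p.login_policy_name,
       o.login_option_name,
       o.login_option_value
  FROM SYS.SYSLOGINPOLICY p
  JOIN SYS.SYSLOGINPOLICYOPTION o
    ON o.login_policy_id = p.login_policy_id
 WHERE p.login_policy_name = 'app_users_policy'
 ORDER BY o.login_option_name;
```

With ldap_failover_to_std set to OFF, an LDAP outage blocks logins for users under this policy instead of falling back to standard authentication, so weigh that against availability requirements.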
Related tasks
Creating a Login Policy for a Multiplex
Deleting a Login Policy
Generating Login Policy DLL Command
Viewing or Modifying Login Policy Properties
Authenticating a Login Account for a Managed Resource
Related reference
Login Policy Privilege Summary