Viewing or Modifying Login Policy Properties

View or change properties of a login policy for a simplex or multiplex.

Prerequisites
Database Version – Login Policy Privileges

SAP Sybase IQ 15.3 and 15.4
  • View any login policy property page – none.
  • Modify any login policy property – you must have one of:
    • DBA authority
    • USER ADMIN authority

SAP Sybase IQ 16.0
  • View any login policy property page – none.
  • Modify any login policy property – you must have the MANAGE ANY LOGIN POLICY system privilege.

Task
  1. In the Perspective Resources view, select the resource, and select Resource > Administration Console.
  2. In the left pane, expand IQ Servers > Security, and then select Login Policies.
  3. Select one or more login policies from the right pane and either:
    • Click the arrow to the right of the name and select Properties, or
    • From the Administration Console menu bar, select Resource > Properties.
    Tip: Use Shift-click or Control-click to select multiple LDAP login policies.
    The Login Policy Properties view appears.
  4. View or modify the properties.
    • When you are modifying properties, you need not click Apply before changing screens; however, doing so saves any changes.
    Area – Description

    General

    Password life time – Number of days the password is valid. The user must reset the password when the lifetime expires. Valid range is 0 - unlimited (default).

    Password grace time – Number of days before password expiry that users receive warnings that the password is about to expire. Valid range is 0 (default) - unlimited.

    Password expiry on next login – Whether the user must reset the password at the next login. Valid values are ON and OFF (default).

    Locked – Whether the user account is locked when the maximum number of failed login attempts is exceeded. Valid values are ON and OFF (default).

    Maximum connections – Number of times the same user can be logged in to the server. Valid range is 0 - unlimited (default).

    Maximum failed login attempts – Number of failed login attempts before the account is locked. Valid range is 0 - unlimited (default).

    Maximum days since login – Number of days allowed between logins before the account is locked. Valid range is 0 - unlimited (default).

    Maximum non-DBA connections – The maximum number of concurrent connections that a user without SERVER OPERATOR or DROP CONNECTION system privileges can make. This option is supported only in the root login policy. Valid range is 0 - unlimited (default).

    (16.0 only) Auto unlock time – The time period after which locked accounts are automatically unlocked. This option can be defined in any login policy, including the root login policy. Valid range is 0 - unlimited (default).

    (16.0 Root login policy only) Root auto unlock time – The time period after which locked accounts are automatically unlocked. Valid range is 0 - unlimited. Default is 15 minutes.

    (16.0 only) LDAP primary server – The name of the primary LDAP server configuration object.

    (16.0 only) LDAP secondary server – The name of the secondary LDAP server configuration object.

    (16.0 only) LDAP auto failback period – The time period, in minutes, after which automatic failback to the primary server is attempted. Valid range is 0 - unlimited. Default is 15 minutes.

    (16.0 only) LDAP failover to standard authentication – Permits authentication with standard authentication when authentication with the LDAP server fails due to system resources, network outage, connection timeouts, or similar system failures. However, it does not permit an actual authentication failure returned from an LDAP server to fail over to standard authentication. Valid values are ON (default) and OFF.

    (16.0 only) Change password dual control – Requires input from two users, each granted the CHANGE PASSWORD system privilege, to change the password of another user. Valid values are ON and OFF (default).

    (16.0 only) Default logical server – Sets the logical server if the connection string omits a Logical Server parameter. Valid values are:
    • Name of an existing user-defined logical server
    • AUTO – value of the default logical server in the root login policy.
    • COORDINATOR – the current coordinator node
    • NONE – denies access to any multiplex server.
    • OPEN – use alone or with the name of a user-defined logical server. Allows access to all multiplex nodes that are not members of any user-defined logical servers.
    • SERVER – allows access to all of the multiplex nodes, subject to the semantics of the SERVER logical server.

    Clear All Overridden Values – Clears all overridden values set.

    Restore to IQ Default – Changes all option settings back to default values.

    Comment – A comment for the login policy.

    LDAP (16.0 only)

    Enable LDAP user authentication – Enables SAP Sybase IQ LDAP user authentication and allows configuration of SAP Sybase IQ LDAP properties.

    Primary LDAP server – Select the name of the primary SAP Sybase IQ LDAP server from the drop-down list.

    Secondary LDAP server – Select the name of the secondary SAP Sybase IQ LDAP server from the drop-down list.

    Auto failback period – Specify the time period in minutes after which automatic failback to the primary server will be attempted. Valid range is 0 – 2147483647. Default value is 15 minutes.

    Failover to standard authentication – Permits authentication with Standard authentication when authentication with the SAP Sybase IQ LDAP server fails due to system resources, network outage, connection timeouts, or similar system failures. However, it does not permit an actual authentication failure returned from an SAP Sybase IQ LDAP server to fail over to Standard authentication. Default value is ON.

    Update LDAP DN refresh time – Updates the current time value associated with the login policy. During user authentication, this value is compared against the corresponding value found for the user in the ISYSUSER system table. If the value in the login policy is newer than the value defined in ISYSUSER, a search for a new user DN is triggered and the ISYSUSER system table is updated.

    Logical Server Assignment

    (Multiplex only)
    Assignment Type
    • Custom – Allows access to user-defined logical server(s), including OPEN. Select each applicable logical server.
    • Default – Inherits logical server assignment of root login policy.
    • None – Disallows access to any logical server.
    • Server – Allows access to every multiplex node. Connection requires ACCESS SERVER LS system privilege.

    Logical Server Option Overrides

    (Multiplex only)

    For any login policy except the root login policy, this page is available only after selecting the Custom or Default assignment type.

    Max Conn. – Click in the Max Conn. column beside the logical server to be overridden and specify the override value. The valid range is 0 – unlimited (default).

    (15.3, 15.4 only) DQP Enabled – Enables or disables DQP at the connection level. Valid values are ON (default) and OFF.

  5. Do one of:
    • Click OK to update any changes to the database and exit the properties view.
    • Click Apply to update any changes to the database, but remain in the properties view.
    • Click Cancel to cancel any changes not updated to the database and exit the properties view.
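As an added example (not part of the SAP documentation or of Sybase Control Center), the Python below checks a proposed set of General-area property changes against the version, root-only, and valid-value constraints listed in step 4, so a change request can be reviewed before it is applied. The function names and the dictionary input format are assumptions made for illustration; Default logical server, Comment, and the tab-specific fields are not covered.

```python
# Added example: rules transcribed from the General area of the table in step 4.
ALL, V15, V16 = ("15.3", "15.4", "16.0"), ("15.3", "15.4"), ("16.0",)
# property -> (value kind, versions supporting it, root login policy only?)
RULES = {
    "Password life time": ("range", ALL, False),
    "Password grace time": ("range", ALL, False),
    "Password expiry on next login": ("onoff", ALL, False),
    "Locked": ("onoff", ALL, False),
    "Maximum connections": ("range", ALL, False),
    "Maximum failed login attempts": ("range", ALL, False),
    "Maximum days since login": ("range", ALL, False),
    "Maximum non-DBA connections": ("range", ALL, True),
    "Auto unlock time": ("range", V16, False),
    "Root auto unlock time": ("range", V16, True),
    "LDAP primary server": ("name", V16, False),
    "LDAP secondary server": ("name", V16, False),
    "LDAP auto failback period": ("range", V16, False),
    "LDAP failover to standard authentication": ("onoff", V16, False),
    "Change password dual control": ("onoff", V16, False),
    "DQP Enabled": ("onoff", V15, False),
}

def _value_ok(kind, value):
    if kind == "onoff":  # ON / OFF, case-insensitive (assumption)
        return str(value).upper() in ("ON", "OFF")
    if kind == "range":  # "0 - unlimited" in the table
        if isinstance(value, str):
            return value.lower() == "unlimited"
        return isinstance(value, int) and not isinstance(value, bool) and value >= 0
    return isinstance(value, str) and bool(value.strip())  # object name

def validate_changes(version, is_root, changes):
    # Returns a list of problems; an empty list means the change set fits the table.
    problems = []
    for prop, value in changes.items():
        if prop not in RULES:
            problems.append(f"{prop}: not covered by this check")
            continue
        kind, versions, root_only = RULES[prop]
        if version not in versions:
            problems.append(f"{prop}: not available in {version}")
        if root_only and not is_root:
            problems.append(f"{prop}: root login policy only")
        if not _value_ok(kind, value):
            problems.append(f"{prop}: invalid value {value!r}")
    return problems

if __name__ == "__main__":
    # Constructed change set for a non-root policy on a 15.4 server.
    print(validate_changes("15.4", False, {"Auto unlock time": 30, "Locked": "YES"}))
```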
Related tasks
Creating a Login Policy for a Simplex
Creating a Login Policy for a Multiplex
Deleting a Login Policy
Generating Login Policy DLL Command
Authenticating a Login Account for a Managed Resource
Related reference
Login Policy Privilege Summary