Getting started with User PIN policy lockout

The User PIN policy lockout feature allows libraries to set criteria for locking users out of their account if they provide an incorrect PIN to a given client.

For more information, see the following sections:

Prerequisites

Before implementing the User PIN lockout feature for your library system clients, ensure that your libraries have met the following prerequisites.

Planning Prerequisites

Identify the clients that should require enforcement of account lockout rules.
Identify the lockout criteria you want to use for each type of user. Using the User PIN policies, you can configure the following:
The number of tries a user has to provide a correct user name and PIN combination
The amount of time a user is locked out of the account if they fail to log in
The amount of time until SirsiDynix Symphony forgets the attempts to log in, allowing the locked-out user to try logging in again

By default, delivered clients (such as WorkFlows) have the "Enforce user PIN policy lockout" Client ID attribute selected; however, account lockout functionality won't be operational for those clients until User PIN policies are also configured.

Technical Prerequisites

Before you can configure User PIN lockout on your library system, you need to have SirsiDynix Customer Support activate the Policy PINs feature on your SirsiDynix Symphony server.

Implementation of User PIN Lockout

Once you have access to the Policy PINs feature and have determined the lockout criteria for each type of user, you can begin to implement the User PIN Lockout feature.

At this point, you can configure as many User PIN policies with your lockout criteria as your library system needs for its users. Whether or not the client should enforce lockout rules is specified in the Client ID policy corresponding to the client.

Manual account unlocking

Staff users will have the option to manually unlock a user's account after it has been locked. The Privilege tab of the user record displays a "User account is locked" message for a locked-out user. You can mark the "Unlock user" option and type an override to manually unlock the user's account, allowing the user to attempt to log in again.

The "User Lockout" override must be added to the operator policy associated with any override code you want to be able to unlock user accounts. For more information, see Operator Policy Override Codes.

Example of policy setup

The following is an example of how you may choose to configure PIN lockout rules for a given type of user.

User PIN policy

Attribute

Value

Name

STAFF

Description

Staff users

User PIN Minimum Length

4

User PIN Maximum Length

25

User PIN Minimum Number of Lower Case Characters

0

User PIN Minimum Number of Upper Case Characters

0

User PIN Minimum Number of Numeric Characters

0

User PIN Minimum Number of Special Characters

0

Securely store the PIN

Not enabled

Number of Days PIN is Valid

25000 (UNLIMITED)

Number of Days Before PIN Expires to Warn User

0

Number of Days to Allow Users to Change Their PIN After Expiration

25000 (UNLIMITED)

Number of Previous PINs to Check for Uniqueness Against New PIN

0

Number of Allowed Attempts Before Lockout

5

Amount of Time the Account is Locked

30, in minutes

Amount of Time Until Failed Attempts Are Forgotten

30, in minutes

Use This Policy for Invalid Users

Yes

Client ID policy

Attribute

Value

Client ID

3

Name

WORKFLOWS

Description

WorkFlows

Client Type

STAFF

Enforce User PIN policy lockout

[Checked]

These example policies would allow a user to try 5 times to log in to WorkFlows before locking them out. The account would remain locked for 30 minutes, and the failed attempts to log in would be forgotten 30 minutes after the final attempt. This policy would also apply to invalid users who attempt to log in to the WorkFlows client.

Maintenance of login failure records

The Purge Expired Login Failures (Purgelognfails) report is a maintenance report that deletes expired login failures from the SirsiDynix Symphony database. SirsiDynix recommends running this report monthly or on a regular basis to save space on the Symphony server. For more information, see Purge Expired Login Failures Report.

Related topics