Security Settings

You can configure global security settings for ASM Core, including license corrals, password settings and service desk and workflow groups for the organization.

Enabling Integrated Security

Integrated Security allows Analysts to use their workstation login ID and password to access ASM Core. This means that when they launch ASM Core, they do not need to enter a username and password, which makes logging in quicker. However, it also means that only the Analyst logged in to a particular workstation can access ASM Core from that workstation. You will still need to select the system you want to work with if there is more than one (such as Dev, Test, etc.).

If you want to log in using the default Admin account while integrated security is enabled, append noauth=true to the system URL to bring up the login window (for example, .../core.aspx?noauth=true). However, most administration functions can be performed by any Analyst as long as they have the permissions through their General Access security role.

Using Integrated Security and Directory Integration

If your system is configured for Active Directory integration through the Integration Platform Settings, Alemba recommends that you enable Integrated Security. If it is enabled for another type of directory server integration and Authenticate Imported People against Source is selected in the Integration Source Details for this directory server, this setting is ignored.

If you enable integrated security and select Authenticate Imported People against Source in the Integration Source Details for the directory server, a person record imported through a directory server integration scan will be authenticated using the details stored in the ASM database or the directory server. If you do not enable integrated security, people logging in will be authenticated using the details stored in the ASM database.

Before you start

Enable Windows Authentication and disable Anonymous Authentication for the related virtual directory in IIS on the web server where ASM Core is installed.

Select Default Self Service Portal for the system in the ASM Core Server Console as explained in the Server Console Guide.

Ensure that you have Security Setup selected in the Admin tab of your General Access security role to access the Security options within the System window.
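
The IIS prerequisite above (Windows Authentication enabled, Anonymous Authentication disabled) can be checked and applied from PowerShell. The following is an added example, not part of the Alemba documentation; the location 'Default Web Site/ASMCore' is a placeholder for the site and virtual directory where ASM Core is installed, and Get-AuthEnabled is a helper defined only for this example.

```powershell
# Added example (not Alemba code): enforce the IIS prerequisite for Integrated Security.
# Run in an elevated session on the ASM Core web server. The Windows Authentication
# role service must already be installed in IIS.
Import-Module WebAdministration

# Assumption: placeholder "site/virtual directory" path. Replace with your own.
$Location = 'Default Web Site/ASMCore'
$Base     = '/system.webServer/security/authentication'

# Desired state from the prerequisite: Windows Authentication on, Anonymous off.
$Desired = [ordered]@{
    windowsAuthentication   = $true
    anonymousAuthentication = $false
}

function Get-AuthEnabled([string]$Provider) {
    # Returns $true/$false for the provider's "enabled" attribute at $Location.
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$Base/$Provider" -Name enabled).Value
}

foreach ($provider in $Desired.Keys) {
    $current = Get-AuthEnabled $provider
    if ($current -eq $Desired[$provider]) {
        Write-Host "$provider is already $current"
        continue
    }
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$Base/$provider" -Name enabled -Value $Desired[$provider]
    Write-Host "$provider changed from $current to $($Desired[$provider])"
}

# Re-read the configuration and stop if either setting did not take effect.
foreach ($provider in $Desired.Keys) {
    if ((Get-AuthEnabled $provider) -ne $Desired[$provider]) {
        throw "$provider is not in the required state at '$Location'"
    }
}
```

Leaving Anonymous Authentication enabled alongside Windows Authentication lets IIS serve requests without a Windows identity, so the final check treats either mismatch as a failure.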

  1. Select the Menu button, then Admin, and then select System Administration.

    The System Administration window is displayed, with a menu of options available. In the Explorer pane, expand Security.

  2. Select the Security Settings option. The Security Settings window appears. Select the appropriate settings for your system:

Full Application and HTML Only

Enables ASM Core to automatically take the login details (username and password) from the workstation login for the main application and the HTML Only interface.

This means that the ASM Core login for an Analyst must match their workstation login.

Self Service Portal

Enables integrated security on the Self Service Portal. If this option is cleared, Users must log in to the Self Service Portal manually with their ASM Core username and password.

Passwords Required for Authorization/Approval

Select this to force Analysts to enter a password when authorizing requests and completing approvals.

This option only becomes enabled if one of the previous options is selected.

This setting is ignored when used in combination with SSO, which is configured in the Integration settings.

  3. Select to save the changes. Provide the Change Reasons if prompted to do so.

Configuring Security Settings for Passwords

You can configure the security settings for Passwords that are used to log into ASM Core.

Before you start

Ensure that you have Security Setup selected in the Admin tab of your General Access security role to access the Security options within the System window.

  1. Select the Menu button, then Admin, and then select System Administration.

    The System Administration window is displayed, with a menu of options available. In the Explorer pane, expand Security.

  2. Select the Security Settings option from the Explorer pane to display the Security Settings window. The Password Configuration options are in the second section of the window.

Password Expiry

Select to enforce an expiry period for passwords of a specified number of days.

If an Analyst logs on and their password has expired, they are forced to change their password. The new password cannot be the same as their old password.

Expiry Period (Days)

The Password Expiry option must be selected to enable this option.

The number of days before passwords will expire. The default is 14 but it can be overwritten.

Encrypt Password

Select to encrypt passwords in the database, so that passwords cannot be read. Only passwords that are added to the database after this option has been enabled will be encrypted.

When this option is selected, Users will not be able to use the Forgotten Password functionality on the Self Service Portal to receive their password by email. Attempting to do so will return an error message.

Disable Access on Login Failure

Select to disable person records, preventing them from logging in, after a defined number of failed attempts.

Max Failed Logins

This field becomes active when Disable Access on Login Failure is selected.

Specify the number of times a User or Analyst can attempt to log in to ASM Core or Self Service Portal with an invalid password. The system will notify the person of the remaining number of attempts before the system will disable their access.

The number of failed logins is calculated by the system based on consecutive login attempts. After a successful login, the count for failed logins is reset, and the calculation of any subsequent failed logins restarts. 

Log Call on Access Disabled

This field becomes active when Disable Access on Login Failure is selected.

Select to log a call if an Analyst’s access is disabled.

Reset Password When Forgotten

This option is automatically selected and disabled if you select the Encrypt Password option.

Select to enable resetting of passwords if an Analyst does not remember their password. An administrator can set the Analyst’s password.

No email is sent when a password is reset.

  3. Select to save the changes. Provide the Change Reasons if prompted to do so.