From 0813099fadd5c003ed20a68176f62dcf17bd54d3 Mon Sep 17 00:00:00 2001 From: Vladimir Dronnikov Date: Tue, 5 Mar 2024 05:56:46 +0300 Subject: [PATCH] Notes on privilege-expiry (#2622) --- book/src/accounts/policy.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/book/src/accounts/policy.md b/book/src/accounts/policy.md index 7dad5e538..45a677138 100644 --- a/book/src/accounts/policy.md +++ b/book/src/accounts/policy.md @@ -37,7 +37,7 @@ The minimum length for passwords (if they are allowed). ### Privilege Expiry -The maximum length in seconds that privileges will exist after reauthentication for to a read/write +The maximum length in seconds (<= 3600) that privileges will exist after reauthentication for to a read/write session. ### Webauthn Attestation @@ -102,6 +102,8 @@ kanidm group account-policy enable kanidm group account-policy enable my_admin_group ``` +Note that the Account Policy is already enabled for `idm_all_persons`. + ### Setting Maximum Session Time The auth-session value influences the maximum time in seconds that an authenticated session can @@ -135,13 +137,14 @@ kanidm group account-policy password-minimum-length my_admin_group 12 ### Setting Maximum Privilege Time The privilege-expiry time defines how long a session retains its write privileges after a -reauthentication. After this time, the session returns to read-only mode. +reauthentication. After this time (maximum 1 hour), the session returns to read-only mode. To set the maximum privilege time ```shell kanidm group account-policy privilege-expiry kanidm group account-policy privilege-expiry my_admin_group 900 +kanidm group account-policy privilege-expiry my_admin_group 86400 # NB: will be limited to 3600 ``` ### Setting Webauthn Attestation CA Lists
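Review bot: the first hunk (`@@ -37,7`, Privilege Expiry) keeps the pre-existing typo "for to a read/write session" while editing that exact line; since the line is being rewritten anyway, fix it to "after reauthentication to a read/write session". The new "(<= 3600)" also states the bound but not what happens above it, whereas the third hunk's example says an out-of-range value "will be limited to 3600"; say the same thing here in words so the reference section and the how-to agree, e.g. "The maximum length in seconds that privileges will exist after reauthentication to a read/write session. Values above 3600 are limited to 3600."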
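Review bot: in the second hunk (`@@ -102,6`) the added line "Note that the Account Policy is already enabled for `idm_all_persons`." does not tell the reader what to do with that fact: whether running `account-policy enable` against that group is unnecessary, harmless, or an error, and whether "already" means enabled by default or enabled at some earlier point. Spell that out, e.g. "Account policy is enabled by default on `idm_all_persons`, so it does not need to be enabled there.", and match the lower-case "account policy" spelling used by the command name.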
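Review bot: in the third hunk (`@@ -135,13`, Setting Maximum Privilege Time) the parenthetical "(maximum 1 hour)" is attached to "After this time", so it reads as a statement about when the session reverts rather than as the cap on the configurable value; move it to the definition: "The privilege-expiry time (at most 3600 seconds, one hour) defines how long ...". The added example line `kanidm group account-policy privilege-expiry my_admin_group 86400 # NB: will be limited to 3600` puts a deliberately out-of-range value into a copy-paste block, and "will be limited" leaves open whether the value is clamped to 3600 or rejected; prefer a prose sentence after the block that states the exact behaviour, and keep the command example to the in-range `900` case.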