Notes on privilege-expiry (#2622)

This commit is contained in:
Vladimir Dronnikov 2024-03-05 05:56:46 +03:00 committed by GitHub
parent 9d05b797ed
commit 0813099fad
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -37,7 +37,7 @@ The minimum length for passwords (if they are allowed).
### Privilege Expiry
The maximum length in seconds that privileges will exist after reauthentication for to a read/write
The maximum length in seconds (<= 3600) that privileges will exist after reauthentication for to a read/write
session.
### Webauthn Attestation
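Review bot: the replacement line keeps the pre-existing grammar slip "after reauthentication for to a read/write session"; since the sentence is being rewritten anyway, drop the stray "for" so it reads "after reauthentication to a read/write session". It would also help to say that "(<= 3600)" is an upper bound the server enforces rather than a recommended value, so an administrator reading only this section knows that a larger setting will not take effect as written.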
@ -102,6 +102,8 @@ kanidm group account-policy enable <group name>
kanidm group account-policy enable my_admin_group
```
Note that the Account Policy is already enabled for `idm_all_persons`.
### Setting Maximum Session Time
The auth-session value influences the maximum time in seconds that an authenticated session can
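Review bot: the added note that Account Policy is already enabled for `idm_all_persons` does not say what follows from it for the reader. A clause on the consequence (whether the enable command is still needed for their own group, and how values set on `idm_all_persons` interact with values set on a more specific group such as `my_admin_group`) would make the note actionable instead of informational.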
@ -135,13 +137,14 @@ kanidm group account-policy password-minimum-length my_admin_group 12
### Setting Maximum Privilege Time
The privilege-expiry time defines how long a session retains its write privileges after a
reauthentication. After this time, the session returns to read-only mode.
reauthentication. After this time (maximum 1 hour), the session returns to read-only mode.
To set the maximum privilege time
```shell
kanidm group account-policy privilege-expiry <group name> <seconds>
kanidm group account-policy privilege-expiry my_admin_group 900
kanidm group account-policy privilege-expiry my_admin_group 86400 # NB: will be limited to 3600
```
### Setting Webauthn Attestation CA Lists
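Review bot: the added example `kanidm group account-policy privilege-expiry my_admin_group 86400 # NB: will be limited to 3600` leaves it unclear whether the server silently clamps the value to 3600 or rejects the command, and the prose change above only says "(maximum 1 hour)". State the behaviour in the sentence rather than in a shell comment, and use the same figure in both places, e.g. "maximum 3600 seconds (1 hour)", so it matches the "(<= 3600)" wording in the Privilege Expiry section. A sentence on why the cap exists would also help: this value bounds how long a session keeps write privileges after reauthentication, so the cap limits the window in which a hijacked privileged session can make changes, which is the reason a short value is preferable.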