BMS Security | Password policy, secure password creation and notification

Introduction

BMS is introducing new ways to customize the password policy settings for logged-in users in your tenants. With this update, you can set the password length requirements, whether a password can be reused, how many login attempts are allowed, and the strength parameters each password must meet.

Emails for password resets or new user creation will no longer contain the password in plain text; instead they will contain links that become invalid after one-time use. This feature is implemented in various parts of the PSA, and this guide details all of them below.

Requirements

The user must have Admin access to make these changes. These features apply to Employees, Client portal users, and API users.

Password Policy

Admins can now set password and account policies for their tenant users. Navigate to Admin > Security > Password Policy.

  • Login Attempts
    • The default number of attempts is 5. This can be customized as required.
    • Length of time to disable the account. The default is 30 minutes.
    • A zero value throws a validation error.
  • Password Strength
    • Inputs are disabled when the checkbox is unselected.
    • Minimum length is 8 characters; maximum is 64.
    • Password change: minimum 1
    • Reuse: minimum value 1
    • Require password change: 1 day
      • This does not apply to API users.
    • A validation error is shown if the minimum value is not met.
  • A success banner appears at the top when changes are saved successfully.


Users will be emailed if their account has been locked out. Users can wait for the specified time or contact the admin to unlock the account.
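As an added illustration (not BMS code; the product's own implementation is not shown on this page), the following Python models how the settings above fit together: the length bounds, the reuse history, and the lockout after the configured number of failed attempts. The `PasswordPolicy` and `Account` classes, the PBKDF2 hashing and the use of Unix timestamps are assumptions made for the demo.

```python
import hashlib, os
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    # Hypothetical model of the tenant settings above, using the page's defaults.
    max_attempts: int = 5        # failed logins allowed before lockout
    lockout_minutes: int = 30    # how long the account stays disabled
    min_length: int = 8
    max_length: int = 64
    reuse_history: int = 1       # previous passwords that may not be reused

    def __post_init__(self):
        # The UI rejects a zero value; mirror that as a validation error.
        if min(vars(self).values()) < 1:
            raise ValueError("policy values must be at least 1")

@dataclass
class Account:
    history: list = field(default_factory=list)   # (salt, hash), newest last
    failed_attempts: int = 0
    locked_until: float = 0.0                     # Unix timestamp; 0 = not locked

def _hash(password, salt):  # salted PBKDF2 for the demo; use bcrypt/argon2 in production
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def set_password(policy, account, candidate):  # returns the list of violations
    errors = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        errors.append(f"length must be {policy.min_length}-{policy.max_length}")
    if any(_hash(candidate, s) == h for s, h in account.history[-policy.reuse_history:]):
        errors.append(f"matches one of the last {policy.reuse_history} passwords")
    if not errors:
        salt = os.urandom(16)
        account.history.append((salt, _hash(candidate, salt)))
    return errors

def login(policy, account, password, now):
    """Return 'locked', 'bad' or 'ok'; `now` is a Unix timestamp in seconds."""
    if now < account.locked_until:
        return "locked"
    salt, stored = account.history[-1]
    if _hash(password, salt) != stored:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_attempts:   # lock the account
            account.locked_until = now + policy.lockout_minutes * 60
            account.failed_attempts = 0
        return "bad"
    account.failed_attempts = 0
    return "ok"
```

Note that the failure counter is reset when the lockout starts, so a single bad guess after the 30 minutes have elapsed does not immediately re-lock the account.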


Modules

This change is implemented in the following places.

  • New Tenant signups
  • New User setup
  • Reset password page
  • Forgot password page
  • Client portal user creation and reset
  • Support accounts
  • Outbound logs
  • Templates

New tenant signups

When a new MSP is onboarded to BMS, they will have to activate their tenant. The customer will receive an email with tenant details and activation instructions.

Activation link screen

  • The Signup email the user receives contains the tenant's name, the username, and the activation link.
  • The root user/tenant admin can enter their first and last name and a password and sign up to the tenant.
  • Once the account is created, the user will be logged in to BMS.
  • The activation link automatically expires in 7 days.
  • The password should meet the policy requirements set by the admin of your tenant.


New User/Client portal setup

  • When an admin creates a new employee via HR/API, the password is no longer sent in the email.
  • The employee will receive a create-password link that is active for 24 hours.
  • Users click on the link and are prompted to set a new password.
  • The password should meet the policy requirements set by the admin of your tenant.
  • The same applies to contacts created as Client portal users under CRM > Contacts > Client portal user: Yes.

Reset/Forgot password page

Forgot password

Users can change their password using the reset password screen.

  • On the login screen, click Forgot password and enter your user details.
  • You will receive a create-password link that is active for 24 hours.
  • Click on the link and you will be prompted to set a new password.
  • The password should meet the policy requirements set by the admin of your tenant.
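The 24-hour create/reset links described for new users and for Forgot password, and the 7-day tenant activation link, rely on the same mechanism: a random single-use token with an expiry. This added Python sketch (not BMS's implementation; the in-memory store, the `issue_link` and `redeem_link` functions and the example host are hypothetical) shows the server-side checks a link must pass, and why only a hash of the token should be stored.

```python
import hashlib, secrets
from urllib.parse import urlparse, parse_qs

# Hypothetical server-side store for the one-time links described above;
# only a hash of each token is kept, so a leaked table does not expose live links.
_LINKS = {}   # sha256(token) -> {"user": str, "expires": float, "used": bool}

# Link lifetimes in hours, as stated on this page.
TTL_HOURS = {"activate": 7 * 24, "create": 24, "reset": 24}

def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_link(user, purpose, now, base="https://bms.example.invalid"):
    """Mint a single-use URL for `user`; `now` is a Unix timestamp in seconds."""
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, unguessable
    _LINKS[_token_hash(token)] = {
        "user": user, "expires": now + TTL_HOURS[purpose] * 3600, "used": False}
    return f"{base}/{purpose}?token={token}"

def redeem_link(url, now):
    """Return the user the link belongs to and burn it, or None if the link is
    unknown, expired, or already used (a second click on a valid link fails)."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    entry = _LINKS.get(_token_hash(token))
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True                         # one-time use: never valid again
    return entry["user"]
```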

Admin reset

Admins of your tenant can send reset instructions from:

  • HR > Employees > Select employee > Reset and Send instructions
  • CRM > Contacts > Client portal user: Yes > Choose contact > Reset and Send instructions
  • The end user will receive email instructions.


Support accounts

When a user enables a support account for their tenant, an email with the following data is sent to the Kaseya technicians who work on their issue.

  • The system sends an encrypted link that automatically logs in Kaseya technicians.
    • Anyone who has access to the link can click on it and be logged in automatically. The link expires once the activation time set by the customer is reached; after that, Support will have to re-request that the account be enabled.
    • The expiry duration is included in the email.
  • The process for enabling a support account remains the same.
    • Admin > My Company > Company Settings > Support User > Activate

Outbound Email

  • For every email sent for new user creation, password reset, or support accounts, a corresponding log is created in Admin > Logs > Outbound Email.
  • The logged email contains the same instructions and the password reset link.
  • Users with the SSO authentication type will not receive any emails.
  • MFA setup is unchanged.

Email templates

Admin > Business Process > Email templates

  • The %Password% field is automatically replaced with the reset link. Anyone using a template that contains the Password field will see the reset link on their end.
  • These templates can be used under Admin > My Company > Company Settings > User account.


API users

Users with the API user type can now create a password of their choice using the reset password screen.

  • Navigate to the gateway link, enter your username and choose reset password, OR
  • Admins can select the API user and choose Reset and Send instructions.
  • API users will receive the link to change or create the password.
  • Create your new password and use it to authenticate your API calls.
  • The API user type cannot log in to the system; UI access is limited to the reset/create password screen.
  • API users need a valid email address for this to succeed.
