# Configuring Security Policies

Navigate to **Admin > Settings > Security Policies** to create and manage Password and Single Sign-on (SSO) security policies for users. You can apply these security policies to user accounts to determine whether they log into Vault with a password or using SSO.

If necessary, you can use the <a href="/en/gr/856420/">_Convert Security Policy_</a> action to change a user's security policy assignment.

The _System Managed_ security policy does not appear on the _Security Policies_ page, and you cannot edit it, delete it, or assign it to a user.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Security policies apply across all Vaults in a multi-Vault domain. You must be a <em>Domain Admin</em> to modify these settings.</p>
    </div>
  </div>
</div>
## Password Security Policies {#create}

Password security policies allow user accounts to log into Vault with a password. On these security policies, you can configure password requirements, expiration period, reuse policy, security question policy, and more. Regardless of how you configure password-related fields on Password security policies, users are always able to unlock their accounts by resetting their passwords.

To create and edit a Password security policy:

1. On the **Admin > Settings > Security Policies** page, click **Create > Password**. If editing an existing Password security policy, click on the security policy from the list and then click **Edit**.
2. Enter a **Policy Name** and an optional **Description**.
3. Select the **Status**. By default, new security policies are created in the _Active_ status.
4. Select **Password** as the **Authentication Type**.
5. Optional: Adjust the remaining [security policy settings][1] as needed.
6. Click **Save**.

## Single Sign-on Security Policies

Single Sign-on (SSO) security policies allow user accounts to log into Vault using SSO. When you create a new SSO security policy, you must apply it to each user account individually. If you edit an existing SSO security policy that is already in use, you can skip this step, but you may still have to enter the **Federated ID** for each user if your SSO configuration uses **Federated ID** rather than **Vault User Name** as the **User ID Type**.

See <a href="/en/gr/13977/">Configuring Single Sign-on</a> for more information.

To create or edit an SSO security policy:

1. On the **Admin > Settings > Security Policies** page, click **Create > Single Sign-on**. If editing an existing SSO security policy, click on the security policy from the list and then click **Edit**.
2. Enter a **Policy Name** and an optional **Description**.
3. Select the **Status**. By default, new security policies are created in the _Active_ status.
4. Optional: Select one SAML <a href="/en/gr/43346/">**Single Sign-on Profile**</a>.
5. Optional: Select one SAML <a href="/en/gr/43346/">**eSignature Profile**</a>.
6. Optional: Select one <a href="/en/gr/43329/">**OAuth 2.0 / OpenID Connect Profile**</a>.
7. Optional: Adjust the remaining [security policy settings][1] as needed.

## Security Policy Settings {#security-policy-settings}

For each security policy, you can configure the settings below.

| Security Policy Type | Field | Explanation|
| --- | --- | --- |
| Password, SSO | Status | _Active_ or _Inactive_. Only _Active_ security policies are available for selection in the Vault Users UI. |
| Password | Password Requirements | Set the checkboxes to indicate which characters users must include in their passwords: number, upper-case letter, non-alphanumeric character (symbol). |
| Password | Minimum Password Length | Select the minimum number of characters that users must include in their passwords. You can choose a number between 7 and 40. The default value is 8. |
| Password | Password Expiration | Choose how often user passwords should expire. When a user's password expires, Vault prompts the user to create a new password. Choose _No expiration_ (default) or _Expire in…_. You can set the expiration to a value between 30 and 720 days. The default value for the expiration date is 90 days. |
| Password | Password History Reuse | Choose whether Vault should prevent a user from reusing the same password, and how many previous passwords to track and prevent reuse. You can select _No password history tracking_ (default) or _Prevent the reuse of the last…_. You can set the number of passwords to track any number from 1 to 20. The default value is 5. |
| Password | Account lockout duration | Choose how long users are locked out of their accounts after 5 consecutive failed password attempts. You can set this to _Permanent_ (default), _5 minutes_, _10 minutes_, _30 minutes_, or _60 minutes_. |
| Password | Password Reset Daily Limit | Choose whether Vault should enforce a daily password reset limit and, if so, how many resets to allow. You can select _Unlimited_ (default) or _Limited to…_. You can set the reset limit to any number from 1 to 10. The default value is 10. This applies to password resets from the login page by unauthenticated users. Password resets performed by an administrator or from the user's profile page do not count against the daily reset limit. |
| Password | Require security question on password reset | Set the checkbox to require that users create a security question and answer the question when resetting their passwords. After enabling this setting, Vault will prompt all users to create the security question the next time they log in. Answers are not case-sensitive. |
| Password | Allow browsers to save and autofill password field on the login form | When this setting is on, users can choose to save passwords to a password manager or to their browser. When the setting is off, Vault prevents this. |
| Password, SSO | Logout user after inactivity | This setting controls the maximum amount of time users can be idle before Vault automatically logs them out. You can set this to _10 minutes_, _15 minutes_, _20 minutes_, _30 minutes_, _45 minutes_, _1 hour_, _2 hours_, _4 hours_, or _8 hours_. When configured, this setting overrides the <a href="/en/gr/63061/#default-session-duration">domain-level _Session Duration_</a> configured in **Admin > Settings > Domain Settings**. By default, this is set to _Domain Default Duration_ and uses the domain-level _Session Duration_. |
| Password, SSO | Allow device-enforced access | This setting allows users to use their device authentication (biometrics) to refresh their Vault authentication in supported client mobile applications, up to the configured _Logout user after inactivity_ setting. After that duration has passed, users must re-enter their credentials to authenticate again. This setting applies to users authenticating via a _Password_ security policy or a _Single Sign-on_ security policy that does not use an associated _OAuth 2.0 / OpenID Connect Profile_ for the given client mobile application. For example, if _OAuth 2.0 / OpenID Connect_ is configured for <a href="/en/gr/71324/">Vault Mobile</a>, this setting does not apply to those users, who instead use standard OAuth refresh tokens. |
| Password, SSO | Allow login via Salesforce.com | Select the checkbox to allow users who are logged into Salesforce.com or Veeva CRM to access Vault without logging in again. When this checkbox is selected, you must specify your company's <a href="https://help.salesforce.com/s/articleView?id=000325251&type=1" target="_blank" rel="noopener">Salesforce.com Organization ID</a>. |

## How to Delete or Inactivate a Security Policy

To delete a security policy:

1. From the _Security Policies_ page, select the policy you want to delete.
2. Select **Delete** from the **All Actions** menu.
3. Click **Continue** to confirm that you want to delete the security policy.

You can only delete a security policy that is not assigned to any user, including inactive users.

To inactivate a security policy:

1. From the _Security Policies_ page, select the policy you want to inactivate.
2. Click **Edit**.
3. In the _Status_ field, select **Inactive**.
4. Click **Save**.

Once a security policy is inactive, it does not appear as an available option when creating or editing users.

## How to Reset All Passwords {#reset}

Resetting all passwords can help you enforce a new password security policy. For example, if you change the minimum length, resetting all passwords forces users to create passwords that comply with the new minimum length requirement. From the **Security Policies** page, select **Reset All Passwords** from the **All Actions** menu.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: This action does not affect users with Single Sign-on (SSO) security policies. You can only reset passwords for these users through your organization’s Identity Provider (IdP).</p>
    </div>
  </div>
</div>
## User Account Lockout {#user_account_lockout}

Vault locks user accounts after five consecutive unsuccessful login attempts, regardless of how much time passes between them. Vault does not tell users on the login screen that they are locked out; however, Admins can view a record of lockouts in the **Login Audit History**. User accounts remain locked out until either the user or an Admin requests a password reset.

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: This setting affects all accounts and is not configurable.</p>
    </div>
  </div>
</div>
[1]: #security-policy-settings