Enhanced eHR Security 04.28.17
This document details the enhancements that are included in the April 28, 2017, patch for eSuite Security.
Logout enforced after inactivity
If an eHR user leaves a page idle for longer than the number of minutes set in the Idle Timeout field in eHR Settings, a Session Expiration Warning dialog opens, giving the user 30 seconds to choose between remaining online and logging out. If the user does nothing within that time, a logout is enforced automatically and the user is redirected to the Employee Login page:
[Screenshots: Session Expiration Warning dialog, Logged out message, Employee Login page]
The auto logout will be enforced on all eHR pages.
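The page describes the warning dialog the browser shows, and whether eSuite also expires the session on the server is not stated here. The example below is added for illustration and is not eSuite code: it models the idle timeout, the 30-second warning window and the enforced logout as a server-side check that runs on every page request, so that a session is dead once the countdown has elapsed even if the browser's timer never fired (a client-side timer can be paused or disabled by the user). The `Session` class, the `/keep-alive` path and the 15-minute timeout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The Session Expiration Warning dialog gives the user 30 seconds before the
# logout is enforced.
WARNING_WINDOW = timedelta(seconds=30)


@dataclass
class Session:
    """Hypothetical server-side session record (not eSuite's own structure)."""
    user_id: str
    last_activity: datetime
    idle_timeout: timedelta          # value of the Idle Timeout field, in minutes
    active: bool = True


def session_state(sess: Session, now: datetime) -> str:
    """Classify a session as 'active', 'warning' (dialog open) or 'expired'.

    Crossing idle_timeout + WARNING_WINDOW marks the session inactive on the
    server, so a later request cannot revive it by resetting the timer.
    """
    if not sess.active:
        return "expired"
    idle = now - sess.last_activity
    if idle < sess.idle_timeout:
        return "active"
    if idle < sess.idle_timeout + WARNING_WINDOW:
        return "warning"
    sess.active = False                  # enforced logout, whatever the browser did
    return "expired"


def handle_request(sess: Session, now: datetime, path: str) -> str:
    """Gate applied to every page request; returns the page to serve.

    An expired session is sent to the Employee Login page.  Any request on a
    live session, including the dialog's "remain online" choice (modelled here
    as the hypothetical '/keep-alive' path), counts as activity and resets the
    idle timer.
    """
    if session_state(sess, now) == "expired":
        return "Employee Login"
    sess.last_activity = now
    return path


def logout(sess: Session) -> str:
    """The dialog's "log out" choice: end the session immediately."""
    sess.active = False
    return "Employee Login"


if __name__ == "__main__":
    t0 = datetime(2017, 4, 28, 8, 0)
    s = Session("jdoe", t0, timedelta(minutes=15))
    print(session_state(s, t0 + timedelta(minutes=15, seconds=10)))   # warning
    print(handle_request(s, t0 + timedelta(minutes=31), "/timesheet"))  # Employee Login
```

The security-relevant point is the `sess.active = False` in `session_state`: the server, not the browser, decides that the countdown has run out.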
Global login and password complexity configuration added to System-wide Settings in eAdministration
eAdministration > System-wide Settings > Password Settings
A global Password Settings page, available only to eAdministrators with “super user” rights, has been added to the System-wide Settings menu in eAdministration. Login and password settings applicable to eHR, ePermits Contractor, eSupplier and eMiscBilling may be viewed and modified from this page:
Most of the settings have been moved to this page from the eHR Settings page (eAdministration > eHR > eHR Maintenance > eHR Settings).
Note: Current eHR settings will be preserved when this April 28, 2017, patch is applied.
Settings are grouped under two categories: Login Configuration and Password Complexity Configuration:
Login Configuration
Maximum failed login attempts: Sets the number of times a user may enter incorrect login credentials before being locked out. The valid range of entries for this field is 1 to 10. The default is 3.
Maximum password age (days): Sets the number of days before a user's password expires and must be updated. The valid range of entries is 0 to 365 days. When the selected number of days has passed, the user receives a password expiration notice and is prompted to select a new password by entering his or her current password and a new password. Selecting 0 for the Maximum password age disables the password expiration feature. Introduced in release 2017.1, this setting is also available in releases 9.5 SP1 and 9.5 C SP1 and applies to eHR, ePermits Contractor, eSupplier and eMiscBilling.
Enforce Password History: Sets how many of a user's most recent passwords may not be reused; for example, if Enforce Password History is 3, a user's new password may not match any of the last three passwords. The default entry is 5.
Note: Passwords set by administrators, while recorded, are not checked against password history.
Password Complexity Configuration
Minimum password length: Determines the minimum number of characters a password must contain. The number must be between 5 and 25 characters. The default entry is 8.
Require uppercase character: Select if password must contain at least one uppercase letter. The box is selected by default.
Require numeric: Select if password must contain at least one numeric digit. The box is selected by default.
Require symbol: Select if password must contain at least one symbol (#, *, %, etc.). The box is selected by default.
Note: These requirements apply to creating and updating passwords, not to logging in with an existing password that may not adhere to the current requirements.
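The Login Configuration and Password Complexity Configuration settings above are easiest to reason about as one policy. The example below is added here and is not eSuite code: it implements the documented ranges and defaults (1 to 10 failed logins, default 3; 0 to 365 days of password age, 0 disabling expiration; 5 to 25 character minimum length, default 8; the three character-class checks; history of 5), including the two caveats the notes call out, namely that administrator-set passwords are recorded but not checked against history, and that complexity is enforced only when a password is created or changed, never at login. The class and function names, the salted PBKDF2 storage, the 90-day age default and the symbol definition (any character that is neither alphanumeric nor whitespace) are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordSettings:
    """Mirrors the Login Configuration and Password Complexity Configuration fields."""
    max_failed_logins: int = 3        # valid range 1..10
    max_password_age_days: int = 90   # valid range 0..365; 0 disables expiration (90 is an assumed default)
    password_history: int = 5         # most recent passwords that may not be reused
    min_length: int = 8               # valid range 5..25
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def __post_init__(self) -> None:
        if not 1 <= self.max_failed_logins <= 10:
            raise ValueError("Maximum failed login attempts must be between 1 and 10")
        if not 0 <= self.max_password_age_days <= 365:
            raise ValueError("Maximum password age must be between 0 and 365 days")
        if not 5 <= self.min_length <= 25:
            raise ValueError("Minimum password length must be between 5 and 25")


def complexity_errors(password: str, s: PasswordSettings) -> list[str]:
    """Every complexity rule the candidate password violates; empty list means compliant."""
    errors = []
    if len(password) < s.min_length:
        errors.append(f"Password must contain at least {s.min_length} characters")
    if s.require_upper and not any(c.isupper() for c in password):
        errors.append("Password must contain at least one uppercase letter")
    if s.require_digit and not any(c.isdigit() for c in password):
        errors.append("Password must contain at least one numeric digit")
    # Assumption: a symbol is any character that is neither alphanumeric nor whitespace.
    if s.require_symbol and not any(not c.isalnum() and not c.isspace() for c in password):
        errors.append("Password must contain at least one symbol")
    return errors


def _hash(password: str, salt: bytes) -> bytes:
    # Per-password salt, so history entries cannot be compared across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest first
    failed_logins: int = 0
    locked: bool = False


def create_account(user_id: str, password: str, s: PasswordSettings, now: datetime) -> Account:
    errors = complexity_errors(password, s)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(password, salt), now)


def set_password(acct: Account, new_password: str, s: PasswordSettings, now: datetime,
                 by_admin: bool = False) -> list[str]:
    """Apply complexity and history rules; returns the violations (empty on success)."""
    errors = complexity_errors(new_password, s)
    if errors:
        return errors
    # Administrator-set passwords are recorded in history but not checked against it.
    if not by_admin:
        recent = [(acct.salt, acct.pw_hash)] + acct.history   # current password counts as one of the "last N"
        for salt, digest in recent[: s.password_history]:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return [f"Password must differ from the last {s.password_history} passwords"]
    acct.history.insert(0, (acct.salt, acct.pw_hash))
    acct.history = acct.history[: s.password_history]
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.pw_set_at = now
    return []


def login(acct: Account, password: str, s: PasswordSettings, now: datetime) -> str:
    """Returns 'ok', 'expired' (password change required), 'locked' or 'bad_credentials'."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_logins += 1
        if acct.failed_logins >= s.max_failed_logins:
            acct.locked = True
            return "locked"
        return "bad_credentials"
    acct.failed_logins = 0
    # Complexity is deliberately not re-checked here: an existing password that fails
    # the current rules still logs in; only the next change is held to them.
    if s.max_password_age_days and now - acct.pw_set_at > timedelta(days=s.max_password_age_days):
        return "expired"
    return "ok"
```

Note that the lockout counter is reset only by a successful login; unlocking a locked account is an administrative action the page does not describe, so the example leaves it out.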
The ePermits Contractor, eSupplier and eMiscBilling modules have been updated to use the password complexity settings; for example, when an ePermits contractor attempts to create an account using a password that fails to comply with the complexity settings, the Create New Account page displays error messages identifying the unmet requirements:
eAdministration > ePermits > Contractor Account Management > Create New Account
The same password complexity settings will apply to the Edit Contractor Account page (eAdministration > ePermits > Contractor Account Management > edit) and to the Contractor Account Activation and Forgot Password pages that are accessed through the Activate Account and Forgot Password links on the eSuite Permits public portal:
[Screenshots: Activate Account and Forgot Password pages]
Email address change in eHR triggers email notifications to previous and new addresses
An eHR user whose email address is changed through the My Personal Information Change Request page will receive an email notification at the previous email address and one at the new address:
MY HR > Personal Information > MAKE CHANGES
[Screenshot: Email notification at previous address]
A new template, Email Updated, has been created for this process and added to the Template drop-down on the Email Template Setup page in new world ERP. This template is used for the notification sent to the user’s previous email address and includes the instruction to contact the system administrator if the user did not make the change:
Maintenance > new world ERP Suite > System > Email Templates
These emails are sent only when employee email changes do not require approval through Employee Change Requests in new world ERP (Human Resources > eSuite > Employee Change Requests); that is, when Approval Required is not selected for Employee Email on the Change Request Type page in new world ERP Maintenance:
Maintenance > new world ERP Suite > Security > Change Request Type
Login/Logout Auditing
With the April 7, 2017, security patch, all login and logout activity in eAdministration, eHR, eSupplier and eMiscBilling was tracked and stored in the eSuite database.
With the April 28, 2017, patch, all login and logout activity in eUtility Management, ePermits Contractor and eLicensing also will be tracked and stored in the eSuite database.
The following items will be included in this audit:
- User ID
- IP Address
- Session ID
- Area Name
- Username
- Logging Type
- Message
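The audit records are only useful if someone queries them. The example below is added here and is not eSuite code: it builds a hypothetical table from the fields listed above with sqlite3, loads a few constructed rows, and runs two checks a security operations team would want against login/logout data: a user logging in from a second IP address while an earlier session of theirs had not yet logged out, and sessions that have a Login record but no matching Logout. The table and column names, the `Login`/`Logout` values of Logging Type, and the `logged_at` timestamp column are assumptions; the field list above names no time field, but without one no ordering of events is possible, so any real query needs the equivalent.

```python
from __future__ import annotations

import sqlite3

# Hypothetical layout derived from the audit fields listed above; the real eSuite
# schema is not documented on this page.
SCHEMA = """
CREATE TABLE login_audit (
    user_id      TEXT,
    ip_address   TEXT,
    session_id   TEXT,
    area_name    TEXT,
    username     TEXT,
    logging_type TEXT,   -- 'Login' or 'Logout' (assumed values)
    message      TEXT,
    logged_at    TEXT    -- ISO 8601 timestamp (assumed column)
)
"""

# Constructed sample rows, not real audit data.
SAMPLE_ROWS = [
    ("1001", "10.0.0.5",    "S1", "eHR",                 "jdoe", "Login",  "Login succeeded",     "2017-04-28T08:00:00"),
    ("1001", "203.0.113.9", "S2", "eHR",                 "jdoe", "Login",  "Login succeeded",     "2017-04-28T08:20:00"),
    ("1001", "10.0.0.5",    "S1", "eHR",                 "jdoe", "Logout", "Idle timeout logout", "2017-04-28T09:05:00"),
    ("2002", "10.0.0.7",    "S3", "ePermits Contractor", "acme", "Login",  "Login succeeded",     "2017-04-28T08:10:00"),
    ("2002", "10.0.0.7",    "S3", "ePermits Contractor", "acme", "Logout", "User logged out",     "2017-04-28T08:45:00"),
    ("3003", "10.0.0.9",    "S4", "eUtility Management", "mlee", "Login",  "Login succeeded",     "2017-04-28T08:30:00"),
]


def open_audit_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample audit rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO login_audit VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db


def overlapping_logins(db: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """(user_id, first_ip, second_ip) where a user logged in from a different IP
    address while an earlier session of theirs still had no Logout record.
    Possible credential sharing or a stolen password in use alongside the owner."""
    rows = db.execute("""
        SELECT a.user_id, a.ip_address, b.ip_address
        FROM login_audit a
        JOIN login_audit b
          ON a.user_id = b.user_id AND a.session_id <> b.session_id
        WHERE a.logging_type = 'Login' AND b.logging_type = 'Login'
          AND a.ip_address <> b.ip_address
          AND a.logged_at < b.logged_at
          AND NOT EXISTS (
              SELECT 1 FROM login_audit o
              WHERE o.session_id = a.session_id
                AND o.logging_type = 'Logout'
                AND o.logged_at <= b.logged_at)
        ORDER BY a.user_id, a.logged_at
    """).fetchall()
    return [(r[0], r[1], r[2]) for r in rows]


def sessions_without_logout(db: sqlite3.Connection) -> list[str]:
    """Session IDs with a Login but no Logout: still open, or never closed cleanly."""
    rows = db.execute("""
        SELECT session_id FROM login_audit
        WHERE logging_type = 'Login'
          AND session_id NOT IN (
              SELECT session_id FROM login_audit WHERE logging_type = 'Logout')
        ORDER BY session_id
    """).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_audit_db()
    print(overlapping_logins(db))       # [('1001', '10.0.0.5', '203.0.113.9')]
    print(sessions_without_logout(db))  # ['S2', 'S4']
```

Run against the real table, the second query also doubles as a check that the enforced idle logout from the first section is actually writing a Logout record.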