Security policy

Security policy (Configuration → Security Policy) configures password requirements and account lockout behavior for local accounts. Directory and OIDC accounts are governed by their upstream identity provider and are unaffected by these settings. Only users with the System Administrator role can access this page.

Password policy

Password rules are checked when a local password is first set and whenever it is changed. Existing passwords are not re-validated when the policy is tightened — only the next password change will enforce the stricter rules.

Setting	Enforces	Default
Minimum Length	Minimum number of characters	8
Require Digit	At least one digit (0–9)	Enabled
Require Uppercase	At least one uppercase letter (A–Z)	Enabled
Require Lowercase	At least one lowercase letter (a–z)	Enabled
Require Non-Alphanumeric	At least one special character (e.g. @, #, !)	Enabled

Account lockout

After Max Failed Attempts consecutive failed sign-ins, the local account is locked for Lockout Duration minutes. Successful sign-in resets the counter.

A locked account unlocks automatically when the duration elapses. An administrator can also unlock it immediately from the user’s row in user management — useful when you know the lockout was caused by a typo or a stale saved password rather than a real attack.

Tip

Lockout applies to local accounts only. If your users sign in through Directory or OIDC, configure lockout in Active Directory or at the identity provider — fDeploy will not lock those accounts on its side.