Toggle menu

User Settings

The iCM and website user tabs let you set up password complexity rules for your users. The recommended settings are taken from guidelines published by the OWASP (Open Web Application Security Project) Foundation.

The list of common passwords that should be blocked is held in the iCM custom folder, often available using iCM's File Manager. It has been compiled using publicly available lists of common passwords.

We strongly recommend you use the suggested password settings.

iCM Users

You can load the recommended settings using the "Use recommended settings" link. This link only appears if your current settings don't meet the minimum recommendations.

Changes to the complexity rules are applied to iCM users the next time they log in, including immediately after an upgrade, forcing them to reset their password so that it meets the new rules.

The rules you can set are:

  • Minimum length
  • Old password kept - this prevents the reuse of old passwords
  • Minimum number of lower/uppercase letters, numbers, special characters
  • Block repeated characters
  • Block commonly used passwords

Password expiry can also be set for users in the iCM Users section.

iCM Login Providers

Beta

This feature is still in beta.

iCM login providers allow users to log into iCM using third party accounts, like a local network or corporate account. It's actually possible to configure any of the Authentication worker's Provider Types as iCM logins, although take care if you enable social media logins as anyone with that account type could then log into iCM (if you want to enable a provider like Google, IP restrict your iCM logins first).

To enable a new provider, press "Create". You can then pick a provider that has already been set up in the API Server configuration from the drop-down, which will populate the name and type inputs. Pick "Other" to enter these details manually. The name and type must match a provider to have any effect.

The providers you enter here can be used to log into the iCM enterprise URL. They can also be inherited by subsites.

Once enabled you'll see a new button on the iCM login page.

iCM Login Screen

Before site user logins can be used to log into iCM, group and user aliases also need to be set up. See Using External Authentication with iCM for a full description.

Website Users

Website user passwords are also managed from within iCM. These settings are used by:

Both of these fields are part of our example registration form.

Recommended settings are listed next to each field. Changing the complexity rules does not force existing users to change their passwords. They will have to meet the new rules if they reset their password.

Failed login attempts and lockout durations are set in the API Server configuration of the iCMSiteUser provider (the defaults are 5 attempts and fifteen minutes).

Profile Form Mappings

Once you have users registered with your site, these mappings should not be changed. Changing mappings will cause problems for existing users. For more information about user profiles and how they can be created and updated, see the Site Groups and Users section.

If you do make changes you must resend the configuration to your API Server so the Authentication worker is aware of them.

PropertyDescription
User Profile FormThis is the private form that iCM should use to display user profiles when you are editing users in iCM (not the user profile object definition or "master" form). The standard form is called "iCM User Profile Form"
Email Address FieldThe property within the userprofile object that holds a user's email address

Display Name Template

User accounts in iCM are generally identified by GUIDs (unless created manually in iCM). Rather than display GUIDs in the user trees in iCM a display name is constructed using a Handlebars template.

The template also sets the value of the DisplayUserName property of a user, which can be returned using the iCM API.

This is the default template, which cannot be modified:

{{#and LASTNAME FIRSTNAME}}{{{LASTNAME}}}, {{{FIRSTNAME}}}, {{else if LASTNAME}}{{{LASTNAME}}}, {{else if FIRSTNAME}}{{{FIRSTNAME}}}, {{/and}}{{#if EMAIL}}{{{EMAIL}}}, {{/if}}{{{user.username}}}

It will display the LASTNAME and FIRSTNAME from the user's profile (if both exist), followed by the EMAIL, followed by the account username/unique ID. For example:

Display Name

If either the FIRSTNAME or LASTNAME (or both) are missing, the template will display those elements that are present.

Preferred Name

The preferred name template works on the same principles as the display name. It sets the value of the PrefUserName property available via the iCM API. This value can then be used when the user's name appears on the website, for example in products like Assisted Service.

Rather confusingly the default template uses a single field called {{DISPLAYNAME}}, which is a field in the standard user profile form and nothing to do with the display name described above.

Last modified on July 31, 2024

Share this page

Facebook icon Twitter icon email icon

Print

print icon