User Management Subsystem
Session Management Settings

Each setting is listed with its base type and default value.

Idle Session Timeout (min) [INTEGER, default 30]: Number of minutes a session may stay idle before it expires. Can be set up to 1440 minutes (24 hours). If this setting is changed in Composer, Tomcat must be restarted for the change to take effect.

Allow users to call services on their own User entity regardless of permissions [BOOLEAN, default true]: If this option is not checked, users must be given explicit permissions to call services on their own User entity.

Restrict the number of concurrent logged in user sessions [BOOLEAN, default false]: If selected, every user (including Administrators) can have only one active session at a time; a new login overrides the existing session.
User Session Shape Settings
In the User Session Shape Settings section, you can add or delete Thing Shapes that are associated with the subsystem. The default Thing Shape is GlobalSessionProperties.
Password Hash Settings
* 
If you change the default password hash settings, security could be negatively impacted. The default values are industry-standard recommendations. If you change the values and weaken security, an attacker could recover stored passwords.
The Password Hash Settings are used when user password hashes are created, both during migration and at login. If the properties a stored password hash was created with do not match these settings when the user logs in, the system rehashes the password with these settings.

Hashing algorithm [STRING, default PBKDF2WithHmacSHA512]: One of the supported password-based key derivation algorithms defined in RFC 2898 (PKCS #5 v2.0, https://tools.ietf.org/html/rfc2898). The default is PBKDF2 with HMAC-SHA-512 as its pseudo-random function.

Salt size in bytes [INTEGER, default 64]: Number of pseudo-random bytes generated per password and combined with it before hashing, so that identical passwords produce different hashes and a precomputed table cannot be reused across accounts.

Hash size in bytes [INTEGER, default 64]: Byte length of the resulting password hash. The natural length depends on the selected algorithm (for example, SHA-256 produces a 256-bit, 32-byte digest and SHA-512 a 64-byte digest, which matches the default).

Hashing iterations [INTEGER, default 100000]: The iteration count of the key derivation function, that is, how many times the underlying HMAC is applied when deriving the hash from the salted password. A higher count makes each offline guess proportionally more expensive for an attacker, at the cost of the same extra work for every legitimate login.
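The rehash-on-login behaviour described above, as an added example in Python (this is not ThingWorx's own code): each stored hash carries the parameters it was created with, a login is verified against those parameters, and if they differ from the current settings the password is rehashed under the current settings while the plaintext is still available. The names CURRENT_SETTINGS, StoredHash, hash_password, verify_password and login are this example's own; the default values are the page's, and the "legacy" parameters in the demo are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical stand-in for the subsystem's Password Hash Settings. The values are the
# page's defaults (PBKDF2WithHmacSHA512, 64-byte salt, 64-byte hash, 100000 iterations);
# hashlib names the PRF by its digest, so "sha512" here means PBKDF2 with HMAC-SHA-512.
CURRENT_SETTINGS: Dict[str, object] = {
    "prf": "sha512",
    "salt_bytes": 64,
    "hash_bytes": 64,
    "iterations": 100_000,
}


@dataclass(frozen=True)
class StoredHash:
    """What must be persisted per user: the hash plus the parameters used to make it."""
    prf: str
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, settings: Dict[str, object] = CURRENT_SETTINGS) -> StoredHash:
    """Derive a fresh salted PBKDF2 hash under the given settings."""
    salt = os.urandom(int(settings["salt_bytes"]))  # fresh random salt for every hash
    digest = hashlib.pbkdf2_hmac(
        str(settings["prf"]), password.encode("utf-8"), salt,
        int(settings["iterations"]), dklen=int(settings["hash_bytes"]))
    return StoredHash(str(settings["prf"]), salt, digest, int(settings["iterations"]))


def matches_settings(stored: StoredHash, settings: Dict[str, object] = CURRENT_SETTINGS) -> bool:
    """True only if the stored hash was produced with exactly the current settings."""
    return (stored.prf == settings["prf"]
            and len(stored.salt) == settings["salt_bytes"]
            and len(stored.digest) == settings["hash_bytes"]
            and stored.iterations == settings["iterations"])


def verify_password(password: str, stored: StoredHash) -> bool:
    """Recompute with the parameters the stored hash carries; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(stored.prf, password.encode("utf-8"), stored.salt,
                                    stored.iterations, dklen=len(stored.digest))
    return hmac.compare_digest(candidate, stored.digest)


def login(password: str, stored: StoredHash,
          settings: Dict[str, object] = CURRENT_SETTINGS) -> Tuple[bool, StoredHash]:
    """Return (accepted, hash_to_store). On a successful login whose stored hash does not
    match the current settings, rehash with the current settings: the plaintext is only
    available at this moment, so this is the point at which migration can happen."""
    if not verify_password(password, stored):
        return False, stored
    if not matches_settings(stored, settings):
        return True, hash_password(password, settings)
    return True, stored


if __name__ == "__main__":
    # Constructed example: a hash created under weaker, older parameters.
    LEGACY = {"prf": "sha256", "salt_bytes": 16, "hash_bytes": 32, "iterations": 10_000}
    old = hash_password("correct horse battery staple", LEGACY)
    ok, new = login("correct horse battery staple", old)
    print("accepted:", ok, "rehashed:", new is not old, "now current:", matches_settings(new))
```

A failed login must never trigger a rehash, and the comparison uses hmac.compare_digest so that a wrong guess is rejected in time independent of where the first differing byte lies.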
Application Key Settings
Application Key Lifetime (sec) [INTEGER, default 86400 (24 hours)]: This lifetime applies to any application key that does not have an Expiration Date defined.
Authentication Settings
Sets HTTP Form Authentication as the default fallback mechanism [BOOLEAN, default false]: When selected, users who logged in through an organization's form login page are prompted for credentials on that same page. This feature uses a cookie that the form login page stores in the user's browser.
Account Lockout Settings
Maximum Login Attempts [NUMBER, default 5]: The number of failed login attempts a user is allowed within the window set by Minutes to Attempt Login before the account is locked.

Minutes to Attempt Login [NUMBER, default 5]: The length of the window, in minutes, within which the failed attempts are counted.

Minutes Locked Out [NUMBER, default 15]: How long the account stays locked. For example, with the defaults, five unsuccessful logins within five minutes lock the account for 15 minutes; after 15 minutes, the user has another five attempts.

* 
If Minutes Locked Out is set to 0, the account is not unlocked automatically; an administrator must unlock it manually.
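The lockout rules above as a sliding-window policy, written here as an added Python example rather than ThingWorx's implementation. AccountLockoutPolicy and its methods are this example's own names; the defaults are the page's, and the behaviour for Minutes Locked Out = 0 (locked until an administrator unlocks) follows the note above. Timestamps are plain seconds so the window can be exercised without waiting.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class AccountLockoutPolicy:
    """Hypothetical model of the Account Lockout Settings (defaults from the page).
    Failed attempts are counted in a sliding window; reaching the maximum locks the account."""

    def __init__(self, max_attempts: int = 5, attempt_window_min: int = 5,
                 lockout_min: int = 15) -> None:
        self.max_attempts = max_attempts
        self.window = attempt_window_min * 60      # Minutes to Attempt Login, in seconds
        self.lockout = lockout_min * 60            # Minutes Locked Out, in seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        # Value None means "locked until an administrator unlocks" (Minutes Locked Out = 0).
        self._locked_until: Dict[str, Optional[float]] = {}

    def is_locked(self, user: str, now: float) -> bool:
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is None or now < until:
            return True
        # Lockout expired: clear it so the user gets a fresh set of attempts.
        del self._locked_until[user]
        self._failures[user].clear()
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        attempts = self._failures[user]
        attempts.append(now)
        while attempts and now - attempts[0] >= self.window:   # forget attempts outside the window
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self._locked_until[user] = None if self.lockout == 0 else now + self.lockout
            attempts.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Return True if the login may proceed; a successful login resets the failure count."""
        if self.is_locked(user, now):
            return False
        self._failures[user].clear()
        return True

    def admin_unlock(self, user: str) -> None:
        self._locked_until.pop(user, None)
        self._failures[user].clear()


if __name__ == "__main__":
    policy = AccountLockoutPolicy()
    t0 = 1_700_000_000.0
    for i in range(5):
        print("attempt", i + 1, "locked:", policy.record_failure("alice", t0 + i))
    print("still locked after 10 min:", policy.is_locked("alice", t0 + 600))
    print("locked after 15 min:", policy.is_locked("alice", t0 + 4 + 900))
```

Note that a successful login while the account is locked is still refused; lockout is checked before the credentials are trusted, otherwise the lockout would give no protection against a correct guess made during the lock period.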
Password Settings
There are two types of password denylists in ThingWorx, and both lists are checked when a user creates a password. The types are:
1. A system-defined list of commonly used internet passwords.
2. A custom, user-defined list of prohibited passwords.
Minimum Password Length [NUMBER, default 14]: The minimum number of characters a password must have. Must be a value between 10 and 128.

Password Denylist Partial Match [BOOLEAN, default false]: If set to true, a new password is rejected when it contains any entry from the custom or system denylist, not only when it equals one.

* 
If you set Password Denylist Partial Match to true, a password cannot contain any item in the custom or system denylist. The system denylist includes common names, sports teams and terminology, movies, foods, animals, repeating and/or sequential series of numbers and letters, physical locations, obscenities, and popular culture references.

Password Denylist Case Sensitive [BOOLEAN, default false]: If set to true, a new password is flagged as invalid only when it matches the exact case of the custom or system denylist entry; when false, matching ignores case.
Custom Password Denylist
In the Custom Password Denylist section, you can add, edit, or delete prohibited passwords.
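The Password Settings above combined into one check, as an added Python example (not ThingWorx's own code): minimum length with the 10 to 128 bound, a system and a custom denylist, and the two flags that switch between exact and substring matching and between case-sensitive and case-insensitive comparison. PasswordPolicy and its methods are this example's names; SYSTEM_DENYLIST_SAMPLE is a constructed stand-in for the system list, which in reality is far larger.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed stand-in for the system-defined list of commonly used internet passwords.
# The page lists the categories the real list covers; these few entries are examples only.
SYSTEM_DENYLIST_SAMPLE: List[str] = [
    "password", "123456", "qwerty", "letmein", "iloveyou", "abcdef", "welcome", "admin",
]


@dataclass
class PasswordPolicy:
    """Hypothetical model of the page's Password Settings; defaults are the page's."""
    min_length: int = 14
    denylist_partial_match: bool = False
    denylist_case_sensitive: bool = False
    system_denylist: List[str] = field(default_factory=lambda: list(SYSTEM_DENYLIST_SAMPLE))
    custom_denylist: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The page states Minimum Password Length must be between 10 and 128.
        if not 10 <= self.min_length <= 128:
            raise ValueError("Minimum Password Length must be between 10 and 128")

    def _norm(self, s: str) -> str:
        # Case-insensitive comparison uses casefold(), which also folds non-ASCII letters.
        return s if self.denylist_case_sensitive else s.casefold()

    def violations(self, password: str) -> List[str]:
        """Every reason the password is rejected; an empty list means it is acceptable."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than the minimum of {self.min_length} characters")
        pw = self._norm(password)
        # Both lists are checked, as the page says; the custom list is checked second.
        for source, entries in (("system", self.system_denylist), ("custom", self.custom_denylist)):
            for entry in entries:
                e = self._norm(entry)
                if not e:
                    continue
                if self.denylist_partial_match:
                    hit, verb = e in pw, "contains"      # substring anywhere in the password
                else:
                    hit, verb = pw == e, "matches"       # whole-password match only
                if hit:
                    problems.append(f"{verb} {source} denylist entry {entry!r}")
        return problems

    def is_acceptable(self, password: str) -> bool:
        return not self.violations(password)


if __name__ == "__main__":
    lenient = PasswordPolicy(custom_denylist=["ThingWorx"])
    partial = PasswordPolicy(denylist_partial_match=True, custom_denylist=["ThingWorx"])
    for candidate in ("Password", "thingworx-Rocks-2024!"):
        print(repr(candidate), "default:", lenient.violations(candidate),
              "partial:", partial.violations(candidate))
```

With the defaults (exact match, case-insensitive) a long password that merely embeds a denylisted word passes; enabling partial matching is what rejects it, which is the trade-off the note about the system list's breadth is warning about.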
Permissions Management
ThingGroup Visibility Permission Delegation Enabled [BOOLEAN, default false]: When enabled, a visibility permission check still performs the same check as when the option is disabled. In addition, it checks the visibility permissions of the entity's direct Thing Group parents and of the Thing Group parents further up each hierarchy path from the entity being checked, stopping a path when no more parents are found.

ThingGroup Direct Parents Cache Max Size of entries [NUMBER, default 10000]: Maximum number of entries (each entry is the set of immediate/direct parents of an entity in a Thing Group hierarchy) the cache can hold. The least used entries are evicted when necessary.

ThingGroup Direct Parents Cache Concurrency Level [NUMBER, default 5]: The number of concurrent updates to direct-parent entries the cache is tuned to expect.

ThingGroup Inherited Visibility Permissions Cache Max Size of entries [NUMBER, default 10000]: Maximum number of entries (each entry is the set of principals with visibility permission inherited through the hierarchy) the cache can hold. The least used entries are evicted when necessary.

ThingGroup Inherited Visibility Permissions Cache Concurrency Level [NUMBER, default 5]: The number of concurrent updates to inherited-visibility entries the cache is tuned to expect.
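The delegated visibility check described above, as an added Python example (not ThingWorx's code): the entity's own visibility permissions are checked first, and with delegation enabled every hierarchy path is walked upward through Thing Group parents until a node with no parents is reached, with the direct-parent lookups going through a bounded least-used-eviction cache like the one the settings size. The sample entities, principals and hierarchy are constructed, and the example assumes that a visibility grant on any Thing Group parent along any path makes the entity visible to that principal.

```python
from collections import OrderedDict
from typing import Dict, FrozenSet, List, Set

# Constructed sample hierarchy (not from the page). Things and Thing Groups are named by
# string; each maps to the principals granted visibility on it and to its direct parents.
VISIBILITY: Dict[str, FrozenSet[str]] = {
    "Pump01": frozenset({"Admins"}),
    "Pump02": frozenset({"Admins"}),
    "PlantA_Pumps": frozenset(),
    "PlantA": frozenset({"OpsTeam"}),
    "MaintQueue": frozenset({"Maintenance"}),
}
DIRECT_PARENTS: Dict[str, FrozenSet[str]] = {
    "Pump01": frozenset({"PlantA_Pumps"}),
    "Pump02": frozenset({"PlantA_Pumps", "MaintQueue"}),   # two hierarchy paths
    "PlantA_Pumps": frozenset({"PlantA"}),
    "PlantA": frozenset(),                                  # root: this path stops here
    "MaintQueue": frozenset(),
}


class DirectParentsCache:
    """Stand-in for the Direct Parents Cache: bounded, least recently used entry evicted."""

    def __init__(self, max_entries: int = 10_000) -> None:
        self.max_entries = max_entries
        self._entries: "OrderedDict[str, FrozenSet[str]]" = OrderedDict()
        self.hits = 0
        self.misses = 0

    def get(self, entity: str) -> FrozenSet[str]:
        if entity in self._entries:
            self._entries.move_to_end(entity)           # mark as most recently used
            self.hits += 1
            return self._entries[entity]
        self.misses += 1
        parents = DIRECT_PARENTS.get(entity, frozenset())   # the lookup being cached
        self._entries[entity] = parents
        if len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)           # evict the least recently used entry
        return parents


def is_visible(principal: str, entity: str, delegation_enabled: bool,
               cache: DirectParentsCache) -> bool:
    """Visibility check as the page describes it. Assumption of this example: a grant on
    any Thing Group parent along any path makes the entity visible to that principal."""
    # Same check as when delegation is disabled: the entity's own visibility permissions.
    if principal in VISIBILITY.get(entity, frozenset()):
        return True
    if not delegation_enabled:
        return False
    # Walk every hierarchy path upward from the entity; a path ends at a node with no parents.
    seen: Set[str] = set()
    frontier: List[str] = [entity]
    while frontier:
        node = frontier.pop()
        for parent in cache.get(node):
            if parent in seen:          # shared ancestor already examined via another path
                continue
            seen.add(parent)
            if principal in VISIBILITY.get(parent, frozenset()):
                return True
            frontier.append(parent)
    return False


if __name__ == "__main__":
    cache = DirectParentsCache()
    for enabled in (False, True):
        print("delegation", enabled, "OpsTeam sees Pump01:",
              is_visible("OpsTeam", "Pump01", enabled, cache))
    print("cache hits/misses:", cache.hits, cache.misses)
```

The seen set matters when an entity belongs to several Thing Groups that share an ancestor: without it the same parents would be re-checked once per path, and a cycle in the group data would never terminate.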