Compliance: Settings

2024-03-28

Premium Feature — Available in the Enterprise Edition of LabKey Server. Learn more or contact LabKey.

This topic covers settings available within the Compliance module. Both the Compliance and ComplianceActivities modules should be enabled on your server and in any projects where you require these features.

Manage Account Expiration

You can configure user accounts to expire after a set date. Once the feature is enabled, expiration dates can be set for existing individual accounts. When an account expires, it is retained in the system in a deactivated state. The user can no longer log in or access their account, but records and audit logs associated with that user account remain identifiable and an administrator could potentially reactivate it if appropriate.

To set up expiration dates, first add one or more users, then follow these instructions:

  • Go to (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • On the Accounts tab, under Manage Account Expiration, select Allow accounts to expire after a set date.
  • Click Save.
  • You can now set expiration dates for user accounts.
  • Click the link (circled above) to go to the Site Users table. (Or go to (Admin) > Site > Site Users.)
    • Above the grid of current users, note the Show Temporary Accounts link. This will filter the table to those accounts which are set to expire at some date.
  • Click the Display Name for a user account you want to set or change an expiration date for.
  • On the account details page click Edit.
  • Enter an Expiration Date, using the date format Year-Month-Day. For example, to indicate Feb 16, 2019, enter "2019-02-16".
  • Click Submit.
  • Click Show Users, then Show Temporary Accounts and you will see the updated account with the assigned expiration date.

Manage Inactive Accounts

Accounts can be automatically disabled (i.e., login is blocked and the account is officially deactivated) after a set number of days of inactivity. When an account was last 'active' is determined by whichever of these is the latest: last admin reactivation date, last login date, or account creation date.

To set the number of days after which accounts are disabled, follow the instructions below:

  • Select (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • On the Accounts tab, under Manage Inactive Accounts, select Disable inactive accounts after X days.
  • Use the dropdown to select when the accounts are disabled. Options include: 1 day, 30 days, 60 days, or 90 days.
Accounts disabled by this mechanism are retained in the system in a deactivated state. The user can no longer log in or access their account, but records and audit logs associated with that user account remain identifiable and an administrator could potentially reactivate it if appropriate.

Audit Log Process Failures

If any of the events that should be stored in the Audit Log aren't processed properly, these settings let you automatically inform administrators of the error in order to immediately address it.

Configure the response to audit processing failures by checking the box. This will trigger notifications in circumstances such as (but not limited to) communication or software errors, unhandled exceptions during query logging, or if audit storage capacity has been reached.

  • Select (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • Click the Audit tab.
  • Under Audit Process Failures, select Response to audit processing failures.
  • Select the email recipient(s) as:
    • Primary Site Admin (configured on the Site Settings page) or
    • All Site Admins (the default)
  • Click Save.
  • To control the content of the email, click the link email customization, and edit the notification template named "Audit Processing Failure". For details see Email Template Customization.

Limit Login Attempts

You can decrease the likelihood of an automated, malicious login by limiting the allowable number of login attempts. These settings let you disable logins for a user account after a specified number of attempts have been made. (Site administrators are exempt from this limitation on login attempts.)

To see those users with disabled logins, go to the Audit log, and select User events from the dropdown.

  • Go to (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • Click the Login tab.
  • In the section Unsuccessful Logins Attempts, place a checkmark next to Enable login attempts controls.
  • Also specify:
    • the number attempts that are allowed
    • the time period (in seconds) during which the above number of attempts will trigger the disabling action
    • the amount of time (in minutes) login will be disabled
  • Click Save.

Third-Party Identity Service Providers

To restrict the identity service providers to only FICAM-approved providers, follow the instructions below. When the restriction is turned on, non-FICAM authentication providers will be greyed out in the Authentication panel.

  • Go to (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • Click the Login tab.
  • In the section Third-Party Identity Service Providers, place a checkmark next to Accept only FICAM-approved third-party identity service providers.
  • The list of configured FICAM-approved providers will be shown. You can manage them from the Authentication Configuration page.

Manage Session Invalidation Behavior

When a user is authenticated to access information, but then the session becomes invalid, whether through timeout, logout in another window, account expiration, or server unavailability, obscuring the information that the user was viewing will prevent unauthorized exposure to any unauthorized person. To configure:

  • Go to (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • Click the Session tab.
  • Select one of:
    • Show "Reload Page" modal but keep background visible (Default).
    • Show "Reload Page" modal and blur background.
  • Click Save.

With background blurring enabled, a user whose session has expired will see a popup for reloading the page, with a message about why the session ended. The background will no longer show any protected information in the browser.

Allow Project Locking

Project locking lets administrators make projects inaccessible to non-administrators, such as after research is complete and papers have been published.

  • Go to (Admin) > Site > Admin Console.
  • Under Premium Features, click Compliance Settings.
  • Click the Project Locking & Review tab.
  • Check the Allow Project Locking box.

Learn more in this topic:

Project Review Workflow

To support compliance with standards regarding review of users' access rights, a project permissions review workflow can be enabled, enforcing that project managers periodically review the permission settings on their projects at defined intervals. Project review is available when project locking is also enabled; if a project manager fails to review and approve the permissions of a project on the expected schedule, that project will "expire", meaning it will be locked until the review has been completed.

Learn more in this topic:

Related Topics