Managing Authentication Settings

This topic describes how to set password policy rules for local IAM users in your tenancy.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing password policy.

To view authentication policy, you must be granted inspect access on the authentication-policies resource. For example:

Allow group GroupA to inspect authentication-policies in tenancy

To modify authentication policy, you must be granted the AUTHENTICATION_POLICY_UPDATE permission. This permission is included in the manage verb. For example:

Allow group GroupA to manage authentication-policies in tenancy

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for groups or other IAM components, see Details for IAM.

Working with Password Policy Rules

A password policy that you set in the IAM service applies to all local (non-federated) users.

When a user is created or when a user changes their password, the IAM service validates the password that is provided against the password policy to ensure that it meets the criteria for the policy. When a user logs in for the first time to change the password, or resets the password at any time, the password policy is evaluated and enforced.

When Do Changes to Password Policy Rules Take Effect

Changes to password policy rules take effect immediately so that the next time any user changes their password they must create a password that meets the criteria. Existing passwords will continue to work even if they would be invalid under the new rules. Users are not forced to change existing passwords to meet the new criteria. Passwords are evaluated against the rules only at the time they are created or changed.

About the Password Policy Rules

The following table describes the rules that you can include in your password policy:

Rule: Minimum password length
Setting Options: Minimum value is 8 (characters). Maximum value is 100.
Default IAM Service Setting: 12 characters

Rule: Special characters
Setting Options: Require passwords to contain at least 1 special character. Special characters allowed in passwords are: !#$%&'()*+,-./:;<=>?@[\]^_`{|}~ Special characters not listed are not allowed.
Default IAM Service Setting: Enforced

Rule: Lowercase characters
Setting Options: Require passwords to contain at least 1 lowercase alphabetic character a-z.
Default IAM Service Setting: Enforced

Rule: Uppercase characters
Setting Options: Require passwords to contain at least 1 uppercase alphabetic character A-Z.
Default IAM Service Setting: Enforced

Rule: Numeric characters
Setting Options: Require passwords to contain at least 1 number 0-9.
Default IAM Service Setting: Enforced

Oracle recommends that you enforce all the password rules.
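
The rules above can be checked locally, for example in a provisioning script, before a password is submitted. The following is an added example, not Oracle's code or the IAM service's implementation: the PasswordPolicy class, its field names and the violations function are hypothetical, and treating every character outside a-z, A-Z, 0-9 and the listed special characters as disallowed is an assumption about how "not listed" is applied.

```python
import string
from dataclasses import dataclass

# Allowed special characters, copied from the rule table on this page.
ALLOWED_SPECIAL = set("!#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical local model of the rules; defaults are the page's defaults."""
    min_length: int = 12
    require_special: bool = True
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True

    def __post_init__(self):
        # The page allows a minimum length setting of 8 through 100.
        if not 8 <= self.min_length <= 100:
            raise ValueError("minimum password length must be 8 through 100")


def violations(password: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the rules a candidate password breaks (empty list = acceptable)."""
    found = []
    if len(password) < policy.min_length:
        found.append("too short")
    classes = [
        (policy.require_special, ALLOWED_SPECIAL, "no special character"),
        (policy.require_lower, set(string.ascii_lowercase), "no lowercase character"),
        (policy.require_upper, set(string.ascii_uppercase), "no uppercase character"),
        (policy.require_digit, set(string.digits), "no numeric character"),
    ]
    for required, charset, message in classes:
        if required and not any(c in charset for c in password):
            found.append(message)
    # Assumption: anything outside a-z, A-Z, 0-9 and the listed specials
    # (for example a space or a double quote) counts as "not listed".
    permitted = ALLOWED_SPECIAL | set(string.ascii_letters + string.digits)
    bad = sorted({c for c in password if c not in permitted})
    if bad:
        found.append("disallowed character(s): " + " ".join(repr(c) for c in bad))
    return found


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for candidate in ["Tr1cky-Passw0rd!", "short1!A", 'Quote"d-Passw0rd', "alllowercase-only"]:
        print(repr(candidate), violations(candidate) or "OK")
```

Note that the double quote and the space are absent from the allowed list, so a password containing either is reported even when every other rule is met.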

Using the Console

To edit password policy rules
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Authentication Settings. The authentication settings for your tenancy are displayed.
  2. Click Edit.
  3. Enter the following to set the password policy:
    • Minimum Password Length: Enter a number to define the minimum number of characters that a user's password must contain. Allowed values are 8 through 100.
  4. Select the Password Rules you want to enforce:
    • Must contain at least 1 numeric character: Select the check box to require at least 1 number (0-9) in the password.
    • Must contain at least 1 special character: Select the check box to require at least 1 special character. Allowed special characters are: !#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    • Must contain at least 1 lowercase character: Select the check box to require at least 1 lowercase alphabetic character (a-z).
    • Must contain at least 1 uppercase character: Select the check box to require at least 1 uppercase alphabetic character (A-Z).
  5. Click Save.