accseccfg command

This command displays and configures user account security settings for the CMM, including password policies.

If command syntax is not correctly entered, or if a command fails to run, an error message is returned. See Common errors for a list of error messages that apply to all commands or accseccfg command errors for a list of error messages that are specific to the accseccfg command.

Table 1. accseccfg command.

The command table is a multi-row, four-column table where each row describes a CMM CLI command option: column one lists command function, column two provides a detailed command description, column three shows command-option syntax, and column four lists valid command targets.

Function What it does Command Target (see paths in Command targets)
Display account security settings Displays the user account security settings for the CMM. Returned values:
  • Default security settings used (legacy, high, or custom)
  • -alt: authentication logging timeout (in seconds)
  • -am: user authentication method (local, ldap, localldap, or ldaplocal)
  • -cp: complex password (on, off)
  • -ct: CLI inactivity session timeout (in seconds)
  • -dc: minimum number of different characters in the password (0 to 15) Note: only when -cp (complex password) is enabled.
  • -de: default 'USERID' account password must be changed on next login (on, off)
  • -ia: account inactivity alert time period (in days)
  • -ici: log new login events from same user (on, off)
  • -id: account inactivity disable time period (in days)
  • -lf: maximum login failures (0 to 100)
  • -lp: lockout period after maximum login failures (in minutes, 2880 maximum)
  • -mls: maximum simultaneous user sessions
  • -pc: password change on first access (on, off)
  • -pe: password expiration time period (in days, 365 maximum)
  • -pi: minimum password change interval (in hours)
  • -rc: password reuse cycle (0 to 5)
  • -wt: web inactivity session timeout (in minutes, none, or based on length of user session)
accseccfg
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set account security defaults to legacy level Sets CMM account security to a predefined legacy set of default values. Legacy default values:
  • -alt (authentication logging timeout): retains set value
  • -am (user authentication method): retains set value
  • -cp (complex password): off
  • -ct (CLI inactivity session timeout): retains set value
  • -dc (minimum number of different password characters): 0
  • -de (default account password change at next login): off
  • -ia (account inactivity alert time period): 0
  • -ici (log new login events from same user): retains set value
  • -id (account inactivity disable time): 0
  • -lf (maximum login failures): 20
  • -lp (lockout period after maximum login failures): 2
  • -mls (maximum simultaneous user sessions): retains set value
  • -pc (password change on first access): off
  • -pe (password expiration time): 0
  • -pi (minimum password change interval): 0
  • -rc (password reuse cycle): 0
  • -wt (web inactivity session timeout): retains set value
Note:
  • Modifying any default values after setting the -legacy or -secure option changes the user account security setting indication to custom.
  • Accounts cannot be set to -legacy if the CMM chassis security level is set to secure by the security command.
  • The user who is running the accseccfg -legacy command must have a password assigned.
  • The -legacy option must be run alone and not in conjunction with any other accseccfg command options.
accseccfg -legacy
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set account security defaults to high level Sets CMM account security to a predefined high set of default values. High default values are:
  • -alt (authentication logging timeout): retains set value
  • -am (user authentication method): retains set value
  • -cp (complex password): on
  • -ct (CLI inactivity session timeout): retains set value
  • -dc (minimum number of different password characters): 2
  • -de (default account password change at next login): on
  • -ia (account inactivity alert time period): 120
  • -ici (log new login events from same user): retains set value
  • -id (account inactivity disable time): 180
  • -lf (maximum login failures): 20
  • -lp (lockout period after maximum login failures): 60
  • -pc (password change on first access): on
  • -pe (password expiration time): 90
  • -pi (minimum password change interval): 24
  • -rc (password reuse cycle): 5
  • -wt (web inactivity session timeout): retains set value
Note:
  • Modifying any default values after setting the -legacy or -secure option changes the user account security setting indication to custom.
  • The user who is running the accseccfg -high command must have a password assigned.
  • The -high option must be run alone and not in conjunction with any other accseccfg command options.
accseccfg -high
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set authentication logging timeout Sets a custom value for the amount of time that the CMM will not log repeated authentication events (login or logout) by the same user.
Note: When managing the Lenovo Flex System chassis with a program that uses the Common Information Model (CIM) interface, such as the optional Lenovo XClarity Administrator, if the accseccfg -alt value is not set to none, the CIM interface uses a minimum authentication logging timeout of 3600 seconds whenever the accseccfg -alt value is set to less than 3600 seconds. Other CMM functions use the configured accseccfg -alt value.
accseccfg -alt timeout

where timeout is 0, 5, 30, 60, 300, 600, 1800, 3600, 43200, or 86400 seconds. If a value of none is entered, the initial and any repeated authentication events will never be logged.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set user authentication method Sets a custom value for CMM user authentication method.
Important: If the authentication method is set to ldap (ldap only), you might not be able to log in to the CMM if the LDAP server is unreachable or if login credentials are not correctly configured.
accseccfg -am method
where method is
  • local
  • ldap
  • localldap
  • ldaplocal
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Enable / disable complex password Enables or disables the complex password for CMM user authentication.
Note:
  • -cp must be on to set the CMM chassis security level to secure with the security command.
  • -cp must be on to configure the -dc (minimum number of password character types) command option. Setting -cp to off will set -dc to 0.
  • The user that is running the accseccfg -cp command must have a password assigned.
accseccfg -cp state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set CLI inactivity timeout Sets the custom value for CMM CLI inactivity session timeout.
accseccfg -ct timeout

where timeout is from 0 to 4,294,967,295 seconds, inclusive.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set minimum number of different characters for password Sets custom value for the minimum number of different characters to be used in a CMM password.
Note:
  • The minimum number of different characters applies only when complex passwords are enabled (-cp on). Setting -cp to off will set -dc to 0.
  • The -rc command option must be non-zero to configure the minimum number of password character types. Setting -rc to zero will set -dc to 0.
  • If a -dc value is not set when setting -rc command option to a non-zero value, -dc will be set to a default value of 2.
accseccfg -dc number

where number is from 0 to 15, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Enable / disable default administration password expiration Enables or disables the default administration password expiration for the CMM. If enabled, the manufacturing default 'USERID' account password must be changed at the next login.
Note: -de must be on to set the CMM chassis security level to secure with the security command.
accseccfg -de state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set account inactivity alert time Sets custom value for CMM account inactivity alert time.
Note: The accseccfg -ia value must be less than the accseccfg -id value.
accseccfg -ia time

where time is from 0 to 365 days, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set state for logging of login events from same IP address Enables or disables logging of new login events from the same user from the same IP address.
Note:
  • This value applies only if the value set by the -alt command option is set to something other than 0 or none.
  • When managing the Lenovo Flex System chassis with a program that uses the Common Information Model (CIM) interface, such as the optional Lenovo XClarity Administrator, login event logging is treated as disabled by the CIM interface, regardless of the accseccfg -ici setting. Other CMM functions use the configured accseccfg -ici value.
accseccfg -ici state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set account inactivity disable time Sets the custom value for CMM account inactivity disable time.
Note: The accseccfg -id value must be greater than the accseccfg -ia value.
accseccfg -id time

where time is from 0 to 365 days, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set maximum number of login failures Sets the custom value for the maximum number of login failures before the CMM locks out a user.
accseccfg -lf number

where number is from 0 to 100, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set lockout period Sets the custom value for CMM account lockout period, used when the maximum number of login failures is exceeded.
accseccfg -lp time

where time is from 0 to 2880 minutes, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set maximum LDAP sessions for user Sets the custom value for the maximum number of simultaneous login sessions allowed for a single LDAP user.
accseccfg -mls max_sessions

where max_sessions is from 0 to 20, inclusive.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Enable / disable password change at first login Enables or disables the mandatory password change at first CMM login.

When on, new users must change their password the first time they log in. If a user password is changed by a system administrator, this user must change their password the next time they log in.

Note:
  • accseccfg -pc is set to on automatically when accseccfg is set to -high.
  • accseccfg -pc must be on to set the CMM chassis security level to secure with the security command.
accseccfg -pc state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set password expiration time Sets custom value for the CMM password expiration time.
accseccfg -pe time

where time is from 0 to 365 days, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set password minimum change interval Sets custom value for the minimum amount of time between CMM password changes.
Note: If the minimum password change interval is greater than 0, it must be less than password expiration period.
accseccfg -pi time

where time is from 0 to 1440 hours, inclusive, and less than password expiration period when that period is greater than 0.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set password reuse cycle Sets custom value for the CMM password reuse cycle. This setting determines how many times a password must be changed before being reused.
Note:
  • -rc must be non-zero to configure the -dc (minimum number of password character types) command option. Setting -rc to zero will set -dc to 0.
  • If a -dc value is not set when setting -rc command option to a non-zero value, -dc will be set to a default value of 2.
accseccfg -rc number_reuses

where number_reuses is from 0 to 5, inclusive.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.
Set web interface inactivity timeout Sets custom value for CMM web interface inactivity session timeout.
accseccfg -wt timeout

where timeout is 1, 5, 10, 15, or 20 minutes, none (no timeout), or user (user picks timeout each time they log in to the web interface).

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
Primary CMM:
  • mm[p]
  • mm[P]
  • mm[x]
  • where x is the primary CMM bay number.

Example:

To set CMM account security to use the legacy level defaults, while the Lenovo Flex System chassis is set as the persistent command environment, at the system> prompt, type
accseccfg -legacy -T mm[p]
To display the account security settings for the CMM, while the Lenovo Flex System chassis is set as the persistent command environment, at the system> prompt, type
accseccfg -T mm[p]
To disable the authentication logging timeout for the CMM, while the Lenovo Flex System chassis is set as the persistent command environment, at the system> prompt, type
accseccfg -alt none -T mm[p]

The following example shows the information that is returned from these commands:

system> accseccfg -legacy -T mm[p]
OK
system> accseccfg -T mm[p]
-legacy
-alt 300
-am local
-cp off
-ct 0
-dc 0
-de off
-ia 0
-ici off
-id 0
-lf 20
-lp 2
-mls 0
-pc off
-pe 0
-pi 0
-rc 0
-wt user
system> accseccfg -alt none -T mm[p]
OK
system>
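
The following Python script is an added example, not part of the Lenovo documentation. It parses the display output shown above and reports where the settings differ from the -high defaults listed in the table, plus the two conditions this page calls out (-alt none and -am ldap). The function names are hypothetical, and the single-token line is assumed to carry the security level, as it does in the page's example.

```python
"""Audit `accseccfg` display output against the documented -high defaults."""

# Values the table lists for `accseccfg -high`. Options the table marks as
# retaining their set value, or does not list for -high, are left out.
HIGH_DEFAULTS = {
    "-cp": "on", "-dc": "2", "-de": "on", "-ia": "120", "-id": "180", "-lf": "20",
    "-lp": "60", "-pc": "on", "-pe": "90", "-pi": "24", "-rc": "5",
}

# The page's own example output, returned after `accseccfg -legacy`.
SAMPLE_OUTPUT = "\n".join((
    "system> accseccfg -T mm[p]", "-legacy", "-alt 300", "-am local", "-cp off",
    "-ct 0", "-dc 0", "-de off", "-ia 0", "-ici off", "-id 0", "-lf 20", "-lp 2",
    "-mls 0", "-pc off", "-pe 0", "-pi 0", "-rc 0", "-wt user", "system>",
))


def parse_accseccfg(text):
    """Return (level, settings) from the text printed by `accseccfg`."""
    level, settings = None, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("-"):
            continue  # prompt lines, "OK", blank lines
        if len(parts) == 1:
            level = parts[0].lstrip("-")  # assumption: lone token is the level
        else:
            settings[parts[0]] = parts[1]
    return level, settings


def audit(text):
    """Return (level, findings) where findings are human-readable strings."""
    level, s = parse_accseccfg(text)
    findings = [
        f"{opt} is {s.get(opt, 'missing')}, -high uses {want}"
        for opt, want in HIGH_DEFAULTS.items()
        if s.get(opt) != want
    ]
    # Per the -alt row: with none, authentication events are never logged.
    if s.get("-alt") == "none":
        findings.append("-alt none: authentication events are never logged")
    # Per the -am row: ldap only can block login if the LDAP server is unreachable.
    if s.get("-am") == "ldap":
        findings.append("-am ldap: login may fail if the LDAP server is unreachable")
    return level, findings


if __name__ == "__main__":
    level, findings = audit(SAMPLE_OUTPUT)
    print(f"security level: {level}")
    for item in findings:
        print(" *", item)
```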