This topic covers settings available within the Compliance module. Both the Compliance and ComplianceActivities modules should be enabled on your server and in any projects where you require these features.

• Manage Account Expiration
• Manage Inactive Accounts
• Audit Process Failures
• Limit Login Attempts
• Limit Third-Party Identity Service Providers
• Manage Session Invalidation Behavior
• Allow Project Locking
• Enable Project Review Workflow

Manage Account Expiration

You can configure user accounts to expire after a set date. Expiration dates can be set for individual accounts. To set up expiration dates, first add one or more users, then follow these instructions:

• Go to (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• On the Accounts tab, under Manage Account Expiration, select Allow accounts to expire after a set date.
• Click Save.

• You can now set expiration dates for user accounts.
• Click the link (circled above) to go to the Site Users table. (Or go to (Admin) > Site > Site Users.)
• Above the grid of current users, note the Show Temporary Accounts link. This will filter the table to those accounts which are set to expire at some date.
• Click the Display Name for a user account you want to set or change an expiration date for.
• On the account details page click Edit.
• Enter an Expiration Date, using the date format Year-Month-Day. For example, to indicate Feb 16, 2019, enter "2019-02-16".

• Click Submit.
• Click Show Users, then Show Temporary Accounts and you will see the updated account with the assigned expiration date.

Manage Inactive Accounts

Inactive accounts can be automatically disabled (i.e., login is blocked) after a set number of days. To set the number of days after which accounts are disabled, follow the instructions below:

• Select (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• On the Accounts tab, under Manage Inactive Accounts, select Disable inactive accounts after X days.
• Use the dropdown to select when the accounts are disabled. Options include: 1 day, 30 days, 60 days, or 90 days.

Audit Process Failures

These settings allow you to send a notification email to administrators if any audit processing fails (for example, if there are any software errors, audit capturing bugs, or if audit storage capacity has been reached). If any of the events that should be stored in LabKey’s Audit Log aren’t processed properly, administrators are informed of the error in order to escalate, fix, or otherwise take action on the issue.

You can also control which administrators are informed: either the primary administrator or all site administrators.

• Select (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• Click the Audit tab.
• Under Audit Process Failures, select Response to audit processing failures.
• Select the audience as: Primary Site Admin or All Site Admins (the default).
• Click Save.
• To control the content of the email, click the link email customization, and edit the notification template named "Audit Processing Failure". For details see Email Template Customization.

Limit Login Attempts

You can decrease the likelihood of an automated, malicious login by limiting the allowable number of login attempts. These settings let you disable logins for a user account after a specified number of attempts have been made. (Site administrators are exempt from this limitation on login attempts.)

To see those users with disabled logins, go to the Audit log, and select User events from the dropdown.

• Go to (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• Click the Login tab.
• In the section Unsuccessful Logins Attempts, place a checkmark next to Enable login attempts controls.
• Also specify:
• the number attempts that are allowed
• the time period (in seconds) during which the above number of attempts will trigger the disabling action
• the amount of time (in minutes) login will be disabled
• Click Save.

Third-Party Identity Service Providers

To restrict the identity service providers to only FICAM-approved providers, follow the instructions below. When the restriction is turned on, non-FICAM authentication providers will be greyed out in the Authentication panel.

Manage Session Invalidation Behavior

When a user is authenticated to access information, but then the session becomes invalid, whether through timeout, logout in another window, account expiration, or server unavailability, obscuring the information that the user was viewing will prevent unauthorized exposure to any unauthorized person. To configure:

• Go to (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• Click the Session tab.
• Select one of:
• Show "Reload Page" modal but keep background visible (Default).
• Show "Reload Page" modal and blur background.

• Click Save.

With background blurring enabled, a user whose session has expired will see a popup for reloading the page, with a message about why the session ended. The background will no longer show any protected information in the browser.

Allow Project Locking

Project locking lets administrators make projects inaccessible to non-administrators, such as after research is complete and papers have been published.

• Go to (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• Click the Project Locking & Review tab.
• Check the Allow Project Locking box.

Two lists of projects are shown. On the left are projects eligible for locking. On the right are projects that are excluded from locking and review, including the "home" and "Shared" projects. To move a project from one list to the other, click to select it, then click the or button.

• Click Save when finished.

Lock Projects

Once enabled, administrators can control locking and unlocking on the (Admin) > Folder > Permissions page of eligible projects. Click the Project Locking & Review tab. Click Lock This Project to lock it. This locking is immediate; you need not click Save after locking.

When a project is locked, administrators will see a banner message informing them of the lock. Non-administrators will see an error page reading "You are not allowed to access this folder; it is locked, making it inaccessible to everyone except administrators."

To unlock a project, return to the (Admin) > Folder > Permissions > Project Locking & Review tab. Click Unlock This Project.

Project Review Workflow

To support compliance with standards regarding review of users' access rights, a project permissions review workflow can be enabled, enforcing that project managers periodically review the permission settings on their projects at defined intervals. Project review is available when project locking is also enabled; if a project manager fails to review and approve the permissions of a project on the expected schedule, that project will "expire", meaning it will be locked until the review has been completed.

• Go to (Admin) > Site > Admin Console.
• Under Premium Features, click Compliance Settings.
• Click the Project Locking & Review tab.
• Check the Allow Project Locking box.
• Check the Enable Project Review Workflow box and customize the parameters as necessary.

• Within the interface you can customize several variables:
• Project Expiration Interval: Set to one of 3, 6, 9, or 12 months. Projects excluded from locking do not expire.
• Begin Warning Emails: Set to the number of days before project expiration to start sending email notifications to those assigned the site-role "Project Review Email Recipient". The default is 30 days. Negative values and values greater than the "Project Expiration Interval X 30" will be ignored. Zero is allowed for testing purposes.
• Warning Email Frequency: Set to a positive number of days between repeat email notifications to reviewers. The default is 7 days. Negative values, and values greater than the "Begin Warning Emails" value will be ignored.
• Customize if needed, the text that will be shown in the project review section just above the Reset Expiration Date button: "By clicking the button below, you assert that you have reviewed all permission assignments in this project and attest that they are correct."
• Click Save when finished.

Optionally, click to Customize the project review workflow email template if needed. The default is titled "Review project ^folderName^ before ^expirationDate^" and reads "The ^folderName^ project on the ^organizationName^ ^siteShortName^ website will expire in ^daysUntilExpiration^ days, on ^expirationDate^.<br> Visit the "Project Locking & Review" tab on the project's permissions page at ^permissionsURL^ to review this project and reset its expiration date."

Once enabled, you can access project review on the same (Admin) > Folder > Permissions > Project Locking & Review tab in the eligible folders. Project review email notifications include a direct link to the permissions page.

Project Review Email Recipient Role

Project administrators tasked with reviewing permissions and attesting to their correctness should be assigned the site role "Project Review Email Recipient" to receive notifications. This role can be assigned by a site administrator.

• Select (Admin) > Site > Site Permissions.
• Under Project Review Email Recipient, select the project admin(s) who should receive notification emails when projects need review.

Complete Project Review

When an authorized user is ready to review a project's permissions, they open the (Admin) > Folder > Permissions page for the project.

The reviewer should very carefully review the permissions, groups, and roles assigned in the project and all subfolders. Once they are satisfied that everything is correct, they click the Project Locking & Review tab in the project, read the attestation, then click Reset Expiration Date to confirm.

Note that if the project is locked, whether manually, or automatically as part of expiration, the administrator will see the same attestation and need to review the permissions prior to clicking Unlock This Project.

Related Topics

• Compliance
• Authentication