Configuring Security Settings
Go to Server > Configuration > Security to view or modify your server's security settings for Faspex user accounts, self-registration, external senders, and encryption.
Faspex Accounts
Configuration Option | Description |
---|---|
Session timeout | Sessions time out after the specified number of minutes of inactivity. |
Lock users | Lock a user account based on the number of failed login attempts in a given number of minutes, or based on account inactivity. By default, Faspex locks an account after the user fails to log in five times in a row within five minutes. The maximum failed login attempts and the rolling period for failed attempts must be positive numbers between 0 and 99. You can also select After number days of inactivity to lock accounts based on inactivity. An administrator must reactivate a locked account before the user can use the account again. For more information, see Reactivating an Inactive Account. |
Remove users | Remove users after the specified number of days of inactivity. Local, directory service, and SAML users can be configured separately. |
Prevent concurrent login | If enabled, users can only be logged in from one client at a time. |
Passwords expire | When activating global password expiration, all users with default password policies are updated with a password expiration date specified by the password expiration interval. Admins can override this global policy in a user's account settings. See Configure User Settings. Note: When changing the password expiration interval, changes to the password expiration date do not occur until the next password change for each user if password expiration is already active. |
Prevent password reuse | Prevent users from reusing passwords. Enter the number of previous passwords users cannot reuse. |
Use strong passwords | If enabled, requires newly created passwords to contain at least one letter, one number and one symbol. Existing passwords remain valid. You can change the strong password criteria by editing the faspex.yml file, which is located in the following directory: /opt/aspera/faspex/config/faspex.yml. For more information on faspex.yml, see faspex.yml Configurations Reference. |
Require new users to change password on first login | New users must enter a new password when they first log in. |
Allow locked out users to unlock themselves | Locked out users can select the Forgot my password button to have a password reset email sent to them. Using the link, they can reset their email and log in. |
Keep user directory private | When set to Yes, prevents a Faspex user (even if they have permissions to send to all Faspex users) from being able to see the entire user directory. You can override this setting on a user-by-user basis by editing their permissions. Important: When the privacy setting is turned on (set to Yes), users who have been assigned the role of Workgroup Admin can still view the entire list of Faspex users via the Workgroup Members page. |
Allow users to create normal packages | If this feature is disabled, users cannot access the New Packages site and can only create dropbox packages (only if they are a member of a dropbox). This option can also be set for individual users by going to Accounts > Users, clicking the username, and selecting an option for Can create normal packages. |
Users can see global distribution lists by default | Select to give all users access to the global distribution lists. If this option is disabled, admins must configure a user's settings to grant access to global distribution lists. |
Ignore invalid recipients | Prevent a package from failing to send even when addressed to invalid recipients. Faspex skips any invalid user and delivers the package to all valid recipients in the list. |
Allow users to change their email address | Enable users to change their own email addresses in their account preferences (see Updating Email and Connect Settings). If this feature is disabled, only admins can change a user's email address. |
Send welcome email to all new users | Faspex sends a welcome email to all users. The welcome email includes a link to download Aspera products, a password reset link, and a link to log in to Faspex. Note: The password reset link expires after one week. |
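To see how the Lock users defaults (five failures in a row within five minutes) behave on real login patterns, the following added example models the documented policy over a constructed event list. It is not Faspex code: the event tuples, the function names, and the choice to count a failure exactly five minutes old as still inside the period are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Defaults from the Lock users row: five consecutive failures within five minutes.
MAX_FAILED_ATTEMPTS = 5
ROLLING_PERIOD = timedelta(minutes=5)
BASE = datetime(2024, 1, 10, 9, 0, 0)  # constructed start time


def _fails(user, start_min, count, gap_sec):
    """Build `count` constructed failed logins, `gap_sec` seconds apart."""
    return [(BASE + timedelta(minutes=start_min, seconds=i * gap_sec), user, "fail")
            for i in range(count)]


# Constructed sample events (time, user, outcome); not a real Faspex log format.
SAMPLE_EVENTS = (
    _fails("alice", 0, 5, 30)                        # five failures in two minutes
    + _fails("bob", 0, 4, 30)                        # four failures ...
    + [(BASE + timedelta(minutes=3), "bob", "ok")]   # ... a success resets the streak
    + _fails("bob", 4, 4, 30)                        # four more failures
    + _fails("carol", 0, 5, 120)                     # five failures, two minutes apart
)


def locked_accounts(events, max_attempts=MAX_FAILED_ATTEMPTS, period=ROLLING_PERIOD):
    """Return {user: time of lock} for accounts the modelled policy would lock."""
    failures = defaultdict(deque)
    locked = {}
    for when, user, outcome in sorted(events):
        if user in locked:
            continue  # stays locked until an administrator reactivates it
        recent = failures[user]
        if outcome == "ok":
            recent.clear()  # a successful login ends the "in a row" streak
            continue
        recent.append(when)
        while when - recent[0] > period:
            recent.popleft()  # this failure has left the rolling period
        if len(recent) >= max_attempts:
            locked[user] = when
    return locked


def needs_review(events, locked, threshold=MAX_FAILED_ATTEMPTS):
    """Users with many failures overall that the lock policy did not catch."""
    totals = Counter(user for _, user, outcome in events if outcome == "fail")
    return sorted(u for u, n in totals.items() if n >= threshold and u not in locked)
```

Accounts returned by needs_review accumulated failures without tripping the lock, so they are candidates for alerting outside the lockout setting itself.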
Registrations
Configuration Option | Description |
---|---|
Self-registration | Choose whether non-users can create or request user accounts. Warning: If self-registration is enabled, then it could be utilized to find out whether a certain account exists on the server. That is, if you attempt to self-register a duplicate account, you receive a prompt stating that the user already exists. After a user self-registers (either moderated or unmoderated), his or her account inherits the permissions of the configured template user and automatically becomes a member of designated workgroups. To configure the template user, go to Accounts > Pending Registrations and select the user. To set the workgroups that newly created users join, click the workgroups link. Although self-registered users are, by default, not allowed to send packages to other self-registered users, you can modify this setting by selecting Self-registered users can send to one another. Important: To prevent a self-registered account from having the same email address as a full Faspex user, admins can add a special option to faspex.yml. You can find faspex.yml in the following directory: Inside faspex.yml, within the "Production:" section, paste the following option and set it to "true": |
Terms of service | Enter a statement that users are required to accept in order to self register an account. If you do not enter a statement, users are not required to accept terms of service to create an account. |
Notify the following emails to approve | This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation. Note: These email addresses are not validated against existing Faspex admins or managers. |
Require external users to register | Force external users to register a Faspex account to download packages sent to them. External users register with the same process as self-registered users. For more information about requesting accounts, see Requesting an Account. Note: You must first allow users to send packages to external email addresses by selecting Allow sending to external email addresses. For more information, see the description for the option below. Important: If you are using the external flag in Faspex, do not use the Require external users to register option. Only one option is permitted at a time. |
Use default registration policy for external users | Use the same registration policy you chose for self-registration for external users registering accounts. Note: This option appears when you select Require external users to register. You must choose a registration policy for self-registration to select this option. |
Registration policy for external users | If you do not use the default registration policy, choose either Moderated or Unmoderated. |
Terms of service for external users | Enter a statement that external users are required to accept in order to create an account. If you do not enter a statement, users are not required to accept terms of service to create an account. |
Notify the following emails to approve external users | This field appears when you choose the Moderated registration policy. Enter one or more email addresses to notify for moderation. Note: These email addresses are not validated against existing Faspex admins or managers. |
Self-registered users can send to one another | Select to allow self-registered users to send packages to other self-registered users. Note: Self-registered users must have permission to send to all Faspex users. If a self-registered user does not have permission to send to all Faspex users, the Self-registered users can send to one another option has no effect. For more information on giving a user permission to send to all Faspex users, see Configure User Settings. |
Outside email addresses
Configuration Option | Description |
---|---|
Allow inviting external senders | When Allow inviting external senders is selected, external senders (those who do not have Faspex accounts) can be invited to send a package to a user. For more information on external senders, see Allowing Users to Send to External Email Addresses. Important: An admin can enable or disable this feature for specific users while still retaining the server-wide setting of enabled or disabled. Go to Accounts and select the user to enable or disable this feature. For more information on this setting, see Configure User Settings. |
Invitation link expires | Select to set a global policy for invitation link expiration times for personal and dropbox invitations. You can set a time in days, expire the link after one successful upload, allow users to set a custom link expiration policy, or a combination. For example, you can select both a time in days and allow users to set a custom policy. If the default policy is to expire links after 5 days, then users can set links to expire after less than 5 days but not longer than 5 days. Clear this option to never let invitation links expire. |
Allow public URL | Allow a user to send a Public URL to users without Faspex accounts. These external users can submit packages to registered Faspex users through this public URL. For more information about Public URLs, see Configuring Public URLs. Select Allow public submission URLs to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny. Tip: An admin can enable or disable this feature for specific users while still retaining the server setting. |
Allow sending to external email addresses | Select Allow sending to external email addresses to enable all Faspex users to send packages to external email addresses. This feature is enabled by default. Select Allow sending to external email addresses to globally enable the feature and allow admins to configure this feature on a user-by-user basis. Set the server default to Allow or Deny. Tip: An admin can enable or disable this feature for specific users while still retaining the server setting. |
Package link expires | This field appears when you select Allow sending to external email addresses. When enabled, the package link expires after the specified number of days. |
Expire after full package download | This field appears when you select Allow sending to external email addresses. If this checkbox is enabled, the package link expires after one download. This is also applicable when the link is forwarded. After the first download, the files must be re-sent in a new package through Faspex for the recipient to be able to download them again. |
Encryption
Configuration Options | Description |
---|---|
Encrypt transfers | Select to encrypt all transfers with the AES-128 encryption method. HTTP fallback transfers are also encrypted. |
Use encryption-at-rest | Encryption-at-Rest (EAR) requires users, on upload, to enter a password to encrypt the files on the server. Package recipients are required to enter the encryption password to decrypt protected files as they are being downloaded. If a user chooses to keep downloaded files encrypted, they are not required to enter a password until they attempt to decrypt the files locally. Encryption-at-Rest is supported by the IBM Aspera Connect Note: This EAR setting only applies to transfers initiated through Faspex. Transfers initiated using ascp from the command line or the High Speed Transfer Server GUI are handled by the configured aspera.conf file. Transfers initiated by High Speed Transfer Server version 3.7.4 and above are encrypted with AES-128 by default. For more information on encrypting ascp transfers, see the IBM Aspera High-Speed Transfer Server Admin Guide. |
Allow dropboxes to have their own encryption settings | Select to allow admins to adjust Encryption-at-Rest settings for each dropbox. For more information on creating and configuring dropboxes, see Creating a Dropbox. |