Configure Security Settings

Within the IBM Aspera Faspex on Demand Web UI, go to Server > Configuration > Security to view and/or modify your server's security settings for Faspex user accounts, self registration, external senders and encryption.

Faspex Accounts



Configuration Option Description
Session timeout Sessions will time out after the specified number of minutes of inactivity.
Lock users Lock the user account when login attempts fail under the specified circumstance or after a specified number of days of inactivity.
Remove users Remove users after a specified number of days of inactivity.
Prevent concurrent login (checkbox) If enabled, users can only be logged in from one client at a time.
Use strong passwords (checkbox) If enabled, requires newly created passwords to contain at least one letter, one number and one symbol. Note that existing passwords will remain valid. Administrators may also change the strong password criteria by editing the faspex.yml file, which is located in the following directory:
/opt/aspera/faspex/config/faspex.yml

Inside faspex.yml, paste the following (where StrongPasswordRegex is the password criteria as a regular expression and StrongPasswordRequirements is the description that appears to the user underneath the field):

StrongPasswordRegex: (?=.*[A-Z])(?=.*(\d|\W|_)).{7,} 
StrongPasswordRequirements: "Password must meet this criteria..." 

For more information on faspex.yml, refer to Appendix: Configuring Faspex with faspex.yml

Require new users to change password on first login If this feature is enabled, new users must enter a new password when they first log in.
Allow locked out users to unlock themselves If this feature is enabled, locked out users can select the Forgot my password button to have a password reset email sent to them. Using the link, they can reset their email and log in.
Keep user directory private (Yes/No)

When set to Yes, prevents a Faspex user (even if they have permissions to send to all Aspera Faspex users) from being able to see the entire user directory. You can override this setting on a user-by-user basis by editing their permissions.

Important: When the privacy setting is turned on (set to Yes), users who have been assigned the role of Workgroup Admin can still view the entire list of Aspera Faspex users via the Workgroup Members page.

Registrations



Configuration Option Description
Self registration Determines if non-users can create or request user accounts. Choose between none (not allowed), moderated (an administrator must approve the account before it is created), and unmoderated (once a user registers, his or her account will be automatically created). If you allow self-registration, the moderated setting is recommended for security.
Warning: If self-registration is enabled, then it could be utilized to find out whether a certain account exists on the server. That is, if you attempt to self-register a duplicate account, then you will receive a prompt stating that the user already exists.

After a user self-registers (either moderated or unmoderated), his or her account will inherit the permissions of the configured template user and will automatically become members of designated workgroup(s). To configure the template user, go to Accounts > Pending Registrations > template user. To set the workgroups that newly created users will join, click the workgroups link. Although self-registered users are not allowed to send packages to other self-registered users, by default, you can modify this setting by marking the Self-registered users can send to one another checkbox.

Important: To prevent a self-registered account from having the same email address as a full Faspex user, Administrators can add a special option to faspex.yml. You will find faspex.yml in the following directory:
/opt/aspera/faspex/config/faspex.yml

Inside faspex.yml, within the "Production:" section, paste the following option and set it to true:

EnforceSelfRegisteredUserEmailUniqueness: true
Terms of service (Optional) If text is set, then users will be required to accept the statement in order to create an account.
Notify the following emails to approve This field appears when moderated is selected, above. Input one or more email addresses to notify for moderation. Note that these email addresses are not validated against existing Faspex administrators and/or managers.
Self-registered users can send to one another When checked, self-registered users will be allowed to send packages to other self-registered users.
Important: If users are allowed to self-register, then they will see a Request an account link on the login page. After a user clicks this link and completes the form, then you (as the administrator) will be prompted under Accounts > Pending Registrations > Actions to Approve or Deny his or her account.

Outside email addresses



Configuration Option Description
Allow inviting external senders (checkbox) When enabled, external senders (those who do not have Faspex accounts) can be invited to send a package. An Administrator can enable/disable this feature for specific users from the Accounts > [Username] page, while still retaining the server-wide setting of enabled or disabled. Please refer to Create a New Faspex User for details on this user setting.
Allow public URL

A Public URL can be used by external senders to submit packages to both registered Faspex users and dropboxes. The benefit of using a Public URL is in the time-savings, such that external senders no longer need to be individually invited to submit a package (although that functionality still exists). When a Public URL is enabled and posted to a an email, instant message, website, etc., the following workflow occurs:

  1. The external sender clicks the Public URL (which could be for either a dropbox or a registered Aspera Faspex user).
  2. The sender is directed to page where he or she is asked to enter and submit an email address.
  3. A private link is automatically emailed to the sender.
  4. The sender clicks the private link and is automatically redirected to a dropbox or Aspera Faspex user package submission page.
  5. Once the package is submitted through the private link, the dropbox or Faspex user receives it.

Thus, when the field Allow public URL is enabled (e.g. set to Allow), the Public URL feature is turned on for all Faspex dropboxes and registered users. If the Allow dropboxes to individually enable/disable their own public URLs checkbox is enabled as well, then individual dropboxes can override the server setting and turn off this feature. Individual Aspera Faspex users, on the other hand, can override the Public URL server setting for their own accounts by going to Preferences > Misc > Enable public URL and disabling the checkbox.

Important: An Administrator can enable/disable the Public URL feature for specific users from the Accounts > [Username] page, while still retaining the server-wide setting of enabled or disabled. Please refer to Create a New Faspex User for details on this user setting.
Allow sending to external email addresses (checkbox) Faspex packages can be sent to people who do not have Faspex accounts. When set to Allow, all Aspera Faspex users will be able to send to external email addresses, by default. When set to Deny, you must enable this behavior within each individual user account (by checking the option for Sending to external email in their account settings). Please refer to Creating a New Faspex User for details on this user setting.
Package link expires (checkbox and text field) When enabled, the package link will expire after the specified number of days.
Expire after full package download (checkbox) If this checkbox is enabled, the package link will expire after one (1) download (which applies when the link is forwarded, as well). After the first download, the file(s) must be re-sent in a new package, via Faspex, for the recipient to be able to download them again.
Important: You must click the Update button to apply and save your changes.