{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "#PasswordPolicy", "description": "A password policy is a specific `Ruleset`. It is separately defined because of its pervasive usage across digital environments and the well known properties (such as length and complexity) unique to a password policy.", "type": "object", "allOf": [ { "$ref": "#Entity" }, { "properties": { "minLength": { "description": "Minimum password length", "type": "integer" }, "requireSymbols": { "description": "Indicates if a password must contain at least one symbol", "type": "boolean" }, "requireNumbers": { "description": "Indicates if a password must contain at least one number", "type": "boolean" }, "requireUppercase": { "description": "Indicates if a password must contain at least one uppercase character", "type": "boolean" }, "requireLowercase": { "description": "Indicates if a password must contain at least one lowercase character", "type": "boolean" }, "maxAgeDays": { "description": "Specifies how long (in days) a password remains valid before it expires (0 indicates no limit - passwords do not expire)", "type": "integer" }, "minAgeMins": { "description": "Specifies the minimum time interval (in minutes) between password changes (0 indicates no limit)", "type": "integer" }, "historyCount": { "description": "Specifies the number of previous passwords that users are prevented from reusing (0 indicates none)", "type": "integer" }, "preventReset": { "description": "Indicates if the user is allowed/prevented to change their own password", "type": "boolean" }, "expiryWarningDays": { "description": "Specifies the number of days prior to password expiration when a user will be warned to reset their password (0 indicates no warning)", "type": "integer" }, "hardExpiry": { "description": "Specifies whether users are prevented from setting a new password after their password has expired", "type": "boolean" }, "excludeUsername": { "description": "Indicates if the username must be excluded from the password", "type": "boolean" }, "excludeAttributes": { "description": "The user profile attributes whose values must be excluded from the password", "type": "array", "items": { "type": "string" } }, "excludeCommonPasswords": { "description": "Indicates whether to check passwords against a common/weak password dictionary", "type": "boolean" }, "lockoutAttempts": { "description": "Specifies the number of times users can attempt to log in to their accounts with an invalid password before their accounts are locked (0 indicates no limit)", "type": "integer" }, "autoUnlockMins": { "description": "Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked (0 indicates no limit)", "type": "integer" }, "requireMFA": { "description": "Specifies whether multi-factor authentication (MFA) is required", "type": "boolean" } }, "required": [] } ] }