Manage User Locking

User locking a feature you can configure at the tenant level for all users and at the employee level to override the tenant-level setting for certain users. When you enable the feature at either level, you specify the number of days of inactivity that triggers the user lock. If a user hasn't logged in to any CXone Mpowerapplication for the number of days you specify, their account becomes locked. User inactivity locking doesn't happen by default; you must enable that feature for your tenantClosed High-level organizational grouping used to manage technical support, billing, and global settings for your CXone Mpower environment. After you've enabled it, you can override the tenant settings at the user level. You can also make a user exempt from inactivity locking.

Tenant-level settings impact all users configured with an employee profile. Users who use an external link to access CXone Mpower applications like Agent are still authenticated and checked for activity.

Elizabeth Bennet is the primary administrator for the Classic, Inc. CXone Mpower tenant. She's been given a directive to improve tenant security by automatically locking any user accounts that have been inactive for 30 days. For extra security, she must decrease that inactivity threshold to 7 days for all user accounts with administrative powers. As a failsafe, her own account must be exempt from inactivity locks. To accomplish this, Elizabeth will: 

  • Turn on the user inactivity lock for the tenant and set the threshold to 30 days.
  • For each administrative user, she needs to modify the employee profile to enable the lock and set the threshold to 7 days.
  • For her own employee profile, she needs to enable the Never Lock user setting.

Since user-level settings override tenant-level settings, all user accounts will be locked after 30 days of activity, with the exception of administrative accounts, which lock after 7 days of activity. Elizabeth's account never locks due to inactivity.

Users who are locked out of their CXone Mpower account appear on the Locked Employees page. You can use this page to reactivate user accounts and reset passwords. User accounts become locked due to inactivity when the inactivity lock is enabled. Users require a password reset when their login attempts have failed.

Configure the User Inactivity Lock for Your Tenant

Required permissionsAdmin Account Settings Edit, Security Policy Configure

You can configure user accounts to lock after a certain number of days of inactivity. This functionality is turned off by default. Turning on this setting can prevent attackers from breaching your system. The following instructions describe how to manage the user inactivity lock setting for your tenantClosed High-level organizational grouping used to manage technical support, billing, and global settings for your CXone Mpower environment. You can override the tenant settings at the user level.

The user inactivity lock applies to employees using any authentication type, including SSO.

  1. Click the app selector icon of app selector and select Admin.
  2. Go to Tenant ConfigurationAccount Settings.

  3. Go to the Lock Users field. Turn it On to apply a user inactivity lock to all the users in your system. Turn it Off to disable the user inactivity lock.

    When you turn Lock Users Off, accounts that were locked while it was On remain locked.

  4. If you turned Lock Users On, set Inactive Days Before User Can Be Locked to the number of days a user account must be inactive before it locks. This is set to 90 days by default after you enable the inactivity lock, but you can specify any number of days from 7 to 90.

    When you decrease the Inactive Days Before a User Can Be Locked threshold, the setting applies retroactively. For example, if you change it from 30 days to 7 days, all employee profiles that have been inactive for at least seven days are immediately locked.

    If you increase the threshold, accounts that were locked at the lower threshold remain locked. For example, if you change the setting from 7 days to 10 days, an account that has been inactive for eight days and was already locked under the previous setting will remain locked.

  5. Click Save.

Configure the User Inactivity Lock for Employees

Required permissionsEmployees Edit or Create, Security Policy Configure

User inactivity lock settings override the tenantClosed High-level organizational grouping used to manage technical support, billing, and global settings for your CXone Mpower environment settings. Review the example in the overview of this page to learn more about how this works.

  1. Click the app selector icon of app selector and select Admin.

  2. Go to Employees.

  3. Scroll or search to find the employee profile you want to edit. Click the profile to open it.

  4. Open the Security tab.

  5. Adjust the user-level inactivity lock settings: 

    • To give the user an inactivity threshold that's different from the tenant setting, turn Lock User On and adjust Inactive Days Before a User Can Be Locked to the custom threshold you want this user to have.

    • To make the user exempt from inactivity locking, leave Lock User Off and select Never Lock User.

    Employee profiles that have the Lock User setting turned Off and the Never Lock User checkbox cleared are subject to the tenant-level settings.

    When you decrease the Inactive Days Before a User Can Be Locked threshold, the setting applies retroactively. For example, if you change it from 30 days to 7 days and the employee profile has been inactive for eight days, the account is immediately locked.

    If you increase the threshold and the account was already locked due to inactivity, it remains locked. For example, if you change the setting from 7 days to 10 days and the user account was already locked but has only been inactive for eight days, it remains locked.

    When you turn Lock Users Off when the user account is already locked, it remains locked.

  6. Click Save.

Unlock User Account

Required permissions: Unlock User On

When you unlock a user, they must log in within two days. Otherwise, their account locks again.

  1. Click the app selector icon of app selector and select Admin.
  2. Go to Security SettingsLocked Employees.
  3. From the table, locate the user you want to unlock. At the end of the user's row, click the Actions Icon of three dots stacked on top of each other icon and select Unlock User.

Unlock User Password

Required permissions: Unlock User On

  1. Click the app selector icon of app selector and select Admin.
  2. Go to Security SettingsLocked Employees.
  3. From the table, locate the user whose password you want to unlock. At the end of the user's row, click the Actions Icon of three dots stacked on top of each other icon and select Unlock Password.