Manage User Locking

NiCE CXone locks users out for two reasons:

  • Periods of inactivity: You can configure the number of days of inactivity. It can be anywhere between 7 and 90 days. The default is 90 days.
  • Failed login attempts: You can configure the number of allowed login attempts when you create the password policy in login authenticators.

You can unlock users in the Admin application when they are locked for either reason.

A user who was locked out because of too many failed login attempts may want to change their password. They can request a password reset from the login page by clicking the Forgot your password link. If they're able to log in, they can change their password from their profile page.

Inactivity Locking

You can configure locking for user inactivity at the system level for all users and at the employee level, which overrides the system-level setting for those users. You can also make a user exempt from inactivity locking.

You specify the number of days of inactivity that triggers the user lock. If a user hasn't logged in to any NiCE CXone application for the number of days you specify, their account becomes locked. Before you can configure employee-level user inactivity locking, you must enable it at the system level.

System-level settings impact all users configured with an employee profile. Users who use an external link to access NiCE CXone applications like Agent Workspace (Agent) are still authenticated and checked for activity.

Elizabeth Bennet is the primary administrator for the Classic, Inc. NiCE CXone tenant. She's been given a directive to improve tenant security by automatically locking any user accounts that have been inactive for 30 days. For extra security, she must decrease that inactivity threshold to 7 days for all user accounts with administrative powers. As a failsafe, her own account must be exempt from inactivity locks. To accomplish this, Elizabeth will: 

  • Turn on the user inactivity lock for the tenant and set the threshold to 30 days.
  • Modify the employee profile of each administrative user to enable the lock and set the threshold to 7 days.
  • Enable the Never Lock User setting on her own employee profile.

Since user-level settings override tenant-level settings, all user accounts will be locked after 30 days of inactivity, with the exception of administrative accounts, which lock after 7 days of inactivity. Elizabeth's account never locks due to inactivity.

Users who are locked out of their NiCE CXone account appear on the Locked Employees page. You can use this page to reactivate user accounts and reset passwords. User accounts become locked due to inactivity when the inactivity lock is enabled. Users require a password reset when their login attempts have failed.

Configure the User Inactivity Lock for Your System

Required permissions: Admin > Account Settings > Edit, Security Policy > Configure

You can configure user accounts to lock after a certain number of days of inactivity. This option is turned off by default. Turning on this setting can prevent attackers from breaching your system. The following instructions describe how to manage the user inactivity lock setting for your system. You can override the system-level settings at the employee level.

The user inactivity lock applies to employees using any authentication type, including SSO.

When you set Lock Users to Off, accounts that were locked while it was On remain locked.

  1. Click the app selector icon and select Admin.
  2. Go to Tenant Configuration > Account Settings.
  3. On the User Settings tab, click Lock Users to On to apply a user inactivity lock to all the users in your system. Turn it Off to disable the user inactivity lock.

  4. If you set Lock Users to On, set Inactive Days Before User Can Be Locked to the number of days a user account must be inactive before it locks. The default is 90 days after you enable the inactivity lock, but you can specify any number of days from 7 to 90.

    When you decrease the Inactive Days Before a User Can Be Locked threshold, the setting applies retroactively. For example, if you change it from 30 days to 7 days, all employee profiles that have been inactive for at least seven days are immediately locked.

    If you increase the threshold, accounts that were locked at the lower threshold remain locked. For example, if you change the setting from 7 days to 10 days, an account that has been inactive for eight days and was already locked under the previous setting will remain locked.

  5. Click Save.

Configure the User Inactivity Lock for Employees

Required permissions: Employees Edit or Create, Security Policy Configure

You can override the system-level inactivity lock setting for individual employees. Do so on the Security tab of an employee's profile settings. You can review the example in the overview of this page to learn more about how this works.

  1. Click the app selector icon and select Admin.

  2. Go to Employees.

  3. Scroll or search to find the employee profile you want to edit. Click the profile to open it.

  4. Open the Security tab.

  5. Adjust the user-level inactivity lock settings: 

    • To give the user an inactivity threshold that's different from the system setting, turn Lock User On and adjust Inactive Days Before a User Can Be Locked to the custom threshold you want this user to have.

    • To make the user exempt from inactivity locking, leave Lock User Off and select Never Lock User.

    Employee profiles that have the Lock User setting turned Off and the Never Lock User checkbox cleared are subject to the system-level settings.

    When you decrease the Inactive Days Before a User Can Be Locked threshold, the setting applies retroactively. For example, if you change it from 30 days to 7 days and the employee profile has been inactive for eight days, the account is immediately locked.

    If you increase the threshold and the account was already locked due to inactivity, it remains locked. For example, if you change the setting from 7 days to 10 days and the user account was already locked but has only been inactive for eight days, it remains locked.

    If you turn Lock Users Off while the user account is already locked, the account remains locked.

  6. Click Save.
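
The precedence and retroactivity rules from the two procedures above, modelled as an added example. This is not NiCE CXone code: the record layout, field names, and sample data are constructed, and treating a system-level Off as "no new locks for anyone" is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Employee:  # hypothetical record layout, not a CXone export format
    name: str
    last_login: date
    lock_user: bool = False              # employee-level Lock User toggle
    inactive_days: Optional[int] = None  # employee-level threshold
    never_lock: bool = False             # Never Lock User checkbox
    locked: bool = False                 # current lock state

def check_range(days):
    if not 7 <= days <= 90:
        raise ValueError(f"threshold {days} is outside the 7 to 90 day range")
    return days

def effective_threshold(emp, system_on, system_days):
    """Threshold in days that applies to emp, or None when no lock applies."""
    if not system_on:      # assumption: nothing is evaluated while the system lock is Off
        return None
    if emp.lock_user:      # employee-level setting overrides the system-level one
        return check_range(emp.inactive_days)
    if emp.never_lock:     # exempt from inactivity locking
        return None
    return check_range(system_days)

def apply_policy(employees, system_on, system_days, today):
    """Lock every account that meets its threshold; return the names newly locked."""
    newly_locked = []
    for emp in employees:
        limit = effective_threshold(emp, system_on, system_days)
        idle = (today - emp.last_login).days
        # A lock is only ever added here: raising the threshold or turning
        # the setting Off leaves already-locked accounts locked.
        if not emp.locked and limit is not None and idle >= limit:
            emp.locked = True
            newly_locked.append(emp.name)
    return newly_locked

def sample_staff():  # constructed records modelled on the Elizabeth Bennet example
    return [
        Employee("elizabeth", date(2024, 3, 1), never_lock=True),
        Employee("admin-jane", date(2024, 6, 22), lock_user=True, inactive_days=7),
        Employee("agent-tom", date(2024, 6, 10)),
        Employee("agent-ann", date(2024, 5, 20)),
    ]

TODAY = date(2024, 6, 30)  # constructed evaluation date
```

Running the same calculation over real last-login dates before lowering a threshold shows which accounts would lock the moment you click Save.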

Unlock User Account

Required permissions: Unlock User On

When you unlock a user, they must log in within two days. Otherwise, their account locks again.

  1. Click the app selector icon and select Admin.
  2. Go to Security Settings > Locked Employees.
  3. From the table, locate the user you want to unlock.
  4. At the end of the user's row, click the Actions icon (three stacked dots) and select Unlock User.

Unlock User Password

Required permissions: Unlock User On

  1. Click the app selector icon and select Admin.
  2. Go to Security Settings > Locked Employees.
  3. From the table, locate the user whose password you want to unlock. At the end of the user's row, click the Actions icon (three stacked dots) and select Unlock Password.