Kanshin Docs / Security Policies

Security Policies

Security policies are the rules your organization sets for how sign-in behaves — how strong passwords must be and how sessions are treated. You manage them on the Policies page under Security.

Password policies

A password policy sets the requirements a user’s password must meet. You can require:

RequirementWhat it enforces
Minimum lengthPasswords must be at least this long
Character classesRequire uppercase, lowercase, digits, and/or special characters
HistoryPrevent reusing a number of previous passwords
ExpirationRequire a new password after a period
Lockout thresholdHow many failed attempts trigger a lock
MFA escalationRequire a second factor in defined situations

Session policies

A session policy governs how long people stay signed in and when they must re-authenticate:

SettingWhat it controls
Session lifetimeHow long a session lasts before it ends
Idle timeoutHow long an inactive session is kept before it ends
Maximum concurrent sessionsHow many sessions one person may have at once
Re-authentication for sensitive actionsRequire signing in again before certain actions

How policies apply

Policies are set on your organization, and can also be set on a specific realm. When both exist, the realm’s policy takes precedence over the organization’s, so you can hold your production realm to stricter rules than your test realm while keeping a sensible organization-wide default.

Set your policies once, and they define the sign-in expectations for everyone in scope — a single place to express your organization’s security posture.