The self-service troubleshooting feature allows Self-Service Console users to troubleshoot routine authentication problems when they cannot access protected resources using primary methods such as passwords or passcodes. The Self-Service Troubleshooting policy defines an alternative form of authentication, such as security questions, used to access the Troubleshooting feature. The policy also specifies the circumstances that lock a user out of the Troubleshooting feature.
You associate Self-Service Troubleshooting policies with security domains. The policy that you select for the security domain overrides the default policy.
In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. For instructions to make changes take effect sooner on the replica instance, see Flush the Cache.
In the Security Console, click Authentication > Policies > Self-Service Troubleshooting Policies > Add New.
In the Self-Service Troubleshooting Policy Name field, enter the policy name. Use a unique name, and do not exceed 128 characters.
(Optional) To designate the new policy as the default policy for the system, select Default Policy. When this option is selected, new security domains use this policy.
(Optional) Select the Authentication Method with which users authenticate if they cannot use their primary authentication method.
The Lock User Accounts field controls the number of unsuccessful authentication attempts a user is permitted to make to the Self-Service Troubleshooting feature. You can allow an unlimited number of unsuccessful attempts, or a specified number of unsuccessful attempts within a specified number of days, hours, minutes, or seconds. After the number has been reached, this policy locks the user's account out of the troubleshooting feature.
In the Unlock field, you can either require administrators to unlock accounts after users have exceeded the limit specified in the Lock User Accounts field, or you can allow the system to automatically unlock accounts after a specified number of days, hours, minutes, or seconds.
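To compare Lock User Accounts and Unlock settings before saving the policy, the following added example (not code from the product or its documentation) replays a constructed series of failed attempts against a simplified model of the policy. The model assumes a sliding time window, that only unsuccessful attempts are counted, and that an unlock clears the counter; the class, function, and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TroubleshootingLockout:
    """Simplified model of the Lock User Accounts / Unlock fields (assumption)."""
    max_failures: Optional[int]   # None = unlimited unsuccessful attempts
    window_s: int                 # period in which failures are counted
    auto_unlock_s: Optional[int]  # None = an administrator must unlock

def evaluate(policy, failure_times):
    """Replay failed-attempt timestamps (seconds, ascending).

    Returns (evaluated, rejected_while_locked, locked_after_last_attempt).
    'evaluated' is how many answers the feature actually checked, which is
    the number of guesses at the alternative authentication method.
    """
    recent, locked_at = [], None
    evaluated = rejected = 0
    for t in failure_times:
        if locked_at is not None:
            expired = (policy.auto_unlock_s is not None
                       and t - locked_at >= policy.auto_unlock_s)
            if not expired:
                rejected += 1          # locked out: attempt is not evaluated
                continue
            locked_at, recent = None, []   # automatic unlock clears the count
        evaluated += 1
        if policy.max_failures is None:
            continue                   # unlimited attempts: never locks
        # Keep only failures still inside the sliding window, then add this one.
        recent = [x for x in recent if t - x < policy.window_s] + [t]
        if len(recent) >= policy.max_failures:
            locked_at = t
    return evaluated, rejected, locked_at is not None

# Constructed input: one failed attempt every 60 seconds for 24 hours.
ATTEMPTS = list(range(0, 24 * 3600, 60))

UNLIMITED = TroubleshootingLockout(None, 3600, None)
ADMIN_UNLOCK = TroubleshootingLockout(3, 3600, None)   # 3 failures per hour
AUTO_UNLOCK = TroubleshootingLockout(3, 3600, 900)     # unlock after 15 minutes

if __name__ == "__main__":
    for name, p in [("unlimited", UNLIMITED), ("admin unlock", ADMIN_UNLOCK),
                    ("auto unlock 15 min", AUTO_UNLOCK)]:
        print(f"{name:20s} evaluated/rejected/locked = {evaluate(p, ATTEMPTS)}")
```

Under these assumptions, a short automatic unlock interval turns the lockout into a rate limit rather than a stop, so the unlock duration matters as much as the attempt count when the alternative method is security questions.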