Self-Service Troubleshooting Policy

The self-service troubleshooting feature allows Self-Service Console users to troubleshoot routine authentication problems when they cannot access protected resources using primary methods, such as passwords or passcodes.

The self-service troubleshooting policy defines an alternative form of authentication, such as security questions, used to access the Troubleshooting feature. The policy also specifies the circumstances that lock a user out of the Troubleshooting feature.

You must select one of the following methods to unlock users:

  • System automatically unlocks user accounts after a specified amount of time

  • Administrators unlock user accounts manually

You can manually unlock a user’s account at any time.

You assign these policies to security domains. The policy applies to all users assigned to the security domain.

Self-service troubleshooting policies assigned to upper-level security domains are not inherited by lower-level security domains. For example, if you assign a custom policy to the top-level security domain, all new security domains that you create below it in the hierarchy are still assigned the default self-service troubleshooting policy.

Self-service troubleshooting policies allow you to define secondary authentication methods. A secondary authentication method allows a user to access the Self-Service Console even if the primary authentication method is not working.

Note: Self-service troubleshooting policies only determine the lockout criteria for the self-service troubleshooting feature. To set lockout requirements for the Self-Service Console, Security Console, and resources protected by Authentication Manager, see Lockout Policy.

Self-service troubleshooting policies apply to all logon attempts regardless of how many different tokens a user uses to authenticate. For example, if a user has two unsuccessful attempts with a software token and one unsuccessful attempt with a hardware token, that counts as three unsuccessful attempts.

Add Self-Service Troubleshooting Policy

You associate Self-Service Troubleshooting policies with security domains. The policy that you select for the security domain overrides the default policy.

In a replicated deployment, changes to policies might not be immediately visible on the replica instance. This delay is due to the cache refresh interval. Changes should replicate within 10 minutes. For instructions to make changes take effect sooner on the replica instance, see Flush the Cache.


  1. In the Security Console, click Authentication > Policies > Self-Service Troubleshooting Policies > Add New.

  2. In the Self-Service Troubleshooting Policy Name field, enter the policy name. Use a unique name, and do not exceed 128 characters.

  3. (Optional) To designate the new policy as the default policy for the system, select Default Policy. When this option is selected, new security domains use this policy.

  4. (Optional) Select the Authentication Method with which users authenticate if they cannot use their primary authentication method.

  5. The Lock User Accounts field controls the number of unsuccessful authentication attempts a user is permitted to make to the Self-Service Troubleshooting feature. You can allow an unlimited number of unsuccessful attempts, or a specified number of unsuccessful attempts within a specified number of days, hours, minutes, or seconds. After the number has been reached, this policy locks the user's account out of the troubleshooting feature.

  6. In the Unlock field, you can either require administrators to unlock accounts after users have exceeded the limit specified in the Lock User Accounts field, or you can allow the system to automatically unlock accounts after a specified number of days, hours, minutes, or seconds.

  7. Click Save.

Manage a Self-Service Troubleshooting Policy

You can edit, view, or delete a self-service troubleshooting policy.


  1. In the Security Console, click Authentication > Policies > Self-Service Troubleshooting Policies > Manage Existing.
  2. Do the following:
    Edit a self-service troubleshooting policyYou can edit a self-service troubleshooting policy to change information such as the policy name, the default policy, the alternative authentication method, and the circumstances that locka user out from the troubleshooting feature.
    1. Click the policy that you want to edit, and select Edit.

    2. Make any necessary changes to the policy.

    3. Click Save.

      If you have not saved your changes, you can click Reset to restore the policy to its original state.

    Delete a self-service troubleshooting policyWhen you delete a self-service troubleshooting policy, the policy is removed from the deployment and can no longer be assigned. Each security domain must have a self-service troubleshooting policy. If you delete a self-service troubleshooting policy that is assigned to a security domain, the default self-service troubleshooting policy is automatically assigned to the security domain.

    Note: Before deleting the default self-service troubleshooting policy, you must first designate another policy as the default.

    1. Use the search fields to find the self-service troubleshooting policy that you want to delete.

    2. Click the policy that you want to delete, and select Delete.

    3. Click OK.

    Duplicate a self-service troubleshooting policy

    When you duplicate a self-service troubleshooting policy, you create a policy with information that is identical to the original. You can edit the policy to customize it. The new policy is not assigned to any security domain until you manually assign it.

    1. Click the policy that you want to duplicate, and select Duplicate.

    2. In the Self-Service Troubleshooting Policy Name field, enter a name for the new policy, and make any other necessary changes to the new policy.

    3. Click Save.