The admin can choose to expire user credentials after a configurable number of days. Once credentials have expired, all API calls will error out. Only API or user account is supported at this point to enable the user to change the password. If the user has configured an email address, Forgot Password workflow can also be followed to reset the password.
The administrator controls this feature through the Avi Load Balancer CLI or REST API. The setting for it is maintained within the UserAccountProfile object. By default, all the users in the system are attached to Default-User-Account-Profile, as shown in the following example. If required, the admin can create a new user account profile with different thresholds.
+-------------------------------+---------------------------------------------------------+ | Field | Value | +-------------------------------+---------------------------------------------------------+ | uuid | useraccountprofile-6753548e-7ac5-4601-939b-ad4394405db4 | | name | Default-User-Account-Profile | | max_password_history_count | 0 | | max_login_failure_count | 20 | | account_lock_timeout | 30 | | max_concurrent_sessions | 0 | | credentials_timeout_threshold | 0 | +-------------------------------+---------------------------------------------------------+ CLI commands to set credentials_timeout_threshold: [admin:10-10-24-52]: > configure useraccountprofile Default-User-Account-Profile Updating an existing object. Currently, the object is: [admin:10-10-24-52]: useraccountprofile> credentials_timeout_threshold 60 Overwriting the previously entered value for credentials_timeout_threshold [admin:10-10-24-52]: useraccountprofile> save +-------------------------------+---------------------------------------------------------+ | Field | Value | +-------------------------------+---------------------------------------------------------+ | uuid | useraccountprofile-6753548e-7ac5-4601-939b-ad4394405db4 | | name | Default-User-Account-Profile | | max_password_history_count | 0 | | max_login_failure_count | 20 | | account_lock_timeout | 30 | | max_concurrent_sessions | 0 | | credentials_timeout_threshold | 60 | +-------------------------------+---------------------------------------------------------+