Local Authentication
The Local Authentication screen is where your organisation decides how users log in to DPMS using a username and password, whether every login must be verified with a second factor, and exactly what rules govern the strength and lifetime of those passwords. IT administrators and Data Protection Officers come here when setting up DPMS for the first time, tightening security after an audit, or preparing a migration to single sign-on. Because a single setting on this screen — enforcing two-factor authentication — affects every user's next login across the entire platform, it is one of the most consequential configuration screens in DPMS.
How to open it
In the left-hand sidebar, click IT Settings. Expand the Identity and Access Management section, then select Local Authentication. The direct URL is /it/settings/iam/local.
You need the IT Settings – IAM permission to access this screen. If your account does not have that permission, DPMS shows a standard "access denied" page instead of the Local Authentication content, and the sidebar item may not be visible to you at all.
What you see
When you land on Local Authentication, the top of the page shows a breadcrumb trail reading IT Settings → Identity and Access Management → Local Authentication. The first two segments are clickable links; the last segment is highlighted in blue to show your current location. Flanking the "Identity and Access Management" label are two small arrow buttons — a left chevron and a right chevron — that let you step between IAM sub-sections (such as SAML or OAuth) without returning to a parent menu. This is useful when you need to review several IAM configurations in quick succession.
Below the breadcrumb sits the main content card. The card title reads Local Authentication and there is an Edit button in the upper-right corner. The rest of the card is a read-only list of labelled rows showing your current policy. Boolean settings (such as whether uppercase characters are required) appear as either a green dot with the word Activated or the plain word Deactivated. Numeric settings (such as minimum password length) appear as a number followed by a unit — for example, "8 Characters" or "30 Minutes".
The rows are logically grouped: the first two cover login method and 2FA enforcement; a "Password Requirements" heading introduces the remaining rows, which list each password complexity rule, the minimum and maximum length, and the reset timer.
Working with this screen
Enabling local login and enforcing two-factor authentication for the first time
Imagine you are an IT admin at a company that has just started using DPMS. You want users to be able to log in with a username and password while SSO is being set up, but you also want the extra security of two-factor authentication from day one.
- On the read-only view, you will see both Local Users and Enforce Two-Factor Authentication showing Deactivated. Click Edit to open the settings form.
- On the edit form, click the Local Login toggle. It turns blue and shows Activated — this enables password-based login for all users.
- Click the Enforce Two-Factor Authentication toggle. It also turns blue. Note: this toggle is only interactive when you are logged in as an administrator of the root (default) company. If your organisation uses sub-companies or workspaces, the toggle will appear greyed out and you must make this change from the parent organisation's IT Settings.
- Leave the password requirements at their defaults for now and click Save.
DPMS immediately applies the change. From this point forward, every user who logs in will be prompted for a one-time code from their authenticator app in addition to their password. Users who are already logged in will see this requirement on their next login — not immediately.
Tightening the password policy to meet a new audit requirement
After an internal security audit, your compliance team requires all passwords to be at least ten characters long and to include an uppercase letter, a digit, and one of a specific set of special characters (!@#$). The maximum length should be 40 characters.
- On the read-only view, check the current values in the Password Requirements rows. Then click Edit.
- In the password requirements section, click the Uppercase toggle to turn it on, then the Minimum one digit toggle.
- Click the Special Characters toggle. As soon as you activate it, a text input field appears directly below. Type your allowed characters — in this case !@#$. If you accidentally type a character twice (for example !!), DPMS automatically removes the duplicate so only one instance is kept.
- Scroll to the Minimum Length field. Change the value from its current setting to 10. Change Maximum Length to 40.
- Click Save. DPMS sends the update to the server, which checks that the minimum is not greater than the maximum. If the values are valid, a success notification appears and the read-only view updates to reflect all five changes.
From this point on, any user who sets or changes a password in DPMS — regardless of which screen they use — must satisfy all of these rules.
Heads up: The form does not warn you in the browser if your minimum length is higher than your maximum length. If you enter, for example, minimum 20 and maximum 10, the server will reject the save and show an error message. Always double-check that minimum ≤ maximum before clicking Save.
Shortening the password reset link expiry window
Your DPO has reviewed your security policy and decided that 60-minute password reset links are too long. The new policy requires them to expire after 15 minutes.
- Click Edit on the Local Authentication card.
- Scroll to the Reset Timer field at the bottom of the password requirements section. The current value is 60.
- Clear the field and type 15. Values between 5 and 60 minutes are accepted; 15 falls comfortably within that range.
- Click Save.
The read-only view now shows "15 Minutes" in the Reset Timer row. Any password reset emails sent from this point on will contain a link that expires after 15 minutes. This change affects all local-account users across the entire platform — there is no other place in DPMS to configure this.
Disabling local login after migrating to SSO
Your organisation has fully migrated to a SAML identity provider and no longer wants any user to be able to log in with a username and password.
- Confirm that your SAML or OAuth configuration in the adjacent IAM sub-sections is fully working and tested. You can use the left/right chevron arrows in the breadcrumb to navigate to those screens without leaving the IAM section.
- Return to Local Authentication and click Edit.
- Click the Local Login toggle to turn it off. The toggle turns grey.
- Click Save.
From this moment, the DPMS login page will not accept local credentials for any user. Anyone who tries to log in with a username and password will be unable to do so and must use the SSO flow.
Heads up: DPMS does not show a warning if you disable Local Users while no federated identity provider is configured. If you turn this off without a working SAML or OAuth provider in place, all users — including you — will be locked out of the platform. Always verify your SSO configuration before saving this change.
Field reference
Local Login — Controls whether users can sign in using a username and password stored in DPMS. Turn this off only when an alternative identity provider (SAML or OAuth) is fully configured and tested.
Enforce Two-Factor Authentication — When activated, every user must complete a one-time code step on every login. Only editable from the root/default company's IT Settings. Changes take effect on the user's next login, not immediately.
Uppercase — Requires at least one uppercase letter (A–Z) in every password. Off by default.
Lowercase — Requires at least one lowercase letter (a–z) in every password. Off by default.
Minimum one digit — Requires at least one numeric character (0–9) in every password. Off by default.
Special Characters — Requires at least one special character in every password. When you activate this toggle, a text input appears where you must enter the set of permitted special characters (for example !@#$%^&*). The field accepts between 1 and 255 characters and automatically removes duplicates as you type. Required when the toggle is on — you cannot save with the toggle on and the field empty. If you have never customised this field, DPMS fills it with a built-in default set of common special characters.
Minimum Length — The shortest password DPMS will accept, in characters. Must be between 4 and 50. Cross-validation against the maximum is performed server-side, not in the browser. The platform default is 8 characters if no value has been saved.
Maximum Length — The longest password DPMS will accept, in characters. Must be between 5 and 50. The platform default is a sensible upper bound if no value has been saved.
Reset Timer — How many minutes a password reset link remains valid after it is sent by email. Must be between 5 and 60. The platform default is typically 30 minutes. Lowering this value reduces the window during which a stolen reset link could be exploited.
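The limits in this field reference can be checked before a change is saved, including the two conditions the screen does not warn about (minimum greater than maximum, and turning off local login without a tested identity provider). The following is an added example, not DPMS code: the class, field and function names are hypothetical, and the 50-character maximum default is an assumption because the page does not state one.

```python
from dataclasses import dataclass

@dataclass
class LocalAuthPolicy:
    # Hypothetical field names mirroring the labels in the field reference.
    local_login: bool = True
    uppercase: bool = False
    lowercase: bool = False
    digit: bool = False
    special: bool = False
    special_chars: str = ""
    min_length: int = 8
    max_length: int = 50  # assumed default; the page gives no number
    reset_timer: int = 30

def dedupe(chars: str) -> str:
    """Keep the first instance of each character ('!!@#' -> '!@#')."""
    return "".join(dict.fromkeys(chars))

def validate_policy(p: LocalAuthPolicy, sso_tested: bool) -> list[str]:
    """Return every problem found with a proposed policy."""
    errors = []
    if not 4 <= p.min_length <= 50:
        errors.append("Minimum Length must be between 4 and 50")
    if not 5 <= p.max_length <= 50:
        errors.append("Maximum Length must be between 5 and 50")
    if p.min_length > p.max_length:
        errors.append("Minimum Length exceeds Maximum Length")
    if not 5 <= p.reset_timer <= 60:
        errors.append("Reset Timer must be between 5 and 60 minutes")
    if p.special and not 1 <= len(dedupe(p.special_chars)) <= 255:
        errors.append("Special Characters needs 1 to 255 permitted characters")
    if not p.local_login and not sso_tested:
        errors.append("Local Login off without a tested SAML/OAuth provider: lockout")
    return errors

def password_violations(pw: str, p: LocalAuthPolicy) -> list[str]:
    """List the rules a candidate password fails. Assumes the special-character
    rule means 'at least one character from the permitted set'."""
    allowed = set(dedupe(p.special_chars))
    checks = [
        (len(pw) >= p.min_length, "too short"),
        (len(pw) <= p.max_length, "too long"),
        (not p.uppercase or any("A" <= c <= "Z" for c in pw), "no uppercase letter"),
        (not p.lowercase or any("a" <= c <= "z" for c in pw), "no lowercase letter"),
        (not p.digit or any("0" <= c <= "9" for c in pw), "no digit"),
        (not p.special or any(c in allowed for c in pw), "no permitted special character"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running `validate_policy` on a planned change with `sso_tested=False` gives an offline review of the same conditions the server or the login page would otherwise surface only after saving.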
How this connects to the rest of DPMS
Local Authentication is one of several sub-sections within the Identity and Access Management area of IT Settings. The IAM section as a whole defines your organisation's authentication strategy. SAML and OAuth configuration screens sit alongside Local Authentication, and you can step between them using the breadcrumb chevron arrows on this screen.
The two-factor authentication setting you configure here is applied platform-wide the moment you save. Every part of DPMS that decides whether to prompt users for a second factor reads from this same configuration. Similarly, all password complexity rules defined here are enforced whenever any local user sets or changes their password — whether through their profile settings, an administrator action, or any other screen in DPMS.
After finishing here, consider reviewing the adjacent SAML and OAuth screens if your organisation uses federated identity, to ensure your overall authentication strategy is complete and consistent. If you have just enabled 2FA for the first time, it is worth communicating the change to your users so they know to set up an authenticator app before their next login.
Tips & common pitfalls
Heads up: Disabling Local Users without a tested SAML or OAuth provider will lock every user — including you — out of DPMS. There is no on-screen warning. Always verify your SSO is working before turning local login off.
Tip: The Enforce Two-Factor Authentication toggle is greyed out and non-interactive in sub-company or workspace accounts. It can only be changed from the root organisation's IT Settings. If you cannot interact with this toggle, contact the administrator of the parent organisation.
- The Special Characters field is required when the toggle is on. If you activate the toggle but leave the text input empty and click Save, the form will not submit. Either enter at least one permitted character or switch the toggle back off.
- Duplicate characters are silently removed from the special characters input. If you paste a string that contains repeated characters (for example !!@#), DPMS keeps only one instance of each. The stored value will be !@#. This is intentional but can be surprising.
- The browser does not warn you if minimum length is greater than maximum length. You can type minimum 30 and maximum 10 and click Save without any immediate error. The server will catch it and return a validation message, but you will not see a warning before the round-trip.
- 2FA takes effect on the next login, not immediately. Users who are already logged in when you enable enforcement will not be interrupted. They will see the 2FA prompt the next time they log in.
- There is no unsaved-changes warning. If you click the back arrow or navigate away from the edit form without saving, all your changes are silently discarded. Click Save before leaving.