cfengine · aleksandrychev · Sep 5, 2024 · Sep 5, 2024 · nickanderson · Sep 6, 2024
diff --git a/api/enterprise-api-ref/status-settings.markdown b/api/enterprise-api-ref/status-settings.markdown
@@ -88,29 +88,23 @@ API call allowed only for administrator.
   },
   "data": [
     {
-      "hostIdentifier": "default.sys.fqhost",
-      "rbacEnabled": true,
-      "logLevel": "error",
-      "ldapEnabled": true,
-      "blueHostHorizon": 900,
-      "sameHostsNumberOfRuns": 3
+       "blueHostHorizon": 2400,
+       "enforce2FA": false,
+       "hostIdentifier": "default.sys.fqhost",
+       "hostsCollisionsThreshold": 3,
+       "logLevel": "error",
+       "minPasswordLength": 8,
+       "passwordComplexity": 3,
+       "passwordExpirationAfterResetHours": 48,
+       "rbacEnabled": true
     }
   ]
 }
 ```
 
 **Output**:
 
-* **rbacEnabled** *(boolean)*
-    Whether RBAC is applied to requests.
-* **hostIdentifier** *(string)*
-    The identfying string for hosts, such as name or IP.
-* **ldapEnabled** *(boolean)*
-    Whether external authentication is activated.
-* **logLevel** *("emergency", "alert", "critical", "error", "warning", "notice", "info", "debug")*
-    Syslog filter specifying the severity level at which messages produced by the API should be emitted to syslog and apache.log. (default: error).
-* **sameHostsNumberOfRuns** *(integer)*
-    Number of samples used to identify a duplicate identity. Default value is 3.
+See [Update settings][Status and settings REST API#Update settings] field section for output descriptions
 
 
 **Example usage:** `Example: Viewing settings`
@@ -138,7 +132,21 @@ administrator.
     Threshold in minutes that hosts are unreachable before they are considered a health issue.
 * **sameHostsNumberOfRuns** *(integer)*
     Number of samples used to identify a duplicate identity. Default value is 3.
-
+* **enforce2FA** *(boolean)*
+    Determines if two-factor authentication (2FA) is mandatory for all users.
+    If set to `true`, users must enable 2FA; otherwise, they will be locked out within 48 hours after the first login.
+    Default value: `false`
+* **minPasswordLength** *(integer)*
+    Sets the minimum required length for user passwords.
+    The value represents the number of characters.
+    Default value: `8`
+* **passwordComplexity** *(integer)*
+    Defines the level of password complexity required.
+    The range is from 0 to 4, where zero turns of the password complexity check and four turns on the maximum level.
+    Default value: `3`
+* **passwordExpirationAfterResetHours** *(integer)*
+    Specifies the number of hours after which a password must expire following a reset.
+    Default value: `48`
 
 **Example Request Body:**
 
@@ -149,7 +157,11 @@ administrator.
   "logLevel": "error",
   "ldapEnabled": true,
   "blueHostHorizon": 900,
-  "sameHostsNumberOfRuns": 5
+  "sameHostsNumberOfRuns": 5,
+  "minPasswordLength": 12,
+  "passwordComplexity": 4,
+  "passwordExpirationAfterResetHours": 24,
+  "enforce2FA": true
 }
 ```
 

diff --git a/api/enterprise-api-ref/users-rbac.markdown b/api/enterprise-api-ref/users-rbac.markdown
@@ -367,3 +367,30 @@ API call allowed only for administrator.
 
 Remove role definition.
 API call allowed only for administrator.
+
+## Unlock user
+
+If a system enforces using two-factor authentication (2FA),
+users must configure it after their first login within 48 hours.
+This endpoint unlocks users who have been locked out due to this reason
+and grants an additional 48 hours to complete the 2FA setup.
+
+Note: to be able to perform this action related RBAC rule (alias `user.unlock`) should be enabled.
+
+**URI:** https://hub.cfengine.com/api/user/:username/unlock
+
+**Method:** POST
+
+**Example request (curl):**
+
+```console
+curl --user <username>:<password> \
+  -X POST \
+  https://hub.cfengine.com/api/user/tom/unlock
+```
+
+**Example response:**
+
+```
+HTTP 202 ACCEPTED
+```