Important security update: Secure by default

Beginning with P4 Server 2026.1, new server installations automatically use a secure by default configuration that aligns with Perforce security best practices.

When you upgrade to P4 2026.1 or later, the best practice settings described on this page are automatically applied. Configurables that you explicitly set after the initial installation are preserved, except for security=4.

Even if you do not upgrade to P4 2026.1 or later, you should update your security configuration immediately to keep your assets secure and be prepared to upgrade to the latest P4 releases without issues. For administrators of publicly accessible or multi-server P4 instances, this should be a priority.

Ensure at least one super user has a strong password set before setting the security level to 4.

Configuration settings to apply

The following configuration settings can be safely applied without additional prerequisites.

| Configurable | Recommended value | Purpose |
|---|---|---|
| dm.info.hide | 1 | Hides server information from unauthenticated users. |
| dm.user.hideinvalid | 1 | Hides invalid user error on authentication failure. |
| dm.user.noautocreate | 2 | Prevents automatic user creation. |
| dm.user.resetpassword | 1 | Forces new users to reset their password at first login. |
| run.users.authorize | 1 | Hides the user list from unauthenticated users. |

Configuration settings to review and then apply

The following configuration settings require ensuring prerequisites are met before they are applied. Set the configurables in the order listed in the following table. Incorrect configuration may prevent users from logging in and may block communication between downstream servers and the main or commit server in either direction.

Configurable Recommended value Purpose Prerequisites
dm.user.setinitialpasswd 0 Prevents users from creating their own passwords.
  • At least one super user already has a strong password.
  • The super user uses P4-native authentication.

Always assign a strong initial password when creating users to prevent unauthorized access.

Risk of locking yourself out of the server

Setting dm.user.setinitialpasswd=0 without a valid password can permanently prevent the last super user from logging in, leaving you locked out of the server.

server.rolechecks 1 Enforces server-to-server role validation.
  • serverid is set and correct for each server (commit, replica, edge). To learn more, see Identify your server.
  • A matching p4 server spec exists for each server (commit, replica, edge). To learn more, see p4 server in P4 CLI Reference.
  • Authenticated service users must be used for all replica server and remote depot connections. If the server spec specifies a User: field, only that service user can connect. To learn more, see Service users.
security 4 Enforces strong authentication and disables unauthenticated remote access.
  • server.rolechecks is already set.
  • Users have a strong password set.
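
The following audit script is an added example, not part of the Perforce documentation. It compares the output of p4 configure show with the recommended values in the two tables above and flags security=4 without server.rolechecks=1. The function names, the report wording, and the sample input are constructed for illustration, and the script assumes each input line has the form name=value (source).

```sh
#!/bin/sh
# Added example: compare `p4 configure show` output with the recommended values.
# Assumes one "name=value (source)" line per configurable on stdin.

# Recommended values from the two tables, in the order they should be set.
RECOMMENDED="dm.info.hide=1 dm.user.hideinvalid=1 dm.user.noautocreate=2"
RECOMMENDED="$RECOMMENDED dm.user.resetpassword=1 run.users.authorize=1"
RECOMMENDED="$RECOMMENDED dm.user.setinitialpasswd=0 server.rolechecks=1 security=4"

# audit_p4_config: reads configure output on stdin, prints one line per deviation.
# A configurable that is absent from the input is reported as "unset" because
# this script does not know the server's built-in defaults.
audit_p4_config() {
    awk -v rec="$RECOMMENDED" '
    BEGIN {
        n = split(rec, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            name[i] = kv[1]; want[kv[1]] = kv[2]
        }
    }
    {
        # Strip the trailing " (source)" annotation, then split at the first "=".
        line = $0
        sub(/[ \t]*\([^)]*\)[ \t]*$/, "", line)
        eq = index(line, "=")
        if (eq > 0) have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
        for (i = 1; i <= n; i++) {
            k = name[i]
            cur = (k in have) ? have[k] : "unset"
            if (cur != want[k]) printf "CHANGE %s: %s -> %s\n", k, cur, want[k]
        }
        # Prerequisite from the table: server.rolechecks comes before security=4.
        if (have["security"] == "4" && have["server.rolechecks"] != "1")
            print "ORDER security=4 is set but server.rolechecks is not 1"
    }'
}

# Constructed sample input, not output from a real server.
SAMPLE='P4PORT=ssl:1666 (-p)
security=4 (configure)
dm.user.noautocreate=2 (configure)
dm.info.hide=1 (configure)
run.users.authorize=0 (configure)'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_p4_config; }
```

On a live server, pipe the real output into the function instead of the sample: p4 configure show | audit_p4_config. Work through the CHANGE lines top to bottom, since they are printed in the order the tables say to apply them.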

Additional considerations

  • P4 Server versions earlier than 2013.2 do not support security=4. In this case, use security=3 and add a protection rule to disable the built-in remote user:
    list user remote * -//...

  • For environments using remote depots or replicas, ensure every server has a defined server spec and uses authenticated service users.

Security configuration review by Perforce Support

If you want Perforce P4 Support to review your server’s security configuration, include the output of the following commands in your support case. To run the commands, log in to your main P4 Server as a super user.

  • p4 -ztag info

  • p4 configure show

  • p4 configure show allservers

  • p4 protects

  • p4 protects -u remote

  • p4 servers -J

Support will review your current settings and provide recommendations based on your security configurations.
