Important security update: Secure by default

From P4 Server 2026.1, new server installations automatically use a secure by default configuration that aligns with Perforce security best practices.

When you upgrade to P4 Server 2026.1 or later, the following best practice settings are automatically applied:

Even if you do not upgrade to P4 Server 2026.1 or later, you should update your security configuration immediately to keep your assets secure and be prepared to upgrade to the latest P4 Server releases without issues. For administrators of publicly accessible or multi-server P4 instances, this should be a priority.

Configuration settings to apply

The following configuration settings can be safely applied without additional prerequisites.

Configurable            Default value   Purpose
dm.info.hide            1               Hides server information from unauthenticated users.
dm.user.hideinvalid     1               Hides invalid user error on authentication failure.
dm.user.noautocreate    2               Prevents automatic user creation.
dm.user.resetpassword   1               Forces new users to reset their password at first login.
run.users.authorize     1               Hides the user list from unauthenticated users.

Configuration settings to review and then apply

The following configuration settings require ensuring prerequisites are met before they are applied. Set the configurables in the order listed in the following table. Incorrect configuration may prevent users from logging in and may block communication between downstream servers and the main or commit server in either direction.

Before setting security=4, ensure at least one super user has a strong password set and uses a native Perforce authentication method.

P4 Server 2026.1 enforces authentication and removes all implicit behavior, so any automation or workflow that relies on unauthenticated access, auto-created users, or password-less logins will fail unless updated to use explicit users, passwords, and p4 login. To learn more, see the Perforce Knowledge Base article, P4D 26.1 “Secure By Default” – Impact on Scripted Automation.

If you are locked out of the server and need to recover access, see Recovering from a super user lockout.

Configurable               Default value   Purpose
dm.user.setinitialpasswd   0               Prevents users from creating their own passwords.
  Prerequisites:
  • At least one super user already has a strong password.
  • The super user uses P4-native authentication.

Always assign a strong initial password when creating users to prevent unauthorized access.

Risk of locking yourself out of the server

Setting dm.user.setinitialpasswd=0 without a valid password can permanently prevent the last super user from logging in, leaving you locked out of the server. See Recovering from a super user lockout.

Configurable               Default value   Purpose
server.rolechecks          1               Enforces server-to-server role validation.
  Prerequisites:
  • serverid is set and correct for each server (commit, replica, edge). To learn more, see Identify your server.
  • A matching p4 server spec exists for each server (commit, replica, edge). To learn more, see p4 server in P4 CLI Reference.
  • Authenticated service users must be used for all replica server and remote depot connections. If the server spec specifies a User: field, only that service user can connect. To learn more, see Service users.

Configurable               Default value   Purpose
security                   4               Enforces strong authentication and disables unauthenticated remote access.
  Prerequisites:
  • server.rolechecks is already set.
  • Users have a strong password set.
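
The following audit script is an added example, not part of the Perforce documentation: it compares `p4 configure show` output against the values in the two tables above and flags security=4 set without server.rolechecks=1. It assumes the output uses one `name=value (source)` line per configurable; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Target values from the two tables on this page, in the order listed.
EXPECTED="dm.info.hide=1 dm.user.hideinvalid=1 dm.user.noautocreate=2"
EXPECTED="$EXPECTED dm.user.resetpassword=1 run.users.authorize=1"
EXPECTED="$EXPECTED dm.user.setinitialpasswd=0 server.rolechecks=1 security=4"

# audit_config (hypothetical helper): reads "name=value (source)" lines on
# stdin and prints OK, DIFF or UNSET for each configurable, then an ORDER
# line if security=4 is set while server.rolechecks is not 1.
audit_config() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            order[i] = kv[1]; want[kv[1]] = kv[2]
        }
    }
    {
        line = $0
        sub(/[ \t]+\(.*\)[ \t]*$/, "", line)   # drop trailing " (source)"
        eq = index(line, "=")                  # split on the first "="
        if (eq > 0) have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in have)) printf "UNSET %s want=%s\n", k, want[k]
            else if (have[k] != want[k])
                printf "DIFF %s have=%s want=%s\n", k, have[k], want[k]
            else printf "OK %s=%s\n", k, have[k]
        }
        if (("security" in have) && have["security"] == "4" &&
            !(("server.rolechecks" in have) && have["server.rolechecks"] == "1"))
            print "ORDER security=4 is set but server.rolechecks is not 1"
    }'
}

# Constructed sample output, not captured from a real server.
sample_output() {
cat <<'EOF'
P4ROOT=/p4/root (-r)
dm.user.noautocreate=2 (configure)
dm.user.resetpassword=1 (configure)
run.users.authorize=0 (configure)
security=4 (configure)
EOF
}

sample_output | audit_config
```

On a live server, pipe `p4 configure show` (run as a super user) into `audit_config` instead of the sample. UNSET means only that the configurable does not appear in the output.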

Additional considerations

  • For environments using remote depots or replicas, ensure every server has a defined server spec and uses authenticated service users.

  • The security level changes in P4 Server 2026.1 do not impact existing LDAP authentication environments. LDAP authentication already enforces security level 3, requiring all users using a native Perforce authentication method to have strong passwords. The P4 Server 2026.1 security level update enforces security level 4, which requires authenticated service users for all replica and remote connections.

Security configuration review by Perforce Support

If you want Perforce P4 Support to review your server’s security configuration, include the output of the following commands in your support case. To run the commands, log in to your main P4 Server as a super user.

  • p4 -ztag info

  • p4 configure show

  • p4 configure show allservers

  • p4 protects

  • p4 protects -u remote

  • p4 servers -J

Support will review your current settings and provide recommendations based on your security configurations.
