Configurables for security

The following configurables help enforce authentication, user management, and multi-server security in P4 Server.

This topic assumes the P4 Server is at version 2025.1 or later. If not, see Earlier documentation versions.

Immediately after you install P4 Server, ensure that the following configurables are set to match the Recommended column in the summary table below.

Risk of locking yourself out of the server

If your security level is greater than 0 and your organization has only one super user, do not set dm.user.setinitialpasswd to 0 until you have verified that this user has a valid password.

Setting dm.user.setinitialpasswd=0 without a valid password can permanently prevent the last super user from logging in, leaving you locked out of the server.

Set security configurables

To set the security configurables, use:

p4 configure set <name>=<value>

For example:

p4 configure set security=4

Summary of key security configurables

| Purpose | Configurable | Recommended | Default | Security impact |
| --- | --- | --- | --- | --- |
| Require ticket-based authentication and strengthen overall security. Enforces strong passwords, ticket-based auth, and validates multi-server identity. To learn more, see security. | security | 4 or higher | 0 | High |
| Restrict who can set initial passwords. Only super users with passwords can set initial passwords. To learn more, see dm.user.setinitialpasswd = 0. | dm.user.setinitialpasswd | 0 | 1 | High |
| Prevent automatic user creation. Only super users can create users explicitly. To learn more, see dm.user.noautocreate = 2. | dm.user.noautocreate | 2 | 0 | Medium |
| Force new users that have been created by a super user to reset their passwords. Existing users continue working normally and this setting has no effect on passwords, login, or authentication. This setting does not apply to LDAP/SSO users. | dm.user.resetpassword | 1 | 0 | Medium |
| Hide sensitive server info (p4 info) | dm.info.hide | 1 | 0 | Medium |
| Hide user details from unauthenticated users. | run.users.authorize | 1 | 0 | Medium |
| If authentication fails because of an incorrect username, hide the reason for the failure. | dm.user.hideinvalid | 1 | 0 | Medium |
| Hide information in key/value pairs used in scripts from non-admin users. | dm.keys.hide | 2 | 0 | Medium |
| Prevent a server from being used as a P4AUTH server without deliberate configuration. To learn more, see server.rolechecks = 1. | server.rolechecks | 1 | 0 | High |
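
One way to check a server against the summary table above, as an added example that is not part of the P4 documentation: a shell function that reads p4 configure show output on stdin and lists every configurable from the table that differs from its recommended value. The function name audit_p4_security is hypothetical, and the name=value (source) line format and the treatment of absent configurables as defaults are assumptions.

```shell
#!/bin/sh
# Added example: report drift from the recommended values in the table.
# Assumption: stdin holds lines of the form "name=value (source)", as
# printed by `p4 configure show`; a configurable that does not appear
# is treated as being at the default listed in the table.
# Usage: p4 configure show | audit_p4_security
audit_p4_security() {
    drift=$(awk '
    BEGIN {
        # "name recommended default" triples copied from the summary table
        s = "security 4 0 dm.user.setinitialpasswd 0 1 dm.user.noautocreate 2 0"
        s = s " dm.user.resetpassword 1 0 dm.info.hide 1 0 run.users.authorize 1 0"
        s = s " dm.user.hideinvalid 1 0 dm.keys.hide 2 0 server.rolechecks 1 0"
        n = split(s, t, " ")
        for (i = 1; i <= n; i += 3) { rec[t[i]] = t[i+1]; cur[t[i]] = t[i+2] }
    }
    {
        line = $0
        sub(/[ \t]*\(.*\)[ \t]*$/, "", line)    # drop the "(source)" suffix
        eq = index(line, "=")
        if (eq == 0) next
        name = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
        if (name in rec) cur[name] = val        # ignore unrelated settings
    }
    END {
        # The table asks for security "4 or higher"; the rest are exact.
        for (name in rec) {
            v = cur[name]
            if (v !~ /^[0-9]+$/) ok = 0
            else if (name == "security") ok = (v + 0 >= rec[name] + 0)
            else ok = (v + 0 == rec[name] + 0)
            if (!ok) printf "DRIFT %s=%s recommended=%s\n", name, v, rec[name]
        }
    }' | sort)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```

The function returns 0 when nothing has drifted and 1 otherwise, so it can gate a deployment check. It does not verify the lockout precondition for dm.user.setinitialpasswd, which still has to be confirmed by hand before that value is set to 0.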

security

Before setting

  • Ensure at least one super user has a strong password set.

  • Confirm users have a strong password set.

  • serverid is set and correct for each server (commit, replica, edge).

  • A matching p4 server spec exists for each server (commit, replica, edge).

    • If the server spec specifies a User: field, only that service user may connect.

Enforces

  • All users must have strong passwords.

  • Ticket-based authentication (p4 login) is required.

    • Password-based automation/scripts must switch to tickets.

Multi-server/replication enforcement

  • Only authenticated service users may connect.

  • Every replica must have a valid serverid.

  • Every replica must have a corresponding p4 server spec.

  • If the server spec specifies a User: field, only that service user may connect.

  • Requests are rejected if the replica identity cannot be validated.

For successful configuration at various levels, carefully consider the details in the Server behavior column at Server security levels.

dm.user.setinitialpasswd = 0

As stated above, do not set this to 0 if your security level is greater than 0 and your organization has only one super user. Setting dm.user.setinitialpasswd=0 without a valid password can permanently prevent the last super user from logging in, leaving you locked out of the server.

Before setting

  • Confirm at least one super user already has a valid strong password.

  • Confirm that the super user has Perforce-native authentication.

To help prevent unauthorized access to your system, always assign a strong initial password to any user that you create.

Enforces

  • Only super users with an existing password can set initial passwords.

  • Regular users cannot set initial passwords for themselves or others.

  • dm.user.setinitialpasswd only applies to Perforce‑native (authMethod=perforce) users. It does not control LDAP / SSO password sources.

dm.user.noautocreate = 2

Before setting

  • Confirm at least one super user already has a valid strong password.

Enforces

  • Automatic user creation is disabled.

  • Only a super user can create new users by running p4 user -f username.

  • Unknown users attempting to connect will be rejected.

Existing users continue working normally and this setting has no effect on passwords, login, or authentication.

server.rolechecks = 1

Before setting

  • Confirm serverid is set and correct for each server (commit, replica, edge).

  • Confirm a matching p4 server spec exists for each server (commit, replica, edge).

    • If the server spec specifies a User: field, only that service user may connect.

Enforces

  • Servers may only operate in the role defined in their server spec.

  • Prevents replicas or edges from performing unsupported operations.

  • Rejects servers with missing or incorrect server specs.

  • Fails fast on misconfiguration instead of allowing silent issues.

This applies primarily to replicas, edges, and multi‑server topologies. Correctly configured servers continue working unchanged.

Additional resources

For instructions about setting values for configurables, see the p4 configure command.

For a list of additional configurables that can affect security, see Categories > Security in the P4 CLI Reference.