Path to function: Preferences > Organisation
So that you don't have to change the same setting every time you create an account, you can change some of the defaults on the accounts preferences page.
Many of the options are about account activation and will apply only if you are creating accounts through the interface (custom self registration can use different settings):
All the values are whole numbers and any fractions will be rounded down.
Some agreements you have with publishers or federations may require you to trace a login back to a user for a period of time after it has happened. This cannot be done if the account has been deleted so you may need to set the automatic deletion period to be long enough to allow for any agreements of this type.
The domain administrator may have set a preference to delete non-activated accounts after a number of days. You should bear this in mind when changing the activation code expiry preference.
Permissive mode (default) means that the system will pass attributes to any federated resource that a user tries to access. In normal operation the resource would then decide whether or not to let the user in based on the attributes that had been passed.
Restrictive mode means that the system will block access attempts to federated resources that are not specified in permission sets. Its intended use is in situations where a resource is not operating according to standards - e.g. they have decided that it is up to you to not send them any response for users that should not have access.
This setting will also have an impact on statistics. A statistic is logged whenever attributes are passed to a resource and restrictive mode will stop those attributes being passed to unspecified resources. In permissive mode, statistics give you a record of all the things your users want to access; in restrictive mode, statistics give you a record only of the things that they should be able to access. Both have their benefits.
This setting only applies to federated resources - other resources such as proxy (if you use them) will always operate as if in restrictive mode.
If enabled for your organisation, these allow access to bypass OpenAthens authentication for specified locations.