Preferences > Account
So that you don't have to change the same setting every time you create an account, you can change some of the defaults on the accounts preferences page.
PLACEHOLDER - UPDATE SCREENSHOT WITH PERMISSIVE / RESTRICTIVE MODE
Many of the options are about account activation and will apply if you are creating accounts through the interface (bespoke self registration can use different settings):
All the values are whole numbers and any fractions will be rounded down.
If you manually set an account's expiry date further in the past than the automatic deletion point, it will be deleted within a day. This is fine if it is a deliberate act, but accidentally setting the expiry date as last year instead of next year will also cause the account to be automatically deleted.
Some agreements you have with publishers or federations may require you to trace a login back to a user for a period of time after it has happened. This cannot be done if the account has been deleted so you may need to set the automatic deletion period to allow for any agreements of this type.
Permissive mode (default) means that a user can attempt access to any federated resource whether or not you have a subscription and a statistic will be logged for it even though they will probably not gain access. Keep using this mode if collecting those statistics is useful to you.
Restrictive mode (recommended) means that the system will block access attempts to federated resources that are not specified in permission sets. Switch to this mode once you have set up your permission sets with the resources you subscribe to. Statistics are only recorded for resources that you specify. This mode is very useful if any of your subscriptions are with providers who expect you to only pass them eligible users.
This setting only applies to federated resources - proxy resources and legacy resources (if you use any) will always operate in restrictive mode.