Make account lockout settings configurable by a user admin
### Problem to solve

A potential customer recently requested a feature that would enable them to configure their own account lockout settings. Our current default for gitlab.com (as defined [here](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/8_devise.rb)) is set for 10 failed attempts with automatic unlock in 10 minutes. In order to change these values, the customer would have to compile from source, and the change could be overwritten by a routine upgrade. I propose that we make these account lockout settings easily configurable by customers.

### Target audience

Chief Information Security Officer or Director of Security - Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst

### Further details

By making these account lockout settings configurable, we enable our customers to align GitLab to their own internal security policies and help them better achieve their security and compliance needs.

### Proposal

We can hopefully move the `config.maximum_attempts = 10` and `config.unlock_in = 10.minutes` variables out of the https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/8_devise.rb file and into a file that contains other customer-defined variables specific to their organization.

### Permissions and Security

These new customer-configurable settings would need to be restricted to authenticated administrators.

### Documentation

### What does success look like, and how can we measure that?

An admin installing GitLab CE would be able to change the account lockout settings to match their internal security requirements.

### Links / references

Customer: https://gitlab.my.salesforce.com/0016100000W44Pc?srPos=0&srKp=001
issue
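
A sketch of the proposal above, added here as an example and not GitLab's code: lockout values are read from an admin-owned settings hash, validated, and fall back to the defaults quoted in the issue. The `LockoutSettings` module, the key names and the bounds are assumptions.

```ruby
# Added example. LockoutSettings, the key names and LIMITS are hypothetical.
module LockoutSettings
  # Defaults quoted in the issue: 10 failed attempts, unlock after 10 minutes.
  DEFAULTS = { "maximum_attempts" => 10, "unlock_in_minutes" => 10 }.freeze
  # Assumed sanity bounds so a typo cannot effectively disable lockout.
  LIMITS = { "maximum_attempts" => 1..100, "unlock_in_minutes" => 1..1440 }.freeze

  Resolved = Struct.new(:maximum_attempts, :unlock_in_seconds, :warnings)

  # admin_config: hash parsed from the admin-only settings file (may be nil).
  def self.resolve(admin_config)
    warnings = []
    raw = admin_config.is_a?(Hash) ? admin_config.transform_keys(&:to_s) : {}
    values = DEFAULTS.each_with_object({}) do |(key, default), out|
      out[key] = coerce(key, raw[key], default, warnings)
    end
    unknown = raw.keys - DEFAULTS.keys
    warnings << "ignored unknown keys: #{unknown.join(', ')}" unless unknown.empty?
    Resolved.new(values["maximum_attempts"], values["unlock_in_minutes"] * 60, warnings)
  end

  # Accept only whole numbers inside the bounds; anything else keeps the
  # default and records a warning instead of weakening the policy silently.
  def self.coerce(key, value, default, warnings)
    return default if value.nil?
    number = value.is_a?(Integer) ? value : Integer(value.to_s, 10, exception: false)
    return number if number && LIMITS[key].cover?(number)
    warnings << "#{key}=#{value.inspect} rejected, using default #{default}"
    default
  end
end

# How the Devise initializer could consume it (sketch, needs Rails/Devise):
#   settings = LockoutSettings.resolve(admin_config)
#   config.maximum_attempts = settings.maximum_attempts
#   config.unlock_in        = settings.unlock_in_seconds.seconds

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one valid override, one out-of-range value.
  result = LockoutSettings.resolve({ "maximum_attempts" => "5", "unlock_in_minutes" => 0 })
  puts "attempts=#{result.maximum_attempts} unlock_in=#{result.unlock_in_seconds}s"
  result.warnings.each { |w| puts "warning: #{w}" }
end
```
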