{"id":249,"date":"2026-04-01T10:04:25","date_gmt":"2026-04-01T09:04:25","guid":{"rendered":"https:\/\/overlaps.co.uk\/docs\/?page_id=249"},"modified":"2026-04-01T10:20:16","modified_gmt":"2026-04-01T09:20:16","slug":"setting-rate-limits","status":"publish","type":"page","link":"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/configuration\/users-and-groups\/setting-rate-limits\/","title":{"rendered":"Setting Rate Limits"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"353\" src=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/04\/config-users-edit-rate-limit.png\" alt=\"The &quot;Edit User Rate Limits&quot; window\" class=\"wp-image-270\" srcset=\"https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/04\/config-users-edit-rate-limit.png 602w, https:\/\/overlaps.co.uk\/docs\/wp-content\/uploads\/2026\/04\/config-users-edit-rate-limit-300x176.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><figcaption class=\"wp-element-caption\">Edit User Rate Limits Window<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">You can set a limit on users and groups which controls how many: a) Password Read Requests, and b) Password Expirations or Resets, those users can perform in a given time period.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This can be useful to prevent over-exposure of your Local Administrator passwords, and to prevent a user from mass-exporting them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Password Request limits and Password Reset limits can be controlled independently. 
To set a limit:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Click the checkbox to Enable the limit you want to impose (use the tabs to switch between Password Requests and Password Resets),<\/li>\n\n\n\n<li>Specify a maximum number of requests (Maximum Requests\/Resets) that can be performed in a specific time frame,<\/li>\n\n\n\n<li>Specify the time span and period that this will be monitored over,<\/li>\n\n\n\n<li>If the user attempts more than the maximum requests in the given time period, they will be blocked until that time period has passed.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">For example, for a normal user you may want them to stay under <strong>25 requests per day<\/strong>, so you would set it to:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Maximum: 25, Every: 1, Period: Day.\n<\/pre>\n\n\n\n<h2 id=\"a-warning-note-on-group-memberships\" class=\"wp-block-heading\"><strong>A warning note on group memberships<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In order to handle multi-group membership in an efficient and minimally complex way, there is an important point to remember: where a user is a member of multiple groups, each with its own distinct rate limit, OVERLAPS will select the lowest value of each setting independently: the lowest number of requests and the lowest time period.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This means if you have a group with a limit of 5 requests every day, and another with a limit of 25 requests every 10 minutes, a member of both groups will end up with a limit of 5 requests every 10 minutes (5 being the lowest value from the former, and 10 minutes being the lowest from the latter).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is done to be in line with least-privilege best practices. 
If the need arises to override the rate limit a user is experiencing because of their group memberships, the correct way would be to add the user explicitly to OVERLAPS&#8217;s Users and Groups section, as explicit user settings always take priority over group memberships.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You can set a limit on users and groups which controls how many: a) Password Read Requests, and b) Password Expirations or Resets, those users can perform in a given time period. This can be useful to prevent over-exposure of your Local Administrator passwords, and to prevent a user from mass-exporting them. Password Request limits [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":63,"menu_order":300,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-249","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/comments?post=249"}],"version-history":[{"count":2,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/249\/revisions"}],"predecessor-version":[{"id":272,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/249\/revisions\/272"}],"up":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/63"}],"wp:attachment":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/media?parent=249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}