Skip to main content

User Management – Configuring Security Settings

Written by Caroline Polio

Overview

Organization administrators can manage security settings and user access directly from the Admin Portal.

Changes made to security policies apply to all users within your organization.


🛡️ Managing Security Settings

To configure your organization's security policies, navigate to:

Admin Portal → Security


🔒Managing Multi-Factor Authentication (MFA)

MFA adds an additional layer of account security.

Enabling MFA

  1. Select the Security.

  2. Locate the MFA section and click on manage.

  3. Enable MFA

    • Recommended Setting: Force MFA for all users

Users will be prompted to reconfigure MFA during their next login.


🔑 Password Settings

These settings work together to prevent unauthorized access, ensure credentials stay fresh, and keep your platform secure without disrupting your users.

  1. Select the Security.

  2. Locate the Password section and click on manage.

  3. Open the Configuration tab.

  4. Configure the desired password settings.

  5. Select Save to apply your changes.

📝 Recommended Password Security Settings

Setting

Description

Recommended Value

User Lockout

Number of consecutive failed login attempts allowed before a user's account is temporarily locked.

5 failed login attempts

Password History

Number of new passwords a user must create before a previous password can be reused.

5 new passwords

Password Expiration

Number of days before a password expires and must be reset.

90 days

Password Expiration Reminder

Number of days before password expiration that users are prompted to reset their password.

7 days before expiration


🚫 Restrictions

Restriction settings allow you to control who can access your organization's account based on IP address or email domain.

IP Restrictions

IP restrictions let you create an allowlist of approved IP addresses that can access your organization's account.

Users attempting to sign in from an IP address that is not included in the allowlist will be denied access.

To configure IP restrictions:

  1. Navigate to Security.

  2. Locate the Restrictions section and select Manage.

  3. Open the IP Restrictions tab.

  4. Add the approved IP addresses.

Domain Restrictions

Domain restrictions control which email domains can be used to access your organization's account.

You can choose one of the following options:

Allowlist

Only users with approved email domains can be invited to or access your organization's account. Existing users are not affected by changes to the allowlist.

Denylist

Users with email domains on the denylist cannot be invited to or access your organization's account. Existing users are not affected by changes to the denylist..

✅ Best Practice

An allowlist provides stronger security than a denylist because it permits access only from explicitly approved email domains.

To configure domain restrictions:

  1. Navigate to Security.

  2. Locate the Restrictions section and select Manage.

  3. Open the Domain Restrictions tab.

  4. Select Allowlist or Denylist.

  5. Add the applicable email domains.


🕑Session Timeout

Session timeout settings help protect your organization's account by automatically signing users out after a period of inactivity.

To configure the session timeout:

  1. Navigate to Security.

  2. Locate the Session Timeout section and select Manage.

  3. Configure the desired settings.

  4. Select Save to apply your changes.

Session Timeout Settings

Setting

Description

Default

Idle Session Timeout

Define how long a user session can remain inactive before the user is automatically signed out.

30 minutes

Force Re-login

Require users to sign in again once their session reaches the specified time limit, regardless of whether they have been active or inactive.

90 days

Maximum Concurrent Sessions

Set the maximum number of active sessions a user can have at the same time. If the limit is reached, the oldest session is automatically signed out when a new session is created.

10

Changes apply to all users in your organization.


🕑 Inactivity

The Inactivity page allows administrators to identify users who have not recently accessed the platform.

Use this page to:

  • Review inactive users.

  • Identify accounts that may no longer require access.

  • Support periodic access reviews and account cleanup.

Did this answer your question?