Security-related settings which can be customised
Path: Manage Workspaces >> Security >> Access Restrictions >> Security Policies
Security policies specify the active time period of various email links, such as password reset or verification links, as well as the session timeout, the number of failed login attempts allowed, and similar limits. Security policies are specified at the workspace level by the workspace administrator.
The following security policies are shown to logged-in users in the Security Policies section:
1. Password Policy: It has 3 options; the selected policy applies to all new members registering for or joining the workspace.
2. Allow Concurrent Login: When this switch is on, a user can log in to the application from multiple endpoints simultaneously.
3. Remember me: This saves the username and password entered by workspace users in the login form. The Stay Login check box appears on the workspace login page when this switch is turned on.
4. Global Session Timeout (in minutes): With this setting the superuser determines how long a user can remain idle before the session is terminated and the user must log in again. It can be set to 0 to make the time unlimited.
5. Email Verification Link Expire Time (in minutes): This setting applies to the following verification emails:
- Workspace invitation to join the Workspace
- Account verification when added by a workspace admin to the Workspace
- Complete registration email after approving the pending member
- 2 step authentication link
- Password reset
- Email claim verification
- Locked member verification
These email links expire according to the value set in the Workspace settings. It can be set to 0 to make the time unlimited.
6. Member Passwordless Authorization Expire Time (in minutes): When a user resets their password through an email sent by the admin, clicking the reset password link requires no password. This field limits how long that passwordless authorization remains valid.
7. Password Reset Link Expire Time (in minutes): A workspace admin or owner can send a password reset request. The link expires after the time set here. It can be set to 0 to make the time unlimited.
8. Password Reuse Limit (0: to disable check): A user's current password can be set again, but a reuse limit applies at the workspace and community level; 0 disables the check.
9. Email Claim Link Expire Time (in minutes): A user can claim an existing member email. This email needs to be verified, and the verification link expires after the time set here.
10. Rank Assessment Link Expire Time (in minutes): A rank assessment reminder email is sent to all users who have not yet been assessed. This setting is community specific.
11. Rank Reviewscale Link Expire Time (in minutes): A review completion reminder email is sent to all users who have not yet finished their review. This setting is community specific.
12. Resource Download Link Expire Time (in minutes): When an email contains a report file link, the link redirects the admin to download or open the file. The expiration time of this link can be changed here.
13. Member Approve Link Expire Time (in minutes): Moderators receive the member approval link in their mail.
14. Member Reject Link Expire Time (in minutes): Moderators receive the member reject link in their mail.
15. Member Profile Link Expire Time (in minutes): Members can see their profile after being added.
16. Idea View Link Expire Time (in minutes): When an idea is shared or has any actions, the user receives the idea view link in the email.
17. Idea Approve Link Expire Time (in minutes): Moderators receive the idea approval link in their mail.
18. Idea Reject Link Expire Time (in minutes): Moderators receive the idea rejection link in their mail.
19. Idea Pending Auth Link Expire Time (in minutes): The idea pending link is used by auth apps such as Teams and Slack.
20. Conversation View Link Expire Time (in minutes): To view a conversation or message, a link with the message subject is sent to the user's email.
21. Identity Verification Link Expire Time (in minutes): The identity verification link is sent by email after a person is locked, joins the workspace, or registers to the workspace.
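The link-expiry settings in items 5 to 21 all follow one pattern: a signed token carries its own expiry, and 0 means the link never expires. The following added example is not IdeaScale's code; the signing key, the purpose names and the member ids are constructed. It shows one way to issue and verify such tokens so that the expiry cannot be edited out of the link and a token issued for one purpose (say, password reset) cannot be replayed against another (say, idea approval).

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed signing key for the example; a deployment loads it from secret storage.
SECRET = b"example-workspace-signing-key"


def issue_link_token(purpose, member_id, expire_minutes, secret=SECRET, now=None):
    """Build a signed token for an email action link.

    expire_minutes follows the page's convention: 0 means the link never expires.
    The expiry and the purpose sit inside the signed payload, so neither can be
    changed without invalidating the signature.
    """
    now = time.time() if now is None else now
    expires_at = 0 if expire_minutes == 0 else int(now + expire_minutes * 60)
    payload = f"{purpose}:{member_id}:{expires_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_link_token(token, expected_purpose, secret=SECRET, now=None):
    """Return the member id if the token is authentic, was issued for
    expected_purpose and has not expired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        encoded, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    expected_mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison; verify the signature before trusting any field.
    if not hmac.compare_digest(mac, expected_mac):
        return None
    purpose, member_id, expires_at = payload.decode().split(":", 2)
    if purpose != expected_purpose:
        return None  # a password-reset token must not open an idea-approve link
    if int(expires_at) != 0 and now > int(expires_at):
        return None
    return member_id


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    token = issue_link_token("password_reset", "m-42", 30, now=issued_at)
    print(verify_link_token(token, "password_reset", now=issued_at + 29 * 60))  # m-42
    print(verify_link_token(token, "password_reset", now=issued_at + 31 * 60))  # None
```

Storing the token (or a hash of it) server-side additionally lets a link be invalidated after first use, which the expiry alone does not do.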
22. Maximum number failed login attempt before locked down: The admin or workspace owner can set the number of failed login attempts allowed before lockdown. It is changeable.
23. Maximum number failed login attempt within (in minutes): The timeframe within which the maximum number of failed login attempts is counted for a user.
24. Locked down period after maximum number failed login attempt (in minutes): The period for which the account stays locked after the maximum number of failed login attempts.
25. Locked user login prompt duration (in second): The duration defined for a locked user to log in to the workspace.
26. Maximum number failed claim attempt before locked down: To claim an account, the user needs to verify the mail. This sets the number of failed claim attempts allowed before the lockdown period starts.
27. Maximum number of failed claim attempt within (in minutes): To claim an account, the user needs to verify the mail. This is the timeframe within which a user's failed claim attempts are counted; a default is set for each workspace.
28. Locked down period after maximum number failed claim attempt (in minutes): The lockdown period applied after the maximum number of failed claim attempts. A default value is set when the workspace is created.
29. Maximum number failed Two Factor Authentication attempt before locked down: The number of failed two-factor authentication attempts allowed before lockdown is set here by the workspace admin or owner. This can be changed from here.
30. Maximum number failed Two Factor Authentication attempt within (in minutes): The timeframe within which failed two-factor authentication attempts are counted is set here by the workspace admin or owner. This can be changed from here.
31. Locked down period after maximum number failed Two Factor Authentication login attempt (in minutes): When two-factor authentication fails the maximum number of times, the lockdown period specified here at the workspace level applies.
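Items 22 to 31 apply one rule to three different events (login, claim and two-factor failures): count failures inside a sliding window and lock the account for a fixed period once the limit is reached. The added example below is not IdeaScale's code; the account names and timings are constructed. It implements that rule in Python and checks the lock before the credentials, so a correct password entered during the lockdown is still refused and does not clear the lock.

```python
from collections import defaultdict, deque


class FailedAttemptLockout:
    """Sliding-window lockout reusable for login, claim and two-factor failures.

    max_attempts failures within within_minutes lock the account for
    lockdown_minutes. Times are seconds and are passed in explicitly so the
    behaviour is reproducible.
    """

    def __init__(self, max_attempts, within_minutes, lockdown_minutes):
        self.max_attempts = max_attempts
        self.window = within_minutes * 60
        self.lockdown = lockdown_minutes * 60
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Record one failed attempt; return True if the account is now locked."""
        window = self.failures[account]
        window.append(now)
        # Forget failures that have fallen out of the counting window.
        while window and window[0] <= now - self.window:
            window.popleft()
        if len(window) >= self.max_attempts:
            self.locked_until[account] = now + self.lockdown
            window.clear()  # the lock replaces the counter; start fresh afterwards
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)

    def attempt_login(self, account, credentials_ok, now):
        """Gate one attempt and return 'locked', 'ok' or 'failed'.

        The lock is checked before the credentials so that a correct password
        entered during the lockdown is refused and does not unlock the account.
        """
        if self.is_locked(account, now):
            return "locked"
        if credentials_ok:
            self.record_success(account)
            return "ok"
        return "locked" if self.record_failure(account, now) else "failed"


if __name__ == "__main__":
    # Constructed settings: 3 failures within 10 minutes lock for 15 minutes.
    lockout = FailedAttemptLockout(max_attempts=3, within_minutes=10, lockdown_minutes=15)
    for t in (0, 60, 120):
        print(t, lockout.attempt_login("alice", False, t))  # failed, failed, locked
    print(130, lockout.attempt_login("alice", True, 130))   # locked
```

The same class can be instantiated three times with the three setting groups from the page (login, claim, two-factor), each keyed on the account being attempted.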
32. Maximum allowed inactive days: The IdeaScale application limits how long a user may remain inactive in a workspace or community. This maximum is set at the workspace level.
33. Force password reset: The number of times that all users must reset their passwords (0 means that there are no restrictions, so no forced resets).
34. Password change interval: Users can only change their password once within the number of days set here (0 means unlimited).
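The Password Reuse Limit (item 8) and the Password change interval (item 34) are both enforced at password-change time, so one check can apply them together. The following added example is not IdeaScale's code. It assumes that a reuse limit of N means the new password may not equal any of the last N passwords, the current one included, and that both settings treat 0 as "no check"; the account names, passwords and timestamps are constructed. Old passwords are kept only as salted PBKDF2 hashes, so the history never stores clear text.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # modest so the example runs quickly; raise in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def password_matches(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class PasswordPolicy:
    """Enforces Password Reuse Limit (0 disables the history check) and
    Password change interval in days (0 means unlimited changes).

    Assumption for this example: a reuse limit of N forbids any of the last N
    passwords, the current one included.
    """

    def __init__(self, reuse_limit, change_interval_days):
        self.reuse_limit = reuse_limit
        self.change_interval = change_interval_days * 86400
        self.history = {}       # account -> stored hashes, newest first
        self.last_changed = {}  # account -> timestamp (seconds) of the last change

    def change_password(self, account, new_password, now):
        """Apply the policy and return 'ok', 'too_soon' or 'reused'."""
        last = self.last_changed.get(account)
        if self.change_interval and last is not None and now - last < self.change_interval:
            return "too_soon"
        history = self.history.get(account, [])
        recent = history[:self.reuse_limit] if self.reuse_limit else []
        if any(password_matches(new_password, stored) for stored in recent):
            return "reused"
        history = [hash_password(new_password)] + history
        # Keep only as many old hashes as the reuse check can ever consult.
        self.history[account] = history[:self.reuse_limit] if self.reuse_limit else history[:1]
        self.last_changed[account] = now
        return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(reuse_limit=2, change_interval_days=1)
    print(policy.change_password("alice", "first-pw", 0))          # ok
    print(policy.change_password("alice", "second-pw", 3600))      # too_soon
    print(policy.change_password("alice", "second-pw", 86400))     # ok
    print(policy.change_password("alice", "first-pw", 2 * 86400))  # reused
```

Returning a distinct reason for each refusal lets the login page tell the user why the change was rejected without revealing anything about other accounts.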
35. Enable Two Step Authentication by Email: This switch enables two-step authentication by mail at the workspace level.
36. Email based OTP Expire Time (in seconds): An OTP is sent by email for email-based two-step authentication. The OTP expiration time can be set per workspace.
37. Enable Two Step Authentication by Authenticator App: Enabling this switch allows two-step authentication through an authenticator app at the workspace level.
38. Allow Auto-Login for Actions by Email Token: This applies when a member who is already logged in to the application opens an email to view an idea; the user is then automatically redirected from the email to the idea.
39. Gravatar Enabled: When enabled, an avatar is generated automatically for all users added to this workspace.
40. Authentication Page Banner: A page banner can be enabled for the workspace's authentication page.
41. Captcha Enabled: A CAPTCHA is a challenge used to determine whether the user is human, in order to deter bot attacks and spam. CAPTCHA is available in the IdeaScale application and appears when registering to the workspace and on other pages where security verification is needed.
42. Strict Transport Security: A widely supported standard (HSTS) that protects visitors by ensuring that their browsers always connect to a website over HTTPS. IdeaScale allows this option to be enabled or disabled. It also has a sub-option, Max Age in days, that sets for how many days the policy applies to the application.
43. XSS Protection: This response header is a feature of some browsers that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. IdeaScale allows this option to be enabled or disabled.
44. Content Type Option: The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. The header lets you avoid MIME type sniffing by declaring that the MIME types are deliberately configured. The IdeaScale application uses this for security purposes.
45. Referrer Policy: The Referrer-Policy header determines what information is sent in the Referer header with requests from the IdeaScale site. An option can be chosen from Select a Referrer Policy.
46. Content Security Policy: An added layer of security in the IdeaScale application that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks.
47. Public Key Pins: A response header used to associate a specific cryptographic public key with a specific web server, in order to reduce the risk of MITM attacks using forged certificates.
48. Google Analytics: Google Analytics tracks the community's engagement. It allows workspace and community administrators to track, measure, and report on additional user metrics.
49. Permission Policy: The Permissions-Policy header provides a mechanism to allow and deny the use of browser features in a document or within any <iframe> elements in the document. The workspace owner can add a permission policy when needed.
50. Cross Origin Embedder Policy: Prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS). IdeaScale allows users to add this when needed.
51. Cross Origin Opener Policy: Ensures that a top-level window is isolated from other documents by putting them in a different browsing context group, so that they cannot directly interact with the top-level window. IdeaScale allows users to add this when needed.
52. Cross Origin Resource Policy: A policy set by the Cross-Origin-Resource-Policy HTTP header that lets websites and applications opt in to protection against certain requests from other origins, to mitigate speculative side-channel attacks. It is needed for authorized resource sharing with external third parties.
53. Expect CT: An HTTP header that allowed websites to opt into Certificate Transparency enforcement before it was enforced by default. IdeaScale allows users to add this when needed.
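Items 42 to 53 are all HTTP response headers, and the value an administrator enters matters as much as the on/off switch. The added Python example below is not IdeaScale's code; both header sets are constructed. It audits a captured set of response headers against what a practitioner would normally expect: an HSTS max-age of at least the chosen number of days, nosniff, a referrer policy that does not send full URLs cross-origin, a CSP whose script sources are neither a wildcard nor inline, and the presence of the cross-origin and permission policies. It deliberately does not require X-XSS-Protection, Public-Key-Pins or Expect-CT: current mainstream browsers ignore the first and no longer support the other two, so the remaining headers carry the protection.

```python
import re

# Constructed sample header sets: one as an administrator might first leave them,
# one with hardened values.
WEAK_HEADERS = {
    "X-Content-Type-Options": "sniff",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Policies that send the full URL to other origins over HTTPS.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers, min_hsts_days=365):
    """Return a list of findings; an empty list means every check passed.

    Header names are matched case-insensitively, as HTTP requires.
    """
    found = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = found.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < min_hsts_days * 86400:
            findings.append(f"Strict-Transport-Security max-age below {min_hsts_days} days")

    if found.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    referrer = found.get("referrer-policy", "").strip().lower()
    if not referrer or referrer in LEAKY_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or sends full URLs cross-origin")

    csp = found.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        # script-src falls back to default-src when absent, as in the CSP spec.
        script_sources = directives.get("script-src", directives.get("default-src", []))
        if "*" in script_sources or "'unsafe-inline'" in script_sources:
            findings.append("Content-Security-Policy allows wildcard or inline scripts")

    for name in ("cross-origin-opener-policy", "cross-origin-resource-policy", "permissions-policy"):
        if name not in found:
            findings.append(f"{name} missing")
    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(WEAK_HEADERS):
        print("weak:", finding)
    print("hardened:", audit_security_headers(HARDENED_HEADERS))  # []
```

Cross-Origin-Embedder-Policy (item 50) is left out of the required set on purpose: it blocks every cross-origin resource that lacks CORP or CORS headers, so it is usually added only after the other headers are in place and the embedded resources have been reviewed.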
54. Allowed File Extensions: There is a default list of file types accepted by the IdeaScale application, and other file extensions can be added here. A file whose extension is not on this list cannot be added through the IdeaScale attachment option.
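One way to apply the Allowed File Extensions list on upload, as an added example that is not IdeaScale's code: the default list below is constructed, matching uses the final extension only and is case-insensitive, and a name with no extension, a leading dot only, or a trailing dot is rejected rather than guessed.

```python
import os

# Constructed default list; the real default list lives in the workspace settings.
DEFAULT_ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "docx", "xlsx", "csv"}


def parse_extension_list(text):
    """Normalise an administrator-entered list such as '.PDF, exe ,zip' into
    lower-case extensions without dots or blank entries."""
    return {
        item.strip().lstrip(".").lower()
        for item in text.split(",")
        if item.strip().strip(".")
    }


def is_allowed_attachment(filename, allowed=DEFAULT_ALLOWED_EXTENSIONS):
    """Accept a file only if its final extension is on the allow list.

    Directory parts (either separator) are discarded, matching is
    case-insensitive, and a name with no extension, only a leading dot, or a
    trailing dot is rejected instead of being guessed at.
    """
    name = os.path.basename(filename.replace("\\", "/")).strip()
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or not ext:
        return False
    return ext.lower() in allowed


if __name__ == "__main__":
    allowed = DEFAULT_ALLOWED_EXTENSIONS | parse_extension_list(".ZIP, gz")
    for candidate in ("report.PDF", "notes", ".htaccess", "upload.png.", "archive.tar.gz"):
        print(candidate, is_allowed_attachment(candidate, allowed))
```

An allow list is checked here rather than a block list, so an extension the administrator never considered is refused by default; the extension check is only the first gate, and the stored content type should still be set from the list, not from what the client claims.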