Security Settings

Security settings allow users to configure policies governing security-related system features, ranging from creating API keys for client applications to setting up user roles and inviting users.

The configurable security settings vary depending on the logged-in user’s organisation level (i.e. a user logged in at the Service Owner level will not see the same configuration options as someone logged in at the Business level).

Security features are configured and managed via the Settings option. This manual covers all available security settings for all organisations, indicating which options are available per Organisation.

    To configure your Security settings, select Settings from the sidebar menu, then select Security.

    User Roles & Users

    Available to: CLOUD OPERATOR, SERVICE OWNER, BUSINESS, MERCHANT/SERVICE PROVIDER

    Users are the people who perform the day-to-day tasks (e.g. process service requests/orders, monitor performance, set up configuration), either through the User Interface or Web APIs, subject to business network and security restrictions.

    User Roles are a group of permissions assigned to users and define the access that users have throughout the system (e.g. to manage Contacts, to configure Reward Offers).

    Admin User Role

    Upon creation of an Organisation (e.g. Service Owner, Business, Merchant/Service Provider), an Admin (owner) user role, with full access permissions granted, is automatically created. Such a User Role is assigned to each user who registers an Organisation, or explicitly to users who are invited to join an organisation.

    Creating a new User Role

    Create new User Roles and assign the relevant permissions prior to inviting users to join the Organisation.

    • Navigate to Settings > Security > User Roles & Users > User Roles > Create User Role

    • Provide a unique name for the User Role

    • Enable the respective toggle to allow access to a particular area of the system

    • Access can be restricted to specific actions too

    • Save your User Role

    Ensure that you have considered all available options and enabled/disabled access accordingly.

    Inviting Users

    Inviting a User to join your Organisation, in effect, creates a User with permissions to navigate the system based on the User Role assigned to them.

    • Settings > Security > User Roles & Users > Users > Invite User

    • Complete the user details

    • Select the User Role

    • Save to submit the invitation

    The new user will receive an email informing them that they have been invited to join an Organisation; they must follow the email verification procedure in order to create a password and be able to access the system. The user's credentials for signing in to the system are the email they have been invited with and their chosen password.

    Users can access their ‘owned by’ Organisation’s data, and the data of any child Organisations ‘owned by’ their Organisation (using masquerade). Refer to the Business Network manual for further details on masquerading.

    Password Policy

    Password Expiration

    Service Owner users have the option to enable a password expiration policy whereby users must reset their passwords upon expiration.

    Password Lockout

    This is a mechanism that provides the ability to lock out a user after a number of invalid login attempts. When a user is locked out, they are not able to log in for a pre-defined period of time.

    Two-Factor Authentication (2FA)

    2FA is an extra layer of security whereby two distinct forms of identification are required in order to provide a user access to a system, e.g. aside from a username and password, users will be required to provide another piece of information that can be retrieved either by an external authentication application (e.g. Google Authenticator), or in the form of an OTP (via phone or email) to gain access to a system.

    2FA can be configured at the Service Owner level or the Business level. Eligible users have the ability to configure one or multiple 2FA methods.

    View Pending Invites

    Select this option to see users who have not yet accepted the invitation to sign in to the system.

    • The User's state will be Inactive until they have accepted the invitation and signed in to the system, whereby the User state will be changed to Active.

    • In cases where the same User has been invited to multiple Businesses of the same Service Owner, and the User has accepted and signed in to the first Business they were invited to, then any other invitations sent to the User will automatically set the User state to Active.

    API Keys

    Available to: SERVICE OWNER, TRANSACTION PROCESSOR, BUSINESS

    API Keys

    API Keys are unique identifiers that allow a client application (e.g. mobile app, external system) to consume CRM.COM’s Web APIs (back-office/self-service).

    Navigate to Settings > Security > API Keys & Webhooks > API Keys

    • Public Key is used solely as an organisation identification allowing users to consume self-service APIs, e.g. you’ll need such a key if your customers will be using a consumer app

    • Secret Key should be kept confidential and is used for performing business actions in CRM.COM; such keys fall under security restrictions and permissions

    Multiple public and private keys are supported.

    Webhooks

    A webhook is an automated call to a server providing real-time information for a CRM.COM entity, without requiring additional integration. These calls are triggered when a specific event happens.

    Each webhook request can be protected with additional authentication security, such as username/password or API Key.

    A webhook request can have one of the following states:

    • Pending - The webhook request has been created and is waiting to be sent (queued)

    • Success - The webhook request was successfully sent and received by the external application

    • Failed - The webhook request was not sent to the external application successfully (an error description is logged for investigation purposes)

    Refer to the Automations manual for more information on Events and Webhooks.

    Advanced

    Password Expiration Policy

    Available to: SERVICE OWNER, BUSINESS

    Service Owners can enable a password expiration policy whereby system users must reset their passwords before or after expiration. The user can reset their password on the expiration day during sign-in or before the expiration day by navigating to My Profile and enabling the Change Password toggle.

    The Service Owner and/or Business organisations can set the password expiration policy. If the Service Owner sets it, the setting applies to all of its business network (including child Businesses and Merchants). However, if the Business organisation also sets its own password expiration policy, that setting overwrites the Service Owner’s configuration. In that case, the maximum number of days for password expiration and notification must be equal to or less than the number of days set by the Service Owner configuration, e.g. if the Service Owner sets 60 days for password expiration, then the Business can set 60 days or fewer for the same setting.

    • Password expiration number of days

      • Valid range is 14 to 730 days

      • If not set, then the default is 90 days

    • Password expiration notification

      • Valid range is from 1 to less than the number of expiration days set

      • If not specified, then defaults to 15 days
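
    The range and inheritance rules above can be checked before a configuration is applied. This is an added example, not CRM.COM code: `ExpirationPolicy` and `effective_policy` are hypothetical names, and treating an unset Business value as the documented default is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Limits and defaults as stated in the manual.
MIN_EXPIRY_DAYS, MAX_EXPIRY_DAYS = 14, 730
DEFAULT_EXPIRY_DAYS, DEFAULT_NOTIFY_DAYS = 90, 15


@dataclass(frozen=True)
class ExpirationPolicy:
    """Hypothetical container for one organisation's settings (not a CRM.COM object)."""
    expiry_days: Optional[int] = None
    notify_days: Optional[int] = None

    def resolved(self) -> "ExpirationPolicy":
        """Apply the documented defaults, then enforce the documented ranges."""
        expiry = DEFAULT_EXPIRY_DAYS if self.expiry_days is None else self.expiry_days
        notify = DEFAULT_NOTIFY_DAYS if self.notify_days is None else self.notify_days
        if not MIN_EXPIRY_DAYS <= expiry <= MAX_EXPIRY_DAYS:
            raise ValueError(f"expiry_days {expiry} is outside 14..730")
        # Note: expiry of 14 or 15 with no explicit notification fails here,
        # because the default of 15 is not less than the expiration days.
        if not 1 <= notify < expiry:
            raise ValueError(f"notify_days {notify} must be >= 1 and < {expiry}")
        return ExpirationPolicy(expiry, notify)


def effective_policy(service_owner: Optional[ExpirationPolicy],
                     business: Optional[ExpirationPolicy]) -> Optional[ExpirationPolicy]:
    """Policy applying to a Business user; None if neither level enabled one."""
    owner = service_owner.resolved() if service_owner else None
    if business is None:
        return owner                      # inherited from the Service Owner
    biz = business.resolved()
    if owner is not None:
        # A Business setting may equal or tighten the Service Owner's values, never exceed them.
        if biz.expiry_days > owner.expiry_days:
            raise ValueError("Business expiration exceeds the Service Owner's")
        if biz.notify_days > owner.notify_days:
            raise ValueError("Business notification exceeds the Service Owner's")
    return biz
```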

    Concurrent Session Policy

    Available to: SERVICE OWNER

    Service Owner users can enable a concurrent session policy whereby users are limited to having a maximum number of active sessions.

    Strong Password Policy

    Available to: BUSINESS

    This setting provides the ability to support only strong passwords for contacts and users alike.

    Contact Strong Password Policy Rules

    • Must be at least 8 characters in length

      • Supports alphanumeric characters

      • Supports special characters

    • Not permitted

      • A sequence of characters or numbers (e.g. “abcdefg” or “123456”)

      • The previous password

    (System) User Strong Password Policy Rules

    • Must be at least 8 characters in length

      • Supports alphanumeric characters

      • Supports special characters

    • Must contain at least

      • One upper and lower case character

      • A number

    • Not permitted

      • A sequence of characters or numbers (e.g. “abcdefg” or “123456”)

      • The previously used password

    • If the user belongs to multiple organisations with different strong password policies, then the most strict policy is applied to ensure the highest level of password security
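
    A client application can pre-check a candidate password against the contact and system user rules listed above before submitting it. This is an added example, not CRM.COM code: the function names are hypothetical, and the minimum run length that counts as a "sequence" (four here) and reading "most strict" as "enforced if any organisation enables it" are assumptions, since the manual gives only examples.

```python
import re
from typing import Dict, List

MIN_LENGTH = 8
SEQUENCE_RUN = 4   # assumption: the manual does not state a minimum run length


def has_sequence(password: str, run: int = SEQUENCE_RUN) -> bool:
    """True if `run` consecutive letters or digits ascend by one (e.g. 'abcd', '1234')."""
    streak = 1
    for prev, cur in zip(password, password[1:]):
        same_class = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
        ascending = ord(cur.lower()) - ord(prev.lower()) == 1
        streak = streak + 1 if same_class and ascending else 1
        if streak >= run:
            return True
    return False


def violations(password: str, previous: str, system_user: bool) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it passes.

    `previous` is plain text only for this model; a real system would verify
    the candidate against the stored hash of the previous password.
    """
    found = []
    if len(password) < MIN_LENGTH:
        found.append("length")
    if system_user:
        # Composition rules apply to system users only, not to contacts.
        if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
            found.append("mixed-case")
        if not re.search(r"\d", password):
            found.append("number")
    if has_sequence(password):
        found.append("sequence")
    if password == previous:
        found.append("previous-password")
    return found


def strong_policy_applies(org_policies: Dict[str, bool]) -> bool:
    """Assumed reading of 'most strict': enforce if any organisation enables the policy."""
    return any(org_policies.values())
```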

    Two-Factor Authentication (2FA)

    Available to: BUSINESS

    2FA is an extra layer of security whereby two distinct forms of identification are required to provide a user access to the back-end system, e.g. aside from a username and password, users will be required to provide another piece of information that can be retrieved either by an external authentication application (e.g. Google Authenticator) or in the form of an OTP (via phone or email) to gain access to a system.

    Eligible users have the ability to configure one or multiple 2FA methods.

    2FA is implemented as system core behaviour for Service Owner users.

    OpenID Connect

    Available to: BUSINESS

    OIDC (OpenID Connect) is an authentication protocol implemented by CRM.COM during user login, whereby users can authenticate and access CRM.COM using a single set of credentials from another platform.

    Configuration Document URL

    The URL endpoint used to retrieve specific configuration attributes that are required during the OIDC authentication flow. This URL is provided by the OIDC provider.

    Application ID

    This is the business’s OIDC application identifier used to request and gain access to the OIDC provider. Such an ID is also provided by the OIDC provider.

    Core Behaviour

    The following security feature is not configurable but is implemented as part of CRM.COM’s core system behaviour.

    Password Lockout

    This is a mechanism that provides the ability to lock out a system user after a number of invalid login attempts. When a user is locked out, they cannot log in for a pre-defined period.

    User Password Lockout Policy Rules

    • Lockout is enforced after five failed attempts to authenticate using an invalid password within a 15-minute time span (given that the username is valid). A locked-out user cannot authenticate even using the correct username/password until the lockout has been lifted.

    • The lockout period is lifted automatically after 30 minutes or manually by another authorised user.
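
    The lockout rules above, modelled as a sliding window so the thresholds can be replayed against a sequence of sign-in attempts. This is an added example, not CRM.COM's implementation: `LockoutTracker` and `replay` are hypothetical names, the sample events are constructed, and resetting the failure count on a successful sign-in is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                      # failed attempts before lockout
WINDOW = timedelta(minutes=15)        # span in which the failures must fall
LOCKOUT = timedelta(minutes=30)       # lockout is lifted automatically after this


class LockoutTracker:
    """Model of the documented rules for valid usernames."""

    def __init__(self):
        self._failures = defaultdict(deque)   # username -> failure timestamps
        self._locked_until = {}               # username -> lockout expiry

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is not None and now >= until:
            self.unlock(user)                 # automatic lift after 30 minutes
            return False
        return until is not None

    def unlock(self, user: str) -> None:
        """Manual lift by an authorised user; also used for the automatic lift."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'ok', 'failed' or 'locked' for one sign-in attempt."""
        if self.is_locked(user, now):
            return "locked"                   # rejected even with the correct password
        if password_ok:
            self._failures.pop(user, None)    # assumption: success resets the count
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                  # drop failures older than 15 minutes
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            return "locked"                   # the fifth failure triggers the lockout
        return "failed"


def replay(events):
    """events: (minute_offset, user, password_ok) tuples; returns the outcomes in order."""
    t0 = datetime(2024, 1, 1, 9, 0)           # constructed start time
    tracker = LockoutTracker()
    return [tracker.attempt(u, ok, t0 + timedelta(minutes=m)) for m, u, ok in events]
```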

    Reference Material

    You may also find it useful to refer to the following manuals for further reading in relation to Security.

    • Business Network

    • Automations
