Skip to end of banner
Go to start of banner

Security & Users

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Security Settings

Security settings allow an Admin user to create and assign user roles with respective permissions to system users who have access to CRM.COM.

Security features are configured and managed via the Settings option, this manual covers two areas of security:

  • User Roles & Users

  • API Keys

To configure your Security settings click on your logged-in user name in the top right-hand-corner of the screen > Settings > Security.

User Roles & Users

Users are the people who perform the day-to-day tasks (e.g. process service requests/orders, monitor performance, setup configuration) either through the User Interface or Web APIs, subject to business network and security restrictions.

User Roles are a group of permissions assigned to users and define the access that users have throughout the system (e.g. to manage Contacts, to configure Reward Offers).

Admin User Role

Upon creation of an Organisation (e.g. Service Owner, Business, Merchant/Service Provider) an Admin (owner) user role with full access permissions granted, is automatically created. Such a User Role is assigned to each user who registers an Organisation, or explicitly to users who are invited to join an organisation.

Creating a new User Role

Create new User Roles and assign the relevant permissions, prior to inviting users to join the Organisation.

  • Navigate to Settings > Security > User Roles > Create User Role

  • Provide a unique name for the User Role

  • Enable the toggle to allow access to a particular area of the system

  • Access can be restricted to specific actions too

  • Save your User Role

Ensure that you have considered all available options and enabled/disabled access accordingly.

Inviting Users

Inviting a User to join your Organisation in effect creates a User with permissions to navigate the system based on the User Role assigned to them.

  • Settings > Security > Users > Invite User

  • Complete the user details

  • Select the User Role

  • Save to submit the invitation

The User will receive an email informing them that they have been invited to join an Organisation, they must follow the email verification procedure in order to create a password and be able to access the system. The user's credentials for signing-in to the system is the email they have been invited with and the password they set.

Users have the ability to access their ‘owned by’ Organisation’s data, and any other child Organisations data ‘owned by’ their Organisation (using masquerade).

Password Policy

Password Expiration

Service Owner users have the option to enable a password expiration policy whereby users must reset their passwords upon expiration.

Password Lockout

This is a mechanism that provides the ability to lockout a user after a number of invalid login attempts. When a user is locked out they are not able to login for a pre-defined period of time.

Two-Factor Authentication (2FA)

2FA is an extra layer of security whereby two distinct forms of identification are required in order to provide a user access to a system, e.g. aside from username and password, users will be required to provide another piece of information that can be retrieved either by an external authentication application (e.g. Google Authenticator), or in the form of an OTP (via phone or email) to gain access to a system.

2FA can be configured at the Service Owner level or the Business level. Eligible users have the ability to configure one or multiple 2FA methods.

API Keys

API Keys are unique identifiers that allow a client application (e.g. mobile app, external system) to consume CRM.COM’s Web APIs (back-office/self-service).

Navigate to Settings > Security > API Keys

  • Public Key is used solely as an organisation identification allowing users to consume self-service APIs, e.g. you’ll need such a key if your customers will be using a consumer app

  • Secret Key should be kept confidential and is used for performing business actions in CRM.COM, such keys fall under security restrictions and permissions

Multiple public and private keys are supported.

Webhooks

Webhook are event notification methods where an external application is provided with real time information for a CRM.COM entity without requiring any additional integration. Once a webhook is configured (providing a listener URL) for a specific CRM.COM event via automations, CRM.COM will automatically send requests to that URL every time the automation is triggered. Each webhook request can be protected with additional authentication security, such as username/password or API Key.

A webhook request might be in one of the following states

  • Pending The webhook request is created and awaiting to be send (queued)

  • Success - The webhook request was successfully sent and received by the external application

  • Failed - The webhook request was not sent to the external application successfully (an error description is logged as well for investigation purposes)

Reference Material

You may also find it useful to refer to the following manuals for further reading in relation to Security.

Business Network

Business Network

TABLE OF CONTENTS

  • No labels