Managing security settings¶
This chapter explains how to manage security settings for your Signavio Process Manager workspace. The security settings apply to every user in the administrated workspace and also to all future users.
Users of the on premise edition cannot configure IP address filters.
To configure the security settings, click Setup, then edit security configuration in the top drop-down menu of the Signavio Explorer.
You can define the following settings in the configuration dialog Edit security configuration:
These are precisely explained in the following sections.
The IP address filter¶
The IP address filter allows you to define a list of IP addresses that can access the Process Manager and the Collaboration Hub. If the filter is active, devices with unlisted IP-Addresses cannot access the workspace even with valid certificate or username/password combination. This can be very useful for example if you want to restrict access to your workspace or Collaboration Hub to one or several specific companies.
The operating administrator’s IP address is added automatically, so if you are configuring the IP address list and are using a static IP address, you will get access from your current device automatically.
The IP address filter is based on IPv4, therefore IPv6 addresses cannot be added to the list of trusted IP addresses.
To define IP addresses for the whitelist, proceed as follows:
- Click Setup, then Edit security configuration in the top drop-down menu of the Signavio Explorer. The configuration dialog box opens.
- Select Activate address filter.
- In a message dialog, you are asked to confirm the filter activation. Click OK to confirm.
Be careful while configuring the IP address filter.
Now you can add a number of IP addresses to the list of accepted addresses by clicking the Add button:
Enter an IP address into the text field. Note that only Internet IP addresses will be accepted. Local area network (LAN) IP addresses cannot be listed as those addresses depend on the local network configuration. Confirm the IP address:
- Click Save in the configuration dialog. The IP address filter is active now.
It possible to remove an IP address from the list of accepted addresses by selecting the address and clicking the Remove button:
Remove a trusted IP address.
To completely deactivate the address filter, deselect the option.
Defining password policies¶
A password policy can be implemented to enforce the use of secure passwords. This allows you to prevent access security issues even if many users have access to your workspace.
Password policies apply whenever a user changes or initially chooses his password.
To define a password policy, follow these steps:
- Click Setup, then Edit security configuration in the Signavio Explorer’s drop-down menu. The configuration dialog box opens.
- Under Password policies, you will have multiple configuration options, which are explained below (see list Configuration options for password policy).
- Click Save in the configuration dialog. The password policy is active now.
Configuration options for password policy¶
There are four complexity criteria that can be activated by checking the box Complexity Requirements. A valid password should
- contain at least one capital letter (A to Z).
- contain at least one lower case letter (a to z).
- contain at least one number (0-9).
- contain at least one special character (!,§,$,%,&,?,#).
If a password is set and three of those four criteria are met, it will be accepted. For example, the password “Signavio2016” would be accepted, as criteria 1, 2 and 3 are fulfilled. The password “signavio!” only fulfills the criteria 1 and 4 and would not be accepted.
Consider user name
It is possible to forbid the usage of passwords that contain the user name. If this option is activated, the user “JohnDoe” could not use the passwords “JohnDoe”, “JohnDoe123” or “johndoe”. However, the password “John123” will be allowed. To completely forbid the usage of the user name in the password, the option Consider user name (strict) can be activated (see below).
Upper case and lower case are not considered in the validation. Therefore, “00johndoe00” is not allowed as well.
Consider user name (strict)
This option forbids the usage of three or more letters in the same order in user name and password. The validation process is case insensitive. For example, the user “John Doe” could not use the password “John123” here. However, the password “JoJo” would be allowed.
Minimum/maximum password age (days)
A user can change his password, if the specified number of days since the last change has passed.
Maximum password age (days)
After the specified number of days has passed, a user is asked to choose a new password. When activating this option, the password history settings should be activated as well to prevent the usage of already used passwords (see below).
Minimum/Maximum password length (characters)
Define the minimum/maximum length of a password. Usually, longer passwords are more secure than shorter ones.
Enter the number of previous passwords that will be “remembered” and cannot be re-used by the user. For example, if the number is set to 5, the 5 last used passwords will be rejected as new password.
After having saved the password policy, users are informed accordingly when they change their password the next time and the new password does not conform with the policy.
If a user chooses a password that does not fulfill the password policies, he will see this information.
In this case, the password is too short, contains the user name and is not complex enough.