User administration

Users can be created at the Agency level or the Customer level as appropriate. To edit an existing user, please see the guide on navigating the Administration window.

The options for configuring a user are described below.

Details

Set the email address, name, expiry date and disable the User. See User details for more information.

👍

Expiry

While the User is disabled or the Expiry Date is reached they cannot log into the system.

Password

When creating a new user, the system will offer to send a password reset email once the user has been saved. In this case it's not necessary to set a password or select Force password change on next login.

Otherwise, if directly setting a user's password, it must meet a minimum strength threshold. If the given password does not meet this level, the error message will explain the issue and recommend some adjustments. 

📘

Password strength

Rather than using a specific policy (eg. number of characters, numbers, symbols), password strength is determined by recognising and weighing common passwords, common names and surnames, popular English words, and other common patterns like dates, repeats, sequences, keyboard patterns and character substitution. The required password strength is based on the likelihood of a password attack being able to guess the password.

If setting a new password directly, it is recommended to select Force password change on next login so that the user must choose their own password when they next login.

For compliance with some companies' security policies, it's possible to set password expiry options as a period in days, and the date of next expiry. We do not recommend using password expiry, as independent research shows it forces users to choose poor passwords, rotate through a common list, or even simply increment a digit on the end of their password. It is far better to allow a user to choose a secure password which they will remember, and then add extra security through two-factor authentication.

Roles

Users can be assigned one or more roles to allow access and/or uses of certain features. The available roles are explained within the interface. An administrator can only grant roles which they have themselves. For additional roles, please contact our Support Team.

Security options

As well as the password-specific options described above, it's also possible to control other security-related options for the user

Disable user

Used to prevent all access to the system. This could be used for a temporary restriction; if the user is no longer required it would be better to be deleted.

Expiry date

Used to prevent all access to the system from the configured date. This could be used to automatically restrict a contractor at the end of their allowed period.

IP Restriction

Strongly recommended. Restrict access to the user to a set of pre-configured IP addresses.

Accepts single IPs (eg. 127.0.0.1) and ranges in CIDR notation (eg. 127.0.0.0/24). Multiple entries may be separated with a comma (eg. 127.0.0.0/24,172.16.0.0/24).

As an additional security aid for users without IP restriction, Maxemail will send an email notification to the user each time a login is detected from a new IP address.

Session locking

Automatically lock a user after a set period of minutes of inactivity (no mouse or keyboard input). Work is automatically saved and the user must re-enter their password to resume their session.

Groups

Used to restrict access to certain folders within a customer space. See User access control.

Restricted Customer access

Agency-level users can be restricted to only allow access to certain Customer Spaces. This is useful in Agency environments where Account Managers only need to access their own clients.

Customer Space restrictions do not apply to users with the Agency Administrator role.

Security key (2FA)

It's possible to configure a physical security key against a user. The security key is a single-button USB device provided by Xtremepush, which generates a one-time authentication token unique to the key. It is required each time the user logs in or resumes an inactive session. Please contact your Account Manager for further information, or raise a ticket with the Support Team.