On the Login security screen you can keep an eye on who attempts to log in to Sapera, restrict access to specific IP addresses and choose how strict the requirements should be at login. The screen is divided into three tabs: Audit, Allowed IP addresses or ranges and Settings.
1. Open the hamburger menu and select Financial.
2. Select Security and then Login security.
The screen opens on the Audit tab, where you immediately see an overview of login attempts. From here you can switch between the three tabs.
If you cannot see the menu item Security or Login security, you probably lack permissions for the function — contact support.
*Note for administrators: access requires the permission navigation.access.security.blockip (AccessSecurityBlockIpPermission).*
The Audit tab gives you an overview of login attempts distributed by user, IP address and organizational unit. This is where you can detect unusual or blocked login attempts, and it is also where you can quickly approve an IP address that a user logs in from.
The grid contains the following columns:
Organizational unit — the organizational unit the login attempts belong to.
User — the name of the user who attempted to log in.
Email — the user's email address.
IP addresses — the IP address(es) the user attempted to log in from.
Date of first login — when the user first logged in from this IP address.
Date of last blocked login attempt — when a login attempt was last rejected.
Number of blocked attempts — how many times a login has been blocked.
Date of last successful login — when the last successful login took place.
Successful logins — the total number of successful logins.
At the top of the grid you can filter the overview, so you can quickly find what you are looking for. You can filter on organizational unit (dropdown), user (lookup), IP addresses (text), Date of first login (date range), Date of last successful login (date range) and Date of last blocked login attempt (date range). Read more in How to search in lists.
When you select a row in the Audit grid, the button Add selected IP addresses to approved addresses becomes active. If you click it, the selected row's IP address is added directly to the approved addresses for the organizational unit the row belongs to. The button is only active as long as a row is selected.
After you have approved an IP address, it appears on the Allowed IP addresses or ranges tab under the selected organizational unit.
On this tab you manage the IP addresses and address ranges that may log in. The list is controlled per organizational unit, and you select the desired unit in the inheritance selector at the top of the tab.
Organizational unit inheritance: The selector shows the organization's levels, and an underlying unit inherits, by default, the approved IP addresses from the level above. This means you can control access collectively at an upper level and let the units below inherit the list — or set up specific addresses for a single unit.
The grid shows two columns: IP addresses or address range and Description.
You have the following actions:
New — creates a new approved IP address or an address range for the selected organizational unit. Opens the edit dialog (see below).
Edit — edits an existing approved address. The button is only active when a row is selected, and opens the same dialog as New.
Delete — removes the selected approved IP address or range. The button is only active when a row is selected.
Apply for all levels below — copies the current IP address list out to all underlying organizational units, so they get the same approved addresses. The button is only active when the list is not empty. Use it when you want to ensure that an entire branch of the organization shares the same allowed addresses.
When you create or edit an address, a dialog opens with two fields:
IP addresses or address range (required) — here you specify the address or range. The field is validated against CIDR notation, so you can specify both a single address and an entire range (for example a whole network). The field can hold up to 50 characters. If you enter a value that does not follow CIDR notation, you cannot save.
Description (optional) — a free text of up to 255 characters, where you can note what the address covers, for example "Head office" or "Store on the main street".
On the Settings tab you choose which login security method your store should use. The setting determines which requirements must be met before a user is granted access, from just a password to combinations of password, IP filter and two-factor authentication (2FA).
The Login security field is a dropdown with six options:
Password — the user can log in with just username and password. There is no extra login security.
Password and 2FA if set up — in addition to the password, 2FA is required, but only for the users who have 2FA set up. Users without 2FA log in with the password alone.
Password and IP filter or 2FA if set up — the user must either log in from an approved IP address or use 2FA. The 2FA requirement applies only to the users who have 2FA set up.
Password and IP filter or 2FA — the user must either log in from an approved IP address or use 2FA. Here 2FA is expected to be set up.
Password and IP filter and 2FA if set up — the user must both log in from an approved IP address and use 2FA, but the 2FA requirement applies only to the users who have 2FA set up.
Password and IP filter and 2FA — the strictest setting: the user must both log in from an approved IP address and use 2FA.
When you have changed the setting, you save with Save. If you want to discard your change, you select Cancel.
If IP filtering is turned off at the system level, the tab shows the warning banner IP blocking function is turned off. This means that even if you choose a setting with IP filter, the IP blocking will not take effect until the function is enabled system-wide. Contact support if you want IP filtering enabled.
The approved IP addresses are defined on the Allowed IP addresses or ranges tab per organizational unit. They are linked to the selected login security method on the Settings tab: it is the method that determines whether the IP filter is used at all, and whether it is combined with 2FA. The rules are applied at each login: when a user attempts to log in, Sapera assesses access based on the selected security method, the user's IP address and any 2FA. The result of those attempts, both successful and blocked, can subsequently be followed on the Audit tab.
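The following Python sketch is an added example, not Sapera's own code. It models how the six login security methods could combine a CIDR allow-list with 2FA, so you can see which settings still admit a password-only login from an unapproved address. It assumes that "if set up" waives the 2FA step for users without 2FA and that a system-wide disabled IP filter blocks no address; the function names and sample addresses are constructed.

```python
import ipaddress

# Labels are the six options on the Settings tab. The tuple is this sketch's
# reading of each: (how IP filter and 2FA combine, 2FA only "if set up").
MODES = {
    "Password": (None, False),
    "Password and 2FA if set up": ("2fa", True),
    "Password and IP filter or 2FA if set up": ("or", True),
    "Password and IP filter or 2FA": ("or", False),
    "Password and IP filter and 2FA if set up": ("and", True),
    "Password and IP filter and 2FA": ("and", False),
}

# Constructed allow-list: one range and one single address (documentation ranges).
APPROVED = ["203.0.113.0/24", "198.51.100.7"]


def ip_approved(client_ip, approved):
    """True if client_ip lies inside any approved CIDR entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in approved)


def login_allowed(mode, client_ip, approved, has_2fa, passed_2fa, ip_filter_enabled=True):
    """Decide a login whose password has already been verified."""
    combine, if_set_up = MODES[mode]
    # Assumption: "if set up" waives the 2FA step for users who have no 2FA.
    twofa_ok = (has_2fa and passed_2fa) or (if_set_up and not has_2fa)
    # Assumption: with the system-wide IP filter off, no address is blocked.
    ip_ok = (not ip_filter_enabled) or ip_approved(client_ip, approved)
    if combine is None:
        return True
    if combine == "2fa":
        return twofa_ok
    return (ip_ok or twofa_ok) if combine == "or" else (ip_ok and twofa_ok)


def password_only_modes(approved, outside_ip):
    """Settings under which a user without 2FA gets in from an unapproved address."""
    return [m for m in MODES if login_allowed(m, outside_ip, approved, False, False)]


if __name__ == "__main__":
    for mode in password_only_modes(APPROVED, "192.0.2.50"):
        print("password alone is enough from 192.0.2.50:", mode)
```

Under these assumptions, only the settings without "if set up" that include the IP filter guarantee a second factor or an approved address for every user.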
Want to know more?
Read more in these related articles:
Users
Create and manage users in Sapera: the user list with filters and columns, all actions in the toolbar, field-by-field editing, tabs with access and permission management, change password and two-factor authentication.
Groups
Create and edit security groups in Sapera, control what the members have access to via the Permissions tab, and manage membership, group info and token period settings.