At Axero, we have a continuous commitment to protect the security and privacy of our clients' sensitive data. Please review some of the most important security settings to ensure you are following best practices and communicating those best practices to your users.
Documentation: Site Settings
Settings to review:
Allow access only to registered members - If checked, people must register and login to the platform before accessing anything. If unchecked, then your platform can be viewed by Guests in a read-only mode.
Best practice: Checked ☑
Auto-approve members - If checked, then people will be automatically approved as members once they confirm their registered email. If unchecked, then the system admin will have to manually approve every user even after they confirm their email.
Best practice: Unchecked ☐
Allowed email domains - You can restrict user registrations to specific email domains. This is useful if you only want people to register using your company email domain. Enter a list of comma separated values (e.g. yourdomain.com, yourotherdomain.com), or enter * to allow any domain.
Best practice: Restrict user registration to your company email domain only.
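The following is an added example, not Axero's own code, showing how a registration check against an "Allowed email domains" value of the form described above (comma-separated domains, or * for any domain) should behave. The function names and the decision to compare the domain exactly rather than by suffix are this example's assumptions; the point of the exact comparison is that a suffix match would accept addresses such as user@yourdomain.com.example.net, which is not what the setting intends.

```python
# Added example (not Axero's code): emulate the "Allowed email domains"
# registration check. Assumes the setting value is the comma-separated
# string described in the documentation, with "*" meaning any domain.
from typing import Optional, Set


def parse_allowed_domains(setting: str) -> Optional[Set[str]]:
    """Parse the comma-separated setting value.

    Returns None when any domain is allowed (an entry of "*"), otherwise the
    set of allowed domains, lower-cased, with surrounding whitespace and any
    leading "@" removed (the leading-"@" tolerance is an assumption).
    """
    entries = [e.strip().lower().lstrip("@") for e in setting.split(",")]
    entries = [e for e in entries if e]
    if "*" in entries:
        return None
    return set(entries)


def registration_allowed(email: str, setting: str) -> bool:
    """Return True if a registration with this email address should be accepted."""
    allowed = parse_allowed_domains(setting)
    if allowed is None:
        return True
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return False  # not a usable address: no "@", empty local part or empty domain
    domain = domain.lower().rstrip(".")
    # Exact match only. A suffix test such as domain.endswith("yourdomain.com")
    # would also accept "notyourdomain.com" and "yourdomain.com.example.net".
    return domain in allowed


if __name__ == "__main__":
    # Constructed sample input: the documented example setting plus a few addresses.
    setting = "yourdomain.com, yourotherdomain.com"
    for address in ["alice@YourDomain.com", "bob@notyourdomain.com",
                    "eve@yourdomain.com.example.net", "carol@yourotherdomain.com"]:
        print(address, "->", registration_allowed(address, setting))
```

Run the block directly to see the four sample addresses classified; only the two whose domain exactly matches an entry in the setting are accepted.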
Documentation: Email Settings
Enable email sending - Based on actions people take in the platform, notification emails are sent to other people associated with the activity. If you do not want these emails to be sent, you can turn this off. Leave this feature on if you do want these emails to be sent.
Best practice: Client preference
Documentation: REST API Settings
Enable REST API - You can use our REST API to access your data and perform functions in Axero.
Best practice: If you are not leveraging REST APIs, this setting should be unchecked ☐
Select users who can access the REST API - The REST API key is tied to the user, roles and permissions in Axero. Users will be granted or denied access to content or functions in the REST API based on the users' permissions. It's standard to create a master system user with the Site Administrator role to perform administrative functions against the REST API.
Best practice: Only the Site Administrator role should be checked ☑
Documentation: User Section Permissions
All permissions - You should review all permissions for roles other than the site administrator.
Best practice: Users or members should only have “View User Profile” and “Edit” access if required.
Documentation: Login, Edit Profile Page, Edit Registration Page
Edit login page - The login page is the front door to your site. It should be configured with the login paths you are actively using (e.g., SSO, email/username/password, two-factor authentication, and/or social logins).
Best practice: Set the permission for inactive login widgets to Site Administrator only so they will not appear for users logging in.
SSO auto-login - If your site uses Single Sign On (SSO) with auto-login, your users won't see the Communifire login page when they visit your site. Instead, they'll see the login page of your SSO provider.
No SSO Provider - When your intranet doesn't use a Single Sign-On provider, users who aren't logged in will see a page where they can log in by entering their username or email. So that users can log in on the Communifire login page with their username or email and password, ensure that the following fields are not removed from the login page:
Best practice: Enabled for clients who only leverage SSO logins.
Edit registration page - You can hide the registration form to prevent people from registering on your site.
Best practice: Hide the registration form if you are provisioning users or relying on an integration to do so.
Set Maximum Invalid Login Attempts - You can set the maximum number of invalid login attempts before an account is locked. Go to Control Panel > System > System Properties and search for MaxInvalidLoginAttempts.
Best practice: Set a maximum of 5 invalid login attempts.
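The following is an added example, not Axero's own code, of the lockout behaviour that a MaxInvalidLoginAttempts value of 5 describes: a per-account failure counter that locks the account on the fifth consecutive invalid attempt. How long the lock lasts, that a correct password is rejected while the lock is active, and that the counter resets after a successful login are assumptions of this example rather than documented Communifire behaviour.

```python
# Added example (not Axero's code): a per-account invalid-login counter that
# locks the account once MAX_INVALID_LOGIN_ATTEMPTS consecutive failures are
# recorded. Lock duration and reset-on-success are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_INVALID_LOGIN_ATTEMPTS = 5  # the documented best-practice value
LOCKOUT_SECONDS = 15 * 60       # assumption: how long a lock lasts


@dataclass
class AccountState:
    failures: int = 0          # consecutive invalid attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, max_attempts: int = MAX_INVALID_LOGIN_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, username: str, now: float) -> bool:
        state = self.accounts.get(username.lower())
        return state is not None and now < state.locked_until

    def record_attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Apply one login attempt and return "ok", "failed" or "locked".

        A locked account rejects the attempt even when the password is correct,
        so an attacker cannot learn the password during the lock window.
        """
        state = self.accounts.setdefault(username.lower(), AccountState())
        if now < state.locked_until:
            return "locked"
        if password_ok:
            state.failures = 0  # assumption: a success resets the counter
            return "ok"
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            state.failures = 0
            return "locked"
        return "failed"


def simulate(events: List[Tuple[str, bool, float]]) -> List[str]:
    """Replay (username, password_ok, timestamp) events and return each outcome."""
    guard = LoginGuard()
    return [guard.record_attempt(user, ok, ts) for user, ok, ts in events]


# Constructed sample input: five wrong passwords for one account, then a correct
# password during the lock, then a correct password after the lock expires.
SAMPLE_EVENTS = [("alice", False, t) for t in range(0, 5)] + [
    ("alice", True, 10.0),
    ("alice", True, 10.0 + LOCKOUT_SECONDS),
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Running the block shows four "failed" outcomes, a "locked" outcome on the fifth invalid attempt, "locked" again for the correct password submitted during the lock window, and "ok" once the window has passed.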