Access Preferences
  • 29 Jun 2022

Access Preferences refers to the restrictions that secure the way all users access the system. A user must be an admin user or have the Manage Access Preferences (MANAGE_ACCESS_PREFERENCES) permission to edit these preferences.

Please Note

Access preferences include password policy settings. For security reasons, we recommend carefully controlling which users have the Manage Access Preferences permission.

Managing access preferences

To add and edit access preferences:

  1. On the main menu, go to Administration > Access > Preferences.
  2. Enter all the necessary information. See below for more information on the fields.
  3. Select Save Changes.

[Screenshot: All the available Access Preferences]

Fields for access preferences

Fields with a green outline are required fields. Fields with a grey outline are not required.

Timeout Session (required)

Sets the amount of inactive time that can elapse before a user is automatically logged out.

Min Password Length (required)

Sets the minimum number of characters for user passwords. The minimum password length Mambu allows is 6 characters; as a best practice we recommend at least 8. For more information, see Password Policy.

Minimum Numeric Character Count (required)

Sets the minimum number of numeric characters in user passwords. Mambu recommends a minimum value of at least 3 numeric characters. Minimum values of less than 3 will result in a warning message. The default value is 1.

Minimum Uppercase Character Count

Sets the minimum number of uppercase characters for user passwords. Mambu recommends a minimum value of at least 3 uppercase characters. Minimum values of less than 3 will result in a warning message. If this field is selected, the default value of 0 must be changed.

Minimum Special Character Count

Sets the minimum number of special characters for user passwords. Mambu recommends a minimum value of at least 3 special characters. Minimum values of less than 3 will result in a warning message. If this field is selected, the default value of 0 must be changed.

Automatic Expiry of User Passwords

Defines the validity time period of user passwords. When a password expires, the user will be forced to change it before accessing Mambu.

Please Note

This setting does not apply to API users.

Automatic Expiry of API Consumer Key

Defines the expiration value for all API keys generated during key rotation. This value will not affect keys created in the UI, or created using the createApiKeyByConsumer endpoint. For more information, see API key rotation in the User Guide and the API consumers endpoint in our API Reference.

Limit Previously Used Passwords

Sets the number of previously used passwords that may not be reused when setting a new user password. The limit value must be between 1 and 10. The default value is 4.

If you edit this setting, it only applies to new passwords, not to passwords that were set before the setting was re-configured.
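As an added illustration (not Mambu's code), the following Python models the password-related preferences above: the length and per-character-class minimums, the warning shown for a minimum below 3, and the reuse limit. The policy values, the sample passwords and the `fingerprint` stand-in hash are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(password):
    """Stand-in for a stored password hash so the example is self-contained;
    a real system must store passwords with a slow, salted password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class PasswordPolicy:
    # Field names follow the Access Preferences described above; values are constructed.
    min_length: int = 8        # Mambu's floor is 6; 8 is the recommended practice
    min_numeric: int = 1       # page default
    min_uppercase: int = 0     # 0 means the optional check is off
    min_special: int = 0       # 0 means the optional check is off
    history_limit: int = 4     # Limit Previously Used Passwords, must be 1..10

    def __post_init__(self):
        if self.min_length < 6:
            raise ValueError("minimum password length cannot be below 6")
        if not 1 <= self.history_limit <= 10:
            raise ValueError("history limit must be between 1 and 10")

    def warnings(self):
        """Advisory messages, mirroring the UI warning for a minimum below 3."""
        classes = (("numeric", self.min_numeric), ("uppercase", self.min_uppercase),
                   ("special", self.min_special))
        return [f"minimum {name} count {n} is below the recommended 3"
                for name, n in classes if 0 < n < 3]

    def violations(self, candidate, previous_hashes=()):
        """Return the rules a new password breaks; an empty list means it is accepted."""
        counts = {"numeric": sum(c.isdigit() for c in candidate),
                  "uppercase": sum(c.isupper() for c in candidate),
                  "special": sum(not c.isalnum() for c in candidate)}
        minimums = {"numeric": self.min_numeric, "uppercase": self.min_uppercase,
                    "special": self.min_special}
        found = []
        if len(candidate) < self.min_length:
            found.append(f"length {len(candidate)} is below the minimum {self.min_length}")
        for name, have in counts.items():
            if have < minimums[name]:
                found.append(f"{name} count {have} is below the minimum {minimums[name]}")
        # Only the most recent history_limit entries count, as the setting describes.
        if fingerprint(candidate) in list(previous_hashes)[-self.history_limit:]:
            found.append(f"password was one of the last {self.history_limit} used")
        return found
```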

Lock User After Failed Logins (required)

The Lock User After Failed Logins option is activated across all environments in Mambu. The number of failed login attempts before a user is locked can be set between 3 and 6.

Please Be Aware

Locked users can only be unlocked by an administrator.

The cooldown duration refers to the period after which a user can try logging in again after they've reached the maximum login attempts. The recommended minimum values for the cooldown duration are as follows:

  Failed login attempts   Cooldown duration
  3                       15 minutes
  4                       30 minutes
  5                       60 minutes
  6                       permanent

Please Note

When the maximum number of failed logins is reached, Mambu will automatically send an email to the user to inform them that their account is locked.
In order to make use of this functionality:

If the invalid login attempts come via the APIs using basic auth, the same rules defined in Administration > Access > Preferences > Lock User After Failed Logins apply.
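An added model (not Mambu's code) in Python of the lockout rule and the cooldown table above. It assumes that an elapsed cooldown permits a fresh attempt while the permanent setting needs an administrator unlock, counts UI and basic-auth API attempts against the same per-user counter, and tracks time as plain minutes; user names are constructed.

```python
# Recommended minimum cooldown (minutes) per configured attempt limit, from the table
# above; None stands for "permanent", which only an administrator can clear.
RECOMMENDED_COOLDOWN_MIN = {3: 15, 4: 30, 5: 60, 6: None}


class LoginLockout:
    """Per-user failed-login counter; UI and basic-auth API attempts share one counter."""

    def __init__(self, max_attempts):
        if not 3 <= max_attempts <= 6:
            raise ValueError("failed login attempts must be between 3 and 6")
        self.max_attempts = max_attempts
        self.cooldown = RECOMMENDED_COOLDOWN_MIN[max_attempts]
        self.failures = {}        # user -> consecutive failed attempts
        self.locked_at = {}       # user -> minute at which the lock was applied
        self.notifications = []   # stands in for the lock e-mail the page describes

    def _is_locked(self, user, now_min):
        locked = self.locked_at.get(user)
        if locked is None:
            return False
        if self.cooldown is None:
            return True                 # permanent: only admin_unlock() clears it
        if now_min - locked < self.cooldown:
            return True
        self.admin_unlock(user)         # assumption: an elapsed cooldown allows a retry
        return False

    def attempt(self, user, success, now_min):
        """Apply one login attempt and return 'locked', 'ok' or 'failed'."""
        if self._is_locked(user, now_min):
            return "locked"
        if success:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_at[user] = now_min
            self.notifications.append(f"{user}: account locked after {count} failed logins")
            return "locked"
        return "failed"

    def admin_unlock(self, user):
        """The administrator action that clears a lock and the failure counter."""
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)
```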

IP Access Restrictions

Whitelist approved IP Addresses

This section allows an administrator to define a whitelist of approved IP addresses. Devices must use one of the approved IP addresses in order to log in to Mambu.

We have added extended support for IP address whitelisting, and we now support the following IP address formats:

  • static IPv4 IPs
  • IPv4 IPs with wildcard (Example: 192.168.0.*)
  • IPv4 IPs with byte range (Example: 192.168.0.1-25)
  • Classless Inter-Domain Routing (CIDR) notation (Example: 192.168.0.1/24)

Please Note

We don't support IPv6 IP addresses yet.
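As an added example (not Mambu's code), a Python matcher for the four supported entry formats listed above. It generalises the wildcard and byte-range forms to any octet, not only the last one shown in the examples, and rejects IPv6 both as an entry and as a client address, matching the note that IPv6 is not supported; the entries and client addresses in the comments are constructed.

```python
import ipaddress
import re


def _octet_matcher(part):
    """Predicate for one dotted-quad position: exact value, 'a-b' range, or '*'."""
    if part == "*":
        return lambda o: True
    m = re.fullmatch(r"(\d{1,3})-(\d{1,3})", part)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {part}")
        return lambda o: lo <= o <= hi
    if re.fullmatch(r"\d{1,3}", part) and int(part) <= 255:
        value = int(part)
        return lambda o: o == value
    raise ValueError(f"bad octet: {part}")


def compile_entry(entry):
    """Turn one whitelist entry (e.g. 192.168.0.*) into a predicate over an IPv4Address."""
    entry = entry.strip()
    if ":" in entry:
        raise ValueError(f"IPv6 entries are not supported: {entry}")
    if "/" in entry:
        # CIDR; strict=False so a host address such as 192.168.0.1/24 is accepted
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in net
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 pattern: {entry}")
    matchers = [_octet_matcher(p) for p in parts]
    # ip.packed yields the four octets as integers 0..255
    return lambda ip: all(m(o) for m, o in zip(matchers, ip.packed))


def compile_allowlist(entries):
    """Compile the whole whitelist; any malformed entry raises ValueError."""
    return [compile_entry(e) for e in entries]


def is_allowed(client_ip, rules):
    """True if the client address matches at least one whitelist rule."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return False   # IPv6 clients cannot match: the whitelist has no IPv6 support
    return any(rule(ip) for rule in rules)
```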

Blocked IP addresses

Mambu blocks IP addresses if there are repeated unauthorized API calls from API consumers, which are used to generate API keys for the Mambu UI. For more information, see API Consumers.

An IP address is blocked if there are 10 unauthorized calls (calls with invalid credentials) made from the same IP address. There is no timeframe within which these 10 calls need to be made.

The number of unauthorized calls only gets reset if a valid authorized call comes from the same IP address before the maximum number of 10 calls is reached.
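An added Python model (not Mambu's code) of the blocked-IP rule just described: a per-address count of calls with invalid credentials, a block at 10 with no time window, a reset only when a valid call arrives before the threshold, and the manual Reset action. The log sample is constructed, and `near_threshold` is an added monitoring helper, not a Mambu feature.

```python
BLOCK_THRESHOLD = 10   # unauthorized calls from one address before it is blocked


class BlockedIpTracker:
    """Models the Blocked IPs list: count bad-credential calls per address, block at 10."""

    def __init__(self):
        self.unauthorized = {}   # ip -> unauthorized calls since the last valid call
        self.blocked = set()

    def record_call(self, ip, authorized):
        """Apply one API call and return 'blocked', 'ok' or 'counted'."""
        if ip in self.blocked:
            return "blocked"                   # valid credentials no longer help once blocked
        if authorized:
            self.unauthorized.pop(ip, None)    # a reset only happens before the threshold
            return "ok"
        count = self.unauthorized.get(ip, 0) + 1
        if count >= BLOCK_THRESHOLD:           # no time window: the calls can be spread out
            self.unauthorized.pop(ip, None)
            self.blocked.add(ip)
            return "blocked"
        self.unauthorized[ip] = count
        return "counted"

    def near_threshold(self, margin=2):
        """Addresses within `margin` failures of being blocked, for monitoring."""
        return sorted(ip for ip, n in self.unauthorized.items()
                      if n >= BLOCK_THRESHOLD - margin)

    def reset(self):
        """The Reset action on the preferences page: clears the blocked list."""
        self.blocked.clear()
        self.unauthorized.clear()


# Constructed sample of "<client ip> <http status>" lines; 401 = invalid credentials.
SAMPLE_LOG = (["198.51.100.9 401"] * 10 + ["203.0.113.7 401"] * 9
              + ["203.0.113.7 200", "198.51.100.9 200"])


def replay(lines):
    """Feed log lines through a fresh tracker and return it."""
    tracker = BlockedIpTracker()
    for line in lines:
        ip, status = line.split()
        tracker.record_call(ip, authorized=(status != "401"))
    return tracker
```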

You will only be able to see the Blocked IPs list if you have the API Consumers feature enabled.

To see the Blocked IPs list:

  1. On the main menu, go to Administration > Access > Preferences.
  2. Select the Show/Hide blocked IPs check box.

The Blocked IPs list is automatically populated with IP addresses that repeatedly try to access Mambu APIs as anonymous consumers.

You can reset this list and allow access to those IP addresses by selecting Reset.

[Screenshot: API Consumers enabled - show blocked IPs]

Critical Actions Re-Authentication

A Critical Action is an action which Mambu deems has business critical functionality. You can find a list of all critical actions below.

If you select the Require Admin Password check box in the Critical Actions Re-Authentication section, then this protection mechanism invokes a re-authentication request, and users are asked to provide their credentials when they perform critical actions in the system.

In the context of using Mambu login

With this setting enabled, logged-in users are prompted to re-enter their password for identity verification whenever performing critical actions such as changing important settings, modifying products, making transfers, and so on.

In the context of using federated authentication

When using federated authentication, you delegate user and password management to your identity provider, so Mambu cannot handle re-authentication requests for those users.

We generally advise you to use granular administrative permissions properly and set up multi-factor authentication (MFA) in your identity provider as part of good access practices.

If you choose to keep this option enabled when you are using federated authentication, please note that we will only ask administrators to re-authenticate before executing a critical action, as the rest of the users do not have Mambu credentials.

Actions considered "Critical" in Mambu

The following is a list of critical actions:

  • Toggle App State
  • Store App
  • Delete App
  • Database export
  • Reset Data
  • Store Accounting Settings
  • Store Security Settings
  • Store General Settings
  • Toggle Loan Product Activation
  • Change Branch State
  • Store Product Document Template
  • Delete Product Document Template
  • Toggle Savings Product Activation
  • Delete Savings Product
  • Store Federated Authentication Settings
  • Delete Role
  • Store Role
  • Store User
  • Delete User
  • Change User State
  • Lock User
  • Toggle Support/Delivery Access
  • Store API consumer
  • Update API consumer
  • Delete API consumer
  • Delete API key
  • Store Loan Product
  • Store Savings Product
