Access Preferences
  • 23 May 2023
  • 6 Minutes To Read
  • Dark
    Light
  • PDF

Access Preferences

  • Dark
    Light
  • PDF

Article Summary

Access Preferences refers to the restrictions that secure the way all users access the system. A user must be an admin user or have the Manage Access Preferences (MANAGE_ACCESS_PREFERENCES) to edit these preferences.

Please Note

Access preferences include password policy settings. For security reasons, we recommend carefully controlling which users have the Manage Access Preferences permission.

Managing access preferences

To add and edit access preferences:

  1. On the main menu, go to Administration > Access > Preferences.
  2. Enter all the necessary information. See below for more information on the fields.
  3. Select Save Changes.

All the available Access Preferences

Fields for access preferences

Fields with a green outline are required fields. Fields with a grey outline are not required.

Timeout Session (required)

Sets the amount of inactive time that can elapse before a user is automatically logged out.

Min Password Length (required)

Sets the minimum number of characters for user passwords. The minimum password length Mambu allows is 6 characters; as a best practice we recommend at least 8. For more information, see Password Policy.

Minimum Numeric Character Count (required)

Sets the minimum number of characters that are numbers for user passwords. Mambu recommends a minimum value of at least 3 numerical characters. Minimum values of less than 3 will result in a warning message. The default value is 1.

Minimum Uppercase Character Count

Sets the minimum number of uppercase characters for user passwords. Mambu recommends a minimum value of at least 3 uppercase characters. Minimum values of less than 3 will result in a warning message. If this field is selected, the default value of 0 must be changed.

Minimum Special Character Count

Sets the minimum number of special characters for user passwords. Mambu recommends a minimum value of at least 3 special characters. Minimum values of less than 3 will result in a warning message. If this field is selected, the default value of 0 must be changed.

Automatic Expiry of User Passwords

Defines the validity time period of user passwords. When a password expires, the user will be forced to change it before accessing Mambu.

Please Note

This setting does not apply to API users.

Automatic Expiry of API Consumer Key

Defines the expiration value for all API keys generated during key rotation. This value will not affect keys created in the UI, or created using the createApiKeyByConsumer endpoint. For more information, see API key rotation in the User Guide and the API consumers endpoint in our API Reference.

Limit Previously Used Passwords

Sets the amount of previously used passwords that may not be reused when setting a new user password. The limit value must be between 1 and 10. The default value is 4.

If you edit this setting, it only applies to new passwords, not to passwords that were set before the setting was re-configured.

Lock User After Failed Logins (required)

The Lock User After Failed Logins option is activated across all environments in Mambu. The number of failed login attempts can now be set between 3 and 6.

Please Be Aware

Locked users can only be unlocked by an administrator.

The cooldown duration refers to the period after which a user can try logging in again after they've reached the maximum login attempts. The recommended minimum values for the cooldown duration are as follows:

Failed login attemptsCooldown duration
315 minutes
430 minutes
560 minutes
6permanent
Please Note

When the maximum number of failed logins is reached, Mambu will automatically send an email to the user to inform them that their account is locked.
In order to make use of this functionality:

If the invalid login attempts come via the APIs using basic auth, the same rules defined in Administration > Access > Preferences > Lock User After Failed Logins apply.

IP Access Restrictions

Whitelist approved IP Addresses

An administrator may define a whitelist of approved IP addresses and also define the types of users that the whitelist applies to by using the Apply To setting, which applies to all the IP addresses. It is not possible to configure granular settings for each IP address.

Please Note
This feature does not support IPv6 IP addresses and IP whitelisting only covers the Mambu cloud banking platform.

Whitelist approved IP Adresses

The types of users that the whitelist may apply to are:

  • Admins: users or API consumers with admin access rights accessing through the UI or API.
  • Users: users accessing through the Mambu UI.
  • API: users with API rights or API consumers accessing via API.

If a whitelist is defined, devices must use one of the approved IP addresses in order to log in to Mambu.

To add an IP address to the whitelist:

  1. Select the Whitelist approved IP Adresses checkbox.
  2. Enter the IP address in the field below the whitelist.
  3. Select Add.

IP whitelisting supports the following IP address formats:

  • Static IPv4 IP addresses
  • IPv4 IP addresses with wildcards (Example: 192.168.0.*)
  • IPv4 IP addresses with byte range (Example: 192.168.0.1-25)
  • Classless Inter-Domain Routing (CIDR) notation (Example: 192.168.0.1/24)

Blocked IP addresses

API consumers generate API keys which are used to authenticate API requests. Mambu blocks any IP address that issues a total of 10 unauthorized API requests from an API consumer. This applies even if the IP has been whitelisted. There is no timeframe within which these 10 calls need to be made. Administrators may remove IP addresses from the blocked list.

Blocked IPs list

Please Note

API Consumers is an early access feature. For more information, see API Consumers.

To remove an IP address from the blocked list:

  1. On the main menu, go to Administration > Access > Preferences.
  2. Under the IP Access Restrictions section, select the Show / Hide blocked IPs check box.
  3. Select the IP addresses you would like to remove and select Reset.

Critical Actions Re-Authentication

A Critical Action is an action which Mambu deems has business critical functionality. You can find a list of all critical actions below.

If you select the Require Admin Password check box in the Critical Actions Re-Authentication section, then this protection mechanism invokes a re-authentication request, and users are asked to provide their credentials when they perform critical actions in the system.

In the context of using Mambu login

With this setting enabled, logged-in users are prompted to re-enter their password for identity verification whenever performing critical actions such as changing important settings, modifying products, making transfers, and so on.

In the context of using federated authentication

When using federated authentication, you delegate user and password management to your identity provider, hence we cannot manage its re-authentication requests.

We generally advise you to use granular administrative permissions properly and setup multi-factor authentication (MFA) in your Identity Provider, if you want to setup good access practices.

If you choose to keep this option enabled when you are using federated authentication, please note that we will only ask administrators to re-authenticate before executing a critical action, as the rest of the users do not have Mambu credentials.

Actions considered "Critical" in Mambu

The following is a list of critical actions:

  • Toggle App State
  • Store App
  • Delete App
  • Database export
  • Reset Data
  • Store Accounting Settings
  • Store Security Settings
  • Store General Settings
  • Toggle Loan Product Activation
  • Change Branch State
  • Store Product Document Template
  • Delete Product Document Template
  • Toggle Savings Product Activation
  • Delete Savings Product
  • Store Federated Authentication Settings
  • Delete Role
  • Store Role
  • Store User
  • Delete User
  • Change User State
  • Lock User
  • Toggle Support/Delivery Access
  • Store API consumer
  • Update API consumer
  • Delete API consumer
  • Delete API key
  • Store Loan Product
  • Store Savings Product

Was this article helpful?