Access Preferences
- Updated On 03 Apr 2024
Access Preferences refers to the restrictions that secure the way all users access the system. A user must be an admin user or have the Manage Access Preferences (MANAGE_ACCESS_PREFERENCES) permission to edit these preferences.
Access preferences include password policy settings. For security reasons, we recommend carefully controlling which users have the Manage Access Preferences permission.
Managing access preferences
To add and edit access preferences:
- On the main menu, go to Administration > Access > Preferences.
- Enter all the necessary information. See below for more information on the fields.
- Select Save Changes.
Fields for access preferences
Fields with a green outline are required fields. Fields with a grey outline are not required.
Timeout Session (required)
Sets the amount of inactive time that can elapse before a user is automatically logged out.
Min Password Length (required)
Sets the minimum number of characters for user passwords. The minimum password length Mambu allows is 6 characters; as a best practice we recommend at least 8. For more information, see Password Policy.
Minimum Numeric Character Count (required)
Sets the minimum number of numeric characters required in user passwords. Mambu recommends a minimum value of at least 3 numeric characters. Minimum values of less than 3 will result in a warning message. The default value is 1.
Minimum Uppercase Character Count
Sets the minimum number of uppercase characters for user passwords. Mambu recommends a minimum value of at least 3 uppercase characters. Minimum values of less than 3 will result in a warning message. If this field is selected, the default value of 0 must be changed.
Minimum Special Character Count
Sets the minimum number of special characters for user passwords. Mambu recommends a minimum value of at least 3 special characters. Minimum values of less than 3 will result in a warning message. If this field is selected, the default value of 0 must be changed.
Automatic Expiry of User Passwords
Defines the validity time period of user passwords. When a password expires, the user will be forced to change it before accessing Mambu.
This setting does not apply to API users.
Automatic Expiry of API Consumer Key
Defines the expiration value for all API keys generated during key rotation. This value will not affect keys created in the UI, or created using the createApiKeyByConsumer endpoint. For more information, see API key rotation in the User Guide and the API consumers endpoint in our API Reference.
Limit Previously Used Passwords
Sets the number of previously used passwords that may not be reused when a new user password is set. The limit value must be between 1 and 10. The default value is 4.
If you edit this setting, it only applies to new passwords, not to passwords that were set before the setting was re-configured.
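The password fields above combine into one policy that a new password must satisfy. The following is an added example, not Mambu's own code: it models the fields as a policy object, reproduces the "below recommended value" warnings, and validates a candidate password, including the reuse check against only the newest `history_limit` entries. The PBKDF2 round count, the field names and the message strings are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SPECIAL_CHARS = set(string.punctuation)
PBKDF2_ROUNDS = 50_000   # constructed for the example; production values are higher


@dataclass(frozen=True)
class PasswordPolicy:
    """One value per password-related Access Preferences field."""
    min_length: int = 8       # Mambu accepts 6 at minimum; 8 is the recommended floor
    min_numeric: int = 1      # Mambu default is 1; 3 or more is recommended
    min_uppercase: int = 0    # 0 means the check is not enforced
    min_special: int = 0      # 0 means the check is not enforced
    history_limit: int = 4    # "Limit Previously Used Passwords": default 4, allowed 1..10

    def __post_init__(self) -> None:
        if self.min_length < 6:
            raise ValueError("Mambu does not accept a minimum password length below 6")
        if not 1 <= self.history_limit <= 10:
            raise ValueError("the previously used password limit must be between 1 and 10")


def policy_warnings(policy: PasswordPolicy) -> List[str]:
    """Mirror the UI warnings shown when a value is below Mambu's recommendation."""
    warnings = []
    if policy.min_length < 8:
        warnings.append("minimum length below the recommended 8")
    if policy.min_numeric < 3:
        warnings.append("numeric character count below the recommended 3")
    if 0 < policy.min_uppercase < 3:
        warnings.append("uppercase character count below the recommended 3")
    if 0 < policy.min_special < 3:
        warnings.append("special character count below the recommended 3")
    return warnings


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so the reuse history never holds plaintext."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def validate_password(policy: PasswordPolicy, candidate: str,
                      history: Sequence[Tuple[bytes, bytes]]) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is accepted.

    `history` holds (salt, digest) pairs of earlier passwords, oldest first.
    Only the newest `history_limit` entries count as "previously used".
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if sum(c.isdigit() for c in candidate) < policy.min_numeric:
        problems.append(f"fewer than {policy.min_numeric} numeric characters")
    if sum(c.isupper() for c in candidate) < policy.min_uppercase:
        problems.append(f"fewer than {policy.min_uppercase} uppercase characters")
    if sum(c in SPECIAL_CHARS for c in candidate) < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    # Re-hash the candidate with each stored salt; constant-time compare avoids leaking matches.
    for salt, digest in history[-policy.history_limit:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {policy.history_limit} passwords")
            break
    return problems
```

Because the history window is sliced from the newest entries, raising the limit later only affects passwords set after the change, which is the behaviour described for the Limit Previously Used Passwords field.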
Lock User After Failed Logins (required)
The Lock User After Failed Logins option is activated across all environments in Mambu. The number of failed login attempts can now be set between 3 and 6.
Locked users can only be unlocked by an administrator.
The cooldown duration refers to the period after which a user can try logging in again after they've reached the maximum login attempts. The recommended minimum values for the cooldown duration are as follows:
| Failed login attempts | Cooldown duration |
|---|---|
| 3 | 15 minutes |
| 4 | 30 minutes |
| 5 | 60 minutes |
| 6 | permanent |
When the maximum number of failed logins is reached, Mambu will automatically send an email to the user to inform them that their account is locked.
In order to make use of this functionality:
- You must have set up a valid email server.
- The user must have an email address associated with their account.
If the invalid login attempts come via the APIs using basic auth, the same rules defined in Administration > Access > Preferences > Lock User After Failed Logins apply.
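To make the lockout rules concrete, here is an added example (not Mambu's own code) that tracks failed logins for one user, applies the cooldown from the table above, treats the threshold of 6 as a permanent lock that only an administrator can clear, and records the lock notice only when an email server is configured and the user has an address. Failed basic-auth API logins feed the same counter as UI logins. The state and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Recommended minimum cooldown for each threshold (from the table above).
# None marks the permanent lock that only an administrator can clear.
COOLDOWN_BY_THRESHOLD = {
    3: timedelta(minutes=15),
    4: timedelta(minutes=30),
    5: timedelta(minutes=60),
    6: None,
}
PERMANENT = datetime.max


@dataclass(frozen=True)
class LockoutPolicy:
    max_failed_logins: int = 3   # Mambu accepts values from 3 to 6

    def __post_init__(self) -> None:
        if self.max_failed_logins not in COOLDOWN_BY_THRESHOLD:
            raise ValueError("failed login attempts must be between 3 and 6")

    @property
    def cooldown(self) -> Optional[timedelta]:
        return COOLDOWN_BY_THRESHOLD[self.max_failed_logins]


@dataclass
class UserLockState:
    username: str
    email: Optional[str]                  # None: no address on the account, so no lock notice
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    notifications: List[str] = field(default_factory=list)   # stand-in for the email server


def is_locked(state: UserLockState, now: datetime) -> bool:
    if state.locked_until is None:
        return False
    return state.locked_until == PERMANENT or now < state.locked_until


def record_failed_login(policy: LockoutPolicy, state: UserLockState, now: datetime,
                        channel: str = "ui", email_server_configured: bool = True) -> bool:
    """Apply one failed attempt and return True if it locked the account.

    `channel` is "ui" or "api-basic-auth": both feed the same counter, as the
    page states for basic-auth API logins.
    """
    if is_locked(state, now):
        return False   # attempt rejected outright; the counter does not move
    if state.locked_until is not None:
        # cooldown has elapsed: the user gets a fresh window of attempts
        state.failed_attempts = 0
        state.locked_until = None
    state.failed_attempts += 1
    if state.failed_attempts < policy.max_failed_logins:
        return False
    cooldown = policy.cooldown
    state.locked_until = PERMANENT if cooldown is None else now + cooldown
    if email_server_configured and state.email:
        state.notifications.append(f"lock notice sent to {state.email} ({channel})")
    return True


def record_successful_login(state: UserLockState, now: datetime) -> bool:
    """A correct password while locked is still rejected; otherwise the counter resets."""
    if is_locked(state, now):
        return False
    state.failed_attempts = 0
    state.locked_until = None
    return True


def admin_unlock(state: UserLockState) -> None:
    """The administrator's unlock action, the only way out of a permanent lock."""
    state.failed_attempts = 0
    state.locked_until = None
```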
IP Access Restrictions
Whitelist approved IP Addresses
An administrator may define a whitelist of approved IP addresses and, using the Apply To setting, define the types of users that the whitelist applies to. The Apply To setting covers every IP address in the whitelist; it is not possible to configure granular settings for each IP address.
The types of users that the whitelist may apply to are:
- Admins: users or API consumers with admin access rights accessing through the UI or API.
- Users: users accessing through the Mambu UI.
- API: users with API rights or API consumers accessing via API.
If a whitelist is defined, devices must use one of the approved IP addresses in order to log in to Mambu.
To add an IP address to the whitelist:
- Select the Whitelist approved IP Addresses checkbox.
- Enter the IP address in the field below the whitelist.
- Select Add.
IP whitelisting supports the following IP address formats:
- Static IPv4 IP addresses
- IPv4 IP addresses with wildcards (Example: 192.168.0.*)
- IPv4 IP addresses with byte range (Example: 192.168.0.1-25)
- Classless Inter-Domain Routing (CIDR) notation (Example: 192.168.0.1/24)
Blocked IP addresses
API consumers generate API keys which are used to authenticate API requests. Mambu blocks any IP address that issues a total of 10 unauthorized API requests from an API consumer. This applies even if the IP has been whitelisted. There is no timeframe within which these 10 calls need to be made. Administrators may remove IP addresses from the blocked list.
API Consumers is an early access feature. For more information, see API Consumers.
To remove an IP address from the blocked list:
- On the main menu, go to Administration > Access > Preferences.
- Under the IP Access Restrictions section, select the Show / Hide blocked IPs check box.
- Select the IP addresses you would like to remove and select Reset.
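The whitelist formats listed under IP Access Restrictions and the automatic block list described under Blocked IP addresses decide together whether a connection is accepted. The following added example (not Mambu's own code) parses the four supported entry formats into matchers, honours the Apply To user types, counts unauthorized API requests per IP with no time window, blocks an IP at 10 even when it is whitelisted, and models the administrator's Reset action. It goes beyond the page's examples in accepting a wildcard or byte range in any octet, not only the last. Class and method names are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

UNAUTHORIZED_REQUEST_LIMIT = 10   # total per IP, with no time window
OCTET_RE = re.compile(r"^(\*|\d{1,3}(?:-\d{1,3})?)$")

Matcher = Callable[[ipaddress._BaseAddress], bool]


def compile_whitelist_entry(entry: str) -> Matcher:
    """Turn one whitelist entry into a predicate over an IP address.

    Accepted forms: a static IPv4 address, CIDR notation, and a wildcard or a
    byte range in any octet (the page shows them in the last octet only).
    """
    if "/" in entry:
        # strict=False lets 192.168.0.1/24 denote 192.168.0.0/24, as the page's example does
        network = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in network
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 whitelist entry: {entry!r}")
    octet_tests = []
    for part in parts:
        if not OCTET_RE.match(part):
            raise ValueError(f"bad octet {part!r} in {entry!r}")
        if part == "*":
            octet_tests.append(lambda o: True)
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad byte range {part!r} in {entry!r}")
            octet_tests.append(lambda o, lo=lo, hi=hi: lo <= o <= hi)
        else:
            value = int(part)
            if value > 255:
                raise ValueError(f"bad octet {part!r} in {entry!r}")
            octet_tests.append(lambda o, v=value: o == v)
    # ip.packed yields the four octets as ints; IPv6 never matches an IPv4 entry
    return lambda ip: ip.version == 4 and all(t(o) for t, o in zip(octet_tests, ip.packed))


@dataclass
class IpAccessControl:
    """Whitelist plus the automatic block list, evaluated as the page describes."""
    whitelist: List[str] = field(default_factory=list)
    apply_to: Set[str] = field(default_factory=lambda: {"admins", "users", "api"})
    unauthorized_counts: Dict[str, int] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self._matchers = [compile_whitelist_entry(e) for e in self.whitelist]

    def is_allowed(self, ip_str: str, principal_type: str) -> bool:
        """principal_type is one of "admins", "users", "api" (the Apply To options)."""
        ip = ipaddress.ip_address(ip_str)
        if str(ip) in self.blocked:
            return False   # the block list overrides the whitelist
        if not self._matchers or principal_type not in self.apply_to:
            return True    # no whitelist, or it does not apply to this kind of user
        return any(match(ip) for match in self._matchers)

    def record_unauthorized_api_request(self, ip_str: str) -> bool:
        """Count one API request that failed authentication; True when the IP becomes blocked."""
        key = str(ipaddress.ip_address(ip_str))
        count = self.unauthorized_counts.get(key, 0) + 1
        self.unauthorized_counts[key] = count
        if count >= UNAUTHORIZED_REQUEST_LIMIT:
            self.blocked.add(key)
            return True
        return False

    def reset_blocked(self, ip_strs: Iterable[str]) -> None:
        """The administrator's Reset action for the selected blocked IPs."""
        for ip_str in ip_strs:
            key = str(ipaddress.ip_address(ip_str))
            self.blocked.discard(key)
            self.unauthorized_counts.pop(key, None)
```

Because the counter never expires, a client that keeps retrying with a revoked or mistyped API key from a whitelisted address will eventually be blocked; checking the blocked list first in `is_allowed` is what makes the block win over the whitelist.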
Critical Actions Re-Authentication
A Critical Action is an action which Mambu deems has business critical functionality. You can find a list of all critical actions below.
If you select the Require Admin Password check box in the Critical Actions Re-Authentication section, then this protection mechanism invokes a re-authentication request, and users are asked to provide their credentials when they perform critical actions in the system.
In the context of using Mambu login
With this setting enabled, logged-in users are prompted to re-enter their password for identity verification whenever performing critical actions such as changing important settings, modifying products, making transfers, and so on.
In the context of using federated authentication
When using federated authentication, you delegate user and password management to your identity provider, hence we cannot manage its re-authentication requests.
We generally advise you to use granular administrative permissions properly and to set up multi-factor authentication (MFA) in your Identity Provider if you want to establish good access practices.
If you choose to keep this option enabled when you are using federated authentication, please note that we will only ask administrators to re-authenticate before executing a critical action, as the rest of the users do not have Mambu credentials.
Actions considered "Critical" in Mambu
The following is a list of critical actions:
- Toggle App State
- Store App
- Delete App
- Database export
- Reset Data
- Store Accounting Settings
- Store Security Settings
- Store General Settings
- Toggle Loan Product Activation
- Change Branch State
- Store Product Document Template
- Delete Product Document Template
- Toggle Savings Product Activation
- Delete Savings Product
- Store Federated Authentication Settings
- Delete Role
- Store Role
- Store User
- Delete User
- Change User State
- Lock User
- Toggle Support/Delivery Access
- Store API consumer
- Update API consumer
- Delete API consumer
- Delete API key
- Store Loan Product
- Store Savings Product