System Permissions Management is an administrative feature that administrators access via the Admin tab > User Management and Security section.
To access Security Permissions Management, go to Admin > User Management and Security > System Permissions.
The Risk Assess security policies can be set to meet a Client’s internal company security policy. This is where an administrator can set the following:
- Number of Failed Login Attempts (number of times a user can mistype their password before being locked out of the system - defaults to 3)
- Number of Different Passwords (number of unique passwords that must be used before a previous password can be reused - defaults to 5)
- Password Activation Period (days) (the number of days a user has to activate their account after they are first sent their account activation email. After that, the account is no longer valid and requires an administrator to re-activate it - defaults to 45, maximum is 999)
- Password Minimum Length (the minimum number of characters that must be included in the password - defaults to 6, minimum is 6, maximum is 8)
- Password Strength (a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly - defaults to Strong)
  - Strong: password must contain at least 2 special characters of the types listed above (e.g., Password – uppercase and lowercase).
  - Very Strong: password must contain at least 3 special characters of the types listed above (e.g., Passw0rd – uppercase, lowercase and number).
  - Extremely Strong: password must contain at least 4 special characters of the types listed above (e.g., Pas$w0rd – uppercase, lowercase, number and special symbol).
Risk Assess passwords are hashed with SHA-512.
- Session Timeout (minutes) (the number of minutes the session can be idle before the user is logged out - defaults to 45, minimum is 16, maximum is 120)
- Account Activation Timeout (days) (the number of days the account can remain inactive (user has not logged in) before the login account is deactivated in Risk Assess - defaults to 180, minimum is 1, maximum is 999). When this limit is exceeded, the account is flagged as “timed out” and an admin must reset the password before the user can log in. This flag does not inactivate the account. This setting only applies to the user’s first login after their password is reset.
- Use Account Activation Timeout on Password Reset (use the value defined for account activation timeout to apply as well to password resets - defaults to Yes)
- Number of Secret Question Attempts (the number of times the user can type an incorrect answer to the secret question before being locked out of the system - defaults to 5, minimum is 1, maximum is 999)
  - There are 2 different scenarios under which the security question is presented to the user. First: The user may use the security question to reset their own password when they forget it. When the user clicks on the “Forgot Password” link on the login page, they are presented with the security question page. If they answer the question correctly, they are notified that they will soon receive an email with their new temporary password. They are required to change the temporary password the first time they log into Risk Assess with it. Second: If the user exceeds the number of allowed password attempts, they are presented with a message that they have been locked out of the system. This message instructs them to go to the login page and request a new password by clicking on the “Forgot Password” link.
- Minimum Password Changes (hours) (minimum number of hours between password changes - defaults to 24, minimum is 1, maximum is 999)
- Default Username in Deep Link (allows a client to set the application to pre-populate the user’s name into the Coupa login screen - defaults to No)
  - Setting the option to “Yes” automatically inserts the user’s username into the appropriate spot on the Coupa login screen when the user (internal or external) clicks on the “Risk Assess” link contained in their email notifications.
- Use Security For Reporting Categories (allows a client to provision access to reporting categories and subcategories to specific user groups - defaults to No)
  - Setting this option to “Yes” requires that Report Security Categories be defined. These report security categories provide access to reporting for only those users who are members of the groups that are included in them. Users who do not belong to one or more of the groups included in one or more of the report security categories will not have access to any reporting features.
- View All Reporting Data (With this option, any application-level view restrictions on data are disregarded during report execution. This means that any data for which view access has been denied will be available for reporting.)
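The password settings in the list above (Password Minimum Length, Password Strength, Number of Different Passwords, Minimum Password Changes) can be read together as one acceptance check. The Python below is an added example, not Coupa code: the function names, the violation strings, the symbol set (`string.punctuation`) and the bare SHA-512 digest used for the history comparison are assumptions.

```python
import hashlib
import string
from datetime import timedelta

# Character types required per strength tier, as listed on this page.
REQUIRED_TYPES = {"Strong": 2, "Very Strong": 3, "Extremely Strong": 4}


def character_types(password):
    """Return the set of character types that occur in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("uppercase")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isdigit():
            found.add("number")
        elif ch in string.punctuation:
            found.add("symbol")
    return found


def digest(password):
    # Assumption: a bare SHA-512 hex digest stands in for the stored value;
    # the page does not describe salting or the storage format.
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def check_password_change(new, history, last_changed, now, min_length=6,
                          strength="Strong", different_passwords=5,
                          min_change_hours=24):
    """Return the list of policy violations; an empty list means accepted.

    history holds digests of earlier passwords, oldest first.
    """
    if not 6 <= min_length <= 8:
        raise ValueError("Password Minimum Length must be between 6 and 8")
    recent = history[-different_passwords:] if different_passwords > 0 else []
    problems = []
    if len(new) < min_length:
        problems.append("shorter than minimum length")
    if len(character_types(new)) < REQUIRED_TYPES[strength]:
        problems.append("too few character types for " + strength)
    if digest(new) in recent:
        problems.append("reuses a recent password")
    if now - last_changed < timedelta(hours=min_change_hours):
        problems.append("changed again too soon")
    return problems
```

The page's own sample passwords (Password, Passw0rd, Pas$w0rd) contain 2, 3 and 4 character types respectively under this check.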
The following options are only available when SSO is enabled for the client:
- Single Sign On Required (indicates whether or not single sign on access is required for internal users - if checked all internal users must use an SSO login)
- Single Sign On Required For External Users (indicates whether or not single sign on access is required for external users - if checked all external users must use an SSO login)
- SSO Logout URL (the page that is displayed to users upon logging out of Risk Assess)
- Single Sign On Validation Service URL (implementation endpoint URL that receives authentication requests for processing)
FOR CUSTOMERS UTILIZING THE ANALYTICS MODULE: Analytics utilizes the Admin > Security Policy settings in place at the time that Analytics is turned on for a customer. In cases where a customer is licensing the Analytics module, any changes to the Security Policy settings after turning on Analytics will impact data processing; specifically, the “View All Reporting Data” setting. Activating or deactivating this setting affects system reporting and Analytics. Customers that wish to change their Security Policy settings should first consult with Coupa Customer Support before taking any actions.