Access Restrictions
The access restrictions feature provides the control and flexibility to manage user access when logging into Adestra. These restrictions help to prevent unauthorised access to the system and minimise security risks.
On this page:
- Types of Restrictions
- Managing Restrictions
- Authentication Emails
- Manual IP Restrictions
- Enabling Restrictions
- FAQ
Types of Restrictions
IP restrictions
IP restrictions are used to specify the locations that Adestra can be accessed from. This can help prevent off-site access to the system from uncontrolled computers.
IP restrictions can be created manually and applied to a user, or the user can be set up to authenticate any unknown IP addresses via an authentication email at log in.
Data download restrictions
Using data download restrictions you can identify who can access client data and from where. This enables you to maintain confidentiality and privacy of your contacts’ personal data and decrease the risks of data security breaches.
Note: This will also prevent users without data download access from viewing ad hoc export links sent by email.
OTP tokens
An OTP token provides a two-factor authentication process for logging into Adestra. Using multiple authentication credentials makes it harder for unauthorised users to gain access to your account.
Managing Restrictions
Within the Settings tab of a user's User Management page, you can select and manage the type of restriction to be applied to that user.
Allow access from any IP
Selecting this option will grant the user access to Adestra from any IP address. This means the user will be able to log in from all locations.
Allow access from any authenticated IP
This will grant the user access from any IP, as long as the IP can be verified by an authentication email. If a user logs in from an unknown IP address they will be sent an email with a verification link. Once successfully verified the IP address will be added to the permissions list.
Further restrictions for data downloading and OTP tokens are also available as an addition to this option.
Restrict access by specifying a set of allowed IPs
This allows the user access only from the IP addresses defined under the Access Restrictions tab. You can specify from which IP addresses the user can access Adestra as well as adding any additional restrictions to that IP.
As with the previous option, restrictions for data downloading and OTP tokens are also available as an addition to this option.
Authentication Emails
Users can be granted access from any authenticated IP address via the 'Settings' tab in their User Management pages. When 'Allow access from any authenticated IP' is selected, the user will be sent an authentication email with a verification link when logging in from an unknown IP.
Clicking the verification link, which lasts for 2 hours, will authorise the requested IP and re-direct the user back to the log in page to continue. Once an IP address has been authenticated it will be added to the access restrictions list and can be altered or removed if necessary.
Manual IP Restrictions
Allowed IP addresses are added to a user's account via the 'Access Restrictions' tab of their User Management pages. This page will display the 'Add IP address' button on the side bar.
It is important to note that manually created access restrictions need to be enabled in the user's Settings page before they can take effect, but we do recommend setting up any access restrictions first.
IP Address
Enter either a single IP address or a range of addresses to specify the locations from which the user will be given access, for example:
- Single: 1.2.3.4
- Range: 10.0.0.1 - 10.0.10.0
- CIDR Range: 10.0.0.1/16
Alternatively, use * in the text box to apply access from all IP addresses.
Your current IP address can be found within the side bar on the User Management page.
Data download access
Apply additional user restrictions, allowing users to only download contact data from the given or authenticated IP addresses.
Note: Setting these defaults will not change existing restrictions; you can edit an existing restriction under the Access Restrictions tab.
Require OTP token
This option means a user requires an OTP token as well as the usual log in credentials when accessing the system from the specified IP addresses.
Once you have clicked 'Save' to create the IP access restriction, it will be displayed in the lower part of the Access Restrictions page. Remember you will need to enable any access restrictions you create, under the settings tab, in order for them to take effect.
Enabling Restrictions
If you have set up restrictions but have not enabled them, a warning banner will appear at the top of the access restrictions interface. Without enabling any restriction a user will still have access from all IP addresses.
To enable restrictions, click the button on the banner or select the option within the Settings tab.
Similarly, if you enable restrictions before creating any, a banner will appear warning that the user will not be able to log in. You will be prompted to add an IP address which can be done via the button in the banner or under the 'Access Restrictions' tab.
Access Restriction Examples
Home Working Example
These restriction rules have been used to disallow data downloads from a specified range of IP addresses, excluding just one address. This could apply to a user who often works from home, assigning restrictions to their ISP and only allowing data to be downloaded at the specified IP address, such as the office.
Allowing data only to be downloaded from the office, in this case, could help to secure contacts' personal data and protect against any risks from uncontrolled computers.
The first rule specifies a single IP address which has been given access to download data, while the second gives a range of IP addresses to identify the user's ISP, which do not permit data downloading.
Offsite Working Example
These restrictions require the use of an OTP token from all IP addresses, excluding just one address. This could be relevant to a user who travels for work, making it necessary to log on with an OTP token everywhere apart from the given IP address, an office for example.
Putting these restrictions in place would help protect the system when using it offsite, making it harder for someone to acquire all authentication credentials and gain unauthorised access.
The first rule requires an OTP token to be used from all IP addresses. The second identifies a specific IP address where it is not necessary to use an OTP token to access the system.
If you need further help with configuring access restrictions, contact Adestra Customer Support (adestra-support@uplandsoftware.com).
FAQ
How do I find out my IP address?
The user page displays a 'You are connected from IP: xx.xx.xx.xxx' message. However, you may be connected from an IP range, in which case check with your systems administrator.
If there are overlapping restrictions in place, which one will be used?
If you have multiple restrictions, the most specific rule will be used. For example, a restriction for a single IP address would be the most specific, and would be applied first.
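The "most specific rule" behaviour, applied to the two access restriction examples, can be sketched as follows. This is an added illustration, not Adestra's own code: it assumes "most specific" means the matching rule that covers the fewest addresses, and the rule fields and IP addresses are constructed for the example.

```python
import ipaddress

def parse_spec(spec):
    """Return (first, last) integer bounds for '*', a single IP, 'a - b' or CIDR."""
    spec = spec.strip()
    if spec == "*":
        return 0, 2**32 - 1
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
        if lo > hi:
            raise ValueError(f"range start is above range end: {spec}")
        return lo, hi
    if "/" in spec:
        # strict=False tolerates host bits, as in the page's 10.0.0.1/16 example
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    ip = int(ipaddress.IPv4Address(spec))
    return ip, ip

def effective_rule(rules, client_ip):
    """Return the matching rule that covers the fewest addresses.

    None means no rule matches, i.e. the login is refused when
    'Restrict access by specifying a set of allowed IPs' is enabled.
    """
    ip = int(ipaddress.IPv4Address(client_ip))
    best = None
    for rule in rules:
        lo, hi = parse_spec(rule["ip"])
        if lo <= ip <= hi and (best is None or hi - lo < best[0]):
            best = (hi - lo, rule)
    return best[1] if best else None

# Constructed rule sets mirroring the two examples (documentation-range addresses)
OFFSITE = [
    {"ip": "*", "download": True, "otp": True},               # everywhere: OTP
    {"ip": "203.0.113.10", "download": True, "otp": False},   # office: no OTP
]
HOME = [
    {"ip": "198.51.100.25", "download": True, "otp": False},  # one allowed address
    {"ip": "198.51.100.0 - 198.51.100.255", "download": False, "otp": False},  # ISP
]

if __name__ == "__main__":
    for rules, ip in [(OFFSITE, "192.0.2.77"), (OFFSITE, "203.0.113.10"),
                      (HOME, "198.51.100.25"), (HOME, "198.51.100.42"),
                      (HOME, "192.0.2.77")]:
        print(ip, "->", effective_rule(rules, ip))
```

Running the script prints the rule that wins for each sample address, which is a quick way to sanity-check a planned rule set for unintended overlaps before enabling restrictions.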
Can I edit my own user?
Yes, you can edit your own user by selecting your user in the 'Users' page.
Note: When you make changes to your user, you may be logged out by the system, and you will need to log back in.