# Runtime Settings

Here you configure **security, authentication and access** for the running app.

For visual identity, deployment and GitHub settings, use [Project Settings](https://app.gitbook.com/s/XnYvLewhXbdSQIvAlbqN/documentacao/configuracoes-do-projeto).

{% hint style="warning" %}
The defaults below are of **the highest possible strictness**.\
They increase friction and require a well-defined support process.
{% endhint %}

### Overview (what you control here)

You typically configure:

* **SSO (SAML/OIDC) + Entra ID**
* **Access profiles (RBAC)** and **permissions**
* **Users**
* **Security policies** (password, 2FA, session, lockout, IP allowlist)
* **Audit and trails**
* **Email server** (invites, reset, alerts)
* **Logs** and **encryption**
* **Governance** (LGPD/GDPR)

### Authentication (SSO: SAML/OIDC + Entra ID)

Higher-strictness recommendation:

* **SSO required** for all users.
* **Disable local login** (password) when SSO is stable.
* **MFA enforced at the IdP** (e.g.: Entra ID Conditional Access).
* **Restrict by domain** (only approved corporate emails).

Deployment checklist:

* Set the provider: **SAML** or **OIDC**.
* Configure URLs, issuer/client, certificates and claims.
* Map claim to **email** (identity) and **groups** (authorization).
* Validate the logout **flow** and session expiration.

{% hint style="danger" %}
Enable SSO first in a test environment.\
A misconfiguration can prevent everyone from logging in.
{% endhint %}

If login or the callback gets locked out, see [SSO and login](https://app.gitbook.com/s/XnYvLewhXbdSQIvAlbqN/solucao-de-problemas/sso-e-login).

### Users and profiles (RBAC)

#### Access profiles

Use profiles to group permissions by role.

Minimum fields:

* **Name**
* **Description**

Best practices (high strictness):

* Create small and explicit profiles (e.g.: `Finance: Read`, `Finance: Operate`).
* Avoid “Administrator” profiles for daily use.
* Keep a **break-glass admin** (emergency use) under governance.

#### Users

Minimum fields:

* **Name**
* **Email**
* **Access profiles**

Best practices (high strictness):

* Disable self-service registration if it exists.
* Use email invitation with short expiration.
* On offboarding, remove access the same day.

### Permissions (high strictness)

Recommended default:

* **Deny-by-default** (everything denied, allow as needed).
* Permissions by:
  * module
  * component/entity
  * action (view/create/edit/delete/export)

{% hint style="info" %}
Separate “view data” from “export data”.\
Export is one of the biggest leak vectors.
{% endhint %}

### Audit and trails

Enable auditing for security events and sensitive data.

Minimum trail fields:

* **User**
* **Action**
* **Resource**
* **Date/Time**
* **IP**
* **Status**

Minimum events (high strictness):

* login/logout
* login failures and lockouts
* password reset/change
* changes to SSO and security policies
* profile/permission changes
* data export

Recommended retention:

* **365 days** (minimum)
* **2–7 years** if there is a regulatory requirement

### Email server

Use for:

* invitations
* password reset (if local login is enabled)
* security alerts (e.g.: lockout, new device)

Recommendation (high strictness):

* Use corporate domain and SPF/DKIM/DMARC.
* Avoid providers with no sender reputation and no delivery logs.

### Security policies (high strictness)

#### Password policy (when local login exists)

Recommended values:

* **Minimum Length**: `14` (preferably `16`)
* **Require uppercase**: `on`
* **Require lowercase**: `on`
* **Require numbers**: `on`
* **Require special characters**: `on`
* **Prevent reuse**: `24`
* **Expiration**: `90` days (if your policy requires it)

{% hint style="warning" %}
Password expiration increases support calls.\
If you use SSO + strong MFA, prefer expiration at the IdP.
{% endhint %}

#### Two-Factor Authentication (2FA)

Recommended values:

* **Enabled**: `on`
* **Mandatory for all**: `on`
* **Available methods**:
  * **TOTP/Authenticator** (preferred)
  * Email only as fallback (if allowed)

#### Session management

Recommended values:

* **Inactivity timeout**: `15` minutes
* **Absolute session timeout**: `8` hours
* **Max concurrent sessions**: `1`
* **Allow "Remember Me"**: `off`

{% hint style="info" %}
Single session reduces the risk of session hijacking.\
It also reduces “account sharing”.
{% endhint %}

#### Login attempts (lockout)

Recommended values:

* **Max attempts**: `5`
* **Lockout duration**: `30` minutes

Extra recommendation (if supported):

* Progressive lockout (e.g.: 5 failures = 30 min, 10 failures = 24 h).
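The progressive lockout above, as an added example (not the product's own code): a hypothetical policy engine with the page's tiers (5 failures = 30 min, 10 failures = 24 h). The failure counter survives an expired lock so the 24 h tier is reachable, and attempts made while locked keep the lock but do not escalate it.

```python
from dataclasses import dataclass

# Escalating tiers (failure count, lockout seconds), taken from the page's recommendation.
LOCKOUT_TIERS = [(5, 30 * 60), (10, 24 * 60 * 60)]


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Hypothetical progressive lockout; per-account state kept in memory."""

    def __init__(self, tiers=LOCKOUT_TIERS):
        self.tiers = sorted(tiers)
        self.accounts: dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return bool(state and now < state.locked_until)

    def lockout_for(self, failures: int) -> int:
        """Lockout seconds that apply at this failure count (0 = none).
        Every failure at or beyond a tier re-arms that tier's lock."""
        duration = 0
        for threshold, seconds in self.tiers:
            if failures >= threshold:
                duration = seconds
        return duration

    def record_failure(self, user: str, now: float) -> int:
        """Register a failed login; return the lockout seconds now in force."""
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            # Still locked: keep the lock, do not count toward the next tier.
            return int(state.locked_until - now)
        state.failures += 1
        duration = self.lockout_for(state.failures)
        if duration:
            state.locked_until = now + duration
        return duration

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is still refused while locked; success resets the counter."""
        if self.is_locked(user, now):
            return False
        self.accounts.pop(user, None)
        return True
```

Both the lockout and the release are events the audit trail section above expects to record.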

#### IP allowlist (allow only approved networks)

Recommended values:

* **Enabled**: `on` (in production)
* Register corporate networks and IPs.

Examples:

* `192.168.1.0/24`
* `10.0.0.0/8`
* `203.0.113.10/32`

{% hint style="danger" %}
IP allowlist is easy to get wrong.\
Maintain an emergency path (VPN + fixed IP + break-glass account).
{% endhint %}
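An allowlist check for the entries above, added as an example and not the product's own code. It uses only the standard library; the allowlist and the break-glass address are constructed, and one deliberately malformed entry shows why entries must be validated rather than silently widened.

```python
import ipaddress

# The page's three example networks plus a constructed bad entry (host bits set in a /24).
CONSTRUCTED_ALLOWLIST = [
    "192.168.1.0/24",
    "10.0.0.0/8",
    "203.0.113.10/32",
    "198.51.100.7/24",
]


def parse_allowlist(entries):
    """Return (networks, rejected). strict=True refuses prefixes with host bits set,
    so '198.51.100.7/24' is rejected instead of being widened to 198.51.100.0/24."""
    networks, rejected = [], []
    for raw in entries:
        try:
            networks.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def is_allowed(client_ip, networks):
    """True only if the client address falls inside an allowlisted network.
    client_ip must be the address seen by the trusted edge, never a client-supplied header."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def allowlist_is_safe_to_enable(networks, break_glass_ip):
    """Refuse to enable an empty allowlist or one that excludes the emergency path."""
    return bool(networks) and is_allowed(break_glass_ip, networks)
```

Run `allowlist_is_safe_to_enable` before switching the feature on in production; the hint above describes exactly the failure it guards against.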

### Logs

Recommendation (high strictness):

* Security logs separate from application logs.
* Never log: passwords, tokens, secrets, sensitive data.
* Alert on critical events (e.g.: many login failures, permission change).

### Encryption (in transit and at rest)

Recommendation (high strictness):

* **In transit**: TLS 1.2+ required.
* **At rest**:
  * database with encryption at rest
  * attachments/files with encryption at rest

### LGPD/GDPR and data governance

Minimum points to operate with rigor:

* Role-based access control (RBAC) and least privilege principle.
* Trails for access and export of personal data.
* Retention policy by data type.
* Process for:
  * responding to data subject requests (when applicable)
  * removal/anonymization (when applicable)
