# Runtime Settings

Here you configure **security, authentication and access** of the running app.

For visual identity, deploy and GitHub, use [Project Settings](/documentation/project-settings.md).

{% hint style="warning" %}
The defaults below are of **the highest possible strictness**.\
They increase friction and require a well-defined support process.
{% endhint %}

### Overview (what you control here)

You typically configure:

* **SSO (SAML/OIDC) + Entra ID**
* **Access profiles (RBAC)** and **permissions**
* **Users**
* **Security policies** (password, 2FA, session, lockout, IP allowlist)
* **Audit and trails**
* **Email server** (invites, reset, alerts)
* **Logs** and **encryption**
* **Governance** (LGPD/GDPR)

### Authentication (SSO: SAML/OIDC + Entra ID)

Higher-strictness recommendation:

* **SSO required** for all users.
* **Disable local login** (password) when SSO is stable.
* **Enforced MFA at the IdP** (e.g.: Entra ID Conditional Access).
* **Restrict by domain** (only approved corporate emails).

Deployment checklist:

* Set the provider: **SAML** or **OIDC**.
* Configure URLs, issuer/client, certificates and claims.
* Map claim to **email** (identity) and **groups** (authorization).
* Validate the logout flow and session expiration.
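
The claim mapping and domain restriction from this checklist, as an added example (not the product's own code): `email` establishes identity, `groups` drives authorization, and an account with no mapped group is denied by default. The group names, the approved domain and the claims dict are constructed assumptions.

```python
# Assumptions: the IdP is configured to emit `email` and `groups` claims; group names and
# domains below are placeholders, not values from a real Entra ID tenant.
APPROVED_DOMAINS = {"example.com"}
GROUP_TO_PROFILES = {
    "app-finance-readers": ["Finance: Read"],
    "app-finance-operators": ["Finance: Read", "Finance: Operate"],
}

def resolve_login(claims: dict) -> dict:
    """Map IdP claims to an app identity and its access profiles, deny-by-default.

    Returns {"allowed": True, "email": ..., "profiles": [...]} on success,
    otherwise {"allowed": False, "reason": ...}.
    """
    email = (claims.get("email") or "").strip().lower()
    if "@" not in email:
        return {"allowed": False, "reason": "email claim missing: cannot establish identity"}
    domain = email.rsplit("@", 1)[1]
    if domain not in APPROVED_DOMAINS:
        return {"allowed": False, "reason": f"domain {domain} is not approved"}
    profiles = []
    for group in claims.get("groups") or []:
        for profile in GROUP_TO_PROFILES.get(group, []):
            if profile not in profiles:          # keep order, drop duplicates
                profiles.append(profile)
    if not profiles:
        return {"allowed": False, "reason": "no mapped group: access denied by default"}
    return {"allowed": True, "email": email, "profiles": profiles}

# Constructed sample token claims for a local check.
SAMPLE_CLAIMS = {"email": "Ana@example.com", "groups": ["app-finance-operators"]}
```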

{% hint style="danger" %}
Enable SSO first in a test environment.\
A misconfiguration can prevent everyone from logging in.
{% endhint %}

If SSO locks you out of login or the callback fails, see [SSO and login](/troubleshooting/sso-and-login.md).

### Users and profiles (RBAC)

#### Access profiles

Use profiles to group permissions by role.

Minimum fields:

* **Name**
* **Description**

Best practices (high strictness):

* Create small and explicit profiles (e.g.: `Finance: Read`, `Finance: Operate`).
* Avoid “Administrator” profiles for daily use.
* Use a **Break-glass admin** (emergency) with governance.

#### Users

Minimum fields:

* **Name**
* **Email**
* **Access profiles**

Best practices (high strictness):

* Disable self-service registration if it exists.
* Use email invitation with short expiration.
* Remove access for offboarding on the same day.

### Permissions (high strictness)

Recommended default:

* **Deny-by-default** (everything denied, allow as needed).
* Permissions by:
  * module
  * component/entity
  * action (view/create/edit/delete/export)

{% hint style="info" %}
Separate “view data” from “export data”.\
Export is one of the biggest leak vectors.
{% endhint %}

### Audit and trails

Enable auditing for security events and sensitive data.

Minimum trail fields:

* **User**
* **Action**
* **Resource**
* **Date/Time**
* **IP**
* **Status**

Minimum events (high strictness):

* login/logout
* login failures and lockouts
* password reset/change
* changes in SSO and security policies
* profile/permission changes
* data export

Recommended retention:

* **365 days** (minimum)
* **2–7 years** if there is a regulatory requirement

### Email server

Use for:

* invitations
* password reset (if local login is enabled)
* security alerts (e.g.: lockout, new device)

Recommendation (high strictness):

* Use corporate domain and SPF/DKIM/DMARC.
* Avoid providers with no sender reputation and no delivery logs.

### Security policies (high strictness)

#### Password policy (when local login exists)

Recommended values:

* **Minimum Length**: `14` (preferably `16`)
* **Require uppercase**: `on`
* **Require lowercase**: `on`
* **Require numbers**: `on`
* **Require special characters**: `on`
* **Prevent reuse**: `24`
* **Expiration**: `90` days (if your policy requires it)
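
The recommended values above as an added policy checker (example code, not the product's own implementation): complexity rules, reuse prevention over the last 24 passwords, and 90-day expiration. The hashing scheme for the stored history (salted PBKDF2-HMAC-SHA256) is an assumption, since the page does not document how the product stores passwords.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Recommended values from the "Password policy" section above.
MIN_LENGTH = 14
REUSE_HISTORY = 24       # previous passwords that may not be reused
MAX_AGE_DAYS = 90        # only enforce if your policy requires expiration
PBKDF2_ROUNDS = 100_000  # assumption: the product's own hashing is not documented here

def _derive(password: str, salt: bytes) -> bytes:
    # Per-entry salt, so history entries cannot be compared against each other offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def check_complexity(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems

def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any of the last REUSE_HISTORY (salt, digest) entries."""
    for salt, digest in history[-REUSE_HISTORY:]:
        if hmac.compare_digest(_derive(password, salt), digest):
            return True
    return False

def record_password(password: str, history: list) -> None:
    """Append the new password's (salt, digest) pair to the account's history."""
    salt = os.urandom(16)
    history.append((salt, _derive(password, salt)))

def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is older than MAX_AGE_DAYS (dates as ISO-8601 strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)
```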

{% hint style="warning" %}
Password expiration increases support calls.\
If you use SSO + strong MFA, prefer expiration at the IdP.
{% endhint %}

#### Two-Factor Authentication (2FA)

Recommended values:

* **Enabled**: `on`
* **Mandatory for all**: `on`
* **Available methods**:
  * **TOTP/Authenticator** (preferred)
  * Email only as fallback (if allowed)

#### Session management

Recommended values:

* **Inactivity timeout**: `15` minutes
* **Absolute session timeout**: `8` hours
* **Max concurrent sessions**: `1`
* **Allow "Remember Me"**: `off`

{% hint style="info" %}
Single session reduces the risk of session hijacking.\
It also reduces “account sharing”.
{% endhint %}

#### Login attempts (lockout)

Recommended values:

* **Max attempts**: `5`
* **Lockout duration**: `30` minutes

Extra recommendation (if supported):

* Progressive lockout (e.g.: 5 failures = 30 min, 10 failures = 24 h).
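
The lockout values above, including the progressive tiers, as an added example (not the product's own code) that also emits a trail entry with the minimum fields from "Audit and trails". The 24-hour counting window and the timestamp format are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# Recommended values from this section; the tiers are the progressive-lockout extra recommendation.
MAX_ATTEMPTS = 5
LOCKOUT_TIERS = [                    # (failure count, lockout duration), checked from the top tier down
    (10, timedelta(hours=24)),
    (5, timedelta(minutes=30)),
]
COUNT_WINDOW = timedelta(hours=24)   # assumption: failures older than this no longer count

def lockout_until(failures: list, now_iso: str) -> Optional[str]:
    """Return the ISO-8601 instant until which the account is locked, or None if login may proceed.

    `failures` holds ISO-8601 timestamps of failed logins for one account, in any order.
    """
    now = datetime.fromisoformat(now_iso)
    recent = [f for f in (datetime.fromisoformat(x) for x in failures)
              if timedelta(0) <= now - f <= COUNT_WINDOW]
    if len(recent) < MAX_ATTEMPTS:
        return None
    last_failure = max(recent)
    for threshold, duration in LOCKOUT_TIERS:
        if len(recent) >= threshold:
            until = last_failure + duration
            return until.isoformat() if until > now else None
    return None

def login_allowed(failures: list, now_iso: str) -> bool:
    return lockout_until(failures, now_iso) is None

def audit_record(user: str, ip: str, failures: list, now_iso: str) -> dict:
    """Trail entry with the minimum fields from "Audit and trails" for the lockout decision."""
    until = lockout_until(failures, now_iso)
    return {"user": user, "action": "login", "resource": "session", "datetime": now_iso,
            "ip": ip, "status": "locked" if until else "allowed", "locked_until": until}
```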

#### IP allowlist (allow only approved networks)

Recommended values:

* **Enabled**: `on` (in production)
* Register corporate networks and IPs.

Examples:

* `192.168.1.0/24`
* `10.0.0.0/8`
* `203.0.113.10/32`
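
Because an allowlist entry with host bits set or a catch-all range is accepted silently by many tools, this added example (not the product's own code) validates the three entries above before use, refuses to save a list that does not cover the emergency path, and denies unparseable client addresses. The VPN egress address is a placeholder assumption.

```python
import ipaddress

# The three example entries from this section.
ALLOWLIST = ["192.168.1.0/24", "10.0.0.0/8", "203.0.113.10/32"]
# Assumption: fixed egress IP of the VPN used by the break-glass account (placeholder).
EMERGENCY_IP = "198.51.100.7"

def parse_allowlist(entries: list) -> tuple:
    """Parse entries strictly; return (networks, problems). Any problem should block saving."""
    networks, problems = [], []
    for entry in entries:
        try:
            # strict=True rejects entries like 192.168.1.5/24, which is usually a typo.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every address and defeats the allowlist")
            continue
        networks.append(net)
    emergency = ipaddress.ip_address(EMERGENCY_IP)
    if not any(emergency in net for net in networks):
        problems.append(f"emergency path {EMERGENCY_IP} is not covered: lockout risk")
    return networks, problems

def is_allowed(client_ip: str, networks: list) -> bool:
    """Deny-by-default match of one client address against the parsed networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False   # an unparseable client address is denied, never allowed
    return any(addr in net for net in networks)
```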

{% hint style="danger" %}
IP allowlist is easy to get wrong.\
Maintain an emergency path (VPN + fixed IP + break-glass account).
{% endhint %}

### Logs

Recommendation (high strictness):

* Security logs separate from application logs.
* Never log: passwords, tokens, secrets, sensitive data.
* Alert on critical events (e.g.: many login failures, permission change).

### Encryption (in transit and at rest)

Recommendation (high strictness):

* **In transit**: TLS 1.2+ required.
* **At rest**:
  * database with encryption at rest
  * attachments/files with encryption at rest

### LGPD/GDPR and data governance

Minimum points to operate with rigor:

* Role-based access control (RBAC) and the principle of least privilege.
* Trails for access and export of personal data.
* Retention policy by data type.
* Process for:
  * responding to data subject requests (when applicable)
  * removal/anonymization (when applicable)

