Runtime Settings

Here you configure the security, authentication and access settings of the running app.

For visual identity, deployment and GitHub, use Project Settings.


Overview (what you control here)

You typically configure:

  • SSO (SAML/OIDC) + Entra ID

  • Access profiles (RBAC) and permissions

  • Users

  • Security policies (password, 2FA, session, lockout, IP allowlist)

  • Audit and trails

  • Email server (invites, reset, alerts)

  • Logs and encryption

  • Governance (LGPD/GDPR)

Authentication (SSO: SAML/OIDC + Entra ID)

Higher-strictness recommendation:

  • SSO required for all users.

  • Disable local login (password) when SSO is stable.

  • MFA enforced at the IdP (e.g.: Entra ID Conditional Access).

  • Restrict by domain (only approved corporate emails).

Deployment checklist:

  • Set the provider: SAML or OIDC.

  • Configure URLs, issuer/client, certificates and claims.

  • Map claim to email (identity) and groups (authorization).

  • Validate logout scenario and session expiration.

If this locks you out of login or breaks the callback, see SSO and login.

Users and profiles (RBAC)

Access profiles

Use profiles to group permissions by role.

Minimum fields:

  • Name

  • Description

Best practices (high strictness):

  • Create small and explicit profiles (e.g.: Finance: Read, Finance: Operate).

  • Avoid “Administrator” profiles for daily use.

  • Keep a break-glass admin account (emergency use only) under governance.

Users

Minimum fields:

  • Name

  • Email

  • Access profiles

Best practices (high strictness):

  • Disable self-service registration if it exists.

  • Use email invitation with short expiration.

  • Remove access on the day of offboarding.

Permissions (high strictness)

Recommended default:

  • Deny-by-default (everything denied, allow as needed).

  • Permissions by:

    • module

    • component/entity

    • action (view/create/edit/delete/export)


Separate “view data” from “export data”. Export is one of the biggest leak vectors.
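As an added example (not the product's own code) of the deny-by-default model above: a permission check keyed by module, component and action, with small explicit profiles where "view" never implies "export". Profile names, module names and e-mail addresses are constructed.

```python
# Added example, not the product's own implementation: deny-by-default RBAC
# over module / component / action, with small explicit profiles.
from dataclasses import dataclass, field

ACTIONS = {"view", "create", "edit", "delete", "export"}


@dataclass(frozen=True)
class Permission:
    module: str
    component: str   # entity inside the module, or "*" for every entity
    action: str


@dataclass
class Profile:
    name: str
    description: str
    grants: frozenset = field(default_factory=frozenset)


@dataclass
class User:
    email: str
    profiles: list


def is_allowed(user: User, module: str, component: str, action: str) -> bool:
    """Allow only if some profile grants exactly this action; otherwise deny."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for profile in user.profiles:
        for p in profile.grants:
            if (p.module == module and p.action == action
                    and p.component in ("*", component)):
                return True
    return False  # nothing matched: deny by default


# Constructed profiles: read, operate and export are separate grants.
FINANCE_READ = Profile("Finance: Read", "view finance records",
                       frozenset({Permission("finance", "*", "view")}))
FINANCE_OPERATE = Profile("Finance: Operate", "create and edit invoices",
                          frozenset({Permission("finance", "invoice", "create"),
                                     Permission("finance", "invoice", "edit")}))
FINANCE_EXPORT = Profile("Finance: Export", "export finance data (audited)",
                         frozenset({Permission("finance", "*", "export")}))

analyst = User("analyst@example.com", [FINANCE_READ, FINANCE_OPERATE])
auditor = User("auditor@example.com", [FINANCE_READ, FINANCE_EXPORT])
```

The analyst can view and edit invoices but cannot export them; the auditor can export but cannot create anything.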

Audit and trails

Enable auditing for security events and sensitive data.

Minimum trail fields:

  • User

  • Action

  • Resource

  • Date/Time

  • IP

  • Status

Minimum events (high strictness):

  • login/logout

  • login failures and lockouts

  • password reset/change

  • changes in SSO and security policies

  • profile/permission changes

  • data export

Recommended retention:

  • 365 days (minimum)

  • 2–7 years if there is a regulatory requirement

Email server

Use for:

  • invitations

  • password reset (if local login is enabled)

  • security alerts (e.g.: lockout, new device)

Recommendation (high strictness):

  • Use corporate domain and SPF/DKIM/DMARC.

  • Avoid providers with no sending reputation and no delivery logs.

Security policies (high strictness)

Password policy (when local login exists)

Recommended values:

  • Minimum Length: 14 (preferably 16)

  • Require uppercase: on

  • Require lowercase: on

  • Require numbers: on

  • Require special characters: on

  • Prevent reuse: 24

  • Expiration: 90 days (if your policy requires it)

Two-Factor Authentication (2FA)

Recommended values:

  • Enabled: on

  • Mandatory for all: on

  • Available methods:

    • TOTP/Authenticator (preferred)

    • Email only as fallback (if allowed)

Session management

Recommended values:

  • Inactivity timeout: 15 minutes

  • Absolute session timeout: 8 hours

  • Max concurrent sessions: 1

  • Allow "Remember Me": off

A single session reduces the risk of session hijacking. It also discourages account sharing.

Login attempts (lockout)

Recommended values:

  • Max attempts: 5

  • Lockout duration: 30 minutes

Extra recommendation (if supported):

  • Progressive lockout (e.g.: 5 failures = 30 min, 10 failures = 24 h).

IP allowlist (allow only approved networks)

Recommended values:

  • Enabled: on (in production)

  • Register corporate networks and IPs.

Examples:

  • 192.168.1.0/24

  • 10.0.0.0/8

  • 203.0.113.10/32


Logs

Recommendation (high strictness):

  • Security logs separate from application logs.

  • Never log: passwords, tokens, secrets, sensitive data.

  • Alert on critical events (e.g.: many login failures, permission change).

Encryption (in transit and at rest)

Recommendation (high strictness):

  • In transit: TLS 1.2+ required.

  • At rest:

    • database with encryption at rest

    • attachments/files with encryption at rest

LGPD/GDPR and data governance

Minimum points to operate with rigor:

  • Role-based access control (RBAC) and least privilege principle.

  • Trails for access and export of personal data.

  • Retention policy by data type.

  • Process for:

    • responding to data subject requests (when applicable)

    • removal/anonymization (when applicable)
