Print the articleGet a PDF version of this webpage

Set User Access and Password Rules

In this article we explain how to set up user access and passwords.

User Access and Password Rule

When deciding to grant access to employees (Users) to your WhosOnLocation account, there are several rules or policies you can use to ensure your WhosOnLocation account has the same access rules as your other applications. For example, you may want the employee to set a password that contains a minimum of 6 or 8 characters and/or you may want the password to include upper and lower case, or symbols.

In some instances you may not want your employees to have to set a separate password in WhosOnLocation, preferring them instead to automatically be logged in once they logon to their PC.

Accessing User Access Settings

Navigate to Tools > Account

 

Select the User Access option in the red box below:

About Standard Login

This is the user authentication that WhosOnLocation provides by default with every account. In practice user profiles are created manually by the Administrator or automatically via a sync with Active Directory (see Employee Database Management). Once their profile is created the Administrator grants access to the user by sending them an activation link.

To do this; Administrators select Tools > Locations > View > Employees. They then select the tick box beside the user’s name, scroll to the footer of the screen and run the action titled: 'Send Login Permission Email'.

The user will automatically be sent an email from WhosOnLocation to the email address setup against the user's profile. The email includes a unique link for the user. The user selects the link which takes them to the WhosOnLocation Login screen where they are verified and create their own password.

The user then logs in to your WhosOnLocation account using their email address and password. WhosOnLocation takes care of authenticating the user and allowing them access to your WhosOnLocation account.

Password Strength

Best Practice and security auditors recommend that to meet the minimum for compliance, with standards like OWASP, HIPAA, and Sarbanes-Oxley passwords should:

  • Be a minimum of six, preferably eight, characters in length,
  • Be a combination of uppercase and lowercase letters,
  • Mixed with numbers and symbols (!, @, #, $, for example).
  • Not contain personal information, such as the names of spouses or family members (including pets!), or any information that an attacker could easily derive from a user.

WhosOnLocation provides 3 Password Strength options

  1. Simple: minimum of 6 characters;
  2. Standard: (the default) minimum of 6 characters; combination of uppercase and lower case letters;
  3. Complex: (recommended) minimum of 8 characters, combination of uppercase and lower case letters; mixed with at least one number and one symbol (!, @, #, $, for example). This is the user authentication that WhosOnLocation provides by default with every account. In practice user profiles are created manually by the Administrator or automatically via a sync with Active Directory (see Employee Database Management). Once their profile is created the Administrator grants access to the user by sending them an activation link.

Force Password Change

Best Practice and security auditors recommend that to meet the minimum for compliance, with standards like OWASP, HIPAA, and Sarbanes-Oxley passwords should be changed every 45 to 90 days and should be different every time.

The default setting is 'Do not force change'.

Single Sign-on with SAML

Single sign-on is a mechanism that allows you to authenticate users in your systems and subsequently tell WhosOnLocation that the user has been authenticated. The user is then allowed to access WhosOnLocation without being prompted to enter separate login credentials.

You have complete control over your users and they don't need a separate password to log in to your WhosOnLocation. Instead, when users visit your WhosOnLocation and attempt to log in, they are seamlessly redirected to your SAML server for authentication. Once authenticated, users are redirected back to your WhosOnLocation and automatically logged in.

The only user data that needs to be contained in your WhosOnLocation is the user's email address or an external ID that you define. To learn more about Single Sign-on, you may wish to view this page on the helpdesk.

 

Have more questions? Submit a request