Product Documentation

Security

Manage Security

Tenant Administrators can access user security settings by navigating to the Settings icon in the upper right corner of the screen.

Click on the Security tab under the Tenant section to access the Tenant Security Configuration page.

Multifactor Authentication

Canopy supports Multifactor Authentication (MFA) via email and virtual devices supporting Time-based One-time Passwords (TOTP). The default setting for MFA is email authentication.

Email Authentication

Tenant security settings default to Email authentication when onboarding users and transitioning MFA devices.

Canopy recommends that you use email authentication only for the periods of initially configuring and switching virtual MFA devices.

Authentication App

Tenant Administrators can switch to the Authentication App setting for user authentication following initial configuration.

When MFA is set to Authentication App, newly added users are automatically prompted to set a password and log in. After logging in, the option to Set Up Virtual MFA Device appears under Personal Settings when hovering over or clicking on the Settings icon.

Users can then follow the prompts to set up virtual device authentication to use for future logins (see Personal Settings for detailed instructions).

Authentication App Key Icon

When the admin has configured the MFA security setting to Authentication App, the Key icon appears beside users who have set up their virtual MFA device.

The Key icon is only present on accounts protected with a virtual MFA device.

See How to Revert from Authenticator App to Email Authentication.

🥾 How to configure multifactor authentication

  1. Sign in as a Tenant Administrator.
  2. In the upper right corner of any page on Canopy, click the Settings icon, and then under Tenant, click Security.
  3. To the right of Multifactor Authentication, click on the dropdown box and select either Email or Authentication App.
  4. Configuration completed.

🥾 How to onboard users

Once added to the system, new users will automatically receive a Canopy welcome email directing them to click a button to create a password.

Users will be directed to enter and confirm a password.

When MFA is set to Email authentication, new users will then be prompted to enter an email authentication code.

Canopy automatically emails new users a multifactor authentication message containing the code to use to log in to Canopy.

Inactivity Timers

Tenant Administrators can set how long a user may be inactive (1-60 minutes) before the system automatically logs them out, and can also have the system disable a user after a set number of inactive days (1-22 days).

🥾 How to configure access timeouts

  1. Sign in as a Tenant Administrator.
  2. In the upper right corner of any page on Canopy, click the Settings icon, and then under Tenant, click Security.
  3. To the right of Log Out User, type in a number from 1 to 60 to specify the number of inactive minutes that are allowed until the system automatically logs out the user.
  4. To the right of Disable User, type in a number from 1 to 22 to specify the number of inactive days that are allowed until the system automatically deactivates the user’s account.
  5. Configuration completed.

Access Restrictions

After a tenant is provisioned, it is accessible by anyone from any computer. Tenant administrators can then restrict tenant access by IP address.

Users will still need to provide credentials to access the tenant.

Restrictions are associated with a domain and a role. For example, a Review Manager may want to restrict Light Reviewers from any domain to an IP address range that originates from their corporate network.

When any user sends a request to the tenant, that user’s IP address, domain, and role are evaluated against the allowed list. If their IP address is not on the list, an HTTP 403 status code is displayed.

Only Tenant Administrators have the ability to add or remove IP addresses.

You must specify a public IP address that can be accessed by the website. Private IP addresses cannot be accessed by the website.
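
The evaluation described above, sketched in Python as an added example (this is not Canopy's own code). The CIDR input format, the `*` wildcard for "any domain", and the rule that a domain and role with no restriction stay open are assumptions; the addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

ANY_DOMAIN = "*"  # assumed wildcard for "any domain"; not the product's syntax

# IPv4 ranges that are not reachable from the public internet.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
)]


@dataclass(frozen=True)
class Restriction:
    name: str        # unique name chosen by the administrator
    domain: str      # user e-mail domain, or ANY_DOMAIN
    role: str        # tenant-level role, e.g. "Light Reviewer"
    networks: tuple  # allowed public networks for that domain and role


def make_restriction(name, domain, role, cidrs):
    """Validate and build one restriction; private ranges are refused."""
    nets = tuple(ipaddress.IPv4Network(c) for c in cidrs)  # "1.2.3.4" becomes a /32
    if not nets:
        raise ValueError("a restriction needs at least one IP address")
    for net in nets:
        if any(net.overlaps(block) for block in NON_PUBLIC):
            raise ValueError(f"{net} is not a public address range")
    return Restriction(name, domain.lower(), role, nets)


def check_request(restrictions, client_ip, email, role):
    """Return 403 if the request is blocked, 200 if it may go on to the login check."""
    ip = ipaddress.IPv4Address(client_ip)
    domain = email.rsplit("@", 1)[-1].lower()
    applicable = [r for r in restrictions
                  if r.role == role and r.domain in (ANY_DOMAIN, domain)]
    if not applicable:
        return 200  # assumption: an unrestricted domain/role stays open to any address
    allowed = any(ip in net for r in applicable for net in r.networks)
    return 200 if allowed else 403


if __name__ == "__main__":
    # Constructed sample: Light Reviewers from any domain, corporate range only.
    rules = [make_restriction("corp-office", ANY_DOMAIN, "Light Reviewer", ["203.0.113.0/24"])]
    print(check_request(rules, "203.0.113.45", "lee@example.com", "Light Reviewer"))  # 200
    print(check_request(rules, "198.51.100.9", "lee@example.com", "Light Reviewer"))  # 403
```

A 200 here only means the address check passed; the user still has to present credentials and complete MFA.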

🥾 How to create an access restriction

  1. Sign in as a Tenant Administrator.

  2. In the upper right corner of any page on Canopy, click the Settings icon, and then under Tenant, click Security.

  3. To the right of Access Restrictions, click on the + Add Restriction button.

  4. To add a restriction, create a unique name for each restriction. Then choose the domain and tenant level role you would like restricted by IP address.

  5. Click on the info button beside Add IP Addresses to check IP address format details.