Password Management | chillidb


ChilliDB is a Registered Trademark of Polymorphic Solutions © 2019

Dec 6, 2018

Password Management

Edited: Mar 13

ChilliDB has a number of password management features that adhere to industry standards, making it a safe and secure system to hold all of your information.

Features include:

  • Locking on password verification failure

  • Forgotten Password processes

  • Forced Resets of Passwords

  • Encryption of passwords

  • Password Policy rules

Password Management Features

Locking on Password Verification Failure

If you have forgotten your password and keep failing to log in, ChilliDB will lock your account after 5 failed login attempts for a period of 5 minutes.

If you keep trying to log in while the account is locked, you will see a countdown that reduces each minute to show how long you remain locked out.

When the 5 minutes have passed, the message disappears and the lock is removed, allowing you to try again.
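The lockout behaviour described above, sketched as an added example (this is not ChilliDB's code). The 5-attempt and 5-minute values come from the article; the class and method names are hypothetical, and the handling of attempts made during a lock and of the counter after a successful login are assumptions.

```python
import math
from dataclasses import dataclass

MAX_FAILURES = 5        # from the article: lock after 5 failed attempts
LOCK_SECONDS = 5 * 60   # from the article: the lock lasts 5 minutes


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success or lock
    locked_until: float = 0.0  # epoch seconds; 0.0 means never locked
    lock_events: int = 0       # how many times this account has been locked


class LockoutTracker:
    """In-memory lockout state keyed by username (hypothetical helper)."""

    def __init__(self):
        self.accounts = {}

    def minutes_remaining(self, username, now):
        """Whole minutes left on the lock, rounded up; 0 when not locked."""
        state = self.accounts.get(username)
        if state is None or now >= state.locked_until:
            return 0
        return math.ceil((state.locked_until - now) / 60)

    def attempt(self, username, password_ok, now):
        """Record one login attempt and return 'ok', 'failed' or 'locked'."""
        state = self.accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            # Assumption: attempts during the lock are rejected, even with the
            # right password, and are not counted, so the countdown runs down.
            return "locked"
        if password_ok:
            state.failures = 0  # assumption: a success clears the counter
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCK_SECONDS
            state.failures = 0
            state.lock_events += 1
            return "locked"
        return "failed"

    def repeatedly_locked(self, threshold=3):
        """Usernames locked at least `threshold` times, for example by a
        browser that keeps replaying a stale saved password."""
        return sorted(user for user, state in self.accounts.items()
                      if state.lock_events >= threshold)
```

Passing `now` in explicitly keeps the logic testable; a real login handler would supply the current time and review the output of `repeatedly_locked()` periodically.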

Forgotten Password processes

If you have forgotten your password, you can use the Forgotten Password link on the login panel. Just enter your username, then click the Forgotten Password link.

ChilliDB will then ask for the Secret Answers to your Secret Questions.

When you provide the correct Answers and a new password, you will be able to click Reset Password to reset your password.

You will then see the standard login prompt and be able to log into ChilliDB using the new password.

If you do not have a Secret Question and Secret Answer defined, then ChilliDB will let you know when you click the Forgotten Password link. To recover your password, you will need a member of your staff with sufficient permissions to edit User records to modify your User record and reset your password. After your administrator has modified your password, you should:

- Change your password - Your administrator may have checked the box to force this when you first log in. If they didn’t, you should do it manually:

o On the home screen, go to Preferences

o Select Change My Password

o Enter your old and new password in the required fields, and then save your changes.

- Configure a Secret Question and Secret Answer so that you can use the Forgotten Password link.

o On the home screen, go to Preferences

o Select Change My Secret Question

o Enter your Secret Question and Secret Answer, then save your changes.

Forced Resets of Passwords

Your administrator can choose to force the reset of any User's password from the User maintenance screen.

Locate and edit the User record, then check the box “Force user to change password at next login”, and then save your changes.

The next time that user tries to log in, ChilliDB will force them to change their password.

Encryption of passwords

ChilliDB passwords are stored in an encrypted format using industry best practices. For this reason, if you contact the ChilliDB HelpDesk for some activities, they will only be able to reset your password, or may ask you to reset your password before they look at your system.

Password Policy

ChilliDB supports a number of rules which can be configured to enforce a sensible Password Policy for your whole system, allowing you to choose from any number of the following rules:

  • History - Password must not match the previous X passwords used

  • Letter Content - Password must contain at least X letters

  • Lower-Case Letter Content - Password must contain at least X lowercase letters

  • Symbol - Password must contain at least X symbol characters

  • Expiry - Password will expire if it is more than X days old

Configuring a Password Policy on an established system has no effect on existing user accounts until either their password expires (if you configure an Expiry policy) or you edit their User record and check the box “Force user to change password at next login”, which forces them to create a password that complies with your policy rules.

Choose System Management from the System menu.

From there, you can choose Manage Password Policy.

This will show you any Rules you have in place at present.

You can add additional Rules by clicking create in the top right of the screen, then choosing one from the Rule drop-down and entering the Rule Value. For example, Rule: History with Rule Value = 5 means ChilliDB passwords must not match the previous 5 passwords.
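How a rule set like this can be evaluated, as an added example (not ChilliDB's code). The rule names and the History = 5 value come from the article; the other values, the function names, the use of salted PBKDF2 for the stored history and the reading of "symbol" as ASCII punctuation are assumptions.

```python
import hashlib
import hmac
import os
import string
from datetime import timedelta

# Rule names follow the article; the values are constructed for this example.
POLICY = {"History": 5, "Letter Content": 6, "Lower-Case Letter Content": 2,
          "Symbol": 1, "Expiry": 90}
PBKDF2_ROUNDS = 100_000  # assumption: the article does not name a scheme


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS)
    return salt, digest


def matches_history(candidate, history, depth):
    """True if candidate equals one of the `depth` most recent passwords.

    `history` is a list of (salt, digest) pairs, oldest first, so the
    plaintext of earlier passwords never has to be kept.
    """
    if depth <= 0:
        return False
    for salt, digest in history[-depth:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False


def check_new_password(candidate, history, policy=POLICY):
    """Return the names of the configured rules that the candidate breaks."""
    counts = {
        "Letter Content": sum(c.isalpha() for c in candidate),
        "Lower-Case Letter Content": sum(c.islower() for c in candidate),
        # Assumption: "symbol" means ASCII punctuation.
        "Symbol": sum(c in string.punctuation for c in candidate),
    }
    failed = [rule for rule, have in counts.items()
              if have < policy.get(rule, 0)]
    if matches_history(candidate, history, policy.get("History", 0)):
        failed.append("History")
    return failed


def must_change_at_login(last_changed, force_flag, now, policy=POLICY):
    """Existing passwords are only re-checked on expiry or a forced reset."""
    days = policy.get("Expiry")
    expired = days is not None and now - last_changed > timedelta(days=days)
    return force_flag or expired
```

`must_change_at_login` mirrors the point made earlier in the article: a newly configured policy reaches an existing account only when its password expires or the force flag is set.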

Best Practices

  • Do not use the same password for all users you create in ChilliDB.

  • Always force your users to reset their password when you give them one, so that only they know their password.

  • Utilise Password Policy to enforce rules such as Password History, Complexity and Ageing for all ChilliDB users.

  • Remind all users that they should never write down their passwords near their desk or use obvious passwords which are easy to guess. Utilise Password Complexity to enforce this.

  • Be careful of web browsers which remember your passwords or try to automatically log you into ChilliDB as they can cause many repeated failures and lock a ChilliDB account repeatedly.
