Security policies (MFA & IP allowlist)

Force every user — or just your admins — to enrol two-factor authentication, workspace-wide, from the Security tab. The setting is scoped to your workspace, and every change is written to the audit log. A second access control, the admin-panel IP allowlist, is enforced for your workspace but set up by the OnTrackio team rather than from this tab.

:::note Before you begin

  • An admin account on your workspace: the admin, it-admin, or super-admin role reaches Admin → Settings.
  • Open the page from the admin sidebar under Settings, then select the Security tab. The direct path is /admin/settings.
  • Saving the form needs no extra confirmation, but MFA enforcement applies on each affected user's next request, including your own. Read Require MFA before you switch it on.

:::

What the Security tab controls

The Security tab holds four settings: the two MFA toggles, session lifetime, and super-admin emails. This page focuses on multi-factor authentication, the one access-control policy you switch on yourself; the other two settings are summarised in the table below. The admin-panel IP allowlist is a fifth control: it is enforced workspace-wide but configured by the OnTrackio team rather than from this tab. See Restrict the admin panel by IP.

| Setting | Type | Default | What it does |
|---|---|---|---|
| Require MFA for admins | Toggle | Off | Forces two-factor enrolment for the admin, it-admin, and super-admin roles. |
| Require MFA for everyone | Toggle | Off | Forces two-factor enrolment for every signed-in user, including end users. |
| Session lifetime (minutes) | Number | 480 (8 hours) | How long a session stays signed in. Allowed range 5–43200 (30 days). |
| Super admin emails | Text (comma-separated) | Empty | Addresses promoted to the super-admin role on first sign-in. Treat the field as a privilege grant: anyone who signs in with one of these addresses becomes a super-admin, so keep the list short and review changes to it in the audit log. |

:::note Changes are audited

Saving the Security tab writes an Updated application settings entry to the audit log under the settings channel, attributed to you. See the Audit log.

:::

Require MFA

Two independent toggles enforce two-factor authentication. They overlap rather than stack: Require MFA for everyone already covers the admin roles, so you rarely need both.

| Toggle | Applies to | When to use |
|---|---|---|
| Require MFA for admins | admin, it-admin, and super-admin roles | The safe default for any workspace: protect every privileged account. Maps to ISO 27001 A.9.4.2 and NIS2 Article 21(2)(j). |
| Require MFA for everyone | Every signed-in user, including end users with no admin access | The stricter posture. Switch it on only after the rollout has reached the whole company; enabling it while users are unenrolled is disruptive. |

To turn on MFA enforcement:

  1. Open Admin → Settings, then select the Security tab.
  2. In the Two-factor authentication panel, tick Require MFA for admins, Require MFA for everyone, or both.
  3. Select Save settings at the bottom of the page.

A confirmation appears: Settings saved. Some changes (session lifetime, SSO credentials) take effect on the next request. MFA enforcement applies on each affected user's next request, so a user who is already signed in is redirected at their next page load rather than signed out.

What an affected user sees

When a policy applies to a user who hasn't enrolled, every page they open redirects to My profile → Two-factor authentication with the message Two-factor authentication is required by your organisation. Set it up to continue. They can still reach the enrolment steps, sign out, and complete the login challenge — but normal navigation stays blocked until they enrol. A user enrols by setting up an authenticator app or a passkey; see Set up two-factor authentication.

:::tip Either factor satisfies the policy

A confirmed TOTP authenticator or at least one registered passkey counts as enrolled. A user who has a passkey is not forced to also set up TOTP.

:::

:::warning Enrol your own admin account first

If you switch on Require MFA for admins before enrolling your own account, your next request redirects you to the enrolment screen too. You can complete enrolment from there, but enrolling first avoids the interruption.

:::

Restrict the admin panel by IP

The admin-panel IP allowlist limits the whole admin panel to a list of trusted CIDR ranges. With it in place, a request to any admin page from an IP outside the list is rejected with a hard 403 — not a redirect — and the block is recorded in the audit log. End-user pages are never affected, and a signed-in session survives the block, so the same person reaches the panel normally once they return from a permitted IP.

This control closes a common enterprise-procurement requirement for network segregation (ISO 27001 A.13.1.3, SOC 2 CC6.6). By default no allowlist is set, so every IP reaches the admin panel.

The allowlist is not yet self-service in the Security tab. To turn it on, send your trusted ranges to OnTrackio support and the team configures it for your workspace. Provide both IPv4 and IPv6 CIDR blocks as needed — for example 203.0.113.0/24, a single host as 198.51.100.42/32, or an IPv6 range as 2001:db8::/32.

| Property | Behaviour |
|---|---|
| Scope | Admin panel only. End-user pages are unaffected. |
| Default | No allowlist: every IP reaches the admin panel. |
| Address families | Both IPv4 and IPv6 CIDR blocks. |
| On block | HTTP 403 with an explanatory message. The signed-in session is preserved. |
| Audit | Each block is logged with the client IP, the user, and the page. |

:::tip Send the ranges your admins actually use

When you request the allowlist, include every network your team administers the workspace from, office egress and any VPN egress, so an admin on a permitted network is never caught out. A blocked admin sees the message Access to the admin panel is restricted by IP allowlist, and can still sign in again from a listed IP.

:::

:::note Restricting the API is separate

The admin-panel allowlist does not cover the REST API. To limit API access by IP, pin an API token to a CIDR range when you create it. See API tokens and webhooks.

:::

Save settings

The whole Security tab posts with the single Save settings button at the bottom of the page — there's no per-section save. Validation runs server-side, so a failed save returns you to the tab with the field error shown inline.

| Field | Rule |
|---|---|
| Session lifetime (minutes) | Whole number between 5 and 43200. |
| Super admin emails | Up to 1000 characters, comma-separated. |
| Require MFA for admins / for everyone | On or off. |

Troubleshooting

| Symptom | What to do |
|---|---|
| Every admin page returns Access to the admin panel is restricted by IP allowlist | Your current IP isn't on the allowlist. Sign in from a listed network (your session is still valid) or ask OnTrackio support to add your range. The block is intentional. |
| You're stuck on the two-factor setup screen and can't navigate | Your workspace requires MFA. Complete enrolment (set up an authenticator app or a passkey) so the policy is satisfied; navigation is then unblocked. See Set up two-factor authentication. |
| You enabled Require MFA for admins and got redirected yourself | Expected: the policy includes your account. Finish enrolment from the setup screen, then continue. |
| An admin is blocked from one office but not another | The allowlist only covers the ranges currently configured. Ask support to add the other office's egress range. |
| A turned-on MFA toggle didn't seem to take effect | Enforcement applies on the affected user's next request. Have the user reload; if they're already enrolled, no redirect occurs. |
| Settings won't save and a field shows a red error | Fix the highlighted field. Session lifetime must be 5–43200; super-admin emails must be under 1000 characters. |