IP Address Whitelisting

As part of our efforts to provide comprehensive data security for our users, PensionPro offers an IP Whitelisting feature. When enabled, users attempting to access a firm's PensionPro instance will be unsuccessful if the IP address they are connecting from is not on the list of addresses approved by the firm.

 


Setup & Requirements

 

The following sections cover the requirements for setting up the IP Whitelisting feature.

 


 

Security Rights

 

Security Rights Required: Add/Edit Employee

 

The following Security Rights facilitate the IP Whitelisting feature:

 

  • Authorized IP Address Exempt: Allows the user to bypass IP Address Whitelisting and access PensionPro regardless of the IP address used.
  • Manage Authorized IP Addresses: Allows the user to manage the IP Whitelist.

 

Note: If enabling features that restrict access to PensionPro based on login location, it is recommended that a separate "Break Glass" account be created for recovery purposes in case a configuration mistake restricts access for all users. If a loss of access does occur, this account will have the Security Rights necessary to correct the configuration.

 

To create a "Break Glass" account, add a new employee, then assign it ONLY the following Security Rights:

  • Add/Edit Employee
  • Authorized IP Address Exempt
  • Maintenance
  • Security Management

 

Additionally, PensionPro recommends:

 

For more information on Security Rights, refer to the article Security Rights & Security Roles.

 


 

Enabling IP Whitelisting

 

Security Rights Required: Maintenance, Security Management

 

Note: The Manage Authorized IP Addresses and Authorized IP Address Exempt Security Rights must both be assigned to at least one Employee before this setting can be enabled.

 

To turn on IP Whitelisting:

 

  1. Navigate to Maintenance > Preferences > PensionPro.
  2. Expand the General view grouping, then select the Data Security view.
  3. Set Enable Authorized IP Address Management to Yes.

 


 

Adding Authorized IP Addresses

 

Security Rights Required: Manage Authorized IP Addresses, Authorized IP Address Exempt

 

Note: Both of the above Security Rights must be assigned to the user before this menu item becomes available. This is necessary to prevent accidental lock-out.

 

To access the IP Whitelist, select Maintenance > Preferences > Authorized IP Addresses.

 

New IP addresses can be added to the list of authorized addresses by selecting Add at the top-right.

  • The IP Whitelist utilizes IPv4 addresses.
  • A Description is recommended to quickly identify who the IP address applies to.

 

Hovering over an IP address will display Edit and Delete on the right-hand side.

 


 

Successful Login Conditions

 

While the IP Whitelist is in use, a user will only be able to sign in to PensionPro if one of the following conditions is met:

 

  • The user's public-facing IP address is on the list of authorized addresses
  • The user has been assigned the Authorized IP Address Exempt Security Right

 

If these conditions are not met, a user attempting to log in will receive the following error message:

You are connecting from an unauthorized location. Please login from an authorized location or contact your system administrator.
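
The sign-in rule above, together with the enable precondition and the "Break Glass" recommendation, can be checked on paper before the setting is switched on. The following is an added example, not PensionPro code or a PensionPro API: the function names, data layout, employees and addresses are all constructed, and it assumes each whitelist entry is a single IPv4 address.

```python
import ipaddress

EXEMPT = "Authorized IP Address Exempt"
MANAGE = "Manage Authorized IP Addresses"
BREAK_GLASS = {"Add/Edit Employee", EXEMPT, "Maintenance", "Security Management"}
# Ranges that can never be a user's public-facing address (RFC 1918, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def check_whitelist(entries):
    """Return (set of IPv4Address, problems). Assumes one address per entry."""
    valid, problems = set(), []
    for raw in entries:
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except ipaddress.AddressValueError:
            problems.append(f"{raw}: not an IPv4 address")
            continue
        if any(addr in net for net in NON_PUBLIC):
            problems.append(f"{raw}: not public-facing, will never match")
        valid.add(addr)
    return valid, problems

def can_sign_in(rights, source_ip, whitelist):
    """Page rule: the source IP is authorized OR the user holds the exempt right."""
    return EXEMPT in rights or ipaddress.IPv4Address(source_ip) in whitelist

def audit(employees, entries, usual_ips):
    """List what to fix before setting Enable Authorized IP Address Management to Yes."""
    whitelist, findings = check_whitelist(entries)
    # Assumed reading: one employee must hold both rights, since the whitelist menu needs both.
    if not any({EXEMPT, MANAGE} <= r for r in employees.values()):
        findings.append("no employee holds both Manage and Exempt rights")
    if not any(r == BREAK_GLASS for r in employees.values()):
        findings.append("no break-glass account with ONLY the four recovery rights")
    for name, rights in employees.items():
        ip = usual_ips.get(name)
        if ip and not can_sign_in(rights, ip, whitelist):
            findings.append(f"{name}: locked out when connecting from {ip}")
    return findings

# Constructed sample data (documentation-range addresses, made-up employees).
EMPLOYEES = {"alice": {MANAGE, EXEMPT, "Maintenance"}, "breakglass": set(BREAK_GLASS),
             "bob": {"Add/Edit Employee"}, "carol": {"Add/Edit Employee"}}
WHITELIST = ["203.0.113.10", "192.168.1.20", "2001:db8::1"]
USUAL_IPS = {"alice": "198.51.100.7", "bob": "203.0.113.10", "carol": "198.51.100.7"}

if __name__ == "__main__":
    for finding in audit(EMPLOYEES, WHITELIST, USUAL_IPS):
        print(finding)
```
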

 


 

Frequently Asked Questions

 

  • Why is the System Administrator Security Role missing the Authorized IP Address Exempt Security Right?
    As this Security Role otherwise has unrestricted access across the entirety of the application, PensionPro does not assign this Security Right to the System Administrator Role as a safeguard against attacks originating outside the approved list of IP addresses.