As part of our efforts to provide comprehensive data security for our users, PensionPro offers an IP Whitelisting feature. When enabled, a user attempting to access a firm's PensionPro instance is denied if the IP address they are connecting from is not on the firm's list of approved addresses.
Article Contents
- Security Rights for IP Whitelisting
- Creating a "Break Glass" Account
- Adding Authorized IP Addresses
- Enabling IP Whitelisting
- Successful Login Conditions with IP Whitelisting Enabled
Security Rights for IP Whitelisting
The following Security Rights facilitate the IP Whitelisting feature:
- Authorized IP Address Exempt: Allows the user to bypass IP Address Whitelisting and access PensionPro regardless of the IP address used.
- Manage Authorized IP Addresses: Allows the user to manage the IP Whitelist.
Because the Authorized IP Address Exempt Security Right bypasses the whitelist entirely, it is generally advised to assign it only to users who have a legitimate business purpose for accessing PensionPro from outside a whitelisted IP, and to review who holds it periodically. For more information on Security Rights, refer to the article Security Rights & Security Roles.
Why is the System Administrator Security Role missing the Authorized IP Address Exempt Security Right?
Because this Security Role otherwise has unrestricted access across the entirety of the application, PensionPro deliberately does not include the Authorized IP Address Exempt Security Right in the System Administrator Role. This keeps the whitelist in force for administrators, so a compromised administrator credential cannot be used from outside the approved list of IP addresses.
Creating a "Break Glass" Account
Requires Security Rights: Add/Edit Employee
When enabling features that restrict access to PensionPro based on login location, it is recommended that a separate fail-safe (or "Break Glass") account is created for recovery purposes, in case a configuration mistake (for example, a mistyped address or an office IP that later changes) locks out all users. If a loss of access does occur, this account holds the Security Rights necessary to correct the configuration.
To create a Break Glass account, add a new employee, then assign it ONLY the following Security Rights:
- Add/Edit Employee
- Authorized IP Address Exempt
- Maintenance
- Security Management
Additionally, PensionPro recommends:
- Using an exceptionally strong password
- Turning on Multi-Factor Authentication for this account
- Keeping this account enabled (active)
Adding Authorized IP Addresses
Requires Security Rights: Manage Authorized IP Addresses, Authorized IP Address Exempt
To access the IP Whitelist, navigate to Maintenance > Preferences > Authorized IP Addresses. The grid on this tab displays any IP addresses that have already been added to the whitelist. Hovering over an entry in this grid will display the Edit and Delete options on the right-hand side.
New IP addresses can be added to the list of authorized addresses by selecting Add at the top-right. Of note:
- The IP Whitelist uses IPv4 addresses. Enter the public-facing address that the firm's users present to PensionPro, not an internal network address.
- A Description is recommended to quickly identify who the IP address applies to (for example, an office or a named remote user), which makes later cleanup of stale entries much easier.
Enabling IP Whitelisting
Requires Security Rights: Maintenance, Security Management
To turn on the IP Whitelisting feature:
- Navigate to Maintenance > Preferences > PensionPro.
- Expand the General view grouping, then select the Data Security view.
- Set Enable Authorized IP Address Management to Yes.
Following these steps, users will only be able to access PensionPro if one of the conditions in the section Successful Login Conditions with IP Whitelisting Enabled (below) is met. Confirm that the whitelist and the Break Glass account are in place before changing this setting, since the restriction applies as soon as it is saved.
Successful Login Conditions with IP Whitelisting Enabled
While the IP Whitelist is in use, a user will only be able to sign in to PensionPro if one of the following conditions is satisfied:
- The user's public-facing IP address is on the list of authorized addresses
- The user has been assigned the Authorized IP Address Exempt Security Right
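The decision rule just listed, together with the pre-checks a firm would want to run on entries from the section Adding Authorized IP Addresses, as an added Python example. This is not PensionPro code: the Security Right names follow the article, but the Employee type, the functions (validate_allowlist_entry, login_permitted, lockout_warnings) and the sample addresses are constructed for illustration, and the rejection of non-public addresses is this example's own pre-check rather than documented product behaviour.

```python
"""Added illustration of the IP allowlist login rule described in the article.
Not PensionPro code: right names follow the article; everything else is
constructed for the example."""
from dataclasses import dataclass
import ipaddress

EXEMPT_RIGHT = "Authorized IP Address Exempt"
MANAGE_RIGHT = "Manage Authorized IP Addresses"

# Ranges that can never be a user's public-facing source address, so an entry
# in one of them would never match a real login.  Rejecting them is this
# example's own pre-check, not documented product behaviour.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Employee:
    """Hypothetical stand-in for a PensionPro employee record."""
    name: str
    rights: frozenset
    enabled: bool = True


def validate_allowlist_entry(entry: str) -> ipaddress.IPv4Address:
    """Check one address before it is added to the list.  The list holds
    IPv4 addresses, so IPv6 literals are rejected; so are addresses that
    are not routable on the public Internet (see NON_PUBLIC_V4)."""
    try:
        addr = ipaddress.ip_address(entry.strip())
    except ValueError as exc:
        raise ValueError(f"{entry!r} is not a valid IP address") from exc
    if addr.version != 4:
        raise ValueError(f"{entry!r} is IPv6; the list accepts IPv4 addresses")
    if any(addr in net for net in NON_PUBLIC_V4):
        raise ValueError(f"{entry!r} is not a public address and would never match a login")
    return addr


def build_allowlist(entries):
    """Validate every entry; duplicate entries collapse into the set."""
    return frozenset(validate_allowlist_entry(e) for e in entries)


def login_permitted(user, source_ip, allowlist, whitelisting_enabled):
    """The article's rule: with whitelisting on, a login succeeds only if the
    source address is on the list or the user holds the Exempt right."""
    if not user.enabled:
        return False
    if not whitelisting_enabled:
        return True
    if EXEMPT_RIGHT in user.rights:
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable source address: fail closed
    # An IPv6 source never equals an IPv4 entry, so IPv6 traffic is denied
    # here unless the user is exempt.
    return addr in allowlist


def lockout_warnings(employees, allowlist):
    """Pre-flight before setting Enable Authorized IP Address Management to
    Yes: the conditions under which a mistake in the list locks everyone out."""
    warnings = []
    if not any(e.enabled and EXEMPT_RIGHT in e.rights for e in employees):
        warnings.append("no enabled account holds the Exempt right; create a Break Glass account first")
    if not allowlist:
        warnings.append("the allowlist is empty; only Exempt users will be able to sign in")
    return warnings


# Constructed sample data (documentation address ranges, not real firms).
OFFICE_ALLOWLIST = build_allowlist(["203.0.113.10", "198.51.100.7", "203.0.113.10"])
ALICE = Employee("alice", frozenset({MANAGE_RIGHT}))
# System Administrator role: broad rights but, per the article, no Exempt right.
SYSADMIN = Employee("sysadmin", frozenset({"Maintenance", "Security Management",
                                           "Add/Edit Employee", MANAGE_RIGHT}))
BREAK_GLASS = Employee("breakglass", frozenset({"Add/Edit Employee", EXEMPT_RIGHT,
                                                "Maintenance", "Security Management"}))

if __name__ == "__main__":
    print(login_permitted(ALICE, "203.0.113.10", OFFICE_ALLOWLIST, True))   # True: on the list
    print(login_permitted(SYSADMIN, "192.0.2.44", OFFICE_ALLOWLIST, True))  # False: admin is not exempt
    print(login_permitted(BREAK_GLASS, "192.0.2.44", OFFICE_ALLOWLIST, True))  # True: exempt
    print(lockout_warnings([ALICE, SYSADMIN], OFFICE_ALLOWLIST))  # one warning: no exempt account
```

Two practical consequences follow from matching on the public-facing address: every user behind the same office NAT presents the same address, so one entry covers the whole office, while users on home or mobile connections present addresses that change, which is exactly the case the Authorized IP Address Exempt Security Right is meant for rather than a growing list of short-lived entries.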
If these conditions are not met, a user attempting to log in will receive the following error message: