As part of our efforts to provide comprehensive data security for our users, PensionPro offers an IP Whitelisting feature. When enabled, users attempting to access a firm's PensionPro instance will be unsuccessful if the IP address they are connecting from is not on the list of addresses approved by the firm.
- Setup & Requirements
- Adding Authorized IP Addresses
- Successful Login Conditions
Setup & Requirements
The following sections cover the requirements for setting up the IP Whitelisting feature.
Security Rights Required: Add/Edit Employee
The following Security Rights facilitate the IP Whitelisting feature:
- Authorized IP Address Exempt: Allows the user to bypass IP Address Whitelisting and access PensionPro regardless of the IP address used.
- Manage Authorized IP Addresses: Allows the user to manage the IP Whitelist.
Note: When enabling features that restrict access to PensionPro based on login location, it is recommended that a separate "Break Glass" account be created for recovery purposes in case a configuration mistake restricts access for all users. If a loss of access does occur, this account will have the Security Rights necessary to correct the configuration.
To create a "Break Glass" account, add a new employee, then assign it ONLY the following Security Rights:
- Add/Edit Employee
- Authorized Computer Exempt
- Authorized IP Address Exempt
- Security Management
Additionally, PensionPro recommends:
- Using an exceptionally strong password
- Turning on Multi-Factor Authentication for this account
- Keeping this account enabled (active)
For more information on Security Rights, refer to the article Security Rights & Security Roles.
Enabling IP Whitelisting
Security Rights Required: Maintenance, Security Management
To turn on IP Whitelisting:
- Navigate to Maintenance > Preferences > PensionPro.
- Expand the General view grouping, then select the Data Security view.
- Set Enable Authorized IP Address Management to Yes.
Adding Authorized IP Addresses
Security Rights Required: Manage Authorized IP Addresses, Authorized IP Address Exempt
To access the IP Whitelist, select Maintenance > Preferences > Authorized IP Addresses.
New IP addresses can be added to the list of authorized addresses by selecting Add at the top-right.
- The IP Whitelist utilizes IPv4 addresses.
- A Description is recommended to quickly identify who the IP address applies to.
Hovering over an IP address will display Edit and Delete on the right-hand side.
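A planned list can be checked offline before it is entered, to catch the kind of mistake that locks everyone out. The script below is an added example, not PensionPro code: the function name, the sample entries (constructed, from documentation address ranges), and the assumption that each entry is a single address are not from this article.

```python
import ipaddress

# Ranges that never appear as a public-facing source address, so an entry
# from them cannot match a sign-in coming over the internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed sample input: (address, description) pairs as an admin might draft them.
SAMPLE_ENTRIES = [
    ("203.0.113.10", "HQ office"),
    ("192.168.1.20", "Front desk PC"),
    ("198.51.100.0/24", "Branch range"),
    ("203.0.113.10", "HQ duplicate"),
    ("198.51.100.7", ""),
]

def preflight(entries, admin_public_ip):
    """Return (usable_addresses, problems) for a planned list of authorized IPs."""
    usable, problems, seen = [], [], set()
    for raw, description in entries:
        text = raw.strip()
        try:
            addr = ipaddress.IPv4Address(text)  # rejects IPv6, CIDR, typos
        except ipaddress.AddressValueError:
            problems.append(f"{text!r}: not a single IPv4 address")
            continue
        if addr in seen:
            problems.append(f"{addr}: duplicate entry")
            continue
        seen.add(addr)
        if any(addr in net for net in NON_PUBLIC):
            problems.append(f"{addr}: internal address, not public-facing")
            continue
        if not description.strip():
            problems.append(f"{addr}: no description")
        usable.append(str(addr))
    # The admin's own address must be usable, or enabling the feature
    # leaves only exempt accounts able to sign in.
    if admin_public_ip.strip() not in usable:
        problems.append(f"{admin_public_ip}: admin address missing, lockout risk")
    return usable, problems

if __name__ == "__main__":
    usable, problems = preflight(SAMPLE_ENTRIES, "203.0.113.10")
    print("usable:", usable)
    for p in problems:
        print("problem:", p)
```
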
Successful Login Conditions
While the IP Whitelist is in use, a user will only be able to sign in to PensionPro if one of the following conditions is met:
- The user's public-facing IP address is on the list of authorized addresses
- The user has been assigned the Authorized IP Address Exempt Security Right
If these conditions are not met, a user attempting to log in will receive the following error message: