IP Address Whitelisting

As part of our efforts to provide comprehensive data security for our users, PensionPro offers an IP Whitelisting feature. When enabled, users attempting to access a firm's PensionPro instance will be unsuccessful if the IP address they are connecting from is not on the list of addresses approved by the firm.

Article Contents

Setup & Requirements
- Security Rights
- Enabling IP Whitelisting
Adding Authorized IP Addresses
Successful Login Conditions

Setup & Requirements

The following sections cover the requirements for setting up the IP Whitelisting feature.

Security Rights

Security Rights Required: Add/Edit Employee

The following Security Rights facilitate the IP Whitelisting feature:

Authorized IP Address Exempt: Allows the user to bypass IP Address Whitelisting and access PensionPro regardless of the IP address used.
Manage Authorized IP Addresses: Allows the user to manage the IP Whitelist.

Note: If enabling features that restrict access to PensionPro based on login location, it is recommended that a separate "Break Glass" account is created for recovery purposes in the event that a configuration mistake restricts access to all users. If a loss of access does occur, this account will have the Security Rights necessary to make corrections to the configuration.

To create a "Break Glass" account, add a new employee, then assign it ONLY the following Security Rights:

Add/Edit Employee
Authorized Computer Exempt
Authorized IP Address Exempt
Maintenance
Security Management

Additionally, PensionPro recommends:

Using an exceptionally strong password
Turning on Multi-Factor Authentication for this account
Keeping this account enabled (active)

For more information on Security Rights, refer to the article Security Rights & Security Roles.

Enabling IP Whitelisting

Security Rights Required: Maintenance, Security Management

To turn on IP Whitelisting:

Navigate to Maintenance > Preferences > PensionPro.
Expand the General view grouping, then select the Data Security view.
Set Enable Authorized IP Address Management to Yes.

Adding Authorized IP Addresses

Security Rights Required: Manage Authorized IP Addresses, Authorized IP Address Exempt

Note: Both of the above Security Rights must be assigned to the user before this menu item becomes available. This is necessary to prevent accidental lock-out.

To access the IP Whitelist, select Maintenance > Preferences > Authorized IP Addresses.

New IP addresses can be added to the list of authorized addresses by selecting Add at the top-right.

The IP Whitelist utilizes IPv4 addresses.
A Description is recommended to quickly identify who the IP address applies to.

Hovering over an IP address will display Edit and Delete on the right-hand side.

Successful Login Conditions

While the IP Whitelist is in use, a user will only be able to sign in to PensionPro if one of the following conditions is met:

The user's public-facing IP address is on the list of authorized addresses
The user has been assigned the Authorized IP Address Exempt Security Right

If these conditions are not met, a user attempting to log in will receive the following error message:

You are connecting from an unauthorized location. Please login from an authorized location or contact your system administrator.