The 'Global user security settings' page allows you to configure security settings which control access to your organization's instance of the Cmd web app.
Prerequisite: Global permissions are only accessible to global administrators.
Reaching the 'Global user security settings' page
Go to https://app.cmd.com/settings/usercontrol, or:
- In the top-right corner of the web app, click the name of the project you're currently viewing to open the drop-down menu.
- Select Project & app settings from the drop-down list.
- On the left-hand menu, under the 'Administration (Global)' section, select Security.
Below are descriptions of the options on this menu. When you're done making changes, be sure to click Save at the bottom of the page.
Allow users to change their account email
Controls whether Cmd users can update the email addresses on their Cmd accounts.
Password change settings
- Allow forgot password - Enables assistance for users who forget their passwords.
- Enforce password change - Requires users to change their passwords regularly.
Note: When enabled, you can establish a maximum number of days before users are prompted to change their password.
- Enforce unique password on change - Stops users from changing their password to one they already used.
Support account settings
Grant/revoke access for the Cmd support team to your Cmd environment. You can set a date for access to expire.
Google login settings
- Allow Google login - Allow users to access Cmd with their Google credentials.
Note: To log in with Google credentials, users must configure their Cmd account to use their Google account email.
- Enforce Google login - Requires users to use their Google accounts to access Cmd.
Note: With this setting enabled, no other email credentials are permitted.
Enforce 2-factor authentication
Requires all users to set up 2-factor authentication in order to log in.
Note: If left disabled, users will still have the option to set up 2-factor authentication. They simply won't be required to. For more information about setting up 2-factor authentication, see Setting up 2-factor authentication.
- Block sessions with rotating IPs - Stops users from logging in if they are using a rotating IP address. To enable, check the box, then click Save in the bottom-right corner.
- Restrict emails to specific domains - Ensures all users' emails are from approved domains. To enable, check the box, enter the whitelisted domains (press 'Enter' between domains to add more than one), and click Save in the bottom-right corner.
- Restrict logins to specific IPs - Ensures users can only access Cmd from specific IP addresses. To enable, simply check the box, click Add IPs in the top-right corner (use commas to separate multiple IP addresses), press 'Enter' on your keyboard, and click Save in the bottom-right corner.
- Restrict logins to specific countries - Prevents users from logging in to Cmd from any non-designated countries. To enable, check the box, click where it says 'Select countries' and choose the countries to whitelist. Repeat to add as many countries as you'd like, then click Save in the bottom-right corner.
Web app session timeout
Automatically logs users out of the web app after they have been idle for too long. When enabled, you can choose a length of time (in minutes) after which inactive users will be logged out.
IP risk check
Prevents any user with a high-risk IP address from logging into the web app.
Quick data export
Enables the web app's quick data-export feature.
Enables single sign-on (SSO) for the web app.
Note: You can only add one SAML integration to Cmd.
To add your SAML integration to Cmd, you must provide the SSO service with the Cmd SSO URL and provide Cmd with the SSO service's details and X.509 certificate.
The Cmd SSO URL is generated for you when you enable the SAML setting within Cmd. Consult your SSO service provider for the other required details.
For more information on setting up SSO, see the Integrations overview.
Enables System for Cross-domain Identity Management (SCIM). Enabling this setting gives you what you need to sync server operator user identities from your identity provider of choice (e.g. Azure, OneLogin, Okta).