System settings / Security settings

Security settings

ELMA365 allows you to enhance your data protection with configurable security settings. To use this feature, go to Administration > Security Settings.

Here you can:

  • Specify the minimum password length, its quality and periodic reset.
  • Restrict the number of invalid login attempts and configure conditions for user account lockout.
  • Enable two-factor authentication.
  • Enable authentication with phone number.
  • Specify inactivity timeout.

начало внимание

Only users included in the Administrators group can change the security settings.

конец внимание

Password policy

In this section, you can set the password policy and configure account lockout in case of invalid login attempts.

The system will use these settings for user authentication and password recovery.


The available password policy options are:

  • Minimum password length. Specify the minimum number of characters in a password. If the password isn't long enough, the system will notify the user about it when he or she tries to sign in.
  • Use complex password. If this option is enabled, the system will require a password to contain upper- and lowercase letters, numbers, and special characters, for example, +! #, etc. If the password does not meet the requirements, when trying to log in, the user will see a notification.
  • Number of invalid login attempts. Enter the number of times the user can attempt to log in to his or her account with an invalid password before the account is locked. To disable the option, set its value to 0.
  • Reset account lockout counter after. Enter the number of minutes before the counter resets to 0 after a failed login attempt. If the limit is not exceeded, the counter starts from zero after the set period. The user will not be locked.

For example, you limited the number of invalid login attempts to 3 and set the account lockout time to 1 minute. The user who has entered the wrong password twice can wait for one minute and get three login attempts again.

If the time limit is set to 0, the counter won’t be reset and the system will lock the user account after the limit of invalid login attempts is reached.

  • Account lockout duration in minutes. Enter the number of minutes until the account unlocks after a user exceeds the limit of login attempts. During the lockout, the user's status remains Active, bu the Account is locked label appears in their profile. Once the lockout period expires, the user can try to log in again.
    If the lockout duration is set to 0, the only person who can unlock the user is the Administrator. To unlock a user, go to Administration>Users, open the user profile, and click Unlock. To learn more, see Users.
  • User groups that must be informed about account lockout. Here you can specify the user groups that will be notified in the activity stream about account lockout.
  • How often the password is reset, in days. Specify how often users must change the passwords to log in. To disable the option, set its value to 0.
  • Email resend interval, in days. Specify the period for sending emails to remind the user to change the password. If the interval is set to 0, the email will be sent only once. After changing the password, the sending of emails stops automatically.
  • Escalation. This option allows locking a user until the password is changed.

Two-factor authentication

You can require internal users to additionally verify their identities to ensure that the account is used by your employee and not someone else.


Two-factor authentication is available not only for users who were added manually, but also for those imported via AD/LDAP or created automatically via SAML.


To set up two-factor authentication:

  1. Select a Second authentication factor.
  • SMS. Users will be required to enter the login, password, and individual code from SMS. The code will be sent to the number specified in the user profile settings in the Mobile field.
    • SMS provider. Select the SMS service provider the system will use to send the individual code to the user. In ELMA365, integrations with SMSCenter and SMSRU providers are currently available.

начало внимание

If the provider is not listed, make sure that an integration module enabled and set up for this provider.

конец внимание

  • Email. Users will be required to enter the login, password, and individual code sent to their emails. The email will be sent to the address specified during registration of the user in the system.

Please note that in ELMA365 On-Premises, the authentication code is sent through the SMTP server specified during system installation.

  1. Click the Save button. You will receive a verification code for the connection to the service. Depending on the selected authentication factor, the code will be sent via email or SMS.
  2. In the opened window, enter the received code and click the Confirm button.


Please note that if you close the verification window or enter an incorrect code, the two-factor authentication settings will not be saved.

Advanced authentication options

Users can accept invites to ELMA365, sign in and restore their password using the phone number specified in their user profile instead of the login.  

To make that possible, you need to set up an SMS module and enable authentication with phone number.

Signing in with login, AD/LDAP, SAML and OAuth will remain available as well as restoring password and inviting users with email .


To enable authentication with phone number fill out the settings:

  • Allow authentication with phone number. Check the box to activate authentication, user invites and password recovery with phone number;
  • Use one-time authentication codes. Check the box so that users can sign in to ELMA365 with authentication codes without having to enter the password;
  • Authentication code provider type. At the moment only the SMS type is available;
  • Authentication code provider. Select an SMS module that you have set up. The selected provider will send one-time codes for users to sign in, send invites, restore password and save advanced authentication features.

Click Save. A code will be sent to your phone number for checking the connection with the service.

In the provided window, enter the code and click Confirm.

When you save the settings, the phone numbers of all the users will be checked. If there are users without a phone number or users with the same number, you will see an alert about it. You will be able to save your settings only after having resolved the issue.

Once you enable authentication with mobile phone, the following happens:

  • the Email field on the user invite form and in profile settings becomes optional and editable;
  • the Mobile phone field on the user invite form and in profile settings becomes required. It is possible to edit the phone number only if there is an email address specified for the user;
  • the uniqueness of user phone numbers is checked;
  • the authentication window changes. If one-time codes are enabled, the user sees a field for entering their phone number, and the Get Code button. With this type of authentication, two-factor authentication becomes inactive;
  • users imported from AD/LDAP will be able to sign in with a one-time code.

To sign in with login and password, the user has to click Use another sign-in method. In this case, two-factor authentication will become active, if it has been set up.


User sessions

You can manage user sessions:

  • Close user sessions when inactive. Enable this option and specify the inactivity timeout. When a user remains inactive for the specified period of time, the session is automatically terminated. To continue working in the system, the user will have to sign in again regardless of the license type they are using;

  • Limit parallel sessions. Enable this option and specify on how many devices a user can stay signed in at the same time. When this number is reached, the user will see an alert when trying to sign in on another device. The new session will not be created until the user signs out of the system on one of the other devices. This is applied to all authentication methods: login and password, AD/LDAP, SAML, OAuth2. For example, if two parallel sessions are allowed, the user can successfully sign in in the Chrome browser and the mobile app. When trying to sign in in the Firefox browser, the error will appear after the login and password are checked.

начало внимание

For SaaS Enterprise and On-Premises session settings are available only if the ELMA365 Advanced Security Pack solution is activated.

конец внимание


Found a typo? Highlight the text, press ctrl + enter and notify us