Your site's security is high on our priority list. This article reviews the options you have on the Security page of your site.
Site Password
Your learning site will be password protected until your site is launched or goes live. Users who attempt to visit your site's URL will land on a page indicating that the site is closed. To bypass this page, you must enter the site password, or sign in with valid credentials. For testing purposes, you can enter the site password in order to view and test the different user flows without being logged in.
Note
The site password is not related to your personal login credentials.
- From your homepage, select Settings > Security.
- Within the Passwords & Keys section, you will find your assigned site password. This password is randomly generated.
- Go to your site URL and enter the password. Click Enter.
Tip
We highly recommend using a private/incognito browser in order to test your site as a logged out user.
- From here, you are ready to start testing!
Tip
Removing the password protection from your site is the final step in setting up your custom domain (launching your site). You should not remove the password protection on your site until all configuration steps and QA are completed.
Reactivating Your Site Password
If you accidentally remove password protection before you are ready, contact your Tech Success & Support team to have it reapplied to your site.
Primary API Keys
View and copy your site's primary API key here. The key is masked for security, and you can rotate it as needed. You can have up to two primary keys at a time; both carry full admin permissions on your site, so reserve them for administrative use and give integrations a scoped ancillary key instead. The second slot exists so you can rotate without downtime: generate the new key, move your integration to it, then remove the old one.
- From your homepage, select Settings > Security.
- Find the Passwords & Keys section.
- Click Generate API Key.
- Once an API Key has been generated, click the eye icon to view it and copy if needed.
- If you would like to generate a 2nd API Key, click Generate API Key again.
- Once you've generated two API Keys, you have the option to remove either API Key from your site by clicking the trash icon.
Warning
Removing an API Key cannot be undone. Any integration still using the removed key fails immediately, so switch it to the replacement key first.
Ancillary API Keys
Ancillary API keys let you create multiple API keys for different uses and assign each key its own scope of permissions. For security purposes, a key is shown only once, when it is first created; store it in a secrets manager at that moment, because it cannot be displayed again.
Create and Scope Keys
- From your homepage, select Settings > Security.
- Find the Ancillary Keys section.
- Click New API Key.
- Define a name for the key and select a user role (from Thought Industries' existing role-based permissions system) to define the permissions the API key has.
- You can optionally create a new user role if no existing role exists with the desired permissions.
Warning
Ancillary keys are always main site keys. Even if you associate a key with a Panorama role, the key is NOT restricted to Panorama-only data. See the Understanding Panorama support article for details about Client API keys.
Note
You are solely responsible for testing to determine which role to assign to each key, and we recommend thorough testing to ensure the permissions you select are appropriate for your use case. To help you define permissions for each key, the table below summarizes the permissions required for some common endpoints, with a focus on endpoints that expose user data.
- Use the key in Thought Industries REST API requests. A call to an endpoint outside the scope of the key's user role returns HTTP 200 with an error property in the response body, so your client must inspect the body rather than treat the status code as proof of access.
Common Endpoints and Manager User Role Permissions that Govern Access
This is not an exhaustive list of all endpoints; test every endpoint your integration uses against the role you assign to its key.

Endpoints | Permissions
---|---
 | To allow access, enable any permission that allows access to the user list, e.g., Granting Access, Editing Basic Info, Creating Learners. To restrict access, don’t give any permissions from the Learners section.
 | To allow access, enable the Editing Basic Info permission. To restrict access, remove this permission.
List Content | To allow access, enable any permission from the Manage Content section. To restrict access, don’t give any permissions from the Manage Content section.
 | All ancillary keys have access to these endpoints.
 | To allow access, enable any permission from the Panorama section. To restrict access, don’t give any permissions from the Panorama section.
Create Client | To allow access, enable the Creating Clients permission. To restrict access, remove this permission.
 | To allow access, enable the Editing and Deleting Clients permission. For the Delete Client endpoint, the user role must be a main site level role (not a Panorama role). To restrict access, remove this permission.
 | To allow access, enable the Managing Assessment Attempts permission. To restrict access, remove this permission.
List Assignment Submissions | To allow access, enable the Manage Assignments permission and enable the role-level setting “Has Access To All Courses?” To restrict access, remove this permission.
 | To allow access, enable the “Manage School Settings” permission. To restrict access, remove this permission.
 | To allow access, enable the “View Reports” permission. To restrict access, remove this permission.
 | To allow access, enable the Viewing Content Reports or Manage Roster permission. To restrict access, remove both of these permissions.
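Because an out-of-scope call comes back as HTTP 200 with an error property, a scope test has to parse every body, and the table above tells you which outcomes to expect for a given role. The script below, an added example rather than Thought Industries code, automates that testing: it sends a fixed set of probes with one key and reports any endpoint whose outcome differs from the intended scope. Everything it assumes about the real API is a placeholder to be replaced from the REST API documentation: the endpoint paths, the header that carries the key, and the base URL. `fake_sender` and `FAKE_RESPONSES` are constructed stand-ins so the script runs offline.

```python
"""Scope-test an ancillary API key against a fixed set of endpoints.

Added example, not Thought Industries code. The single fact taken from
the article: a call to an endpoint outside the key's role scope answers
HTTP 200 with an `error` property in the JSON body. Endpoint paths, the
header carrying the key and the base URL are PLACEHOLDER assumptions.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# (method, path) -> (status, body)
Sender = Callable[[str, str], Tuple[int, str]]

# Probes named after rows of the permissions table. The paths are
# hypothetical placeholders, not documented routes.
PROBES: List[Tuple[str, str, str]] = [
    ("List Content", "GET", "/content"),
    ("Create Client", "POST", "/clients"),
    ("List Assignment Submissions", "GET", "/assignment-submissions"),
]


def classify(status: int, body: str) -> str:
    """Classify one response as 'allowed', 'denied' or 'unexpected'.

    A 200 alone proves nothing. The body is parsed, and a 200 whose JSON
    object carries an `error` property means the role lacks the
    permission for that endpoint. Anything that is neither a clean 2xx
    nor that documented denial shape is 'unexpected', so a transport or
    parsing problem is never mistaken for a denial.
    """
    try:
        payload = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        return "unexpected"
    if status == 200 and isinstance(payload, dict) and "error" in payload:
        return "denied"
    if 200 <= status < 300:
        return "allowed"
    return "unexpected"


def probe_scope(send: Sender) -> Dict[str, str]:
    """Run every probe through `send` and classify each result."""
    return {name: classify(*send(method, path)) for name, method, path in PROBES}


def scope_violations(results: Dict[str, str], allowed: List[str]) -> List[str]:
    """Return the probes whose outcome contradicts the intended scope.

    `allowed` lists the endpoints the key is meant to reach; every other
    probe must come back 'denied'. 'unexpected' outcomes are reported too.
    """
    return sorted(name for name, outcome in results.items()
                  if outcome != ("allowed" if name in allowed else "denied"))


def http_sender(base_url: str, api_key: str, header: str) -> Sender:
    """Real transport. ASSUMPTION: the key is sent in a request header
    whose name (`header`) you take from the REST API documentation."""
    def send(method: str, path: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            base_url + path, method=method,
            headers={header: api_key, "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            return exc.code, exc.read().decode("utf-8", "replace")
    return send


# Constructed offline stand-in for a key whose role has Manage Content only.
FAKE_RESPONSES = {
    ("GET", "/content"): (200, '{"data": [{"id": "c1", "title": "Intro"}]}'),
    ("POST", "/clients"): (200, '{"error": "You do not have permission to do that"}'),
    ("GET", "/assignment-submissions"): (200, '{"error": "Not authorized"}'),
}


def fake_sender(method: str, path: str) -> Tuple[int, str]:
    """Offline sender that replays FAKE_RESPONSES."""
    return FAKE_RESPONSES[(method, path)]


if __name__ == "__main__":
    # Swap in http_sender("https://<your-site>", "<key>", "<header-name>")
    # to run against a real site.
    results = probe_scope(fake_sender)
    print(results)
    print("violations:", scope_violations(results, allowed=["List Content"]))
```

Run it once per ancillary key with `allowed` set to exactly the endpoints that key's integration needs; a non-empty violation list means either the role grants too much or the integration will break when it hits a denial it did not expect.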
Delete Keys
- From your homepage, select Settings > Security.
- Find the Ancillary Keys section.
- Click the trash icon to delete a key.
Configuring Frame Options
Your instance can be embedded in another website, domain, or even an app via the HTML tags <frame>, <iframe>, or <object>. Frame Options control which sites are allowed to do that embedding, so set them as described below before exposing your site.
- From the homepage, select Settings > Security.
- Find the section for Security Options.
- Choose one of two options from the drop-down:
- Allow (not recommended): any site may embed your pages in a frame.
- Allow from Same Origin (recommended): only pages served from your site's own origin may frame it.
- Click Save.
Note
We recommend the Allow from Same Origin setting for your site’s Frame Options in order to prevent clickjacking attacks, in which an attacker loads your site in an invisible frame on their own page and tricks a signed-in user into clicking buttons they cannot see.
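To confirm from the outside what the setting does, the checker below (an added example, not part of this article or the product) evaluates a response's framing headers the way a browser would, for both the recommended and the not-recommended configuration. It assumes that Allow from Same Origin sends `X-Frame-Options: SAMEORIGIN` and that Allow sends no framing restriction; `fetch_headers` lets you verify that assumption against your own site. It also handles a `Content-Security-Policy: frame-ancestors` directive, which browsers give precedence over X-Frame-Options when both are present. The function names and sample origins are illustrative.

```python
"""Decide whether a page's response headers let another origin frame it.

Added example, not product code. ASSUMPTION: "Allow from Same Origin"
sends `X-Frame-Options: SAMEORIGIN` and "Allow" sends no restriction;
check with fetch_headers(). A CSP frame-ancestors directive, when
present, takes precedence over X-Frame-Options, as in browsers.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit
import urllib.request


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased, as browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.strip("'").lower() for s in parts[1:]]
    return None


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source against the embedder origin."""
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return embedder == page
    e = urlsplit(embedder)
    if "://" in source:                      # scheme-qualified source
        s = urlsplit(source)
        scheme_ok, host_pat = s.scheme == e.scheme, s.netloc
    else:                                    # bare host or *.host
        scheme_ok, host_pat = True, source
    if host_pat.startswith("*."):
        return scheme_ok and (e.hostname or "").endswith(host_pat[1:])
    return scheme_ok and e.netloc == host_pat


def framing_allowed(headers: Dict[str, str], page_url: str, embedder_url: str) -> bool:
    """True if the page at page_url may be framed by a page at embedder_url.

    Header names are matched case-insensitively. CSP frame-ancestors
    wins when present; otherwise X-Frame-Options applies; with neither
    header, any site may frame the page (the article's "Allow" setting).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, embedder, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True  # no restriction at all: clickjacking-prone


def fetch_headers(url: str) -> Dict[str, str]:
    """Network helper: response headers of `url`, for use with framing_allowed."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed header sets standing in for the two settings.
    same_origin = {"X-Frame-Options": "SAMEORIGIN"}
    allow = {}
    site, attacker = "https://learn.example.com/", "https://evil.example/"
    print("SAMEORIGIN, attacker frames us:", framing_allowed(same_origin, site, attacker))
    print("Allow, attacker frames us:", framing_allowed(allow, site, attacker))
```

After saving the setting, run `framing_allowed(fetch_headers("https://<your-site>/"), "https://<your-site>/", "https://some-other-origin.example/")` and expect `False`; if it still returns `True`, the response carries neither header and the site remains frameable by anyone.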
Volume Security Requests
Thought Industries uses several measures to stop malicious actors from breaking into accounts. Three are worth understanding:
- Account Lockout Functionality
- Login Rate Limiting Functionality
- Volume Security Requests Setting
Account Lockout Functionality
This behavior is always active on every site.
Objective: Prevent a malicious actor from breaking into a single account by guessing the password to that account.
Behavior: Locks an individual account after 5 failed login attempts against it within 30 minutes. The count is per account, not per IP address, so failures spread across many IPs still accumulate. A locked-out user sees the existing login-too-many-attempts translation string, which defaults to “You have made too many login attempts. Please try again in 30 minutes.”
Login Rate Limiting Functionality
This behavior is always active on every site.
Objective: Prevent a malicious actor from breaking into multiple accounts, e.g., by guessing the password ‘testtest’ across a variety of email addresses. This is typically an automated effort that tries thousands of email/password combos in a short time.
Behavior: After a high volume of login attempts (failed or successful) from a single IP address within a certain time period, a managed challenge is presented. Users prove they are human by clicking a button and, assuming they are, continue as normal; automated tooling is stopped at the challenge.
Volume Security Requests Setting
This protection is active on every site unless the Disable Security Volume Requests? toggle is enabled. Disabling it can be useful when you host an in-person event at which many attendees redeem registration or redemption codes from the same venue network and therefore share a single public IP address.
Objective: With the toggle disabled (the default), prevent a malicious actor from sending a large volume of code redemption requests.
Behavior: With the toggle disabled (the default), block all users at a particular IP address when a large volume of code redemption requests (not login requests) arrives from that IP within a short period. With the toggle enabled, no IP-based blocking of redemption requests is performed.
To enable the toggle and stop blocking by IP:
- From the homepage, select Settings > Security.
- Find the section for Security Options.
- Locate the Disable Security Volume Requests? toggle. Its two states are:
  - Disabled (default): Block users after a high number of attempts from the same IP within 5 minutes. Blocked users can try again after 5 minutes have passed.
  - Enabled (ignore volume requests): Don’t block users based on IP.
- Enable the toggle.
- Click Save.
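To make the difference between the three controls concrete, here is a small model of them, an added example and not the product's implementation. It uses the figures the article states (5 failed logins per account in a 30-minute window, counted regardless of IP; IP-based redemption blocking measured over 5 minutes and lifting after 5 minutes) and treats everything else as a placeholder: the “high volume” thresholds, the login rate-limit window, the order in which the checks run, and the choice not to count attempts made while an account is locked or an IP is blocked.

```python
"""Model of the three volume controls described above.

Added example, not the product's implementation. Figures the article
states: an account locks after 5 failed logins within 30 minutes,
independent of IP; redemption blocking is per IP, measured over 5 minutes,
and lifts after 5 minutes. PLACEHOLDERS: the "high volume" thresholds,
the login rate-limit window, the order of checks, and the decision not
to count attempts made while locked or blocked.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable

MIN = 60
LOGIN_CHALLENGE_AFTER = 50      # placeholder: article says only "a high volume"
REDEMPTION_BLOCK_AFTER = 20     # placeholder: article says only "a large volume"


class SlidingWindowCounter:
    """Count events per key inside a trailing window of `window_s` seconds."""

    def __init__(self, limit: int, window_s: int) -> None:
        self.limit, self.window_s = limit, window_s
        self._events: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def _prune(self, key: Hashable, now: float) -> Deque[float]:
        q = self._events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def over_limit(self, key: Hashable, now: float) -> bool:
        """True while `limit` or more events lie inside the window."""
        return len(self._prune(key, now)) >= self.limit

    def record(self, key: Hashable, now: float) -> bool:
        """Record an event at `now`; True if it is the one that reaches `limit`."""
        q = self._prune(key, now)
        q.append(now)
        return len(q) >= self.limit


class SiteProtection:
    """The three controls, differing mainly in what they are keyed by."""

    def __init__(self, disable_volume_requests: bool = False) -> None:
        self.disable_volume_requests = disable_volume_requests
        # Keyed by account: 5 failures in 30 minutes locks the account.
        self.account_failures = SlidingWindowCounter(5, 30 * MIN)
        # Keyed by IP: every login attempt, failed or not (window assumed).
        self.logins_by_ip = SlidingWindowCounter(LOGIN_CHALLENGE_AFTER, 5 * MIN)
        # Keyed by IP: code redemption requests within 5 minutes.
        self.redemptions_by_ip = SlidingWindowCounter(REDEMPTION_BLOCK_AFTER, 5 * MIN)

    def login(self, email: str, ip: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'challenge', 'ok' or 'failed'."""
        if self.account_failures.over_limit(email, now):
            return "locked"          # per account; the source IP is irrelevant
        if self.logins_by_ip.record(ip, now):
            return "challenge"       # managed challenge for this IP
        if password_ok:
            return "ok"
        if self.account_failures.record(email, now):
            return "locked"          # this was the 5th failure in 30 minutes
        return "failed"

    def redeem(self, ip: str, now: float) -> str:
        """Return 'blocked' or 'ok' for a code redemption request."""
        if self.disable_volume_requests:
            return "ok"              # toggle enabled: no IP-based blocking
        if self.redemptions_by_ip.over_limit(ip, now):
            return "blocked"
        if self.redemptions_by_ip.record(ip, now):
            return "blocked"
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: one account attacked from five different IPs.
    site = SiteProtection()
    for i in range(5):
        print(i, site.login("target@example.com", f"10.0.0.{i}", False, float(i)))
    print("correct password while locked:",
          site.login("target@example.com", "10.0.0.99", True, 10.0))
```

The scenario in the block shows why the lockout is per account: the fifth failure comes from a fifth IP and still locks the account, and even the correct password is refused until the 30-minute window has passed. The redemption counter, by contrast, never looks at who is redeeming, which is exactly why a crowd behind one venue IP trips it and why the toggle exists.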