The Security Settings page of the Management menu is available to Account Owners only. Here, you can set the security levels for account access and data management.
Please note that account owners must verify their email address (Management > User Management) before accessing this page. Trying to open Security Settings without a verified email address will result in an error message: "Forbidden".
Permitted email domains for users
To keep your account secure from unauthorized access, all users must activate their profile via a link in an email sent from Emarsys. Before they can receive this email, their email domain must be listed here.
Since this is also true for all emails relating to account security and user management, such as password resets, it is recommended to keep all domains used by active user profiles in this list.
You can enter as many domains as you like, but there must be at least one (e.g. the email domain of the Account Owner).
IP access control
Even if a user’s login name and password are compromised, you can still prevent unauthorized access with these credentials by restricting login to approved IP addresses (these can be provided by your own IT Support). All other IP addresses will require the additional security precaution of two-step authentication. The settings for two-step authentication are found on each user’s Profile page.
Prerequisites: Before setting up two-step authentication, you need to enable IP access control at an account (tenant) level as follows:
1. Navigate to Management > Security Settings > IP access control.
2. Check the Require two-step authentication when logging in from unrecognized IP addresses checkbox.
When you first enable IP access control, no IP addresses are added to allowlists.
This is the most secure setting, since every user will require two-step authentication.
You can then add single IP addresses (your own IP address is helpfully displayed) or ranges of addresses.
Users logging in from one of the IP addresses (or ranges) from an allowlist can log in with their user name and password only.
Users logging in from all other IP addresses must confirm their identity via two-step authentication. (If using a smartphone authenticator app, users can also ask Emarsys to remember individual devices, enabling login with user name and password from that device for 14 days, regardless of the IP address.)
Important: Emarsys strongly recommends activating this feature! If you do not, Emarsys disclaims all responsibility for any damage resulting from unauthorized access.
API users
In order to keep your API secure, change your user name and secret key regularly.
These API users are created with a matching key which is available while the confirmation dialog is open. You can copy and paste the key from here. After you close the dialog, the key cannot be retrieved and a new user must be created.
API permission system
You can edit your API users individually to limit which endpoints, and which of their respective methods, they are allowed to use.
For existing API users, all permissions are enabled by default. However, for new API users, the required endpoint operations must be activated one by one. New API permissions will be disabled by default for all API users. See the list of permissions required for the listed API endpoints.
WebDAV users
Although Emarsys strongly recommends using the API or an SFTP server for secure data transfer, we also make WebDAV storage available for our customers who do not have the requisite technical support.
Your WebDAV storage will be created as soon as you create your first WebDAV user. As with the API user, you should change the WebDAV user and secret regularly, and the key is only available to copy while the confirmation dialog is open.
Key-based SFTP Auto-imports
With this feature you can easily and conveniently set up auto-import events from your SFTP servers. We use 4096-bit RSA keys for optimal security.
Creating the key
To create a key for your SFTP server authentication, open the Keyring tab and click Create Key.
Give the key a clear and recognizable name for later identification, for example, the server where it will be used for authentication.
When you have created the key, the confirmation dialog will show you the key’s name, creation date, the SHA1 fingerprint associated with it and the OpenSSH public key to be used in your SFTP server configuration.
This key will now be available for selection in the Remote source options when setting up your auto-imports.
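Before adding the OpenSSH public key to your SFTP server configuration, you can check that the line you copied is a 4096-bit RSA key and that its SHA1 fingerprint matches the one in the confirmation dialog. The following is an added example, not Emarsys code: the function names are hypothetical, the sample key is constructed, and the fingerprint is assumed to be shown either as hex (with or without colons) or in the OpenSSH "SHA1:" base64 form.

```python
import base64
import hashlib
import struct

def _field(blob, pos):
    """Read one length-prefixed field of the SSH wire format (RFC 4251)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = pos + 4 + struct.unpack(">I", blob[pos:pos + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def inspect_public_key(line):
    """Return (modulus_bits, sha1_digest) for an 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the prefix")
    _exponent, pos = _field(blob, pos)
    modulus, pos = _field(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    return int.from_bytes(modulus, "big").bit_length(), hashlib.sha1(blob).digest()

def key_matches(line, shown_fingerprint, required_bits=4096):
    """True only if the key is RSA of required_bits and its SHA1 matches the dialog."""
    bits, digest = inspect_public_key(line)
    shown = shown_fingerprint.strip()
    if shown.upper().startswith("SHA1:"):   # OpenSSH-style unpadded base64
        expected = base64.b64encode(digest).decode().rstrip("=")
        shown = shown[5:].rstrip("=")
    else:                                    # hex, with or without colons
        expected = digest.hex()
        shown = shown.replace(":", "").lower()
    return bits == required_bits and shown == expected

def constructed_key_line(bits=4096):
    """Constructed sample: a well-formed blob whose modulus is NOT a real RSA key."""
    def enc(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = enc(b"ssh-rsa") + enc(b"\x01\x00\x01") + enc(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " example-import-key"
```

Call key_matches() with the public key line you copied and the fingerprint from the dialog; a False result means the key was altered or truncated in transit, or is not the expected size.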