The Security Settings page of the Admin menu is available to Account Owners only. Here you can:

Permitted email domains

In order to keep your account secure from unauthorized access, all users must activate their profile via a link in an email sent from Emarsys. Before they can receive this email, their email domain must be listed here.

Note: Since this is also true for all emails relating to account security and user management, such as password reset, it is recommended to keep all domains used by active user profiles in this list.

admin-security-settings-domains

You can enter as many domains as you like, but there must be at least one (e.g. the email domain of the Account Owner).

IP access control

Even if a user’s login name and password are compromised, you can still prevent unauthorized access with these credentials by restricting login to approved IP addresses (these can be provided by your own IT Support). All other IP addresses will require the additional security precaution of two-step authentication. The settings for two-step authentication are found on each user’s Profile page.

When you first enable IP access control, no IP addresses are whitelisted.

admin-ip-control-secure

  • This is the most secure setting, since every user will require two-step authentication.

You can then add single IP addresses (your own IP address is helpfully displayed) or ranges of addresses.

admin-ip-control-whitelist

  • Users logging in from one of the whitelisted IP addresses (or ranges) can log in with their user name and password only.
  • Users logging in from all other IP addresses must confirm their identity via two-step authentication. (If using a smartphone authenticator app, users can also ask Emarsys to remember individual devices, enabling login with user name and password from that device for 14 days, regardless of the IP address.)

Important note: Emarsys strongly recommends activating this feature! If you do not, Emarsys disclaims all responsibility for any damage resulting from unauthorized access.

API users

In order to keep your API secure you should change your user name and secret key regularly.

api-create-user

These API users are created with a matching key which is available while the confirmation dialog is open. You can copy and paste the key from here. After you close the dialog, the key cannot be retrieved and a new user must be created.

api-create-user-secret

WebDAV users

Although Emarsys strongly recommends using the API or an SFTP server for secure data transfer, we also make WebDAV storage available for our customers who do not have the requisite technical support.

webdav-create-user

Your WebDAV storage will be created as soon as you create your first WebDAV user. Like the API user, you should change the WebDAV user and secret regularly and the key is only available to copy while the confirmation dialog is open.

Key-based SFTP Auto-imports

With this feature you can easily and conveniently set up auto-import events from your SFTP servers. We use 4096-bit RSA keys for optimal security.

Creating the key

To create a key for your SFTP server authentication, open Keyring tab and click Create Key.

admin-security-settings-keyring-1

Note: Give the key a clear and recognizable name for later identification, for example the server where it will be used for authentication.

When you have created the key, the confirmation dialog will show you the key’s name, creation date, the SHA1 fingerprint associated with it and the OpenSSH public key to be used in your SFTP server configuration.

admin-security-settings-keyring-2

This key will now be available for selection in the Remote source options when setting up your auto-imports.

Managing keys

You can view the details of any key by clicking the information-icon icon in the keys list.

You can also delete unwanted keys by clicking the delete-icon icon in the keys list.