This help page is for users in Creator 6. If you are in the older version (Creator 5), click here. Know your Creator version.

1. What Does This Page Cover?

3. Overview

1. A company may require their employees to use multi-factor authentication to be able to use the platform.
   
2. Similarly, a policy laying down the guidelines for password creation and their maintenance helps employees to be aware and ensure that no security breach stems from their ends.
   

4. Security Policies in Creator

1. Password Policy
2. Multi-Factor Authentication (MFA)
3. Allowed IPs
4. Advanced Settings

Important: 

1. To perform actions in Zoho Directory, you need to be an admin in ZD or be set up with a custom role who can make changes to ZD.
2. For the configurations made in Zoho Directory to be applicable to the users in Creator, they will have to be assigned to the Creator application from the Users module in Zoho Directory. Learn more

Note : 

1. The Default Policy can be edited but cannot be renamed, deleted, or deactivated.
2. The Default Policy is always last in priority.

4.1. Use Case

1. Set rules that must be followed to ensure that your employees create complex passwords for their accounts. Complex passwords ideally include a mix of letters with upper and lower cases, numbers, and special characters. Eg. "aD34@W1*!S".
2. Enable multi-factor authentication to bring about a stratified authorization system.
3. Regulate the authorized IP addresses through which your employees can log in.
4. Monitor and manage their session details.

4.2. Navigation Guide

4.3. Policy Info

1. Those groups/users are listed under Applicable Groups and Excluded Users respectively.
2. The number of groups included and the number of excluded users are displayed right next to the respective headings.
3. Clicking on a user/group will redirect you to the Users/Groups module of Zoho Directory.
4. Hovering over an excluded user lets you to remove those users from the exemption.
5. Hovering over an included group lets you to remove those set of users from the policy.

Note: You can Rename, Delete, or Deactivate a newly-created policy from the Security Policy Configuration.

4.4. Password Policy

1. Decide the length of the password that an employee needs to set for their logins.
2. Ask the employee to use both upper and lower cases in their password to enhance complexity.
3. Set the minimum number of special characters and digits that need to be included in the password.
4. Decide for how long an employee is allowed to use a password before changing it.
5. Restrict them from changing their passwords frequently.
6. Disallow them from using previous passwords during reset.

Note: 

1. When a user uses a verified Zoho account to log in to Creator, they will have to follow Zoho Directory's password policy that has been set by your organization.
2. If the user tries to sign in using an external identity provider, Zoho Directory's password policy will not apply to them. Their credentials need to match the password policy set by the external IdP.

4.5. Multi-Factor Authentication (MFA)

1. Zoho OneAuth - Our own authenticator that offers multiple sign-in modes and passwordless sign-in.

Note: If you've enabled OneAuth, you can choose to enable or disable faceID/touch ID and passwordless sign-ins.

1. Other authenticator apps such as Google Authenticator and Authy, which generates OTPs for sign-in.
2. Hardware security key such as YubiKey.
3. SMS-based OTPs.

1. MFA lifetime - You can also set a time limit on MFA, after which, the employees will not need to go through multi-factor authentication after signing in from a genuine and trusted browser.
2. Allow backup recovery codes - Users will be able to generate and use backup recovery codes when they have trouble signing in.

4.6. Allowed IPs

1. You can restrict your users to sign in to your organization only from the then current IP, through which the Zoho Directory was accessed.
2. An IP range can also be set from which your users can sign in to the organization.
3. To create a more rigid rule, you can add a static IP that can be used by the whole organization for sign in purposes.

Note: If a user whitelists an IP address for themselves in Zoho Accounts and the same user has been assigned with a security policy that whitelists a different IP, they will be able to only use the IP address added in Zoho Directory's security policy.

4.7. Advanced Settings

1. Sessions Lifetime - Time limit after which the employees will be automatically signed out of the organization. The Default value is 30 days.
2. Idle Session Timeout - Time limit for the idle period after which the employees will be automatically signed out. The default value is Never.
3. Concurrent Sessions - The number of simultaneous sessions that an employee can use for signing in to your organization. The Default value is 50 sessions. If needed, you can restrict the number of concurrent sessions to anywhere between 1 and 10.

5. Configuration of Security Policy

1. Add Security Policy - Learn to add a new security policy with custom configurations.
2. Configure Password Policy - Learn to create a robust password policy that can be assigned to different groups of users.
3. Configure MFA - Learn to enable different types of authentication methods.
4. Configure Allowed IPs - Learn to whitelist IP addresses.
5. Configure Session Management - Learn to manage the session rules that your employees will have to follow certainly.

6. Benefits of Using Security Policies

1. Password policies prevent breaching of data and ensure that employees can safeguard their own credentials. A orgnaization's responsibility needs to be clearly mirrored in the sophisticated password policy that they build.
2. Most organizations resorted to using the two-factor authentication method before MFA gained popularity. MFA allows the inclusion of more layers of protection. OTP-based requests, usage of Google Authenticator, and more ensures that an user is fully verified before entering the organization virtually. This prevents hackers from easily breaking into your employees' accounts. Therefore MFA builds a more secure platform for your users and in turn ensures your customers' trust in this kind of a protective framework.
3. Restriction of IP addresses play a pivotal role in protecting company data. This an additional layer of protection. For example, if a cyber attack is initiated using an employee's credentials illegally, the organization will still steer clear of the breach since they would have allowed only specific IP addresses from which an user can log in. All other IPs will not be allowed to enter the organization virtually.

7. Points to Note

1. The number of security policies that can be active at the same time depends on your Directory plan.
2. Any changes made to a security policy will come into effect during the next sign-in or reset password session that a user undergoes.

1. For the configurations made in Zoho Directory to be applied to the users in Creator, they need to be assigned to the Creator application from the Users module in Zoho Directory.
2. All users added in Creator will be listed In Zoho Directory. New users can also be created from Zoho Directory and be assigned to Creator. They will be added automatically in Creator's Users module.
3. A two-way bridge exists between Creator and Zoho Directory. Actions done with Creator users, such as addition, renaming, deletion, deactivation, activation, and so on, get synced in the other product automatically.
4. Users can be assigned to Creator from Zoho Directory only until the Creator plan's user limit is attained.

8. Related Topics

1. Understand Governance
2. Custom Authentication in Zoho Creator
   
3. Active Directory in Zoho Creator
4. Domains in Zoho Creator