Security Policies in Zoho Creator | Zoho Creator help

Security Policies in Zoho Creator

This help page is for users in Creator 6. If you are in the older version (Creator 5), click here. Know your Creator version.

1. What Does This Page Cover?

Learn how you can use security policies to improve a user's authorization process and provide enhanced protection. This is one of the many features offered in Zoho Creator under Governance.

2. Availability

  1. Security Policies can be accessed only in the paid plans of Creator.
  2. Only the super admin and admins can access Security Policies.

3. Overview

Security policies are a set of rules that protect an organization's data. They cover the various measures taken to protect an organization's integrity and confidential data. Putting such a framework in place closes security gaps and helps an organization steer away from vulnerabilities that might stem from a security breach.
"Security policies" is a broad term that includes all kinds of security measures, which play roles at different levels and spheres of an organization's development. For example:
  1. A company may require its employees to use multi-factor authentication to be able to use the platform.
  2. Similarly, a policy laying down the guidelines for creating and maintaining passwords helps employees stay aware and ensure that no security breach stems from their end.

4. Security Policies in Creator

In Creator, we use Zoho Directory's support to provide the foolproof implementation of security policies. This configuration helps create a set of rules that must be followed by the whole organization. It increases the levels of authorization to ensure login security, helps create complex passwords, restricts the number of logins, helps create IP address-based restrictions, and more. The four most important attributes of a security policy that Creator provides to help maintain a high-profile security system are:
  1. Password Policy
  2. Multi-Factor Authentication (MFA)
  3. Allowed IPs
  4. Advanced Settings
Note:
  1. To perform actions in Zoho Directory, you need to be an admin in ZD or be set up with a custom role that can make changes to ZD.
  2. For the configurations made in Zoho Directory to apply to the users in Creator, the users have to be assigned to the Creator application from the Users module in Zoho Directory. Learn more

Default Policy
This is the policy that is listed by default in Zoho Directory's Security Policies tab, even before you create policies of your own. All four attributes mentioned above can be configured by the super admin or admin. This policy applies to all users unless they have been assigned a policy that has a higher priority.
  1. The Default Policy can be edited but cannot be renamed, deleted, or deactivated.
  2. The Default Policy is always last in priority.

Priority of Security Policies
In Zoho Directory, the order in which the security policies are displayed indicates a hierarchy from top to bottom. When a user is added to more than one policy, the policy that is higher in the priority list is applied. The priority order can be changed by dragging and dropping a policy up or down the list using its icon.

4.1. Use Case

Say you run an organization that has a large number of employees. You will need to make sure there are no internal security breaches. To ensure this, you can draft a thorough security policy:
  1. Set rules that must be followed to ensure that your employees create complex passwords for their accounts. Complex passwords ideally include a mix of upper and lower case letters, numbers, and special characters. For example, "aD34@W1*!S".
  2. Enable multi-factor authentication to bring about a layered authorization system.
  3. Regulate the authorized IP addresses through which your employees can log in.
  4. Monitor and manage their session details.
This will lessen the likelihood of ransomware and other cyberattacks.

4.2. Navigation Guide

Once you sign in to your Creator account, you can find Governance under the MANAGE section on the left-side pane of your dashboard. Once there, you land in the Security Policies tab by default.
Clicking Configure Security Policy here will take you to Zoho Directory's Admin Panel from where you can add and manage policies.

4.3. Policy Info

In Zoho Directory's Policy Info tab, you can include groups of users in the policy and exclude specific users from conforming to this policy if necessary.
  1. Those groups/users are listed under Applicable Groups and Excluded Users respectively.
  2. The number of groups included and the number of excluded users are displayed right next to the respective headings.
  3. Clicking on a user/group will redirect you to the Users/Groups module of Zoho Directory.
  4. Hovering over an excluded user lets you remove that user from the exemption.
  5. Hovering over an included group lets you remove that set of users from the policy.
Note: You can Rename, Delete, or Deactivate a newly-created policy from the Security Policy Configuration.
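The priority rule and the Applicable Groups / Excluded Users lists described above can be modelled offline to review which policy each user actually ends up with. This is an added example, not Zoho's code or API: the `Policy` class, the sample users, groups and policy names are constructed, and it assumes that an excluded user falls through to the next policy down and that a deactivated policy is skipped.

```python
from dataclasses import dataclass, field

DEFAULT_POLICY = "Default Policy"  # always last in priority, applies to everyone


@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)          # "Applicable Groups"
    excluded_users: set = field(default_factory=set)  # "Excluded Users"
    active: bool = True


def resolve(user, user_groups, policies):
    """Return (effective policy name, policies skipped because of an exclusion).

    `policies` is ordered top to bottom as in the priority list; the first
    active policy that covers one of the user's groups wins.
    Assumption: an excluded user falls through to the next policy down.
    """
    skipped = []
    for policy in policies:
        if not policy.active or not (policy.groups & set(user_groups)):
            continue
        if user in policy.excluded_users:
            skipped.append(policy.name)
            continue
        return policy.name, skipped
    return DEFAULT_POLICY, skipped


def audit(directory, policies):
    """Map each user to their effective policy and flag exclusion fall-throughs."""
    report = {}
    for user, groups in directory.items():
        effective, skipped = resolve(user, groups, policies)
        report[user] = {"effective": effective, "excluded_from": skipped}
    return report


# Constructed sample data: group names, users and policy names are made up.
POLICIES = [
    Policy("Admins - strict", groups={"admins"}),
    Policy("Finance", groups={"finance"}, excluded_users={"svc-export@example.com"}),
    Policy("Contractors", groups={"contractors"}, active=False),
]
DIRECTORY = {
    "asha@example.com": ["finance", "admins"],   # member of two policies
    "ben@example.com": ["finance"],
    "svc-export@example.com": ["finance"],       # excluded from Finance
    "cara@example.com": ["contractors"],         # that policy is deactivated
}

if __name__ == "__main__":
    for user, row in audit(DIRECTORY, POLICIES).items():
        print(f"{user:24} -> {row['effective']:16} excluded_from={row['excluded_from']}")
```

Users who land on the Default Policy only because of an exclusion or a deactivated policy are the ones worth reviewing, since the Default Policy is the fallback for everyone.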

4.4. Password Policy

In Zoho Directory's Password Policy tab, you can customize the various rules that govern the creation of passwords by your employees. The three types of predefined strengths that you can choose from are Strong, Good, and Fair. You can also choose Custom and alter all the values of the below attributes according to your needs.
You can:
  1. Decide the length of the password that an employee needs to set for their logins.
  2. Ask the employee to use both upper and lower cases in their password to enhance complexity.
  3. Set the minimum number of special characters and digits that need to be included in the password.
  4. Decide for how long an employee is allowed to use a password before changing it.
  5. Restrict them from changing their passwords frequently.
  6. Disallow them from using previous passwords during reset.
Note:
  1. When a user uses a verified Zoho account to log in to Creator, they will have to follow Zoho Directory's password policy that has been set by your organization.
  2. If the user tries to sign in using an external identity provider, Zoho Directory's password policy will not apply to them. Their credentials need to match the password policy set by the external IdP.
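The six rules listed above, evaluated against a candidate password, as an added example that is not Zoho Directory's code. The `PasswordPolicy` fields and their values are constructed for a Custom policy, and previous passwords are assumed to be kept as salted PBKDF2 digests rather than plaintext.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    # Constructed values for a "Custom" policy, not Zoho's Strong/Good/Fair presets.
    min_length: int = 12
    require_mixed_case: bool = True
    min_special: int = 1
    min_digits: int = 1
    max_age_days: int = 90   # how long a password may be used before a change
    min_age_days: int = 1    # blocks frequent changes
    history_size: int = 5    # previous passwords that cannot be reused


def remember(password):
    """Store a previous password as (salt, digest), never as plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def violations(policy, candidate, history, last_changed, now):
    """List every rule the candidate breaks; `history` is newest first."""
    found = []
    if len(candidate) < policy.min_length:
        found.append("too short")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.require_mixed_case and not (has_lower and has_upper):
        found.append("needs upper and lower case")
    if sum(c in string.punctuation for c in candidate) < policy.min_special:
        found.append("too few special characters")
    if sum(c.isdigit() for c in candidate) < policy.min_digits:
        found.append("too few digits")
    if now - last_changed < timedelta(days=policy.min_age_days):
        found.append("changed too recently")
    for salt, digest in history[: policy.history_size]:
        attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        if hmac.compare_digest(attempt, digest):
            found.append("reuses a previous password")
            break
    return found


def expired(policy, last_changed, now):
    """True once the password has been in use longer than the policy allows."""
    return now - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    now = datetime(2024, 1, 31)  # constructed date
    sample = "aD34@W1*!S"  # the example password from this page (10 characters)
    print(violations(PasswordPolicy(), sample, [], now - timedelta(days=30), now))
```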

4.5. Multi-Factor Authentication (MFA)

Multi-factor authentication is a non-invasive method that adds one extra layer of security. Instead of just using a password to log in, the employee also needs to use another method, such as entering a privately sent OTP or using a hardware key, to sign in. This ensures that the credentials of the employees within the organization cannot be misused. This in turn minimizes the threat of cyberattacks, such as phishing, social engineering, and ransomware attacks. As a modern authentication method, MFA almost wholly stops any kind of account compromise.
In Zoho Directory's MFA tab, the following MFA modes can be enforced for enhanced protection of user identities:
  1. Zoho OneAuth - Our own authenticator that offers multiple sign-in modes and passwordless sign-in.
     Note: If you've enabled OneAuth, you can choose to enable or disable Face ID/Touch ID and passwordless sign-ins.
  2. Other authenticator apps such as Google Authenticator and Authy, which generate OTPs for sign-in.
  3. Hardware security key such as YubiKey.
  4. SMS-based OTPs.

To ensure an extra layer of security, the following options are also available:
  1. MFA lifetime - You can also set a time limit on MFA. Once it is set, employees who have signed in from a genuine and trusted browser will not need to go through multi-factor authentication again within that time.
  2. Allow backup recovery codes - Users will be able to generate and use backup recovery codes when they have trouble signing in.

4.6. Allowed IPs

Directory allows you to whitelist one or more IP addresses through which your employees can access Zoho Creator. For example, when configured accordingly, your organization's data cannot be accessed outside your office premises unless the employee uses a VPN.
In Zoho Directory, the different ways to whitelist IPs are:
  1. You can restrict your users to sign in to your organization only from the IP address that was current when Zoho Directory was accessed.
  2. An IP range can also be set from which your users can sign in to the organization.
  3. To create a more rigid rule, you can add a static IP that can be used by the whole organization for sign-in purposes.
Note: If a user whitelists an IP address for themselves in Zoho Accounts and the same user has been assigned a security policy that whitelists a different IP, they will be able to use only the IP address added in Zoho Directory's security policy.
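To check sign-in records against an allowlist before or after enforcing it, the static-IP and range entries and the precedence note above can be modelled as follows. This is an added example, not Zoho's code: the entry formats, function names and sample data are constructed, and it assumes that a user's own Zoho Accounts list applies only when the policy sets no IPs and that an empty allowlist means no restriction.

```python
import ipaddress


def parse_allowed(entries):
    """Turn allowlist entries into networks.

    Accepts a static IP ("203.0.113.10"), a CIDR block ("198.51.100.0/24")
    or an inclusive range ("192.0.2.10-192.0.2.20").
    """
    networks = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
    return networks


def effective_allowlist(policy_ips, personal_ips):
    """Directory policy entries win over the user's own Zoho Accounts entries."""
    return parse_allowed(policy_ips if policy_ips else personal_ips)


def is_allowed(source_ip, allowlist):
    if not allowlist:  # assumption: nothing configured means no restriction
        return True
    address = ipaddress.ip_address(source_ip)
    return any(address in network for network in allowlist)


def outside_allowlist(signins, policy_ips, personal):
    """Return the (user, ip) sign-ins that the effective allowlist would reject."""
    flagged = []
    for user, source_ip in signins:
        allowlist = effective_allowlist(policy_ips, personal.get(user, []))
        if not is_allowed(source_ip, allowlist):
            flagged.append((user, source_ip))
    return flagged


# Constructed sample data using documentation address ranges.
POLICY_IPS = ["198.51.100.0/24", "203.0.113.10", "192.0.2.10-192.0.2.20"]
PERSONAL = {"ben@example.com": ["192.0.2.200"]}  # user's own Zoho Accounts entry
SIGNINS = [
    ("asha@example.com", "198.51.100.7"),
    ("ben@example.com", "192.0.2.200"),   # only on ben's personal list
    ("cara@example.com", "192.0.2.15"),   # inside the range
    ("dev@example.com", "203.0.113.11"),  # one off from the static IP
]

if __name__ == "__main__":
    for user, ip in outside_allowlist(SIGNINS, POLICY_IPS, PERSONAL):
        print(f"outside allowlist: {user} from {ip}")
```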

4.7. Advanced Settings

With Zoho Directory, you can manage the session rules that your employees will be subjected to while signing in to your organization.
  1. Sessions Lifetime - Time limit after which the employees will be automatically signed out of the organization. The default value is 30 days.
  2. Idle Session Timeout - Time limit for the idle period after which the employees will be automatically signed out. The default value is Never.
  3. Concurrent Sessions - The number of simultaneous sessions that an employee can use for signing in to your organization. The default value is 50 sessions. If needed, you can restrict the number of concurrent sessions to anywhere between 1 and 10.

5. Configuration of Security Policy

Detailed documentation on configuring a security policy is available in Zoho Directory's resources. Refer to Zoho Directory's:
  1. Add Security Policy - Learn to add a new security policy with custom configurations.
  2. Configure Password Policy - Learn to create a robust password policy that can be assigned to different groups of users.
  3. Configure MFA - Learn to enable different types of authentication methods.
  4. Configure Allowed IPs - Learn to whitelist IP addresses.
  5. Configure Session Management - Learn to manage the session rules that your employees will have to follow.

6. Benefits of Using Security Policies

  1. Password policies prevent data breaches and ensure that employees can safeguard their own credentials. An organization's responsibility needs to be clearly mirrored in the sophisticated password policy that it builds.
  2. Most organizations resorted to using the two-factor authentication method before MFA gained popularity. MFA allows the inclusion of more layers of protection. OTP-based requests, usage of Google Authenticator, and more ensure that a user is fully verified before entering the organization virtually. This prevents hackers from easily breaking into your employees' accounts. Therefore, MFA builds a more secure platform for your users and in turn ensures your customers' trust in this kind of protective framework.
  3. Restriction of IP addresses plays a pivotal role in protecting company data. This is an additional layer of protection. For example, if a cyberattack is initiated using an employee's credentials illegally, the organization will still steer clear of the breach since it would have allowed only specific IP addresses from which a user can log in. All other IPs will not be allowed to enter the organization virtually.

7. Points to Note

  1. The number of security policies that can be active at the same time depends on your Directory plan.
  2. Any changes made to a security policy will come into effect during the next sign-in or reset password session that a user undergoes.
  3. For the configurations made in Zoho Directory to be applied to the users in Creator, they need to be assigned to the Creator application from the Users module in Zoho Directory.
  4. All users added in Creator will be listed in Zoho Directory. New users can also be created from Zoho Directory and be assigned to Creator. They will be added automatically in Creator's Users module.
  5. A two-way bridge exists between Creator and Zoho Directory. Actions done with Creator users, such as addition, renaming, deletion, deactivation, activation, and so on, get synced in the other product automatically.
  6. Users can be assigned to Creator from Zoho Directory only until the Creator plan's user limit is attained.