This guide will discuss the different steps you can take to keep your User Account secure, in order to avoid unauthorised access by a Student, or other Third Party.
- Never Put Login Details in Writing
- Location Based Access Control
- Location Based Access Control By User
- Location Based Access Control By Role
- Time Based Access Control
- Time Based Access Control By User
- Time Based Access Control By Role
- Use Single Sign On
- Use Two Factor Authentication
See also: How to Manage Password Policy and How to Manage Memorable Information.
Never Put Login Details in Writing
The first step to keeping your User Accounts secure is to ensure that Login Details are never written down, whether in the form of a printed user slip or a password written down to allow cover staff access to the system.
Putting User Account details in writing creates the opportunity for an unauthorised Third Party to gain access to your Account, giving them access to View and Change sensitive information about the Students and Staff at your school.
Location Based Access Control
Location Based Access Control limits the IP Ranges from which a User is able to access Bromcom. For example, you could limit it to just the IP range that the school uses, to prevent Users from accessing Bromcom from outside of the school, and require that any Users who need to work from home log in to the school's network via VPN before accessing Bromcom.
There are 2 places where you can configure Location Based Access Control: within the User Account or within the Role.
Location Based Access Control By User
Location Based Access Control By User will limit the restrictions to only the User Accounts you apply it to and will override any restrictions that are applied elsewhere. It is configured through Modules > Setup > System Users.
Select the User Account you would like to edit and click View.
In the User Access control panel tick the Override System Defaults for this User box. This will allow you to edit the Location Based Access Control.
Click the Pencil Icon.
Enter the Start IP and End IP for the IP range that you would like to restrict access to, then click the Tick to confirm.
Once you are happy, click Save in the top left hand corner.
Location Based Access Control By Role
You can also choose to set Location Based Access Control by Role. This will apply to all User Accounts with that Role assigned to them. Please Note: If the Users also have other Roles assigned to them with different Access Controls they may still be able to log in to the MIS.
Location Based Access Controls by Role are configured through Config > Setup > Roles and Permissions. Select the Role you would like to edit from the drop down and click Edit.
Scroll Down to the User Access Control Panel and click the Pencil Icon under Location Based Access Controls.
Enter the Start IP and End IP for the IP range that you would like to restrict access to, then click the Tick to confirm.
Once you're happy, click Save in the top left hand corner.
Users with that Role assigned will now only be able to access Bromcom from the IP Addresses specified within the Role. Please Note: Any Users will need to log out and back in again before changes to the Role will take effect.
Whether the Location Based Access Control is set by User or by Role, should a User try to log in from an IP Address outside of the specified range they will receive the following message.
Time Based Access Control
Time Based Access Control restricts access to Bromcom outside of the hours you choose. For example, you could limit access to Bromcom to only between the hours of 07:30 – 17:00 to prevent access to sensitive information outside of working hours.
You are able to specify Time Based Access Controls by User or by Role.
Time Based Access Control By User
Time Based Access Control by User will limit the restrictions to only the User Accounts you apply it to and will override any restrictions that are applied elsewhere. It is configured through Modules > Setup > System Users.
Select the User account you would like to edit and click View.
In the User Access Control panel tick the Override System Defaults for this User box. This will allow you to edit the Time Based Access Control.
Click the Pencil icon next to the day you would like to edit, and choose the time period for which you would like the user to be able to access Bromcom, by entering the Start Time and End Time in 24hr format. Click the Tick to save and repeat for any other days you would like to add restrictions to.
Once you are happy, click Save in the top left hand corner.
Time Based Access Control By Role
You also have the option to set Time Based Access Controls by Role. This will apply to all User Accounts with that role assigned to them. Please Note: if the Users also have other Roles assigned to them with different Access Controls they may still be able to log in to the MIS.
Time Based Controls by Role are configured through Config > Setup > Roles and Permissions. Select the Role you would like to edit from the drop down and click Edit.
Scroll Down to the User Access Control Panel and click the Pencil Icon next to the day you would like to restrict access for.
Choose the time period during which you would like the user to be able to access Bromcom, by entering the Start Time and End Time in 24hr format. Click the Tick to save and repeat for any other days you would like to add restrictions to.
Once you're happy, click Save in the top left hand corner.
Users with that Role assigned will now only be able to access Bromcom during the time frames specified within the Role. Please Note: Any Users will need to log out and back in again before changes to the Role will take effect.
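The precedence rules from the Location and Time Based Access Control sections, modelled as an added example (this is not Bromcom's code) so that planned settings can be checked against sample logins before they are entered. It assumes that an unset restriction means unrestricted, and that without a per-User override a login succeeds if any one assigned Role permits both the IP address and the time; the role names, IP addresses and times are constructed.

```python
from datetime import time
from ipaddress import ip_address

# Constructed sample settings: Start IP / End IP pairs and per-day
# Start Time / End Time windows, as entered in the User Access Control panel.
# Assumption: an empty list means no restriction has been configured.
TEACHER = {"ip_ranges": [("203.0.113.10", "203.0.113.20")],
           "hours": {"Mon": [("07:30", "17:00")]}}
EXAMS_OFFICER = {"ip_ranges": [], "hours": {}}  # nothing restricted on this Role


def ip_allowed(policy, addr):
    """True if addr lies inside any Start IP..End IP range (inclusive)."""
    if not policy["ip_ranges"]:
        return True
    a = ip_address(addr)
    return any(ip_address(lo) <= a <= ip_address(hi)
               for lo, hi in policy["ip_ranges"])


def time_allowed(policy, day, hhmm):
    """True if hhmm (24hr format) lies inside a window set for that day."""
    windows = policy["hours"].get(day, [])
    if not windows:
        return True
    t = time.fromisoformat(hhmm)
    return any(time.fromisoformat(start) <= t <= time.fromisoformat(end)
               for start, end in windows)


def can_log_in(roles, addr, day, hhmm, user_override=None):
    """Per-User settings replace the Role settings; otherwise any Role may permit."""
    policies = [user_override] if user_override is not None else roles
    return any(ip_allowed(p, addr) and time_allowed(p, day, hhmm)
               for p in policies)


def demo():
    """Evaluate constructed login attempts against the sample settings."""
    school, home = "203.0.113.15", "198.51.100.7"
    both = [TEACHER, EXAMS_OFFICER]
    return {
        "teacher_at_school": can_log_in([TEACHER], school, "Mon", "09:00"),
        "teacher_at_home": can_log_in([TEACHER], home, "Mon", "09:00"),
        "teacher_late": can_log_in([TEACHER], school, "Mon", "21:00"),
        "second_role_at_home": can_log_in(both, home, "Mon", "21:00"),
        "override_at_home": can_log_in(both, home, "Mon", "21:00", TEACHER),
    }
```

The `second_role_at_home` case is the situation the Please Note describes: a second, unrestricted Role lets the User in from outside the range, and only the per-User override closes it.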
Whether the Time Based Access Control is set by User or by Role, should a User attempt to log in outside of the specified times they will receive the following message.
Use Single Sign On
Single Sign On allows you to sign in to Bromcom using your school's existing Microsoft or Google Account, reducing the number of Passwords you need to remember and therefore reducing opportunities for your Password to be compromised.
To learn more about how to set up Single Sign On, please see How to Enable and Setup Single Sign On for Staff.
Use Two Factor Authentication
Enabling Two Factor Authentication will mean that when you log in to Bromcom you are asked to scan a QR Code with your phone and enter a code to confirm it is you. This means that even if your Login Details were compromised, an unauthorised Third Party would also need access to your phone in order to log in to your Account.
For more information on setting up and using Two Factor Authentication, please see How to Use Two Factor Authentication (2FA).