As an organization administrator, you can enforce security settings for your organization.

In order to require access by secure server (HTTPS), restrict access to specified IP addresses, and control the ability for all individuals to perform certain actions on contact sources at the organization level, go to Administration > Security Settings.

For individual users, there are permissions that enable or disable access to certain email and landing page capabilities, applications, and user IP. To manage user access restrictions for an individual user, go to User Management and select a user's name.

Note: These restrictions are only applicable to Campaign user IDs and Campaign access. These restrictions are not applicable to Acoustic ID, My Acoustic, or any other Acoustic products.

Set password policies

As an organization administrator, you can enforce password settings, password expiration times, and login attempts for your organization. You can also set up your organization's password settings for all your Campaign users.

Located in Security Settings, you can configure the password policy settings to:

• Choose the number times users can attempt to log in before they are locked out of their Campaign account.
• Determine when or if user passwords expire.
• Decide whether users can reuse previous passwords.
• Define password rules.

Configure access restrictions

General restrictions

Organization administrators can also set the following general restrictions:

• Requires HTTP - Select to require Campaign users to connect over a secure HTTP connection.
• Allow Multi-account Sign-on Links - Select this option to link to or access multiple (secondary) accounts from one primary account. Can be done without logging in to each account individually.
• Enable or disable user IP validation.

IP access restrictions

When a user logs in to Campaign, the system determines whether the login access is through the UI, API, or FTP. Based on how the user accessed the system, the system checks the user and Org restricted IP addresses to determine whether access can be granted.

Tip: As an organization administrator, you must add your computer's IP address to the list and select Allow UI Access. If you do not add this IP, you can lock yourself out of the system.

• Restrict user access to Campaign UI by IP - Restricts or allows access to the Campaign interface from only specified IP addresses.
• Restrict user access to the API by IP - Restrict or allow access to the Campaign API from only specified IP addresses.
• Restrict user access to FTP by IP - Restrict or allow access to the Campaign SFTP server from only specified IP addresses.
• For applications, IP access restrictions apply only to API requests that use jsessionid authentication. If you use OAuth authentication to call Campaign APIs, Campaign uses the OAuth credentials to restrict access.

Note: The reset password option cannot reset and unblock your account if the organization has IP restrictions and the user is trying to reset from an unlisted IP address.

Add individual IP address restrictions for an organization

To add individual IP address restrictions for an organization, take these steps.

1. Go to Settings > Administration > Security Settings.
2. Select Access Restrictions.
3. Click Add new IP Address.
4. The Add Allowed IP dialog box loads.
5. Type the IP address in the IP Address field and then click Add.
6. Select Allow UI Access, Allow API Access, Allow FTP Access or both.
7. Click Save.

Add an IP address range for multiple users

Instead of adding single IP addresses, you can add a range of IP addresses at one time.

1. Go to Settings > Administration > Security settings.
2. Click Access Restrictions.
3. Click Add new IP Range to open the dialog box.
4. Enter the range of IP addresses you want to restrict and then click Add. Now you're ready to provide or restrict UI, API, and FTP access to each IP address.

Note: IP ranges include both the upper and lower limits of the range.

Add IP addresses for an individual user

To add IP addresses for an individual user, take these steps:

1. Go to Settings > User accounts
2. Click the name of the user.
3. Select User IP Restrictions.
4. Click Add new IP Address. The Add Allowed IP dialog box opens.
5. Enter the IP address in the field and click Add.
6. Select Allow UI Access and/or Allow API Access to allow the user access to the Campaign user interface and/or the API from the specified IP address. You can also add a range of IP address for a user if needed.

Set the submission IP address for Transact

To deploy Transact emails, your IP address must be added to access restrictions.

1. Go to Security Settings under Settings.
2. Click Access Restrictions.
3. Click Add new IP address. Do not click Add new IP Range. The Add Allowed IP dialog box appears.
4. Enter the exact IP address, including periods. Do not enter any user or API settings.
5. Click OK. Campaign adds the IP address to the database.
6. Repeat, as necessary.

Note: IP ranges include both the upper and lower limits of the range.

All changes that are made take effect immediately. No saving is required.

Note: For applications, IP access restrictions apply only to API requests that use jsessionid authentication. If you are using OAuth authentication to call Campaign APIs, Campaign uses the OAuth credentials to restrict access instead of IP addresses.

Configure contact source access

Contact source access, set at the organization level, allows or restricts standard users from performing actions on contact sources (databases) within the organization such as adding contacts, importing, and exporting databases, and web form creation.

Contact source management actions include email, test, suppression, seed, and segments and apply to all users of Campaign or the API (excluding organization administrators), and each can be set differently.

Note: Enabling the API settings on the Contact Source Access Management page globally controls the settings for all contact sources in the organization.

You can prevent a standard user from performing an organization activity by clearing the check box next to the activity for that user. Keep in mind that the fields under Authentication for Contact Actions apply only to the API settings and these actions do not require authentication.

Setting definitions

• Create Contact Source - Create contact source.
• Import Create - Create a contact source by importing a contact source.
• Import Add - Import new contacts, and update field values, to a contact source.
• Import Update - Update a contact source by importing.
• Import Opt-Out - Import opt-out fields into a contact source.
• Authentication For Contact Actions - Require contacts to use User Authentication for actions, such as updating their profile.
• Add Contact - Add contacts to contact sources.
• Update Contact - Update contact information in contact sources.
• Delete Contact - Delete a contact from contact sources.
• Opt-Out Contact - Add contacts to opt-out columns in contact sources.
• Select Contact - Select a contact and edit information. This setting enables individuals to change settings for each contact source.
• Contact Source Export - Export contact sources.
• Contact Source Delete - Delete contact sources.
• Contact Source Copy - Copy contact sources.
• Contact Source Merge - Merge contact sources.
• Contact Source Purge - Purge email contact sources. Purging email contact sources removes all information from a contact source.
• List Web Forms - Create web forms.
• Contact Source Set Values - Set field values in contact sources.
• Values Report - Create and update New Values Reports.
• Contact Source Segmenting - Create contact source segments.
• Contact Source Columns In Export - Select contact source columns for export.