5.3.2 Administration — Settings — Security Settings — Tokens and Access

Security Settings define how access to the platform is protected within a tenant. These controls regulate authentication behavior, token lifecycles, and session security to reduce attack surface while maintaining predictable user experience.

Authentication Policy

Authentication policy governs how users sign in and maintain access.

Policy controls:

Enforced multi-factor authentication

Maximum login attempts

Account lockout behavior

Policies are applied uniformly across web, API, and mobile entry points.
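The attempt-counting and lockout logic described above, written out as an added Python example. It is illustrative code, not the platform's own implementation (the page's snippets are PHP), and the policy values MAX_ATTEMPTS, ATTEMPT_WINDOW, LOCKOUT_SECONDS and MFA_REQUIRED are assumed placeholders for whatever the tenant has configured. The password and MFA verifiers are injected so the policy can be exercised offline.

```python
import time
from typing import Callable, Dict, List, Optional

# Assumed policy values; the real ones come from the tenant's Security Settings.
MAX_ATTEMPTS = 5          # failures allowed before the account locks
ATTEMPT_WINDOW = 600      # seconds; failures older than this no longer count
LOCKOUT_SECONDS = 900     # how long a lockout lasts
MFA_REQUIRED = True       # enforced multi-factor authentication


class AuthPolicy:
    """Counts recent failures per user and locks the account when the limit is hit."""

    def __init__(self,
                 verify_password: Callable[[str, str], bool],
                 verify_mfa: Callable[[str, str], bool],
                 now: Callable[[], float] = time.time) -> None:
        self.verify_password = verify_password
        self.verify_mfa = verify_mfa
        self.now = now
        self._failures: Dict[str, List[float]] = {}   # user -> recent failure timestamps
        self._locked_until: Dict[str, float] = {}

    def _locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self.now()

    def _record_failure(self, user: str) -> None:
        t = self.now()
        recent = [f for f in self._failures.get(user, []) if t - f < ATTEMPT_WINDOW] + [t]
        self._failures[user] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[user] = t + LOCKOUT_SECONDS
            self._failures[user] = []       # counter restarts after the lockout expires

    def login(self, user: str, password: str, mfa_code: Optional[str]) -> str:
        # While locked, nothing is verified: the password is not checked, so the
        # lockout cannot be used to keep guessing.
        if self._locked(user):
            return "locked"
        if not self.verify_password(user, password):
            self._record_failure(user)
            return "locked" if self._locked(user) else "denied"
        if MFA_REQUIRED:
            if mfa_code is None:
                return "mfa-required"
            if not self.verify_mfa(user, mfa_code):
                self._record_failure(user)  # a wrong second factor counts toward lockout too
                return "mfa-failed"
        self._failures.pop(user, None)      # successful sign-in clears the counter
        return "ok"
```

Keying the counter by username alone, as this example does, lets anyone who knows a username lock that user out; keying by (user, source IP) or adding a short per-source delay before the account-wide lock is the usual trade-off, and which one the platform applies is a configuration decision rather than something this example settles.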

Token Configuration

Tokens are used for sessions, APIs, and integrations. Security settings define default token behavior.

Token parameters:

Expiration duration

Refresh eligibility

Rotation requirements

Example configuration:

// Default token lifetime in seconds (one hour)
SecurityConfig::set('tokens.default_ttl', 3600);
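How the three token parameters interact in practice, as an added Python example rather than the platform's code: access tokens expire after ACCESS_TTL (mirroring the 3600-second default above), refresh tokens are eligible for exchange only until REFRESH_TTL, and every refresh rotates the token. The assumed, hypothetical TokenService also shows the check that makes rotation worthwhile: a refresh token presented a second time is treated as replay and its whole family is revoked.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Assumed values; the platform's real ones come from Security Settings.
ACCESS_TTL = 3600            # access token lifetime, seconds
REFRESH_TTL = 14 * 86400     # refresh token lifetime, seconds (assumed)


@dataclass
class RefreshRecord:
    family: str         # every refresh token descended from one login shares a family id
    user: str
    expires_at: float
    used: bool = False  # set once the token has been exchanged (rotation)


class TokenService:
    """Short-lived access tokens plus single-use, rotating refresh tokens.

    Refresh tokens are stored only as SHA-256 digests. A refresh token that was
    already rotated out is treated as replay: the whole family is revoked, so
    neither the attacker nor the legitimate client keeps access.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self._refresh: Dict[str, RefreshRecord] = {}   # digest -> record
        self._revoked_families: Set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_refresh(self, user: str, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh[self._digest(token)] = RefreshRecord(
            family=family, user=user, expires_at=self.now() + REFRESH_TTL)
        return token

    def _access(self, user: str) -> dict:
        # Stand-in for a signed token: only the claims that matter here.
        return {"sub": user, "exp": self.now() + ACCESS_TTL}

    def login(self, user: str) -> dict:
        family = secrets.token_hex(8)
        return {"access": self._access(user), "refresh": self._issue_refresh(user, family)}

    def refresh(self, token: str) -> Optional[dict]:
        rec = self._refresh.get(self._digest(token))
        if rec is None or rec.family in self._revoked_families:
            return None
        if self.now() >= rec.expires_at:
            return None                              # not refresh-eligible: lifetime exhausted
        if rec.used:
            self._revoked_families.add(rec.family)   # replay of a rotated-out token
            return None
        rec.used = True                              # rotation: the old token is now dead
        return {"access": self._access(rec.user),
                "refresh": self._issue_refresh(rec.user, rec.family)}

    def is_access_valid(self, access: dict) -> bool:
        return self.now() < access["exp"]
```

The family revocation is deliberately harsh: after a detected replay the legitimate user must sign in again, which is the signal that something was stolen. A store that only rejected the replayed token would let the thief keep the fresh one.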

Session Security

Session behavior is controlled to prevent hijacking and misuse.

Session safeguards:

Idle timeout enforcement

Concurrent session limits

Automatic invalidation on credential change

Session rules are enforced server-side: the client holds only an opaque session identifier, so it cannot extend a session or bypass a limit by altering its own state.
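The three safeguards listed above in one server-side session registry, as an added Python example (not the platform's code). IDLE_TIMEOUT and MAX_CONCURRENT are assumed values, and the SessionStore class is hypothetical. The credential-change rule is implemented with a per-user version number so that every session issued before a password or MFA reset fails on its next request without the store having to find them all.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Assumed policy values; the real ones come from Security Settings.
IDLE_TIMEOUT = 900     # seconds without a request before the session is dropped
MAX_CONCURRENT = 2     # sessions a single user may hold at once


class SessionStore:
    """Server-side registry: every rule is checked here, never in the client."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self._sessions: Dict[str, dict] = {}        # sid -> {user, last_seen, cred_version}
        self._cred_version: Dict[str, int] = {}     # user -> current credential version

    def create(self, user: str) -> str:
        # Concurrent-session limit: evict the user's least-recently-seen session.
        own = sorted((s["last_seen"], sid)
                     for sid, s in self._sessions.items() if s["user"] == user)
        while len(own) >= MAX_CONCURRENT:
            _, oldest = own.pop(0)
            del self._sessions[oldest]
        sid = secrets.token_urlsafe(16)              # opaque, unguessable identifier
        self._sessions[sid] = {"user": user,
                               "last_seen": self.now(),
                               "cred_version": self._cred_version.get(user, 0)}
        return sid

    def touch(self, sid: str) -> Optional[str]:
        """Validate on every request. Returns the user, or None if the session is dead."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]                  # idle timeout
            return None
        if s["cred_version"] != self._cred_version.get(s["user"], 0):
            del self._sessions[sid]                  # issued before the credential changed
            return None
        s["last_seen"] = self.now()
        return s["user"]

    def credential_changed(self, user: str) -> None:
        """Password or MFA reset: bump the version so all existing sessions fail touch()."""
        self._cred_version[user] = self._cred_version.get(user, 0) + 1

    def active_count(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s["user"] == user)
```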

Access Restrictions

Additional restrictions can be applied to limit exposure.

Restriction types:

IP allowlists and denylists

Geographic access rules

Client or device constraints

Restrictions are evaluated on every request, not only at sign-in, so a changed rule applies to existing sessions from their next request onward.
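A per-request evaluator for the three restriction types, as an added Python example that is not the platform's own code. The AccessRules structure and the evaluate() function are hypothetical. Two design choices are the example's own assumptions rather than something the page states: a denylist match wins over an allowlist match, and a request whose country cannot be determined is refused whenever geographic rules are configured (fail closed).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class AccessRules:
    ip_allow: List[str] = field(default_factory=list)         # CIDRs; empty means any source
    ip_deny: List[str] = field(default_factory=list)          # CIDRs; checked first, always wins
    countries_allow: List[str] = field(default_factory=list)  # ISO country codes; empty means any
    clients_allow: List[str] = field(default_factory=list)    # client/device identifiers; empty means any


def _in_any(ip: IPAddress, cidrs: List[str]) -> bool:
    # Mixed IPv4/IPv6 comparisons simply do not match; they never raise.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(rules: AccessRules, src_ip: str, country: Optional[str], client: str) -> str:
    """Decide one request. Returns 'allow' or 'deny:<reason>'; nothing is cached,
    so a rule change takes effect on the very next call."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return "deny:bad-ip"                      # unparseable source: fail closed
    if _in_any(ip, rules.ip_deny):
        return "deny:ip-denylist"
    if rules.ip_allow and not _in_any(ip, rules.ip_allow):
        return "deny:ip-not-allowlisted"
    if rules.countries_allow and (country or "").upper() not in rules.countries_allow:
        return "deny:geo"                         # unknown country fails closed
    if rules.clients_allow and client not in rules.clients_allow:
        return "deny:client"
    return "allow"
```

The order matters: checking the denylist before the allowlist means a block on one subnet inside a broadly allowed range (a compromised office segment inside 10.0.0.0/8, say) cannot be undone by the wider allow entry.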

Credential Standards

Security settings define minimum standards for credentials.

Standards include:

Password complexity rules

Rotation reminders

Compromised credential detection

These standards are enforced without exposing credential material.
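What "enforced without exposing credential material" can look like in code, as an added Python example that is not the platform's implementation. The complexity limits (MIN_LENGTH, REQUIRED_CLASSES) are assumed, the breach corpus KNOWN_BREACHED is a constructed stand-in holding only SHA-1 digests, and the compromised-credential check uses a hash-prefix range query (the k-anonymity pattern) so that neither the password nor its full hash leaves the caller; that the platform uses this particular pattern is an assumption, not something the page states.

```python
import hashlib
import re
from typing import List, Set

# Assumed minimums; the tenant's real values come from Security Settings.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3     # of: lowercase, uppercase, digit, symbol

# Constructed stand-in for a breach corpus: digests only, never plaintext.
KNOWN_BREACHED: Set[str] = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Winter2024!!", "letmein12345")
}


def complexity_errors(pw: str) -> List[str]:
    errs: List[str] = []
    if len(pw) < MIN_LENGTH:
        errs.append(f"shorter than {MIN_LENGTH}")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < REQUIRED_CLASSES:
        errs.append(f"only {classes} of {REQUIRED_CLASSES} required character classes")
    if re.search(r"(.)\1{3,}", pw):
        errs.append("repeated character run")
    return errs


def lookup_range(prefix: str) -> Set[str]:
    """Stands in for the range endpoint of a breach service: given a 5-hex-char
    prefix it returns the suffixes of every matching digest it knows."""
    return {h[5:] for h in KNOWN_BREACHED if h.startswith(prefix)}


def is_compromised(pw: str) -> bool:
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix is sent out; the suffix comparison happens locally.
    return suffix in lookup_range(prefix)


def validate_password(pw: str) -> List[str]:
    """All policy findings for a candidate password; an empty list means it passes."""
    errs = complexity_errors(pw)
    if is_compromised(pw):
        errs.append("appears in a breach corpus")
    return errs
```

Note that the hashing here is for the lookup only; it says nothing about how the platform stores passwords, which should use a slow, salted password hash rather than SHA-1.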

Monitoring and Alerts

Security-relevant activity is continuously monitored.

Monitored events:

Repeated authentication failures

Token misuse or replay attempts

Access from anomalous locations

Alerts are delivered to authorized administrators.
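Detection logic for the three monitored events, run over constructed sample log lines, as an added Python example (not the platform's monitoring code). The line format, the event names and the thresholds FAIL_THRESHOLD, FAIL_WINDOW and TRAVEL_WINDOW are all assumptions made for the example. The token rule relies on refresh tokens being single-use: the same refresh token appearing twice is a replay.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events, one per line:
#   <epoch> <event> <user> <source-ip> <country> <refresh-token-id or ->
SAMPLE_LOG = """\
1700000000 auth.fail alice 198.51.100.7 DE -
1700000010 auth.fail alice 198.51.100.7 DE -
1700000020 auth.fail alice 198.51.100.7 DE -
1700000030 auth.ok bob 203.0.113.5 NL -
1700000040 token.refresh bob 203.0.113.5 NL tok-9f
1700000050 token.refresh bob 203.0.113.5 NL tok-9f
1700000060 auth.ok carol 203.0.113.9 DE -
1700000600 auth.ok carol 192.0.2.77 BR -
"""

FAIL_THRESHOLD = 3     # failures from one (user, ip) pair ...
FAIL_WINDOW = 300      # ... within this many seconds
TRAVEL_WINDOW = 3600   # two countries for one user within this window is anomalous


def parse(log: str) -> List[dict]:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ev, user, ip, cc, tok = line.split()
        events.append({"ts": int(ts), "event": ev, "user": user,
                       "ip": ip, "cc": cc, "token": tok})
    return events


def detect(events: List[dict]) -> List[str]:
    alerts: List[str] = []
    fails: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    seen_tokens: Dict[str, int] = {}
    last_login: Dict[str, Tuple[str, int]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "auth.fail":
            key = (e["user"], e["ip"])
            window = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
            fails[key] = window
            if len(window) == FAIL_THRESHOLD:     # alert once, when the threshold is crossed
                alerts.append(f"repeated-failures user={e['user']} ip={e['ip']} n={len(window)}")
        elif e["event"] == "token.refresh":
            if e["token"] in seen_tokens:         # single-use token presented twice
                alerts.append(f"token-replay token={e['token']} user={e['user']} ip={e['ip']}")
            else:
                seen_tokens[e["token"]] = e["ts"]
        elif e["event"] == "auth.ok":
            prev = last_login.get(e["user"])
            if prev and prev[0] != e["cc"] and e["ts"] - prev[1] <= TRAVEL_WINDOW:
                alerts.append(f"anomalous-location user={e['user']} "
                              f"{prev[0]}->{e['cc']} within {e['ts'] - prev[1]}s")
            last_login[e["user"]] = (e["cc"], e["ts"])
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

The location rule is deliberately simple (a country change within an hour) and will produce false positives for VPN users and mobile carriers that route through another country; production detectors usually add a distance or velocity estimate and a per-user allow list before paging anyone.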

Audit and Change Tracking

All security setting changes are logged immutably.

Example audit record:

// Record who changed security settings, and in which tenant
AuditLog::record('security.settings.updated', [
    'tenant_id' => tenant('id'),
    'actor_id'  => auth()->id(),
]);

Enforcement and Isolation

Security settings are tenant-scoped and cannot be overridden by user preferences or client configuration. Enforcement occurs at request time and applies consistently across all modules.