Security for users in the WMS

Table of contents

Introduction

It is vital that no unauthorized persons get access to Ongoing WMS. In the following sections we will go through some precautions you as an administrator to Ongoing WMS can take, to make sure that no unauthorized persons get access to your instance of Ongoing WMS. To learn more about how Ongoing as a company work with IT security, please visit our Trust Center.

Best practices

The following are regarded as best practices for users:

  1. Consider integrating with an identity provider (IdP) such as Microsoft Entra ID (formerly Microsoft Azure AD). This will allow you to use single sign-on (SSO), so that each a user can be authenticated by Entra rather than by Ongoing WMS.
  2. Consider turning on multi-factor authentication (MFA).
  3. Consider configuring more complex password requirements.
  4. Consider locking certain accounts to specific IP ranges.
  5. Do not allow users to share accounts. If you have temporary workers in your warehouse, make sure that they all have their own accounts.
  6. Users should have the minimal permission level required for them to carry out their work. Do not make users Administrators if they can carry out their work as a Warehouse Worker.
  7. Only allow users to access the goods owners that are necessary for them to carry out their work.
  8. Regularly review your users and remove those that are no longer necessary. This can be done once a month.
  9. Consider restricting access to the users administration page.

In Administration ⇒ Users, you can easily see which users have multi-factor authentication and IP filters turned on. The below picture shows two users. The first user has both multi-factor authentication and an IP filter, while the second user has neither:

How to check if a user has MFA and an IP filter turned on.

Password complexity requirements

Under the page Administration ⇒ Users you can configure password complexity requirements by navigating to the page settings. It is possible to adjust the minimum number of characters, minimum number of digits, minimum number of upper-case characters and minimum number of lower case characters. You can never configure anything less complex than 8 characters, 1 lower case character, 1 upper-case character and 1 digit.

It is not possible to reuse passwords. That is to say: When a password is changed, it has to be changed to a new password. It is not possible to use an old password again.

Multi-factor authentication / Two-factor authentication

By default, a user may log in to Ongoing WMS if they know their username and password. You can increase security by turning on multi-factor authentication (MFA). When MFA is turned on, the user must provide an additional factor (a PIN code) every 30 days.

MFA is also known as two-factor authentication (2FA).

Note that if you log in using single sign-on (SSO), then you will bypass any MFA which has been set up in Ongoing WMS.

The PIN code can either be delivered to the user via e-mail, or by an authenticator app on the user's smartphone. Both Microsoft and Google provide authenticator apps. We support most authenticator apps.

From the user's perspective, it works like this:

  1. The user attempts to login with their username and password.
  2. A PIN code is delivered to the user. Depending on how you have configured MFA for the user, either:
    1. The PIN code gets sent to the user's email address, or
    2. The user opens an authenticator app on their smartphone (such as Google Authenticator or Microsoft Authenticator) and gets a PIN code from the app.
  3. The user is asked to input the PIN code, which they must do before they are allowed to login.
  4. If the user tries to login again from the same machine within 30 days, they will not be asked for a PIN code. After 30 days, they will be asked for a PIN code again.

To turn on MFA for a user:

  1. Go to Administration ⇒ Users.
  2. Click on "Manage multi-factor authentication".
  3. Locate the setting called "Multi-factor authentication via email" or "Multi-factor authentication via an authenticator app".
  4. Click on the Edit icon and select the users who should have MFA activated.
  5. In the case of MFA via an authenticator app, the next time the user logs in, they will be asked to add the account to their authenticator app.

Resetting a user's authenticator app

If a user has been set up with multi-factor authentication via an authenticator app, then they must have access to the app to login to Ongoing WMS. This means that if the user loses their phone or if their phone breaks, they will not be able to login to Ongoing WMS.

If that happens, the administrator of Ongoing WMS will have to reset the user's MFA setting:

  1. Go to Administration ⇒ Users.
  2. Find the user and click on Edit.
  3. Click on "Reset the user's multi-factor authentication key".

Not requiring MFA from certain IP ranges

The system can be set up so that MFA is not required when logging in from certain IP ranges. So if your warehouse has fixed IPs, you can set it up so that MFA is required when logging in from outside the warehouse, but not when logging in from inside the warehouse.

To set it up:

  1. Go to Administration ⇒ Users.
  2. Click on "Manage IP filters".
  3. Create a new IP filter and make a note of its ID.
  4. Go back to Administration ⇒ Users.
  5. Click on "Manage multi-factor authentication".
  6. Click on the Edit icon for the correct setting.

Then click on the setting in the list to the right. Then click Edit, enter the IDs of the IP filters, then click Update:

Finish by clicking on the Update button at the bottom.

Finish by clicking on the Update button at the bottom:

Finish by clicking on the Update button at the bottom.

IP filters

By default, a user may log in to Ongoing WMS from any IP address. You can increase security by only allowing certain users to login from specific IP ranges. For instance, if your warehouse has a specific IP range then you can restrict all of your Warehouse Worker users so that they can only login from that IP range, thus restricting outside access.

Note that if you log in using single sign-on (SSO), then you will bypass any IP filters which have been set up in Ongoing WMS.

There are two steps to setting this up. The first step is to define one or more IP filters:

  1. Go to Administration ⇒ Users.
  2. Click on "Manage IP filters".
  3. Click on "Create new IP filter".
  4. Enter a description of the IP filter (e.g. "IP addresses for my warehouse").
  5. Enter which IP ranges should be allowed in the filter. Each IP range is described using the standard subnet notation like "192.168.0.1/32". An IP filter can contain several IP ranges.
  6. Click on "Create".

The second step is to update the users:

  1. Go to Administration ⇒ Users.
  2. Find a user.
  3. Click on the Edit icon.
  4. Select the IP filter which you want the user to have.
  5. Click on "Update".
  6. Repeat for all users. You can also use the "Multiple update" to update several users at the same time.

When specifying an IP filter, you should usually specify an actual IP range such as "192.168.0.1/32". However, it is allowed to specify a domain (e.g. "subdomain.yourdomain.com") if you want a dynamic IP filter. In that case, make sure that the TTL on the subdomain is very short to prevent caching issues.

Restrict access to the user administration page

By default, all administrators have access to the user administration page. Consider restricting access to this page so that only a few administrators can access it. Send the list of administrators to your contact person at Ongoing, and they will make the necessary adjustments.

Start using Ongoing WMS