User access and sessions

·

SummitPSA includes several account-security controls, configured under Admin → Settings (admin_settings.manage).

Login lockout

After too many failed sign-ins an account is temporarily locked. Two settings govern this: max login attempts (default 5) and lockout duration in minutes (default 15). Login attempts are rate-limited to 5 per minute. A locked agent can be released early from their edit screen using Unlock.

Password policy

New passwords must meet the configured policy: a minimum length (default 12) plus optional requirements for an uppercase letter, a lowercase letter, a digit, and a symbol (all on by default). Agents also cannot reuse their last 5 passwords.

IP whitelist

List trusted IPv4 addresses (one per line) under whitelisted IPs to exempt them from lockout counting. Failed attempts from whitelisted addresses are still logged. Invalid entries are ignored on save, and the list is best-effort synced to the host firewall (Fail2ban).

Idle-session timeout

Sessions are signed out after a period of inactivity, separate from the cookie's absolute lifetime. The timeout is sliding — it resets on every request. Defaults: agents 480 minutes (8 hours) and portal contacts 240 minutes (4 hours). Values are clamped between 5 minutes and 24 hours, and changes take effect within about a minute. On timeout the user is returned to the login page with a notice.

Was this article helpful?
Still need help? Contact SummitPSA support.